Hi All,

I am sure this has been asked before (in fact, I think I asked it over 2 years ago). I am snooping tcp traffic on the e1000g using dtrace. Almost everything works (I print mac header, ip header, and tcp header). I would like to use something like tracemem() to dump the payload. However, tracemem() won't let me specify anything but a constant as the length. Has anyone succeeded in dumping an arbitrary number of hex bytes? What I want is something like:

    tracemem(mp->b_rptr+offset, mp->b_wptr-(mp->b_rptr+offset));

Or maybe there is a way to do this with printf???

thanks,
max
First, the length on tracemem is a constant because the output from one clause must be the same length every time it executes. With ASCII strings, you can fake it, because you can set the maximum length of strings to whatever you want. When the used length of a string varies each time the same clause is executed, this isn't a problem because D always records the full length of the string in the switch buffer, not just the used length. The full length never varies.

However, the problem with this for binary data, is that all of the string format items in printf stop when a null character ('\0') is reached: not a good thing for binary data.

I have a possible solution, but I don't think you're going to like it. I've thought about this before, and considered how I might solve it. If you know the buffer you want to trace is between say 1 and 8000 bytes, include enough additional probe specs and clauses for the same function over and over to display the whole thing, but trace it 100 bytes at a time. So for a maximum of 8000 bytes, you'd need 80 clauses. Then use a counter in a predicate to limit the number of clauses executed for each pass. It's crude, I know.

I considered a profile probe that fires over and over with a predicate that stops the output when the end of the buffer is reached, but the buffer would likely be modified before you'd get a chance to get all of the data traced.

We need a tracemem that has two parameters: buffer len, a variable, a max length, a constant. Tracemem would then always record the full length in the switch buffer, but only the actual data would be displayed, along with the length.

Good luck!
Chip
Hi Chip,

Chip Bennett wrote:
> First, the length on tracemem is a constant because the output from one clause must be the same length every time it executes. With ASCII strings, you can fake it, because you can set the maximum length of strings to whatever you want. When the used length of a string varies each time the same clause is executed, this isn't a problem because D always records the full length of the string in the switch buffer, not just the used length. The full length never varies.
>
> However, the problem with this for binary data, is that all of the string format items in printf stop when a null character ('\0') is reached: not a good thing for binary data.
>
> I have a possible solution, but I don't think you're going to like it. I've thought about this before, and considered how I might solve it. If you know the buffer you want to trace is between say 1 and 8000 bytes, include enough additional probe specs and clauses for the same function over and over to display the whole thing, but trace it 100 bytes at a time. So for a maximum of 8000 bytes, you'd need 80 clauses. Then use a counter in a predicate to limit the number of clauses executed for each pass. It's crude, I know.

Yes, I thought of that. The problem is that I can not assume that a given dump has, say 100 bytes in it. I would have to have a separate probe for each byte (ugh). I think I'll end up dumping the maximum size using tracemem, and then let an application whittle it down based on a length I can place into the output.

> I considered a profile probe that fires over and over with a predicate that stops the output when the end of the buffer is reached, but the buffer would likely be modified before you'd get a chance to get all of the data traced.
>
> We need a tracemem that has two parameters: buffer len, a variable, a max length, a constant. Tracemem would then always record the full length in the switch buffer, but only the actual data would be displayed, along with the length.

Yes! That would be nice...

Thanks much,
max

> Good luck!
>
> Chip
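The workaround max settles on above (trace a fixed maximum with tracemem(), print the real length next to it, and trim afterwards in an application) could be post-processed as in this added example, which is not code from the thread. The `len=` marker, the 16-byte tracemem constant, the name `trim_dumps` and the sample output are assumptions constructed for illustration.

```python
import re

# Constructed sample of `dtrace -q` output, assuming a D clause of the form
#   printf("len=%d\n", len); tracemem(payload, 16);
# where the "len=" marker and the constant 16 are choices made for this example.
SAMPLE = """\
len=5
             0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f  0123456789abcdef
         0: 00 01 00 ff 00 41 42 43 44 45 46 47 48 49 4a 4b  .....ABCDEFGHIJK
len=18
             0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f  0123456789abcdef
         0: 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a  GET / HTTP/1.1..
len=0
             0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f  0123456789abcdef
         0: de ad be ef de ad be ef de ad be ef de ad be ef  ................
"""

LEN = re.compile(r"^len=(\d+)\s*$")
# A dump row: hex offset, colon, up to 16 single-space-separated byte pairs.
# The ASCII column follows after two spaces, so it is never mistaken for a byte.
ROW = re.compile(r"^\s*([0-9a-f]+):((?: [0-9a-f]{2}){1,16})")

def trim_dumps(text):
    """Return [(payload_bytes, truncated)] for each len=/tracemem record.

    payload_bytes is cut to the declared length, so stale bytes past the end
    of the real data are dropped and embedded NULs survive. truncated is True
    when the declared length exceeds what the constant-size dump captured.
    """
    records = []  # (declared_length, bytearray of dumped bytes)
    for line in text.splitlines():
        m = LEN.match(line)
        if m:
            records.append((int(m.group(1)), bytearray()))
            continue
        m = ROW.match(line)
        if m and records:
            want, buf = records[-1]
            if int(m.group(1), 16) != len(buf):
                raise ValueError("unexpected offset in dump row: " + line)
            buf += bytes.fromhex(m.group(2))
    return [(bytes(buf[:want]), want > len(buf)) for want, buf in records]

if __name__ == "__main__":
    for payload, truncated in trim_dumps(SAMPLE):
        print(len(payload), "bytes", "(truncated)" if truncated else "", payload.hex())
```

The truncated flag marks records where the payload was longer than the traced maximum, which is the case a fixed-size tracemem() cannot recover.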