Howdy, I was using Brendan''s awesome execsnoop script today, and noticed that curpsinfo->ps_args is limited to 80-characters in procfs.h. Does anyone happen to know if there is a way to retrieve an argument string that is greater than 80-characters? Thanks, - Ryan -- UNIX Administrator http://daemons.net/~matty
G''Day Matty, On Fri, 13 Jan 2006, Matty wrote:> > Howdy, > > I was using Brendan''s awesome execsnoop script today, and noticed that > curpsinfo->ps_args is limited to 80-characters in procfs.h. Does anyone > happen to know if there is a way to retrieve an argument string that is > greater than 80-characters?curpsinfo is there to look like procfs''s psinfo, /usr/include/sys/procfs.h, #define PRARGSZ 80 /* number of chars of arguments */ typedef struct psinfo { [...] char pr_psargs[PRARGSZ]; /* initial characters of arg list */ Which is limited to 80 chars. DTrace really gets it from the user struct (see /usr/lib/dtrace/procfs.d) which has the same limitation, /usr/include/sys/user.h, #define PSARGSZ 80 /* Space for exec arguments (used by ps(1)) */ It''s an FAQ, I''ve been asked about this behaviour many times. ucb''s ps (and pargs) read the full listing from /proc/PID/as. I once tried to write a DTrace script to get the full argument listing, but needed loops to do it properly. I didn''t find a workaround as there hasn''t been a great reason why this is needed (yet). PS - remember the "-e" switch on execsnoop for parseable output if you want to do more with it. Normally execsnoop prints args with %s, the -e option uses %S. It would be default if it wasn''t for the trailing \0... no worries, Brendan [Sydney, Australia]
> I once tried to write a DTrace script to get the full argument listing, > but needed loops to do it properly. I didn''t find a workaround as there > hasn''t been a great reason why this is needed (yet).Does anyone else happen to know if there is a way to snag this with DTrace? If not, would it be possible to add support for this (I will file an RFE if this is feasible)?> PS - remember the "-e" switch on execsnoop for parseable output if you > want to do more with it. Normally execsnoop prints args with %s, the -e > option uses %S. It would be default if it wasn''t for the trailing \0...That is a super useful option. execsnoop (along with DTrace) helped me solve a tricky problem today, and because of that I have moved execsnoop to #2 on my list of favorite DTrace scripts ( right behind iopattern ). Thanks for writing this awesome script Brendan! - Ryan -- UNIX Administrator http://daemons.net/~matty
> I once tried to write a DTrace script to get the full argument listing, > but needed loops to do it properly. I didn''t find a workaround as there > hasn''t been a great reason why this is needed (yet).Does anyone else happen to know if there is a way to snag this info from within DTrace (without using stop(), /usr/ucb/ps and prun)? If not, would it be possible to add support for this (I will file an RFE if this is feasible)?> PS - remember the "-e" switch on execsnoop for parseable output if you > want to do more with it. Normally execsnoop prints args with %s, the -e > option uses %S. It would be default if it wasn''t for the trailing \0...That is a super useful option. execsnoop (along with DTrace) helped me solve a tricky problem today, and because of that I have moved execsnoop to #2 on my list of favorite DTrace scripts ( right behind iopattern ). Thanks for writing this awesome script Brendan! - Ryan -- UNIX Administrator http://daemons.net/~matty