All,

I am trying to track down what I may be doing wrong. I have an apache +mod_jk +tomcat setup. When the apache server obtains a Cookie: header with too many key=value pairs, the content-type is set to text/plain.

'v=1; y=F; u=d; a=b; j=k; b=c; c=d; e=f; g=h; h=i; i=j; etc..'

Truss of apache reports:

5375:   close(136) = 0
5375:   time() = 1145496342
5375:   time() = 1145496342
5375:   send(14, "12 401AE0203\0\b H T T P".., 434, 0) = 434
5375:   recv(14, " A B\002", 4, 0) = 4
5375:   recv(14, "0501", 2, 0) = 2
5375:   time() = 1145496342
5375:   write(99, " 2 4 . 2 0 5 . 9 1 . 1 2".., 77) = 77
5375:   shutdown(13, 1, 1) = 0

File handle 14 is the ajp13 (modjk) connector. I think the problem is apache or the connector.

I was hoping I could see all the args to the send() syscall.

I wrote a dtrace script trying to accomplish this, but it doesn't seem to work. I wanted to know, if this is possible?

My script is:

syscall::send:entry
/execname == "web.httpd"/
{
        self->send = arg1;
        trace(copyinstr(self->send));
}

syscall::send:return
/execname == "web.httpd"/
{
        trace(copyinstr(self->send));
        self->send = 0;
}

However, when I connect to the server, and run my tests. All I get back are:

  2    424   send:entry
         0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f  0123456789abcdef
     0: 12 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .4..............
    10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

  2    425   send:return
         0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f  0123456789abcdef
     0: 12 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .4..............
    10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

When I use this:

syscall::send:entry
/execname == "web.httpd"/
{
        self->send = arg1;
        printf("%s",(copyinstr(self->send)));
}

syscall::send:return
/execname == "web.httpd"/
{
        self->send = 0;
}

I get.....

CPU     ID   FUNCTION:NAME
  1    424   send:entry 4?
  1    424   send:entry 4?

This doesn't seem right. When I remove the predicates for web.httpd I see other network traffic just fine.

Any ideas... I wanted to see what send() was sending to the socket.

Thanks -
John

On Thu, 20 Apr 2006, John Dewey wrote:

> All,
>
> I am trying to track down what I may be doing wrong. I have an apache
> +mod_jk +tomcat setup. When the apache server obtains a Cookie:
> header with too many key=value pairs, the content-type is set to text/plain.
> 'v=1; y=F; u=d; a=b; j=k; b=c; c=d; e=f; g=h; h=i; i=j; etc..'

Which version of Apache are you using?

> Truss of apache reports:
>
> 5375:   close(136) = 0
> 5375:   time() = 1145496342
> 5375:   time() = 1145496342
> 5375:   send(14, "12 401AE0203\0\b H T T P".., 434, 0) = 434
> 5375:   recv(14, " A B\002", 4, 0) = 4
> 5375:   recv(14, "0501", 2, 0) = 2
> 5375:   time() = 1145496342
> 5375:   write(99, " 2 4 . 2 0 5 . 9 1 . 1 2".., 77) = 77
> 5375:   shutdown(13, 1, 1) = 0
>
> File handle 14 is the ajp13 (modjk) connector. I think the problem is
> apache or the connector.
> I was hoping I could see all the args to the send() syscall.
>
> I wrote a dtrace script trying to accomplish this, but it doesn't seem
> to work. I wanted to know, if this is possible?

If you add "-r all -w all -v all" to the truss options, you should see the decoded structure contents as well as the buffers passed to read and write.

> My script is:
>
> syscall::send:entry
> /execname == "web.httpd"/
> {
>         self->send = arg1;
>         trace(copyinstr(self->send));
> }
>
> syscall::send:return
> /execname == "web.httpd"/
> {
>         trace(copyinstr(self->send));
>         self->send = 0;
> }
>
> However, when I connect to the server, and run my tests. All I get back
> are:
>
>   2    424   send:entry
>          0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f  0123456789abcdef
>      0: 12 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .4..............
>     10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>
>   2    425   send:return
>          0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f  0123456789abcdef
>      0: 12 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .4..............
>     10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>
> When I use this:
>
> syscall::send:entry
> /execname == "web.httpd"/
> {
>         self->send = arg1;
>         printf("%s",(copyinstr(self->send)));
> }
>
> syscall::send:return
> /execname == "web.httpd"/
> {
>         self->send = 0;
> }
>
> I get.....
>
> CPU     ID   FUNCTION:NAME
>   1    424   send:entry 4?
>   1    424   send:entry 4?
>
> This doesn't seem right. When I remove the predicates for
> web.httpd I see other network traffic just fine.
>
> Any ideas... I wanted to see what send() was sending to the
> socket.
>
> Thanks -
> John
>
> _______________________________________________
> dtrace-discuss mailing list
> dtrace-discuss at opensolaris.org

Hi John,

The copyinstr() action will stop copying in data once it sees a \0 in the string. From the truss(1) output below, it looks like the string being sent to send(2) has a \0 embedded in it. If all sends are more or less of that form, you might be able to skip past the non-ASCII header and then copyinstr() the 'HTTP...' stuff.

Adam

On Thu, Apr 20, 2006 at 07:28:35PM -0700, John Dewey wrote:
> All,
>
> I am trying to track down what I may be doing wrong. I have an apache
> +mod_jk +tomcat setup. When the apache server obtains a Cookie:
> header with too many key=value pairs, the content-type is set to text/plain.
> 'v=1; y=F; u=d; a=b; j=k; b=c; c=d; e=f; g=h; h=i; i=j; etc..'
>
> Truss of apache reports:
>
> 5375:   close(136) = 0
> 5375:   time() = 1145496342
> 5375:   time() = 1145496342
> 5375:   send(14, "12 401AE0203\0\b H T T P".., 434, 0) = 434
> 5375:   recv(14, " A B\002", 4, 0) = 4
> 5375:   recv(14, "0501", 2, 0) = 2
> 5375:   time() = 1145496342
> 5375:   write(99, " 2 4 . 2 0 5 . 9 1 . 1 2".., 77) = 77
> 5375:   shutdown(13, 1, 1) = 0
>
> File handle 14 is the ajp13 (modjk) connector. I think the problem is
> apache or the connector.
>
> I was hoping I could see all the args to the send() syscall.
>
> I wrote a dtrace script trying to accomplish this, but it doesn't seem
> to work. I wanted to know, if this is possible?
>
> My script is:
>
> syscall::send:entry
> /execname == "web.httpd"/
> {
>         self->send = arg1;
>         trace(copyinstr(self->send));
> }
>
> syscall::send:return
> /execname == "web.httpd"/
> {
>         trace(copyinstr(self->send));
>         self->send = 0;
> }
>
> However, when I connect to the server, and run my tests. All I get back
> are:
>
>   2    424   send:entry
>          0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f  0123456789abcdef
>      0: 12 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .4..............
>     10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>
>   2    425   send:return
>          0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f  0123456789abcdef
>      0: 12 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .4..............
>     10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>
> When I use this:
>
> syscall::send:entry
> /execname == "web.httpd"/
> {
>         self->send = arg1;
>         printf("%s",(copyinstr(self->send)));
> }
>
> syscall::send:return
> /execname == "web.httpd"/
> {
>         self->send = 0;
> }
>
> I get.....
>
> CPU     ID   FUNCTION:NAME
>   1    424   send:entry 4?
>   1    424   send:entry 4?
>
> This doesn't seem right. When I remove the predicates for
> web.httpd I see other network traffic just fine.
>
> Any ideas... I wanted to see what send() was sending to the
> socket.
>
> Thanks -
> John
>
> _______________________________________________
> dtrace-discuss mailing list
> dtrace-discuss at opensolaris.org

--
Adam Leventhal, Solaris Kernel Development       http://blogs.sun.com/ahl
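
Adam's suggestion above, sketched as an added example that is not part of the original thread: copy the send(2) buffer by byte count with copyin() so the embedded \0 does not truncate it, and separately copyinstr() from just past the binary prefix. The 8-byte offset is an assumption taken from counting the bytes before "H T T P" in the truss line, and the 400-byte dump size is an arbitrary constant chosen to fit inside the 434-byte send shown there.

```dtrace
#!/usr/sbin/dtrace -s

#pragma D option quiet

/*
 * Added example, not from the thread.
 * Only fire for sends of at least 400 bytes so that copyin() below
 * never reads past the end of the buffer the caller handed to send(2).
 */
syscall::send:entry
/execname == "web.httpd" && arg2 >= 400/
{
	printf("\npid %d fd %d len %d\n", pid, arg0, arg2);

	/*
	 * Assumption: the first 8 bytes are the binary prefix seen in the
	 * truss output (12 34 ... \0 \b), so the first NUL-terminated
	 * string ("HTTP...") starts at offset 8. copyinstr() still stops
	 * at the next \0, so this prints only that one string.
	 */
	printf("first string: %s\n", copyinstr(arg1 + 8));

	/*
	 * copyin() copies a fixed number of bytes and ignores \0.
	 * tracemem() requires a constant size, hence the literal 400.
	 */
	tracemem(copyin(arg1, 400), 400);
}
```

The hex dump from tracemem() shows every length-prefixed field in the packet, including anything after the first \0 that copyinstr() alone never reaches.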