High,

I did some experiments with dtrace and stumbled across DTraceToolkit, where tcpsnoop and tcptop are my favourites. However on a Solaris 10 with the latest patches it does not work on some architectures. The most interesting part is that I get sensible output on Solaris 10 for Sparc running on a Fujitsu-Siemens PrimePower 850, but on a Sun Fire V440 I just get nonsense. Both systems share the same install server and patch sets and uname -a shows the same kernel version. On Solaris 10 for x86 (i386, not x86_64) I get nonsense, too:

For example if I telnet to the SSH daemon on Port 22:

  UID    PID LADDR        LPORT DR RADDR        RPORT  SIZE CMD
 1001  24557 0.0.255.255     92 -> 0.0.255.255  49320    54 telnet
 1001  24557 0.0.255.255     92 <- 0.0.255.255  49320    66 telnet
 1001  24557 0.0.255.255     92 -> 0.0.255.255  49320    54 telnet
    0    273 0.0.255.255     92 <- 0.0.255.255  49320    54 sshd
    0    273 0.0.255.255     92 -> 0.0.255.255  49320    54 sshd
    0    273 0.0.255.255     92 <- 0.0.255.255  49320    54 sshd
 1001    498 0.0.255.255     95 -> 0.0.255.255  49320   879 Xvnc

UID and PID are correct, the IP addresses used are 192.168.0.92 for telnet/ssh and 192.168.0.95 for Xvnc, and my subnet mask is 255.255.255.0.

Okay, the IPs are wrong, because the numbers in

(int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[12];

might have changed, but I wonder why the ports are wrong as well. I don't know which patch it was caused by, but an old lsof (compiled on Solaris 7) has the same problem - except on the PrimePower 850. Any ideas why the port numbers are wrong and where to get the correct ones?

And on x86 I had a second problem:

> dtrace -Cs tcpsnoop.d
error: cpp: /dev/fd/4 No such file or directory
dtrace: failed to compile script tcpsnoop.d: Preprocessor failed to process input program

Calling the preprocessor myself, I can see that __i386 is not defined. Is that something in my installation or is that a bug on 32-bit x86?

Gerhard
--
 * Origin: Fido over IP (2:240/2188.575)

Brendan Gregg - Sun Microsystems
2007-Jul-05 18:19 UTC
[dtrace-discuss] tcptop/tcpsnoop on Solaris 10
G'Day Gerhard,

On Thu, Jul 05, 2007 at 07:54:37PM +0200, Gerhard Strangar wrote:
> High,
>
> I did some experiments with dtrace and stumbled across DTraceToolkit,
> where tcpsnoop and tcptop are my favourites.

Glad you like them.

tcpsnoop/tcptop are the tip of the iceberg - there are dozens of fascinating and useful scripts I'd like to write in this field - but I've chosen not to until stable providers exist.

Those scripts rely on the fbt provider which (for unavoidable reasons) is an unstable interface. As the kernel changes (between minor releases and patches), fbt changes; and as fbt changes, tcpsnoop/tcptop break. It has happened several times in the past 3 years, and will keep happening.

I'm currently working on stable net providers which will allow tcptop/tcpsnoop (and LOADS more such scripts) to be written in a *much* more stable way.

I'm sorry that these have broken, again; I've taken one look at what it would take to fix them for this build, and I'll probably take another look soon. The future should be much brighter - once stable providers are integrated.

cheers,

Brendan

--
Brendan [CA, USA]