dtrace discuss - Aug 2008 - File creation and syscalls below specified directory

Hello,

I have the following directory structure:
A
	A1
		A11
		A12
		A13
	A2
		A21
		A22
			A221
			A222
		A23
B
...

Can I watch file creations and syscalls like open, close, ...
related to files existing _below_ e.g. A2 directory ?
   

Regards
przemol 

-- 
http://przemol.blogspot.com/





















---------------------------------------------------------------------- 
Mapa Polski w Twoim telefonie!
Sprawdz >> http://link.interia.pl/f1ee8

Hello przemolicc,

Thursday, August 21, 2008, 12:28:10 PM, you wrote:

ppf> Hello,

ppf> I have the following directory structure:
ppf> A
ppf>         A1
ppf>                 A11
ppf>                 A12
ppf>                 A13
ppf>         A2
ppf>                 A21
ppf>                 A22
ppf>                         A221
ppf>                         A222
ppf>                 A23
ppf> B
ppf> ...

ppf> Can I watch file creations and syscalls like open, close, ...
ppf> related to files existing _below_ e.g. A2 directory ?
ppf>    

When you have a path passed as a string to syscall (like with open())
then you can use as a predicate something like this:

syscall::open:entry
/stringof(copyin(arg0,7)) == "/mnt/A2"/


If it is a syscall where you got only fd then even by using self->fd
keep track of it from open to close or use something like:

/stringof(copyin(fds[arg0].fi_pathname,7)) == "/mnt/A2"


Unless some better string manipulation functions were integrated into
dtrace (and probably they were).


-- 
Best regards,
 Robert Milkowski                            mailto:milek at task.gda.pl
                                       http://milek.blogspot.com

On Thu, Aug 21, 2008 at 04:24:54PM +0100, Robert Milkowski
wrote:
> Hello przemolicc,
> 
> Thursday, August 21, 2008, 12:28:10 PM, you wrote:
> 
> ppf> Hello,
> 
> ppf> I have the following directory structure:
> ppf> A
> ppf>         A1
> ppf>                 A11
> ppf>                 A12
> ppf>                 A13
> ppf>         A2
> ppf>                 A21
> ppf>                 A22
> ppf>                         A221
> ppf>                         A222
> ppf>                 A23
> ppf> B
> ppf> ...
> 
> ppf> Can I watch file creations and syscalls like open, close, ...
> ppf> related to files existing _below_ e.g. A2 directory ?
> ppf>    
> 
> When you have a path passed as a string to syscall (like with open())
> then you can use as a predicate something like this:
> 
> syscall::open:entry
> /stringof(copyin(arg0,7)) == "/mnt/A2"/
> 
> 
> If it is a syscall where you got only fd then even by using self->fd
> keep track of it from open to close or use something like:
> 
> /stringof(copyin(fds[arg0].fi_pathname,7)) == "/mnt/A2"
fi_pathname is a kernel string;  no copyin necessary.  You probably want
to use substr() in any case:

/substr(fds[arg0].fi_pathname, 0, 7) == "/mnt/A2"/
> Unless some better string manipulation functions were integrated into
> dtrace (and probably they were).
They were, but I''m not sure how documented they are.  There are:

basename()
dirname()
index()
rindex()
strjoin()
strlen()
strstr()
substr()

I highly recommend browsing usr/src/lib/libdtrace/common/dt_open.c.

Cheers,
- jonathan

Hello Jonathan,

Thursday, August 21, 2008, 5:10:37 PM, you wrote:

JA> On Thu, Aug 21, 2008 at 04:24:54PM +0100, Robert Milkowski
wrote:
>> Hello przemolicc,
>> 
>> Thursday, August 21, 2008, 12:28:10 PM, you wrote:
>> 
>> ppf> Hello,
>> 
>> ppf> I have the following directory structure:
>> ppf> A
>> ppf>         A1
>> ppf>                 A11
>> ppf>                 A12
>> ppf>                 A13
>> ppf>         A2
>> ppf>                 A21
>> ppf>                 A22
>> ppf>                         A221
>> ppf>                         A222
>> ppf>                 A23
>> ppf> B
>> ppf> ...
>> 
>> ppf> Can I watch file creations and syscalls like open, close, ...
>> ppf> related to files existing _below_ e.g. A2 directory ?
>> ppf>    
>> 
>> When you have a path passed as a string to syscall (like with open())
>> then you can use as a predicate something like this:
>> 
>> syscall::open:entry
>> /stringof(copyin(arg0,7)) == "/mnt/A2"/
>> 
>> 
>> If it is a syscall where you got only fd then even by using self->fd
>> keep track of it from open to close or use something like:
>> 
>> /stringof(copyin(fds[arg0].fi_pathname,7)) == "/mnt/A2"
JA> fi_pathname is a kernel string;  no copyin necessary.  You probably want

Ahhh.. I was doing from memory without checking. Thanks for
correction.

JA> to use substr() in any case:

JA> /substr(fds[arg0].fi_pathname, 0, 7) == "/mnt/A2"/
>> Unless some better string manipulation functions were integrated into
>> dtrace (and probably they were).
JA> They were, but I''m not sure how documented they are.  There are:

JA> basename()
JA> dirname()
JA> index()
JA> rindex()
JA> strjoin()
JA> strlen()
JA> strstr()
JA> substr()

JA> I highly recommend browsing usr/src/lib/libdtrace/common/dt_open.c.

I knew it! :)
Thank you.

-- 
Best regards,
 Robert Milkowski                            mailto:milek at task.gda.pl
                                       http://milek.blogspot.com