Gurus,

Have Sun T2000 with Solaris10 U7 and hundreds of user processes. Someone is making queries (about two a second from snooping...)

Globally I am trying to find gethostbyname

$ dtrace -n syscall:::gethostbyname'{@[execname] = count()}'
dtrace: invalid probe specifier syscall:::gethostbyname{@[execname] = count()}: probe description syscall:::gethostbyname does not match any probes

$ dtrace -n syscall::gethostbyname:entry'{@[execname] = count()}'
dtrace: invalid probe specifier syscall::gethostbyname:entry{@[execname] = count()}: probe description syscall::gethostbyname:entry does not match any probes

Thanks,
DTrace Newbie
--
This message posted from opensolaris.org

Mike Chanslor wrote:
> Gurus,
>
> Have Sun T2000 with Solaris10 U7 and hundreds of user processes. Someone is making queries (about two a second from snooping...)
>
> Globally I am trying to find gethostbyname
>
> $ dtrace -n syscall:::gethostbyname'{@[execname] = count()}'
> dtrace: invalid probe specifier syscall:::gethostbyname{@[execname] = count()}: probe description syscall:::gethostbyname does not match any probes
>
> $ dtrace -n syscall::gethostbyname:entry'{@[execname] = count()}'
> dtrace: invalid probe specifier syscall::gethostbyname:entry{@[execname] = count()}: probe description syscall::gethostbyname:entry does not match any probes

gethostbyname is a library call, not a system call; you can trace library calls with the pid provider, but sadly that only works on a per-process basis, so you can't just replace "syscall" with "pid..." above and be done.

I can't help much more, but maybe focussing on the network tools can gain you some more knowledge here.

HTH
Michael
--
Michael Schuster http://blogs.sun.com/recursion
Recursion, n.: see 'Recursion'

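The per-process pid-provider tracing described in the reply above, written out as a D script. This is an added example, not code posted by anyone in the thread; the file name hostlookups.d and the aggregation names are assumptions, and the target PID is whichever process you suspect.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * hostlookups.d (hypothetical name): added example, not from the thread.
 * Attaches to ONE process and reports which host names it resolves,
 * from which user-level call sites, and how long each lookup takes.
 *
 * Run as:  dtrace -Z -s hostlookups.d -p <PID>
 * -Z lets the script load even when the target has not linked one of
 * the functions named below.
 */
#pragma D option quiet

/* The host name is the first argument of each of these library calls. */
pid$target::gethostbyname:entry,
pid$target::gethostbyname_r:entry,
pid$target::getipnodebyname:entry,
pid$target::getaddrinfo:entry
/arg0 != 0/
{
	self->start = timestamp;
	@names[probefunc, copyinstr(arg0)] = count();
	@callers[probefunc, ustack(4)] = count();
}

pid$target::gethostbyname:return,
pid$target::gethostbyname_r:return,
pid$target::getipnodebyname:return,
pid$target::getaddrinfo:return
/self->start/
{
	/* Lookup latency in microseconds, one distribution per function. */
	@latency[probefunc] = quantize((timestamp - self->start) / 1000);
	self->start = 0;
}

/* Print and reset the counters every ten seconds. */
tick-10s
{
	printf("\n%-18s %-40s %8s\n", "FUNCTION", "NAME", "COUNT");
	printa("%-18s %-40s %@8d\n", @names);
	printa(@callers);
	printa(@latency);
	trunc(@names);
	trunc(@callers);
	trunc(@latency);
}
```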
Mike,

gethostbyname(3NSL) is not a syscall, it's a library function.

Two DNS lookups per second is really nothing.

Phil

Mike Chanslor wrote:
> Gurus,
>
> Have Sun T2000 with Solaris10 U7 and hundreds of user processes. Someone is making queries (about two a second from snooping...)
>
> Globally I am trying to find gethostbyname
>
> $ dtrace -n syscall:::gethostbyname'{@[execname] = count()}'
> dtrace: invalid probe specifier syscall:::gethostbyname{@[execname] = count()}: probe description syscall:::gethostbyname does not match any probes
>
> $ dtrace -n syscall::gethostbyname:entry'{@[execname] = count()}'
> dtrace: invalid probe specifier syscall::gethostbyname:entry{@[execname] = count()}: probe description syscall::gethostbyname:entry does not match any probes
>
>
> Thanks,
> DTrace Newbie
>

I'm assuming you are using some version of Solaris >= s10u4. If so, you can use the nscd.d dtrace script located here:

http://hub.opensolaris.org/bin/view/Project+sparks/dtrace

and it should help track down what is happening. nscd.d will monitor nscd, which is normally where all getXbyYs actually get processed and nscd.d can help track the requests being made.

Normally nscd (svc:/system/name-service-cache:default) should not be disabled. If it is, that may be the root of your problem. If so, you should re-enable it. nscd should be caching all dns lookups by default, so in general you should have a high cache hit rate, and the dns server should not be overloaded from requests generated by a single machine.

Also double check your nscd.conf script to make sure nscd's hosts cache has not been turned off.

Doug.

Michael Schuster wrote:
> Mike Chanslor wrote:
>> Gurus,
>>
>> Have Sun T2000 with Solaris10 U7 and hundreds of user processes. Someone
>> is making queries (about two a second from snooping...)
>>
>> Globally I am trying to find gethostbyname
>>
>> $ dtrace -n syscall:::gethostbyname'{@[execname] = count()}'
>> dtrace: invalid probe specifier syscall:::gethostbyname{@[execname] =
>> count()}: probe description syscall:::gethostbyname does not match any
>> probes
>>
>> $ dtrace -n syscall::gethostbyname:entry'{@[execname] = count()}'
>> dtrace: invalid probe specifier
>> syscall::gethostbyname:entry{@[execname] = count()}: probe description
>> syscall::gethostbyname:entry does not match any probes
>
>
> gethostbyname is a library call, not a system call; you can trace
> library calls with the pid provider, but sadly that only works on a
> per-process basis, so you can't just replace "syscall" with "pid..."
> above and be done.
>
> I can't help much more, but maybe focussing on the network tools can
> gain you some more knowledge here.
>
> HTH
> Michael

Two queries/second/process should not kill a DNS server. A mail server with spam control can conservatively make dozens of calls per second.

I get more hits from Comcast's new bot sniffer/port scanner than that. It looks like their DNS servers have dual duty... resolve dns requests and search for infected PCs.

That said, if you forward a lot of lookups to an outside DNS server, you might be nice and insert a dns cache (for example DJB's dnscache). Since spam bots tend to send LOTS of spam concurrently, it makes it that you only forward the request for the first one and your local cache returns results for the duplicate queries.

Gary