3611 0 eth0 0 1 0 0 Xorg
PID UID DEV XMIT_PK RECV_PK XMIT_KB RECV_KB COMMAND
0 0 eth0 3 42 0 2 swapper
11178 0 eth0 43 1 3 0 synergyc
11362 0 eth0 0 7 0 0 firefox
3897 0 eth0 0 1 0 0 multiload-apple
[...]
4.1.2. Tracing Functions Called in Network Socket Code
This section describes how to trace functions called from the kernel's net/socket.c file. This task
helps you identify, in finer detail, how each process interacts with the network at the kernel level.
socket-trace.stp
Red Hat Enterprise Linux 5 SystemTap Beginners Guide
#! /usr/bin/env stap
probe kernel.function("*@net/socket.c").call {
printf ("%s -> %s\n", thread_indent(1), probefunc())
}
probe kernel.function("*@net/socket.c").return {
printf ("%s <- %s\n", thread_indent(-1), probefunc())
}
socket-trace.stp is identical to Example 3.6, thread_indent.stp, which was earlier used in SystemTap
Functions to illustrate how thread_indent() works.
Example 4.2. socket-trace.stp Sample Output
[...]
0 Xorg(3611): -> sock_poll
3 Xorg(3611): <- sock_poll
0 Xorg(3611): -> sock_poll
3 Xorg(3611): <- sock_poll
0 gnome-terminal(11106): -> sock_poll
5 gnome-terminal(11106): <- sock_poll
0 scim-bridge(3883): -> sock_poll
3 scim-bridge(3883): <- sock_poll
0 scim-bridge(3883): -> sys_socketcall
4 scim-bridge(3883):  -> sys_recv
8 scim-bridge(3883):   -> sys_recvfrom
12 scim-bridge(3883):    -> sock_from_file
16 scim-bridge(3883):    <- sock_from_file
20 scim-bridge(3883):    -> sock_recvmsg
24 scim-bridge(3883):    <- sock_recvmsg
28 scim-bridge(3883):   <- sys_recvfrom
31 scim-bridge(3883):  <- sys_recv
35 scim-bridge(3883): <- sys_socketcall
[...]
Example 4.2, socket-trace.stp Sample Output contains a 3-second excerpt of the output for
socket-trace.stp. For more information about the output of this script as provided by thread_indent(),
refer to SystemTap Functions Example 3.6, thread_indent.stp.
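The output of socket-trace.stp is more useful once it is turned back into call stacks: the first column is the number of microseconds since the thread's first thread_indent() call, so pairing each "<-" return with its "->" call gives the time spent in every function on the path. The following Python script is an added example, not part of the guide or of SystemTap; it parses a constructed sample modelled on Example 4.2 (the final sshd line is invented to show a return whose call was never seen, as happens when the probe is attached mid-call) and reports per-call durations.

```python
import re
from collections import defaultdict

# One line of thread_indent() output as printed by socket-trace.stp:
#   "<usecs since thread's first indent> <execname>(<pid>):<indent> -> <func>"
#   "<usecs since thread's first indent> <execname>(<pid>):<indent> <- <func>"
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+)\s+(?P<comm>\S+)\((?P<pid>\d+)\):\s*(?P<dir>->|<-)\s*(?P<func>\S+)\s*$"
)

# Constructed sample modelled on Example 4.2; not captured from a live system.
SAMPLE_OUTPUT = """\
0 Xorg(3611): -> sock_poll
3 Xorg(3611): <- sock_poll
0 scim-bridge(3883): -> sys_socketcall
4 scim-bridge(3883):  -> sys_recv
8 scim-bridge(3883):   -> sys_recvfrom
12 scim-bridge(3883):    -> sock_from_file
16 scim-bridge(3883):    <- sock_from_file
20 scim-bridge(3883):    -> sock_recvmsg
24 scim-bridge(3883):    <- sock_recvmsg
28 scim-bridge(3883):   <- sys_recvfrom
31 scim-bridge(3883):  <- sys_recv
35 scim-bridge(3883): <- sys_socketcall
7 sshd(3165): <- sock_recvmsg
"""


def parse_line(line):
    """Return (usecs, execname, pid, direction, func) or None for a non-trace line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (int(m["ts"]), m["comm"], int(m["pid"]), m["dir"], m["func"])


def call_durations(text):
    """Pair each return with the matching call on the same pid's stack.

    Returns (durations, unmatched): durations is a list of
    (pid, execname, depth, func, usecs) for every matched pair; unmatched lists
    returns whose call was never seen (the probe was attached mid-call)."""
    stacks = defaultdict(list)   # pid -> [(func, usecs_at_call), ...]
    durations, unmatched = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                     # "[...]" and other noise
        ts, comm, pid, direction, func = rec
        if direction == "->":
            stacks[pid].append((func, ts))
            continue
        stack = stacks[pid]
        if stack and stack[-1][0] == func:
            _, t0 = stack.pop()
            # Both timestamps count from the thread's first indent, so the
            # difference is the time spent inside func (including callees).
            durations.append((pid, comm, len(stack), func, ts - t0))
        else:
            unmatched.append((pid, comm, func))
    return durations, unmatched


def slowest(durations, n=3):
    """The n longest calls, slowest first."""
    return sorted(durations, key=lambda d: d[4], reverse=True)[:n]


if __name__ == "__main__":
    durs, orphans = call_durations(SAMPLE_OUTPUT)
    for pid, comm, depth, func, us in durs:
        print(f"{comm}({pid}) {'  ' * depth}{func}: {us} us")
    print("unmatched returns:", orphans)
```

Feed it live data with `stap socket-trace.stp | python3 thisscript.py` after replacing SAMPLE_OUTPUT with sys.stdin; the per-pid stacks mean interleaved output from several processes is untangled correctly, and the depth column lets you see that the 35 us in sys_socketcall is dominated by the 20 us spent in sys_recvfrom.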
4.1.3. Monitoring Incoming TCP Connections
This section illustrates how to monitor incoming TCP connections. This task is useful in identifying any
unauthorized, suspicious, or otherwise unwanted network access requests in real time.
tcp_connections.stp
Chapter 4. Useful SystemTap Scripts
#! /usr/bin/env stap
probe begin {
printf("%6s %16s %6s %6s %16s\n",
"UID", "CMD", "PID", "PORT", "IP_SOURCE")
}
probe kernel.function("tcp_accept").return?,
kernel.function("inet_csk_accept").return? {
sock = $return
if (sock != 0)
printf("%6d %16s %6d %6d %16s\n", uid(), execname(), pid(),
inet_get_local_port(sock), inet_get_ip_source(sock))
}
While tcp_connections.stp is running, it prints the following about every incoming TCP connection
the system accepts, in real time:
UID - the UID of the process that accepted the connection
CMD - the command accepting the connection
PID - the process ID of that command
PORT - the local port on which the connection was accepted
IP_SOURCE - the IP address from which the TCP connection originated
Because the probes fire when the kernel's accept path returns, only connections that were actually
accepted are reported: a connection attempt that is refused, or dropped by a firewall before it
reaches accept(), does not appear here, so this script complements rather than replaces firewall logs.
Example 4.3. tcp_connections.stp Sample Output
UID CMD PID PORT IP_SOURCE
0 sshd 3165 22 10.64.0.227
0 sshd 3165 22 10.64.0.227
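To use the output for the stated purpose, spotting unauthorized or suspicious connections, the lines have to be checked against some policy. The script below is an added example, not part of the guide or of SystemTap. It parses output in the format of Example 4.3, and, under a hypothetical policy (ssh only from the 10.64.0.0/16 management network, HTTPS from anywhere, no other listeners expected), flags accepted connections that break the policy and sources that are accepted repeatedly on the same port. The feed is constructed for the example, with documentation-range addresses standing in for outside hosts.

```python
import ipaddress
import re
from collections import Counter

# One data line of tcp_connections.stp output:
#   "   UID              CMD    PID   PORT        IP_SOURCE"
#   "     0             sshd   3165     22      10.64.0.227"
LINE_RE = re.compile(
    r"^\s*(?P<uid>\d+)\s+(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<port>\d+)\s+(?P<src>[\d.]+)\s*$"
)

# Hypothetical policy for this example: which source networks may reach which port.
ALLOWED = {
    22: [ipaddress.ip_network("10.64.0.0/16")],     # ssh only from the management LAN
    443: [ipaddress.ip_network("0.0.0.0/0")],       # public web service
}
# Hypothetical threshold: more accepts than this from one source to one port is worth a look.
REPEAT_THRESHOLD = 3

# Constructed sample feed modelled on Example 4.3; not captured from a live system.
SAMPLE_FEED = """\
   UID              CMD    PID   PORT        IP_SOURCE
     0             sshd   3165     22      10.64.0.227
     0             sshd   3165     22      10.64.0.227
     0             sshd   3165     22      203.0.113.9
     0             sshd   3165     22      203.0.113.9
     0             sshd   3165     22      203.0.113.9
     0             sshd   3165     22      203.0.113.9
    48            httpd   2201    443      198.51.100.7
     0          telnetd   4410     23      10.64.0.12
"""


def parse_feed(text):
    """Turn tcp_connections.stp output into a list of dicts, skipping the header."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rows.append({
            "uid": int(m["uid"]), "cmd": m["cmd"], "pid": int(m["pid"]),
            "port": int(m["port"]), "src": ipaddress.ip_address(m["src"]),
        })
    return rows


def source_allowed(port, src):
    """True if the policy permits src to connect to the local port."""
    if isinstance(src, str):
        src = ipaddress.ip_address(src)
    nets = ALLOWED.get(port)
    if nets is None:
        return False            # a port the policy never mentions: unexpected listener
    return any(src in net for net in nets)


def analyze(text):
    """Return (alerts, repeats).

    alerts: rows whose port/source pair the policy does not allow.
    repeats: {(src, port): count} for pairs accepted more than REPEAT_THRESHOLD times."""
    rows = parse_feed(text)
    alerts = [r for r in rows if not source_allowed(r["port"], r["src"])]
    counts = Counter((str(r["src"]), r["port"]) for r in rows)
    repeats = {k: v for k, v in counts.items() if v > REPEAT_THRESHOLD}
    return alerts, repeats


if __name__ == "__main__":
    alerts, repeats = analyze(SAMPLE_FEED)
    for r in alerts:
        print(f"ALERT uid={r['uid']} {r['cmd']}[{r['pid']}] port {r['port']} from {r['src']}")
    for (src, port), n in repeats.items():
        print(f"REPEAT {n} accepts from {src} to port {port}")
```

On the sample feed the four ssh accepts from 203.0.113.9 and the telnetd accept on port 23 are alerted, and 203.0.113.9 is also reported as a repeat offender. Note what the script can and cannot say: each line is a completed TCP handshake that a process accepted, so a repeat count against sshd is a list of login attempts that reached the daemon, not of successful logins; correlate with the daemon's own log for that.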
4.2. Disk
The following sections showcase scripts that monitor disk and I/O activity.
4.2.1. Summarizing Disk Read/Write Traffic
This section describes how to identify which processes are performing the heaviest disk reads/writes to
the system.
disktop.stp
#!/usr/bin/env stap
#
# Copyright (C) 2007 Oracle Corp.
#
# Get the status of reading/writing disk every 5 seconds,
# output top ten entries
#
# This is free software,GNU General Public License (GPL);
# either version 2, or (at your option) any later version.
#
# Usage:
# ./disktop.stp
#
global io_stat,device
global read_bytes,write_bytes
probe vfs.read.return {
if ($return>0) {
if (devname!="N/A") {/*skip read from cache*/
io_stat[pid(),execname(),uid(),ppid(),"R"] += $return
device[pid(),execname(),uid(),ppid(),"R"] = devname
read_bytes += $return
}
}
}
probe vfs.write.return {
if ($return>0) {
if (devname!="N/A") { /*skip update cache*/
io_stat[pid(),execname(),uid(),ppid(),"W"] += $return
device[pid(),execname(),uid(),ppid(),"W"] = devname
write_bytes += $return
}
}
}
probe timer.ms(5000) {
/* skip non-read/write disk */
if (read_bytes+write_bytes) {
printf("\n%-25s, %-8s%4dKb/sec, %-7s%6dKb, %-7s%6dKb\n\n",
ctime(gettimeofday_s()),
"Average:", ((read_bytes+write_bytes)/1024)/5,
"Read:",read_bytes/1024,
"Write:",write_bytes/1024)
/* print header */
printf("%8s %8s %8s %25s %8s %4s %12s\n",
"UID","PID","PPID","CMD","DEVICE","T","BYTES")
}
/* print top ten I/O */
foreach ([process,cmd,userid,parent,action] in io_stat- limit 10)
printf("%8d %8d %8d %25s %8s %4s %12d\n",
userid,process,parent,cmd,
device[process,cmd,userid,parent,action],
action,io_stat[process,cmd,userid,parent,action])
/* clear data */
delete io_stat
delete device
read_bytes = 0
write_bytes = 0
}
probe end{
delete io_stat
delete device
delete read_bytes
delete write_bytes
}
disktop.stp outputs the top ten processes responsible for the heaviest reads/writes to disk.
Example 4.4, disktop.stp Sample Output displays a sample output for this script, and includes the
following data per listed process:
UID - user ID. A user ID of 0 refers to the root user.
PID - the ID of the listed process.
PPID - the process ID of the listed process's parent process.
CMD - the name of the listed process.
DEVICE - the storage device the listed process is reading from or writing to.
T - the type of action performed by the listed process; W refers to write, while R refers to read.
BYTES - the amount of data read from or written to disk during the 5-second interval.
The time and date in the output of disktop.stp come from the functions gettimeofday_s() and
ctime(). gettimeofday_s() returns the current time as the number of seconds since the Unix epoch
(January 1, 1970); ctime() converts that count into the human-readable calendar string printed at the
top of each report. The "Kb" figures in the report are kilobytes (bytes divided by 1024), not kilobits.
In this script, $return is a target variable holding the number of bytes that the read or write
returned through the virtual file system. $return is only available in return probes (for example,
vfs.read.return and vfs.write.return). The script checks $return > 0 so that failed calls, which
return a negative error code, and zero-length transfers are not counted as disk traffic.
Example 4.4. disktop.stp Sample Output
[...]
Mon Sep 29 03:38:28 2008 , Average: 19Kb/sec, Read: 7Kb, Write: 89Kb
UID PID PPID CMD DEVICE T BYTES
0 26319 26294 firefox sda5 W 90229
0 2758 2757 pam_timestamp_c sda5 R 8064
0 2885 1 cupsd sda5 W 1678
Mon Sep 29 03:38:38 2008 , Average: 1Kb/sec, Read: 7Kb, Write: 1Kb
UID PID PPID CMD DEVICE T BYTES
0 2758 2757 pam_timestamp_c sda5 R 8064
0 2885 1 cupsd sda5 W 1678
4.2.2. Tracking I/O Time For Each File Read or Write
This section describes how to monitor the amount of time it takes for each process to read from or write
to any file. This is useful if you wish to determine what files are slow to load on a given system.
iotime.stp
#! /usr/bin/env stap
global start
global entry_io
global fd_io
global time_io
function timestamp:long() {
return gettimeofday_us() - start
}
function proc:string() {
return sprintf("%d (%s)", pid(), execname())
}
probe begin {
start = gettimeofday_us()
}
global filenames
global filehandles
global fileread
global filewrite
probe syscall.open {
filenames[pid()] = user_string($filename)
}
probe syscall.open.return {
if ($return != -1) {
filehandles[pid(), $return] = filenames[pid()]
}
}
/* the remainder of iotime.stp is not included in this excerpt of the guide */