-
Notifications
You must be signed in to change notification settings - Fork 0
/
sofdsnoop_example.txt
69 lines (55 loc) · 3.14 KB
/
sofdsnoop_example.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
Demonstrations of sofdsnoop, the Linux eBPF/bcc version.
sofdsnoop traces FDs passed through unix sockets
# ./sofdsnoop.py
ACTION TID COMM SOCKET FD NAME
SEND 2576 Web Content 24:socket:[39763] 51 /dev/shm/org.mozilla.ipc.2576.23874
RECV 2576 Web Content 49:socket:[809997] 51
SEND 2576 Web Content 24:socket:[39763] 58 N/A
RECV 2464 Gecko_IOThread 75:socket:[39753] 55
Every file descriptor that is passed via unix sockets os displayed
on separate line together with process info (TID/COMM columns),
ACTION details (SEND/RECV), file descriptor number (FD) and its
translation to file if available (NAME).
The file descriptor (fd) value is bound to a process. The SEND
lines display the fd value within the sending process. The RECV
lines display the fd value of the sending process. That's why
there's translation to name only on SEND lines, where we are
able to find it in task proc records.
This works by tracing sendmsg/recvmsg system calls to provide
the socket fds, and scm_send_entry/scm_detach_fds to provide
the file descriptor details.
A -T option can be used to include a timestamp column,
and a -n option to match on a command name. Regular
expressions are allowed. For example, matching commands
containing "server" with timestamps:
# ./sofdsnoop.py -T -n Web
TIME(s) ACTION TID COMM SOCKET FD NAME
0.000000000 SEND 2576 Web Content 24:socket:[39763] 51 /dev/shm/org.mozilla.ipc.2576.25404 (deleted)
0.000413000 RECV 2576 Web Content 49:/dev/shm/org.mozilla.ipc.2576.25404 (deleted) 51
0.000558000 SEND 2576 Web Content 24:socket:[39763] 58 N/A
0.000952000 SEND 2576 Web Content 24:socket:[39763] 58 socket:[817962]
A -p option can be used to trace only selected process:
# ./sofdsnoop.py -p 2576 -T
TIME(s) ACTION TID COMM SOCKET FD NAME
0.000000000 SEND 2576 Web Content 24:socket:[39763] 51 N/A
0.000138000 RECV 2576 Web Content 49:N/A 5
0.000191000 SEND 2576 Web Content 24:socket:[39763] 58 N/A
0.000424000 RECV 2576 Web Content 51:/dev/shm/org.mozilla.ipc.2576.25319 (deleted) 49
USAGE message:
usage: sofdsnoop.py [-h] [-T] [-p PID] [-t TID] [-n NAME] [-d DURATION]
Trace file descriptors passed via socket
optional arguments:
-h, --help show this help message and exit
-T, --timestamp include timestamp on output
-p PID, --pid PID trace this PID only
-t TID, --tid TID trace this TID only
-n NAME, --name NAME only print process names containing this name
-d DURATION, --duration DURATION
total duration of trace in seconds
examples:
./sofdsnoop # trace passed file descriptors
./sofdsnoop -T # include timestamps
./sofdsnoop -p 181 # only trace PID 181
./sofdsnoop -t 123 # only trace TID 123
./sofdsnoop -d 10 # trace for 10 seconds only
./sofdsnoop -n main # only print process names containing "main"