#!/usr/sbin/dtrace -s
/*
* Test only the open() and close() system calls' use of the
* fi_pathname member of the fds[] array.
*
* Usage: openclose.d (either sudo or as root)
*/
#pragma D option quiet
#pragma D option switchrate=100hz
#pragma D option dynvarsize=16m
#pragma D option bufsize=16m
#pragma D option strsize=1024
syscall::open:return
/pid != $pid/
{
printf("{\"event\": \"%s:%s:%s:\", \"time\": %d, \"pid\": %d, \"ppid\": %d, \"tid\": %d, \"uid\": %d, \"exec\": \"%s\", \"dir\": \"%s\",\"path\": \"%s\", \"fd\": %d }\n",
probeprov, probemod, probefunc, walltimestamp, pid, ppid, tid, uid, execname, fds[arg1].fi_dirname, fds[arg1].fi_pathname, arg1);
}
syscall::close:entry
/pid != $pid/
{
printf("{\"event\": \"%s:%s:%s:\", \"time\": %d, \"pid\": %d, \"ppid\": %d, \"tid\": %d, \"uid\": %d, \"exec\": \"%s\", \"dir\": \"%s\",\"path\": \"%s\", \"fd\": %d }\n",
probeprov, probemod, probefunc, walltimestamp, pid, ppid, tid, uid, execname, fds[arg0].fi_dirname, fds[arg0].fi_pathname, arg0);
}