
10.5: Exploring OS X with dtrace UNIX
One of the new 10.5 tools for developers is a program called dtrace -- you'll need the Developer Tools installed to use this tool. From man dtrace, you can learn...
The dtrace command is a generic front-end to the DTrace facility. The command implements a simple interface to invoke the D language compiler, the ability to retrieve buffered trace data from the DTrace kernel facility, and a set of basic routines to format and print traced data.

Users new to DTrace are encouraged to read: How To Use DTrace. Sun Microsystems, 2005.
Wow, doesn't that sound thrilling!? You're right, it doesn't. But it turns out that dtrace can be useful for things that even mere mortals may be interested in. And the folks at MacTech have put together a (fairly geeky) dtrace how-to that provides some concrete examples of how you might put it to use. Read on for one example from their article, showing you how to watch file system activity in real time.

Ever wondered what programs are accessing which files on your system? You can see that info in real time with dtrace. Launch it with this command, so it's waiting for input in Terminal:
sudo dtrace -s /dev/stdin
Then paste in this code, press Return once to get a blank line, and then press Control-D:
syscall::open*:entry
{
   printf("%s %s", execname, copyinstr(arg0));
}
You'll then see something like dtrace: script '/dev/stdin' matched 3 probes, which refers to three different "open" constructs. What happens next is that you see file accesses start flowing by in real time, complete with info on which app is making the requests (press Control-C to stop it). Here's a portion of my output (without the CPU and ID columns):
open:entry mdworker /Users/robg
open:entry mdworker /Users/.DS_Store
open:entry mds .
open:entry Finder /.vol/234881026/190925/.DS_Store
open:entry WindowServer /var/log/windowserver.log
A couple of entries related to Spotlight (md...), the Finder, and the window server. Info like this could be useful if you were troubleshooting a drive-related problem.

The MacTech article contains a number of other examples (though many are over my head). dtrace seems to be yet another tool for the troubleshooting arsenal.

10.5: Exploring OS X with dtrace
Authored by: erm on Oct 31, '07 01:50:37PM
Well, yeah, we're all about geeky.

We typically don't put our print articles on-line this quickly, but I'm thrilled that we were able to do so for such a milestone release of OS X. dtrace is just one of the many new things under the hood in Leopard. This article is just a sample of what we do every month.

For those of you that miss ktrace, pop open Terminal and check out dtruss, a ktrace-like replacement built on dtrace.
--
Ed Marczak, Executive Editor, MacTech Magazine
http://www.mactech.com

---
erm

[ Reply to This | # ]

10.5: Exploring OS X with dtrace
Authored by: nKhona on Oct 31, '07 01:54:18PM
lsof - LiSt Open Files is another great way to do this same thing.

http://en.wikipedia.org/wiki/Lsof

[ Reply to This | # ]
10.5: Exploring OS X with dtrace
Authored by: kaih on Oct 31, '07 02:02:05PM

No, they're subtly different.

lsof will take a "snapshot" and give you a one-time view of all file handles (and this includes things like TCP ports) that are open at the instant the program was run.

Using dtrace, you will see file system activity in realtime - it's more similar to:

sudo fs_usage | grep -i open


---
k:.



[ Reply to This | # ]
10.5: Exploring OS X with dtrace
Authored by: ebrandwine on Oct 31, '07 02:03:08PM

Sorta. Not really. lsof is wonderful, but it prints a static dump of what's happening on the system right now. The dtrace example given above will print every file as it's opened. You can leave it running in a terminal, and spy on your system.

A much more complex example, one that's basically impossible with other tracing tools, is e.g. to print out details of all filesystem changes that happen within 100ms of a network connection being established. I've used this in production to figure out where a commercial product was stuffing connection data on disk.

(My day job is administering Solaris systems, FWIW)

ericb



[ Reply to This | # ]
10.5: Exploring OS X with dtrace
Authored by: antifuchs on Oct 31, '07 04:59:55PM

dtrace is really cool. Apple even put a few utility dtrace scripts into /usr/bin.

For those of us who are missing ktrace (I am), there's dtruss. There's dapptrace which traces user and library functions an application calls (but doesn't work for me), and dappprof for profiling user and library code. Also, there's diskhits, which outputs the times and locations a file was actually read and written on the disk (doesn't count cache misses).

I think that's pretty awesome - replacing 4-ish utilities with one that's sufficiently extensible. (-:

These utilities (dtruss, dapptrace, dappprof, diskhits) come with man pages; check them out with "man utility-name" on the terminal.



[ Reply to This | # ]
One more thing...
Authored by: antifuchs on Oct 31, '07 05:05:51PM

...several, actually. There are a /lot/ more utilities packaged, I listed only the ones that I discovered in the last few days. To discover more, it helps to know that these utilities have man pages and these have "DTrace" in their summary line:

the command "man -k dtrace" on the Terminal will display these man pages together with their summary.



[ Reply to This | # ]
10.5: Exploring OS X with dtrace
Authored by: barretpj on Nov 01, '07 05:34:52AM
No need for hard work doing manual script creation - there's a host of "DTrace OneLiners" already included in Leopard (probably need XCode Tools installed).
man -k dtrace
will list them. To list file opens, for example:
sudo filebyproc.d
or
sudo opensnoop


[ Reply to This | # ]
10.5: Exploring OS X with dtrace
Authored by: marook on Nov 01, '07 07:25:11AM

Nice geek hint, but why not mention that Apple is also shipping a GUI tool to work with all of this?

The app is called 'Instruments':

/Developer/Applications/Instruments

Now, THAT is a cool toy!

---
/Marook



[ Reply to This | # ]
10.5: Exploring OS X with dtrace
Authored by: bldantes on Jan 21, '08 08:43:21AM

Well, one used to be able to run ktrace/kdump to analyze one's own processes. But all of these dtrace tools appear to require superuser privileges -- which is incredibly annoying and even prohibitive in some situations. For the dtruss script in particular, does anyone know of a way to run this as a normal user?

The man pages mention something about setting the dtrace_kernel, dtrace_user or dtrace_proc privileges. But I can find no mention of how to set such beasts. Sun's pages (the origin of dtrace) mention the ppriv and usermod commands -- but those don't appear to be around.

What happened to deprecating a command over one major release before removing it? Thanks a lot, Apple.



[ Reply to This | # ]
10.5: Exploring OS X with dtrace
Authored by: mackyle on Apr 12, '08 11:38:48AM
For the dtruss script in particular, does anyone know of a way to run this as a normal user?
sudo chmod u+s /usr/sbin/dtrace

will allow dtruss to work as an ordinary user. It also makes dtrace suid root which means any user on the system can run dtrace with full privileges.

[ Reply to This | # ]

10.5: Exploring OS X with dtrace
Authored by: mzs on Jan 27, '09 04:26:49PM

HOLY MOTHER OF PWN BATMAN!

$ file /usr/bin/dtruss
/usr/bin/dtruss: Bourne shell script text executable

Don't EVER make a shell script suid root.



[ Reply to This | # ]
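
An added example, not written by any poster in this thread: a small shell audit for the two conditions the last comments discuss, a setuid bit on the dtrace binary and a setuid bit on a shell script such as dtruss. The function names are this example's own, and the default directories are the ones named on this page.

```shell
#!/bin/sh
# Added example (not from the thread): list files with the setuid bit and flag
# the two cases discussed above. Function names are this example's own.

# classify_setuid FILE -> prints "script", "dtrace" or "binary"
classify_setuid() {
    # A file starting with "#!" is handed to an interpreter, i.e. it is a script.
    magic=$(head -c 2 "$1" 2>/dev/null | tr -d '\0')
    if [ "$magic" = "#!" ]; then
        echo script
    elif [ "$(basename "$1")" = "dtrace" ]; then
        echo dtrace
    else
        echo binary
    fi
}

# audit_setuid [DIR...] -> one "KIND<TAB>OWNER<TAB>PATH" line per setuid file.
# With no arguments it checks the two directories named on this page.
audit_setuid() {
    [ $# -gt 0 ] || set -- /usr/bin /usr/sbin
    find "$@" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        printf '%s\t%s\t%s\n' "$(classify_setuid "$f")" "$owner" "$f"
    done
}

# Usage: audit_setuid
#   Lines tagged "script" or "dtrace" whose owner is root are the cases this
#   thread warns about.
# Undo the change from the thread with: sudo chmod u-s /usr/sbin/dtrace
```
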