This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: monitoring files opened/closed by a process


Hi Bruno,

On Fri, 2009-06-26 at 20:20 -0700, Bruno G. Sousa wrote:
> now I need to monitor strings that are being written to files by certain
> process.
> [...]
> probe syscall.write.return
> {
>   if (pid() == target()) {
>     printf("%s(%d) wrote %s\n", execname(),pid(),"something")
>   }
> }

So the syscall.write probe (like all syscall probes) also makes
available the variable 'argstr'. This contains a string representation
of the syscall arguments (it also, like all other syscall probes, defines
the variable name, which is the name of the syscall). So to get most of
the information about such a syscall you can do something like:

probe syscall.write
{
  if (pid() == target())
    {
      printf("%s(%d) %s: %s\n", execname(), pid(), name, argstr)
    }
}

You want this at the syscall.write.return. return does make available
the retstr, which gives you a string representation of the return
value. Since you don't have the argstr (nor the buf_uaddr) that the
syscall call probe defines, you will have to construct something
yourself. Look in tapset/syscalls2.stp, where you can see syscall.write
makes available buf_uaddr (a pointer to a buffer in user space), that
is then used with (see string.stp) the user_string() function, which
fetches the string (up to MAXSTRINGLEN), and the text_str() function,
which escapes any non-printable characters. You can do the same in the
return probe. But you will have to use the source variable name $buf.
You can use the special return probe value $return to get the number of
bytes written:

probe syscall.write.return
{
  if (pid() == target())
    {
      # $return is the number of bytes written, or a negative errno on
      # failure; don't pass a negative length to user_string_n().
      if ($return <= 0) next
      printf("%s(%d) wrote %s\n", execname(), pid(),
             text_str(user_string_n($buf, $return)));
    }
}

(Sidenote, the $buf variable is actually read at the syscall entry call,
and then cached for use in the return probe. This doesn't matter in this
case, but might surprise you if the variable used is changed in the
function you probe. At least it surprised me.)

Hope that helps,

Mark
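The script below is an added example, not part of Mark's reply or of the SystemTap tapset, showing how the pieces discussed above combine for the original question (which files a process opens, closes and writes to). It assumes the probe aliases and variables defined in tapset/syscalls.stp and tapset/syscalls2.stp (syscall.open and syscall.openat with `filename`, syscall.close with `fd`, `retstr` in the return probes) and, as Mark describes, the entry-cached target variables `$fd`, `$buf` and `$return` in syscall.write.return. It keeps a per-process map from file descriptor to path so each write can be labelled with the file it landed in, and it skips the user-buffer read when the write failed.

```systemtap
# Added example (not from the original mail): tie each write to the file it
# goes to, for the process given with 'stap -x PID'.
#
# Assumptions: syscall.open / syscall.openat expose 'filename'; their
# .return probes expose 'retstr'; syscall.close exposes 'fd'; and the
# sys_write target variables $fd, $buf and $return are readable in
# syscall.write.return (entry values cached, as described above).

global opening      # tid -> filename, saved at open entry for the return probe
global fdname       # [pid, fd] -> filename of every descriptor we saw opened

probe syscall.open, syscall.openat
{
  if (pid() != target()) next
  # The return probe has no 'filename' variable, so remember it per thread.
  opening[tid()] = filename
}

probe syscall.open.return, syscall.openat.return
{
  if (pid() != target()) next
  path = opening[tid()]
  delete opening[tid()]
  if ($return < 0) {
    printf("%s(%d) open %s failed: %s\n", execname(), pid(), path, retstr)
    next
  }
  fdname[pid(), $return] = path
  printf("%s(%d) opened fd %d -> %s\n", execname(), pid(), $return, path)
}

probe syscall.close
{
  if (pid() != target()) next
  if ([pid(), fd] in fdname) {
    printf("%s(%d) closed fd %d (%s)\n", execname(), pid(), fd,
           fdname[pid(), fd])
    delete fdname[pid(), fd]
  }
}

probe syscall.write.return
{
  if (pid() != target()) next
  # $return is the byte count actually written, or -errno on failure;
  # only read the user buffer when something was really written.
  if ($return <= 0) next
  path = ([pid(), $fd] in fdname) ? fdname[pid(), $fd]
                                  : sprintf("fd %d", $fd)
  printf("%s(%d) wrote %d bytes to %s: %s\n", execname(), pid(), $return,
         path, text_str(user_string_n($buf, $return)))
}

probe end
{
  delete opening
  delete fdname
}
```

Run it as `stap -x PID thisscript.stp`. Descriptors that were already open when the script started, or that arrive via dup(), pipe(), socket() or inheritance across fork(), are not in the map and are reported as "fd N"; user_string_n() still truncates at MAXSTRINGLEN, so a large write shows only its first part.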

