http://files.cnblogs.com/daizhj/DTrace.pdf
//////////////////
syscall
dtrace -ln 'syscall::write*:' # list the available probes
dtrace -ln 'syscall::*read*:entry' # list the available probes
dtrace -n 'syscall::write:entry {@dist[execname] = quantize(arg0)}' # then press Ctrl+C
dtrace -n 'syscall::socket:entry {@dist[execname] = quantize(arg0)}' # then press Ctrl+C
dtrace -n 'syscall:::entry { @sc[execname, probefunc] = count(); }' #dtrace -n 'syscall:::entry'
dtrace -n 'syscall::open:entry { printf("%s %s", execname, copyinstr(arg0)); }'
dtrace -n 'syscall::fork*: { trace(pid); }'
dtrace -n 'syscall::exec*: { trace(execname); }'
Showing Read Byte Distributions by Process
dtrace -n 'syscall::read:return { @[execname] = quantize(arg0); }'
Print per-process counts once per second
dtrace -n 'profile-997 { @[execname] = count(); } tick-1s { printa(@); trunc(@); }'
Most function calls will return from the same thread that they enter, so a thread-local variable can be used to associate these events. Here a time stamp is saved on the write(2) entry so that the time can be calculated on return:
dtrace -n 'syscall::write:entry { self->s = timestamp; } syscall::write:return /self->s/ { @["ns"] = quantize(timestamp - self->s); self->s = 0; }'
syscall Provider
dtrace -n 'syscall:::entry { @[probefunc] = count(); }'
Which processes are executing the most system calls?
dtrace -n 'syscall:::entry { @[pid, execname] = count(); }'
What system calls are a given process name executing (for example, firefox-bin)?
dtrace -n 'syscall:::entry /execname == "firefox"/ { @[probefunc] = count(); }'
dtrace -qn 'syscall::read:entry,syscall::write:entry /fds[arg0].fi_fs == "sockfs"/ { @[probefunc] = sum(arg2); } tick-1sec { printa(@); trunc(@); }' # no output so far
dtrace -n 'syscall::read:entry,syscall::write:entry /execname == "firefox" && fds[arg0].fi_fs == "sockfs"/ { @[execname,pid] = count(); }' # no output so far
/////////////////////////
malloc() calls made by a specified process
dtrace -n 'pid$target::malloc:entry { @[ustack()] = quantize(arg0); }' -p 513
//////////////////////
Disk I/O
dtrace -n 'io:::start { @[execname, pid] = count(); }'
bash-3.2# dtrace -qn 'syscall:::entry /execname == "firefox"/
{ @[pid, probefunc] = count(); } END { trunc(@, 10); printa(@); }'
dtrace -n 'syscall::pread*:entry,syscall::pwrite*:entry /execname == "java"/
{ @[fds[arg0].fi_fs] = count(); }'
dtrace -n 'syscall::pread*:entry,syscall::pwrite*:entry /execname == "java"/
{ @[fds[arg0].fi_pathname] = count(); }'
/////////////////////////
Memory
Tracking memory page faults by process name:
dtrace -n 'vminfo:::as_fault { @mem[execname] = sum(arg0); }'
Tracking pages paged in by process name:
dtrace -n 'vminfo:::pgpgin { @pg[execname] = sum(arg0); }'
Tracking pages paged out by process name:
dtrace -n 'vminfo:::pgpgout { @pg[execname] = sum(arg0); }'
sched Provider
dtrace -n 'sched:::on-cpu { @[pid, execname] = count(); }'
Tracking process user stack sizes:
dtrace -n 'sched:::on-cpu { @[execname] = max(curthread->t_procp->p_stksize);}'
Tracking which processes are growing their address space heap segment:
dtrace -n 'fbt::brk:entry { @mem[execname] = count(); }'
fbt Provider
Tracking which processes are growing their address space stack segment:
dtrace -n 'fbt::grow:entry { @mem[execname] = count(); }'
///////////////////////////////////////////////////////
I/O
Which processes are executing common I/O system calls?
dtrace -n 'syscall::*read:entry,syscall::*write:entry { @rw[execname,probefunc] = count(); }'
Which file system types are targeted for reads and writes?
dtrace -n 'syscall::*read:entry,syscall::*write:entry { @fs[execname, probefunc,fds[arg0].fi_fs] = count(); }'
Which files are being read, and by which processes?
dtrace -n 'syscall::*read:entry { @f[execname, fds[arg0].fi_pathname] = count(); }'
Which files are being written, and by which processes?
dtrace -n 'syscall::*write:entry { @f[execname, fds[arg0].fi_pathname] = count(); }'
Which processes are generating network I/O (Solaris)?
dtrace -n 'fbt:sockfs::entry { @[execname, probefunc] = count(); }' # not usable for now
What is the rate of disk I/O being issued?
dtrace -n 'io:::start { @io = count(); } tick-1sec { printa("Disk I/Os per second: %@d \n", @io); trunc(@io); }'
Check socket calls
dtrace -n 'syscall::socket:entry { @[execname] = quantize(arg0); }'
dtrace -n 'syscall::write:entry /execname=="VineSample"/ { @[execname] = quantize(arg0); }'
//////////////////////////////////////////////////////
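lquantize explained: https://blogs.oracle.com/swan/entry/dtrace%E7%AE%80%E4%BB%8B_3
With lquantize (a linear frequency distribution of the values of the specified expression), we can see how the expression under investigation is distributed. For example, suppose we want to know the linear distribution of the file descriptors used by the write system call.
dtrace -n 'syscall::write:entry{@fds[execname]=lquantize(arg0,0,100,1)}' # arguments: scalar expression, lower bound, upper bound, step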
dtrace: description 'syscall::write:entry' matched 1 probe
^C
dtrace
value ------------- Distribution ------------- count
0 | 0
1 |@@@@@@@@@@@@@@@@@@@@ 1
2 | 0
sshd
value ------------- Distribution ------------- count
3 | 0
4 |@@@@@@@@@@@@@@@@@@@@ 1
5 | 0
6 | 0
7 | 0
8 |@@@@@@@@@@@@@@@@@@@@ 1
9 | 0
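In the example above, we can see that during that interval the sshd process operated on file descriptor 4 once and on file descriptor 8 once. This has no practical significance, but it helps us understand what lquantize does.
If the values of the expression being aggregated are very large, lquantize may print too much information; in that case use quantize (a power-of-two frequency distribution of the values of the specified expression) to aggregate instead.
Below is a D script that measures the distribution of system call execution times per program: time.d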
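#!/usr/sbin/dtrace -s
/* Save the entry time of every system call in a thread-local variable. */
syscall:::entry
{
        self->ts = timestamp;
}
/* On return, aggregate the elapsed nanoseconds by program name. */
syscall:::return
/self->ts/
{
        @time[execname] = quantize(timestamp - self->ts);
        self->ts = 0;   /* release the thread-local variable */
}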
Run it for a while, then press Ctrl+C to interrupt. To save space, only part of the output is listed below.
# ./time.d
dtrace: script './time.d' matched 462 probes
^C
sendmail
value ------------- Distribution ------------- count
1024 | 0
2048 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 7
4096 |@@@@ 1
8192 |@@@@ 1
16384 | 0
sshd
value ------------- Distribution ------------- count
1024 | 0
2048 |@@@@@@@@@@@@@@@@@@@ 7
4096 |@@@@@ 2
8192 |@@@@@ 2
16384 |@@@@@ 2
32768 | 0
65536 |@@@@@ 2
131072 | 0
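Taking the sendmail program as an example:
System call execution time (from entry to return) fell in the range of at least 2048 ns and less than 4096 ns 7 times, in the range of at least 4096 ns and less than 8192 ns once, and in the range of at least 8192 ns and less than 16384 ns once.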
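As an added example (not part of the original notes or of DTrace itself), this Python sketch models how quantize() and lquantize() assign values to buckets, which is what the histogram readings above depend on. The sample values are constructed to match the sendmail and sshd rows shown above, and only non-negative values are modelled.

```python
from collections import Counter, defaultdict

def quantize_bucket(value):
    """Lower bound of the power-of-two bucket that quantize() uses for value."""
    if value < 0:
        raise ValueError("this sketch only models non-negative values")
    # Largest power of two <= value; zero has its own bucket.
    return 0 if value == 0 else 1 << (value.bit_length() - 1)

def lquantize_bucket(value, lower, upper, step):
    """Bucket label for lquantize(value, lower, upper, step)."""
    if value < lower:
        return f"< {lower}"      # underflow row
    if value >= upper:
        return f">= {upper}"     # overflow row
    return lower + ((value - lower) // step) * step

def aggregate(samples, bucket_fn):
    """Group (execname, value) pairs like @agg[execname] = bucket_fn(value)."""
    agg = defaultdict(Counter)
    for execname, value in samples:
        agg[execname][bucket_fn(value)] += 1
    return agg

# Constructed syscall latencies in ns, chosen to reproduce the sendmail rows.
LATENCIES = [("sendmail", ns) for ns in
             (2048, 2500, 3000, 3100, 3500, 4000, 4095, 4096, 9000)]
# Constructed write() file descriptors, matching the dtrace and sshd rows.
WRITE_FDS = [("dtrace", 1), ("sshd", 4), ("sshd", 8)]

def sendmail_latency_histogram():
    return dict(aggregate(LATENCIES, quantize_bucket)["sendmail"])

def write_fd_histogram(execname):
    agg = aggregate(WRITE_FDS, lambda fd: lquantize_bucket(fd, 0, 100, 1))
    return dict(agg[execname])

if __name__ == "__main__":
    for bucket, count in sorted(sendmail_latency_histogram().items()):
        print(f"{bucket:>8} |{'@' * count:<10} {count}")
```

A latency of 4095 ns still counts in the 2048 row while 4096 ns starts the next one, so each row label is the inclusive lower bound of its range.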