3 Example DTrace Usage

The following examples illustrate current functionality in DTrace. These examples assume that /usr/sbin is in the $PATH.

Example 3-1 List probes

sudo dtrace -l

The output looks similar to:

DTrace 2.0.0 [Pre-Release with limited functionality]
ID   PROVIDER    MODULE                     FUNCTION NAME
1     dtrace                                        BEGIN
2     dtrace                                        END
3     dtrace                                        ERROR
4        fbt   vmlinux     trace_initcall_finish_cb entry
5        fbt   vmlinux     trace_initcall_finish_cb return
...  

On this particular system, there were:

  • 3 dtrace probes

  • 87890 fbt probes (based on kprobes)

  • 1262 sdt probes (based on Linux tracepoints)

  • 666 syscall probes

Example 3-2 Using the -S option

This example uses the -S option to print the compiled D code as an eBPF program listing. The -e option makes dtrace exit after compilation, before any probes are enabled.

sudo dtrace -Sen 'write:entry { trace(1) }'

The output looks similar to:

Disassembly of clause ::write:entry, <dt_clause_0>:
INS  OFF    OPCODE                  INSTRUCTION
0000 00000: 7b a 1 fff8 00000000    stdw [%fp-8], %r1
0001 00008: bf 0 a 0000 00000000    mov  %r0, %fp
0002 00016: 07 0 0 0000 ffffffa0    add  %r0, -96
0003 00024: 7b a 0 fff0 00000000    stdw [%fp-16], %r0
0004 00032: 79 0 a fff8 00000000    lddw %r0, [%fp-8]
0005 00040: 79 9 0 0018 00000000    lddw %r9, [%r0+24]
0006 00048: 79 0 0 0010 00000000    lddw %r0, [%r0+16]
0007 00056: 7a 0 0 0028 00000000    stdw [%r0+40], 0
0008 00064: 7a 0 0 0030 00000000    stdw [%r0+48], 0
0009 00072: 7a 0 0 0018 00000000    stdw [%r0+24], 0
0010 00080: 62 0 0 0000 ffffffff    stw  [%r0+0], -1              ! = EPID
0011 00088: 62 0 0 0008 ffffffff    stw  [%r0+8], -1              ! = CLID
0012 00096: 62 9 0 0000 ffffffff    stw  [%r9+0], -1              ! = EPID
0013 00104: 62 9 0 0004 00000000    stw  [%r9+4], 0
[...]
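
The OPCODE column can be read field by field. The following Python code is an added example, not part of DTrace or of the original documentation: it assumes the five hex groups are the standard eBPF instruction fields (opcode, destination register, source register, 16-bit offset, 32-bit immediate) and rebuilds the INSTRUCTION column for the opcode groups that appear in the listing. The function names are illustrative.

```python
# Added example: decode the OPCODE column printed by `dtrace -S`.
# Columns are opcode, dst reg, src reg, 16-bit offset, 32-bit immediate
# (the standard eBPF instruction fields). Only the opcode groups seen in
# the listing are rendered; size suffixes h and b are assumed by analogy.
LDX, ST, STX, ALU64 = 0x01, 0x02, 0x03, 0x07          # opcode & 0x07
SIZE = {0x00: "w", 0x08: "h", 0x10: "b", 0x18: "dw"}  # opcode & 0x18
ALU = {0x00: "add", 0xb0: "mov"}                      # opcode & 0xf0
MODE_MEM = 0x60                                       # opcode & 0xe0

# Rows copied from the disassembly shown in Example 3-2.
SAMPLE = """\
0000 00000: 7b a 1 fff8 00000000    stdw [%fp-8], %r1
0001 00008: bf 0 a 0000 00000000    mov  %r0, %fp
0002 00016: 07 0 0 0000 ffffffa0    add  %r0, -96
0005 00040: 79 9 0 0018 00000000    lddw %r9, [%r0+24]
0010 00080: 62 0 0 0000 ffffffff    stw  [%r0+0], -1              ! = EPID
""".splitlines()

def signed(value, bits):
    """Sign-extend a two's-complement field of the given width."""
    return value - (1 << bits) if value >> (bits - 1) else value

def reg(n):
    return "%fp" if n == 10 else f"%r{n}"

def parse(row):
    """Return (opcode, dst, src, off, imm) from one disassembly row."""
    op, dst, src, off, imm = (int(t, 16) for t in row.split()[2:7])
    return op, dst, src, signed(off, 16), signed(imm, 32)

def render(row):
    """Rebuild the INSTRUCTION column from the raw fields alone."""
    op, dst, src, off, imm = parse(row)
    cls = op & 0x07
    if cls == ALU64 and (op & 0xf0) in ALU:
        operand = reg(src) if op & 0x08 else str(imm)
        return f"{ALU[op & 0xf0]:<4} {reg(dst)}, {operand}"
    if op & 0xe0 != MODE_MEM or cls not in (LDX, ST, STX):
        return f"unknown opcode {op:#04x}"
    width = SIZE[op & 0x18]
    if cls == LDX:
        return f"{'ld' + width:<4} {reg(dst)}, [{reg(src)}{off:+d}]"
    value = reg(src) if cls == STX else str(imm)
    return f"{'st' + width:<4} [{reg(dst)}{off:+d}], {value}"

if __name__ == "__main__":
    for row in SAMPLE:
        print(f"{row.split()[2]:>2} -> {render(row)}")
```
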

Example 3-3 DTrace script

sudo dtrace -n '
syscall::write:*
{       
    this->x = 3;                /* clause-local variables */
    this->y = 8;
    trace(this->x * this->y);
    trace(&`max_pfn);
}' 

In the example script:

  • All write() system call probes are enabled simultaneously using a wildcard.

  • The address of a kernel identifier (max_pfn) is recorded along with other data items.

  • Several probes are associated with a single action.

  • Clause-local variables are used.

  • The trace() action is used to report output.