Try sudo bash
to launch a root shell, and then running dtrace directly without the sudo.
Here's an example to ponder:
root@macbook:~> sudo dtrace -n 'syscall::read:entry /execname != "dtrace"/ { @reads[execname, fds[arg0].fi_pathname] = count(); }'
dtrace: description 'syscall::read:entry ' matched 1 probe
^C
root@macbook:~> dtrace -n 'syscall::read:entry /execname != "dtrace"/ { @reads[execname, fds[arg0].fi_pathname] = count(); }'
dtrace: description 'syscall::read:entry ' matched 1 probe
^C
bash ??/<unknown (NULL v_name)>/ttys022 1
fseventsd <unknown (not a vnode)> 1
mds <unknown (not a vnode)> 1
Terminal <unknown (not a vnode)> 2
firefox <unknown (not a vnode)> 2
activitymonitor <unknown (not a vnode)> 3
Terminal ??/<unknown (NULL v_name)>/ptmx 5
Activity Monito <unknown (not a vnode)> 8
Google Chrome H <unknown (not a vnode)> 13
Google Chrome <unknown (not a vnode)> 15
Google Chrome ??/<unknown (NULL v_name)>/urandom 72
Bizzarely, the use of sudo
while already root causes the DTrace probes to not fire. I'm guessing sudo interferes with the DTrace privileges. This is new to me (obviously, I've only ever run dtrace
from a root shell on Mac OS X to start with). I'm sure someone else can explain this better.