Question

I'm new to dtrace and trying to write a basic dtrace script. I found an example to catch the read(2) and write(2) syscalls on a separate terminal, as follows:

 syscall::read:entry,
 syscall::write:entry
 /pid==4217/
 {

 }

The specified pid number is the other terminal's pid. When I saw the example, it was supposed to show some read and write syscalls if I ran this script with dtrace. But I only observed read syscalls, not write syscalls.

So if I understand correctly, on the terminal I observe (pid 4217), if I type something on that terminal, the kernel will read its characters, so a read syscall is supposed to occur. If I type something like "ls" and hit enter, the kernel will read and execute it, and write some output to the terminal, thus a write syscall is supposed to be called. But I don't see any write syscall somehow. Why is that?


Solution 2

I agree with @PaulFox, this is probably a mistaken pid value. When the terminal is paused before you press enter, the terminal is in the middle of a read syscall. However, when it prints the terminal prompt (after you press enter and ls runs), it does that by making a write syscall. Note that the output from ls is NOT where the write syscall is coming from! That pid would be the process id of the running ls command.

To test that the write syscall actually is working, run this:

# dtrace -n 'syscall::write:entry {printf("hello")}'

Then try it with your terminal (replace 'bash' with whatever you're using) as the target:

# dtrace -n 'syscall::write:entry /pid==$target/ {printf("hello")}' -c 'bash'

And post back if one of those fails to show any writes while you type stuff into your terminal.

Also note there are several versions of the write syscall that your shell might be using (although I would be surprised if it used something other than the ordinary write):

# dtrace -ln 'syscall::*write*:entry'
   ID   PROVIDER            MODULE                          FUNCTION NAME
  147    syscall                                               write entry
  381    syscall                                              writev entry
  447    syscall                                              pwrite entry
  777    syscall                                           aio_write entry
  933    syscall                                      write_nocancel entry
  963    syscall                                     writev_nocancel entry
  969    syscall                                     pwrite_nocancel entry

OTHER TIPS

I would first validate that write() works for any other process, e.g. a simple test case. In your example, it's possible that (a) it's the wrong pid, or it's the child doing the writing, or (b) the write call is not used, but could be, e.g. writev() or some other call (try validating with strace maybe).
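Both answers make the same point: the shell process only writes its prompt, while the output of ls comes from a child process with a different pid, and the shell might in principle use writev rather than write. The D script below, an added example rather than code from either answer, shows this directly by tracing the target shell and its children together and printing which process made each call. It takes the shell's pid as a macro argument (`$1`); the probe set, the `ppid` filter and the aggregation are my own choices, not something the answers prescribe.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example: trace read/write/writev on a shell AND its children.
 * Usage:  sudo dtrace -s trace_shell_io.d <shell-pid>
 * The shell pid arrives as $1; ppid == $1 catches children such as ls.
 */
#pragma D option quiet

BEGIN
{
    printf("%-7s %-6s %-6s %-10s %s\n",
           "SYSCALL", "PID", "PPID", "EXECNAME", "FD");
}

syscall::read:entry,
syscall::write:entry,
syscall::writev:entry
/pid == $1 || ppid == $1/
{
    /* arg0 is the file descriptor for all three syscalls */
    printf("%-7s %-6d %-6d %-10s %d\n",
           probefunc, pid, ppid, execname, arg0);

    /* count calls per process name and syscall for the summary */
    @calls[execname, probefunc] = count();
}

END
{
    printf("\nsyscall counts by process and syscall:\n");
    printa("%-10s %-8s %@d\n", @calls);
}
```

With the shell's pid supplied, typing a command shows the shell's own read calls (one per keystroke while it waits on input), then a write from the shell for the prompt, and separate write or writev calls attributed to the child (execname ls) for the command's output. If the table lists writes only under the child, the original one-pid filter was simply looking at the wrong process; if the shell's prompt shows up under writev instead of write, that is point (b) above.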

Licensed under: CC-BY-SA with attribution