Wednesday, 11 September 2013

probevue to trace accesses to a file

Using probevue to trace who is accessing a file:

A lot of debugging can be done with truss, which shows the system calls a program makes.
While it can be a real time saver, it can only be run against a pid or a specific command.
What if you want to see who is making a particular system call?
The answer is probevue.
Probevue is a useful dynamic tracing command that can trace specific system calls and lets you write some code to extract specific information.
I have used it for some time now, and it has helped a lot for debugging purposes.
In this example, I want to know who is writing to a file, and even what is being written:

darkstar:root:/home/moi# touch /tmp/myfile

This is the content of my probevue file:



#!/usr/bin/probevue
# Parameter: file name in quotes: \"/tmp/tutu\"

int open(char *filename, int m, int p);
int kwrite(int fd, char *s, int size);
int write(int fd, char *s, int size);

@@BEGIN
{
        printf ("\n ==> Surveillance des ecritures sur %s <== \n",$1);
}

// kopen entry: flag the thread when it opens the watched file
@@syscall:*:kopen:entry
{
        __auto String filename[256];
        filename = get_userstring(__arg1, -1);
        if (filename == $1)
        {
                printf("\n (%s) ouverture de %s par %s (pid: %d) \n",get_function(),filename,__pname,__pid);
                thread:open = 1;
        }
}

// kopen exit: keep the file descriptor returned to the flagged thread
@@syscall:*:kopen:exit
when (thread:open == 1)
{
        thread:fd = __rv;
        //printf(" (%s) thread:fd = %d\n",get_function(),thread:fd);
}

// kwrite entry: report the next write by the flagged thread
// (the descriptor is not compared with thread:fd)
@@syscall:*:kwrite:entry
when (thread:open == 1)
{
        __auto String buffer[256];
        buffer = get_userstring(__arg2, 128);
        //printf("file descriptor : %ld \n",thread:fd);
        printf(" (%s) programme %s (%d) a ecrit ",get_function(),__pname, __pid);
        printf(" :  %s ",buffer);
        thread:write = 1;
        thread:open = 0;
}

// kwrite exit: print errno for the write that was just reported
@@syscall:*:kwrite:exit
when (thread:write ==  1 )
{
        printf(" (%s) rc = %d \n",get_function(),__errno);
        thread:write = 0;
}


Execute it:

darkstar:root:/home/moi# ./pvwrite3 \"/tmp/myfile\"

 ==> Surveillance des ecritures sur /tmp/myfile <==

Then access the file from another window:

darkstar:root:/home/moi# echo AAAAAAAAAAAAAAAAAASSSSSDDDDDSQDaaa > /tmp/myfile

The result in the first window should be:

darkstar:root:/home/moi# ./pvwrite3 \"/tmp/myfile\"

 ==> Surveillance des ecritures sur /tmp/myfile <==

 (kopen) ouverture de /tmp/myfile par ksh (pid: 53870698)

 (kwrite) programme ksh (53870698) a ecrit  :  AAAAAAAAAAAAAAAAAASSSSSDDDDDSQDaaa

  (kwrite) rc = 0
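
An added example, not part of the original post: a POSIX sh/awk function that turns the trace output shown above into one record per write and flags writers whose process name is not on an allowlist. The names pv_summarize and pv_demo, the allowlist arguments and the record layout are assumptions; file paths containing spaces are not handled.

```shell
# Added example (not from the original post): summarise the trace read on stdin.
# Arguments: process names allowed to write to the watched file (assumed policy).
pv_summarize() {
    awk -v allowed="$*" '
    function emit(rc) {
        printf "%s pid=%s prog=%s file=%s rc=%s data=%s\n",
            ((prog in ok) ? "expected" : "UNEXPECTED"), pid, prog,
            ((pid in file) ? file[pid] : "?"), rc, data
        pending = 0
    }
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # " (kopen) ouverture de FILE par PROG (pid: PID)"
    $2 == "ouverture" && $(NF-1) == "(pid:" {
        p = $NF; sub(/\)$/, "", p)
        file[p] = $4
        next
    }
    # " (kwrite) programme PROG (PID) a ecrit  :  DATA" (first line of DATA only)
    $2 == "programme" && $5 == "a" && $6 == "ecrit" {
        prog = $3; pid = $4; gsub(/[()]/, "", pid)
        data = substr($0, index($0, " a ecrit ") + 9)
        sub(/^ *: */, "", data)
        # Data written without a trailing newline has the rc text glued on.
        if (match(data, / +\([A-Za-z0-9_]+\) rc = -?[0-9]+ *$/)) {
            tail = substr(data, RSTART); data = substr(data, 1, RSTART - 1)
            k = split(tail, t, " ")
            emit(t[k])
        } else { sub(/ *$/, "", data); pending = 1 }
        next
    }
    # "  (kwrite) rc = ERRNO" closes the pending write record
    pending && $2 == "rc" && $3 == "=" { emit($4) }
    '
}

# Constructed sample input in the format printed by the script above.
pv_demo() {
    printf "%s\n" \
        " (kopen) ouverture de /tmp/myfile par ksh (pid: 53870698) " \
        " (kwrite) programme ksh (53870698) a ecrit  :  AAAA" \
        "  (kwrite) rc = 0 " | pv_summarize logger
}
pv_demo
```

On a live system the trace would be piped in directly, for example `./pvwrite3 \"/tmp/myfile\" | pv_summarize logger`.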

For this to work correctly, the system should be at AIX 6.1 TL7 minimum. The script can work on lower AIX TLs, but needs to be adapted.
I will post other useful scripts asap.