Listing ioctl calls from userspace to kernelspace

Question

Might be my question sounds more naive.

But I wanted to know if it is possible to list the ioctl calls made from user space to kernel space in Linux.

Answer 1

Use LTTng. This is a modern Linux kernel tracer (works in user land too) that installs in seconds (available as packages) if you're using Ubuntu, Fedora, Arch Linux, Debian or openSUSE. Otherwise, it's still easy getting the tarballs and following the install procedures.

Tracing

You create a trace like this:

$ sudo lttng create mySession
Session mySession created.
Traces will be written in /home/user/lttng-traces/mySession-20120619-103600
$ sudo lttng enable-event -k -a --syscall
All kernel system calls are enabled in channel channel0
$ sudo lttng start
Tracing started for session mySession

Then do your normal stuff. All system calls, including ioctl, are recorded/captured by LTTng with interesting parameters. A trace is being written to the /home/user/lttng-traces/mySession-20120619-103600 directory. When you're finished recording, do:

$ sudo lttng stop
Tracing stopped for session mySession
$ sudo lttng destroy
Session mySession destroyed at /home/ephipro

Although destroy doesn't sound good here, it does not actually destroy the trace files; it simply flushes everything and frees any link to the files.

sudo is needed everywhere since you are tracing kernel events. You don't want any user to see all the system calls and their parameters for obvious security reasons.

Viewing the trace

Two main viewers are available now. Babeltrace will give you a text output of all captured events. You should be able to get it using apt-get (babeltrace), otherwise just get the latest tarball. Then just use grep to extract the ioctl calls from the huge dump Babeltrace outputs:

$ sudo babeltrace /home/user/lttng-traces/mySession-20120619-103600 | grep ioctl
[10:36:41.795425690] (+0.000001403) sys_ioctl: { 1 }, { fd = 18, cmd = 62981, arg = 0 }
[10:36:41.795435996] (+0.000000610) sys_ioctl: { 1 }, { fd = 18, cmd = 2148070920, arg = 139928632507464 }
[10:36:41.795573431] (+0.000008840) sys_ioctl: { 1 }, { fd = 18, cmd = 62982, arg = 4096 }
[10:36:41.795591089] (+0.000000854) sys_ioctl: { 1 }, { fd = 18, cmd = 62981, arg = 38520960 }
[10:36:41.795595956] (+0.000000434) sys_ioctl: { 1 }, { fd = 18, cmd = 2148070920, arg = 139928632507464 }
[10:36:41.796125261] (+0.000006110) sys_ioctl: { 1 }, { fd = 18, cmd = 62982, arg = 0 }
[10:36:41.796185722] (+0.000000947) sys_ioctl: { 1 }, { fd = 18, cmd = 62981, arg = 38530304 }
[10:36:41.796192688] (+0.000000628) sys_ioctl: { 1 }, { fd = 18, cmd = 2148070920, arg = 139928632507464 }
[10:36:41.797155511] (+0.000003280) sys_ioctl: { 0 }, { fd = 18, cmd = 62982, arg = 0 }
[10:36:41.797202362] (+0.000001995) sys_ioctl: { 0 }, { fd = 18, cmd = 62981, arg = 38529760 }
...

What you see here is at which time the event occured, the event name and all its parameters and values.

Eclipse also features a complete LTTng viewer within the Linux Tools plugins project. The easy steps are:

1. Go to eclipse.org's download page
2. Into Developer Builds (until Eclipse Juno is released in a few days), get Eclipse IDE for C/C++ Developers
3. Extract it and start it

Starting from Eclipse Juno, Linux Tools is embedded into Eclipse IDE for C/C++ Developers.

You may then create a new Tracing project and import the trace. If you open the Tracing perspective, you will have access to useful views to visualize the events. Here's an example of the Histogram and Events views:

Here I used the Events view to keep only ioctl calls and you can clearly see that the content and time stamps match the Babeltrace output.