Understanding output of dtruss

Could anyone point me to a reference on how to understand/interpret the report outputted by dtruss (mac) or dtrace?

I just tried dtruss on a simple program. For example, I got the following output:

PID/THRD  SYSCALL(args)          = return
250/0x103c:  getattrlist("/Volumes/CORE/CORE.app\0", 0x7FFF5E8045D8, 0x7FFF5E804250)         = 0 0
250/0x103c:  geteuid(0x7FFF5E8045E0, 0x0, 0x7FFF5E804A18)        = 501 0
250/0x103c:  geteuid(0x7FFF5E805DF0, 0x0, 0x7FFF5E805E80)        = 501 0
250/0x103c:  geteuid(0x7FFF5E805540, 0x0, 0x7FFF5E805770)        = 501 0
250/0x103c:  getattrlist("/.vol/16777224/21\0", 0x7FFF5E8046D0, 0x7FFF5E803CF0)      = 0 0
250/0x103c:  geteuid(0x7FFF5E805950, 0x0, 0x7FFF5E8059C8)        = 501 0
250/0x103c:  __mac_syscall(0x7FFF8D22057C, 0x50, 0x7FFF5E805990)         = 0 0
250/0x103c:  geteuid(0x7FFF5E805950, 0x0, 0x7FFF5E8059C8)        = 501 0
250/0x103c:  __mac_syscall(0x7FFF8D22057C, 0x51, 0x7FFF5E8059A8)         = -1 Err#30
250/0x103c:  geteuid(0x7FFF5E8057D0, 0x0, 0x7FFF5E805848)        = 501 0
250/0x103c:  getattrlist("/.vol/16777224/21\0", 0x7FFF5E804960, 0x7FFF5E803F80)      = 0 0
250/0x103c:  open("/.vol/16777224/21\0", 0x0, 0x1FF)         = 6 0
250/0x103c:  geteuid(0x7FFF5E805790, 0x0, 0x7FFF5E805920)        = 501 0

I can see all these system calls taking hex parameters. But how am I supposed to decode these? How can I find out what file it's actually trying to open, for example?

Gary asked Oct 31 '12 13:10


2 Answers

Your example output does show the pathname for the open() syscall ("/.vol/16777224/21").

dtruss is a shell/DTrace script, similar to the truss tool from Solaris (strace on Linux). These tools are coded to understand how to display arguments in a human readable manner. I coded some of these in the dtruss tool, but it could be improved to understand more. You can make a copy of dtruss and customize it to add some, since it's a shell/DTrace script.

For syscalls which show hexadecimal numbers, you can start by reading the man page to see what the arguments are. For example, geteuid() has no arguments, so dtruss's default behavior of printing 3 as hexadecimal is confusing. It should print none, and show the return value. For example, this can be done by changing the following section:

 /* print 0 arg output */
 syscall::*fork:return
 /self->start/
 {

to:

 /* print 0 arg output */
 syscall::*fork:return,
 syscall::geteuid:return
 /self->start/
 {
Brendan Gregg answered Oct 19 '22 08:10
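The advice in the answer above (read the man page, then teach the tool to print the argument in symbolic form) can also be applied after the fact to output you have already captured. The script below is an added example for this page, not part of dtruss or of either answer: it parses dtruss lines like the ones in the question, maps the number after `Err#` to its errno name, decodes the flags and mode arguments of open(2), and drops the meaningless hex arguments dtruss prints for geteuid(). The errno and flag tables are hand-copied subsets of the values in macOS `<sys/errno.h>` and `<sys/fcntl.h>` (an assumption to check against the headers of your own SDK), and the embedded sample input is the trace from the question.

```python
"""Decode saved dtruss output offline, turning raw hex arguments into readable values."""
import re
import sys

# Subset of Darwin errno numbers (assumption: copied by hand from macOS <sys/errno.h>).
ERRNO_NAMES = {
    1: "EPERM", 2: "ENOENT", 4: "EINTR", 5: "EIO", 9: "EBADF", 13: "EACCES",
    17: "EEXIST", 20: "ENOTDIR", 21: "EISDIR", 22: "EINVAL", 24: "EMFILE",
    28: "ENOSPC", 30: "EROFS", 35: "EAGAIN", 45: "ENOTSUP", 62: "ELOOP",
}

# open(2) access modes and flag bits (assumption: values from macOS <sys/fcntl.h>).
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OPEN_FLAG_BITS = [  # ascending, so decoded names come out in a stable order
    (0x4, "O_NONBLOCK"), (0x8, "O_APPEND"), (0x10, "O_SHLOCK"), (0x20, "O_EXLOCK"),
    (0x40, "O_ASYNC"), (0x80, "O_SYNC"), (0x100, "O_NOFOLLOW"), (0x200, "O_CREAT"),
    (0x400, "O_TRUNC"), (0x800, "O_EXCL"), (0x8000, "O_EVTONLY"), (0x20000, "O_NOCTTY"),
    (0x100000, "O_DIRECTORY"), (0x200000, "O_SYMLINK"), (0x1000000, "O_CLOEXEC"),
]

# One dtruss line: PID/THRD:  name(args)  = return errno   (errno is "0" or "Err#N")
LINE_RE = re.compile(
    r"^(?P<pid>\d+)/(?P<tid>0x[0-9a-fA-F]+):\s+(?P<name>\w+)\((?P<args>.*)\)\s+=\s+"
    r"(?P<ret>-?\d+)\s+(?P<err>Err#\d+|\d+)\s*$"
)
# Argument list items: a quoted string (may contain commas) or a bare number.
ARG_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[^,]+')


def parse_args(raw):
    """Turn the text between the parentheses into str (for "...") or int values."""
    values = []
    for tok in ARG_RE.findall(raw):
        tok = tok.strip()
        if tok.startswith('"'):
            s = tok[1:-1]
            if s.endswith("\\0"):        # dtruss prints the NUL terminator as \0
                s = s[:-2]
            values.append(s)
        else:
            values.append(int(tok, 0))   # handles 0x... as well as plain decimal
    return values


def parse_line(line):
    """Return a record for one syscall line, or None for headers/blank/unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    err = m.group("err")
    return {
        "pid": int(m.group("pid")),
        "tid": int(m.group("tid"), 16),
        "name": m.group("name"),
        "args": parse_args(m.group("args")),
        "ret": int(m.group("ret")),
        "errno": int(err[4:]) if err.startswith("Err#") else int(err),
    }


def decode_open_flags(flags):
    """Render an open(2) flags word as O_* names joined by |, keeping unknown bits as hex."""
    names = [ACCESS_MODES.get(flags & 0x3, hex(flags & 0x3))]
    leftover = flags & ~0x3
    for bit, name in OPEN_FLAG_BITS:
        if flags & bit:
            names.append(name)
            leftover &= ~bit
    if leftover:
        names.append(hex(leftover))      # bits the table above does not know
    return "|".join(names)


def errno_name(num):
    return ERRNO_NAMES.get(num, f"errno {num}")


def describe(rec):
    """One human-readable line per record, applying per-syscall knowledge where we have it."""
    name, args = rec["name"], rec["args"]
    if name == "open" and len(args) >= 3:
        call = f'open("{args[0]}", {decode_open_flags(args[1])}, 0o{args[2]:o})'
    elif name == "geteuid":
        call = "geteuid()"               # takes no arguments; the printed hex values are noise
    else:
        call = f"{name}({', '.join(repr(a) if isinstance(a, str) else hex(a) for a in args)})"
    result = f"{rec['ret']} {errno_name(rec['errno'])}" if rec["errno"] else str(rec["ret"])
    return f"{rec['pid']}/{rec['tid']:#x}: {call} = {result}"


def decode_output(text):
    return [describe(rec) for rec in map(parse_line, text.splitlines()) if rec]


# Sample input: the trace from the question, including its header line.
SAMPLE = r"""PID/THRD  SYSCALL(args)          = return
250/0x103c:  getattrlist("/Volumes/CORE/CORE.app\0", 0x7FFF5E8045D8, 0x7FFF5E804250)         = 0 0
250/0x103c:  geteuid(0x7FFF5E8045E0, 0x0, 0x7FFF5E804A18)        = 501 0
250/0x103c:  getattrlist("/.vol/16777224/21\0", 0x7FFF5E8046D0, 0x7FFF5E803CF0)      = 0 0
250/0x103c:  __mac_syscall(0x7FFF8D22057C, 0x50, 0x7FFF5E805990)         = 0 0
250/0x103c:  __mac_syscall(0x7FFF8D22057C, 0x51, 0x7FFF5E8059A8)         = -1 Err#30
250/0x103c:  open("/.vol/16777224/21\0", 0x0, 0x1FF)         = 6 0
"""

if __name__ == "__main__":
    # Usage: python3 decode_dtruss.py saved_dtruss_output.txt   (no argument: the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(decode_output(text)))
```

On the question's trace this turns `open("/.vol/16777224/21\0", 0x0, 0x1FF) = 6 0` into `open("/.vol/16777224/21", O_RDONLY, 0o777) = 6` and the failing `__mac_syscall` into `= -1 EROFS`; for any other syscall, the generic branch is the place to add a decoder once you have read its man page.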


dtrace is a low-level but powerful tool that allows you to monitor many kernel-level events. What is monitored or displayed is specified in a dtrace script. These system calls are kernel-level functions invoked by the program you're monitoring (not the user-level functions themselves).

dtrace allows you to monitor/quantify CPU, disk, memory, filesystem, network etc., per process or groups of processes.

One reference is the OpenSolaris DTrace site, however there are many web-based guides and how-tos.

To see which files are opened by processes you would use:

dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0)); }'
PaulS answered Oct 19 '22 08:10