#!/bin/sh
opt_name=0; opt_pid=0; opt_proj=0; opt_zone=0; opt_time=0; opt_timestr=0
opt_bytes=1; filter=0; pname=.; pid=0; opt_ppid=0
while getopts n:Pp:jtvZ name
do
case $name in
n) opt_name=1; pname=$OPTARG ;;
p) opt_pid=1; pid=$OPTARG ;;
P) opt_ppid=1 ;;
j) opt_proj=1 ;;
t) opt_time=1 ;;
v) opt_timestr=1 ;;
Z) opt_zone=1 ;;
h|?) cat <<-END >&2
USAGE: rwsnoop [-jPtvZ] [-n name] [-p pid]
-j -P -t -v -Z -n name -p PID eg,
rwsnoop rwsnoop -Z rwsnoop -n bash END
exit 1
esac
done
shift $(( $OPTIND - 1 ))
if (( opt_name || opt_pid )); then
filter=1
fi
/usr/sbin/dtrace -n '
/*
* Command line arguments
*/
inline int OPT_proj = '$opt_proj';
inline int OPT_zone = '$opt_zone';
inline int OPT_bytes = '$opt_bytes';
inline int OPT_name = '$opt_name';
inline int OPT_ppid = '$opt_ppid';
inline int OPT_pid = '$opt_pid';
inline int OPT_time = '$opt_time';
inline int OPT_timestr = '$opt_timestr';
inline int FILTER = '$filter';
inline int PID = '$pid';
inline string NAME = "'$pname'";
/*
* Print header
*/
dtrace:::BEGIN
{
/* print header */
OPT_time ? printf("%-14s ", "TIME") : 1;
OPT_timestr ? printf("%-20s ", "TIMESTR") : 1;
OPT_proj ? printf("%5s ", "PROJ") : 1;
OPT_zone ? printf("%5s ", "ZONE") : 1;
OPT_ppid ? printf("%6s ", "PPID") : 1;
printf("%5s %6s %-12s %1s %7s %s\n",
"UID", "PID", "CMD", "D", "BYTES", "FILE");
}
/*
* Check event is being traced
*/
syscall::*read_nocancel:entry,
syscall::*write_nocancel:entry,
syscall::*read:entry,
syscall::*write:entry
/pid != $pid/
{
/* default is to trace unless filtering, */
self->ok = FILTER ? 0 : 1;
/* check each filter, */
(OPT_name == 1 && NAME == strstr(NAME, execname))? self->ok = 1 : 1;
(OPT_name == 1 && execname == strstr(execname, NAME))? self->ok = 1 : 1;
(OPT_pid == 1 && PID == pid) ? self->ok = 1 : 1;
/* save file descriptor */
self->fd = self->ok ? arg0 : 0;
}
/*
* Save read details
*/
syscall::*read_nocancel:return,
syscall::*read:return
/self->ok/
{
self->rw = "R";
self->size = arg0;
}
/*
* Save write details
*/
syscall::*write_nocancel:entry,
syscall::*write:entry
/self->ok/
{
self->rw = "W";
self->size = arg2;
}
/*
* Process event
*/
syscall::*read_nocancel:return,
syscall::*write_nocancel:entry,
syscall::read:return,
syscall::write:entry,
syscall::pread:return,
syscall::pwrite:entry
/*
syscall::*read:return,
syscall::*write:entry
*/
/self->ok/
{
/*
* Fetch filename
*/
/*
this->filistp = curthread->t_procp->p_user.u_finfo.fi_list;
this->ufentryp = (uf_entry_t *)((uint64_t)this->filistp +
(uint64_t)self->fd * (uint64_t)sizeof(uf_entry_t));
this->filep = this->ufentryp->uf_file;
this->vnodep = this->filep != 0 ? this->filep->f_vnode : 0;
self->vpath = this->vnodep ? (this->vnodep->v_path != 0 ?
cleanpath(this->vnodep->v_path) : "<unknown>") : "<unknown>";
*/
this->fpp = &(curproc->p_fd->fd_ofiles[self->fd]);
this->fg = (struct fileglob *)((*(this->fpp))->f_fglob);
this->vnodep = (struct vnode *)(this->fg->fg_data);
self->vpath = this->vnodep ? (this->vnodep->v_name != 0 ?
this->vnodep->v_name : "<unknown>") : "<unknown>";
/*
* Print details
*/
OPT_time ? printf("%-14d ", timestamp / 1000) : 1;
OPT_timestr ? printf("%-20Y ", walltimestamp) : 1;
OPT_proj ? printf("%5d ", curpsinfo->pr_projid) : 1;
OPT_zone ? printf("%5d ", curpsinfo->pr_zoneid) : 1;
OPT_ppid ? printf("%6d ", ppid) : 1;
printf("%5d %6d %-12.12s %1s %7d %s\n",
uid, pid, execname, self->rw, (int)self->size, self->vpath);
self->ok = 0;
self->fd = 0;
self->rw = 0;
self->size = 0;
self->vpath = 0;
}
'