Dtrace print parent process command


Problem description

I'd like to have a script that for each new running process, prints its starting command, as well as its parent process.

I'm using the following probes:

proc::posix_spawn:exec-success,proc::__mac_execve:exec-success

From within the script body, command line string is built from curproc->p_dtrace_argv.

parent pid (ppid) is also available, but so far I haven't managed to figure out how to extract the parent process name (preferably full name that can be taken from parent argv[0]).

Recommended answer

You can capture the execname of the process prior to the call to exec() in the proc:::exec probe. That will be the name of the executable that called fork() and will match the execname of the parent process.

I tested this on a Solaris 11 installation:

#!/usr/sbin/dtrace -s

proc:::exec
{
    self->pexecname = execname;
}

proc:::exec-success
/ self->pexecname != 0 /
{
    printf( "execname: %s, parent execname: %s", execname, self->pexecname );
    self->pexecname = 0;
}

It produced the following output:

dtrace: script './exec.d' matched 2 probes
 CPU     ID                    FUNCTION:NAME
   6  12486         exec_common:exec-success execname: utmp_update, parent execname: gnome-pty-helper
  14  12486         exec_common:exec-success execname: bash, parent execname: gnome-terminal
  15  12486         exec_common:exec-success execname: ls, parent execname: bash

Updated per the comments:

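#!/usr/sbin/dtrace -s

/* Fires before the new image is loaded, so execname is still the caller's name. */
proc:::exec
{
    self->pexecname = execname;
    /* build parent args off curproc here and store them in self->parent_args */
}

/* Report the new execname next to the saved one, then clear the thread-locals. */
proc:::exec-success
/ self->pexecname != 0 /
{
    printf( "execname: %s, parent execname: %s", execname, self->pexecname );
    self->pexecname = 0;
    self->parent_args = 0;
}

/* A failed exec() has to clear the saved values as well. */
proc:::exec-failure
/ self->pexecname != 0 /
{
    self->pexecname = 0;
    self->parent_args = 0;
}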
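
One way to fill in the parent-argument step of the updated script, as an added example that is not part of the original answer. It assumes the Solaris setup the answer was tested on and uses the standard `curpsinfo->pr_psargs` string instead of the `curproc`-based construction from the question; the `self->pargs` name and the output format are choices made here.

```dtrace
#!/usr/sbin/dtrace -s
#pragma D option quiet

/*
 * Added example. At proc:::exec the thread still runs the old image, so
 * execname and curpsinfo->pr_psargs describe the program that called
 * fork() (its argument string is inherited by the child).
 */
proc:::exec
{
    self->pexecname = execname;
    self->pargs = curpsinfo->pr_psargs;
}

/* New image loaded: pr_psargs now holds the new command line. */
proc:::exec-success
/ self->pexecname != 0 /
{
    printf("%Y pid=%d ppid=%d cmd=\"%s\" parent=%s parent_cmd=\"%s\"\n",
        walltimestamp, pid, ppid, curpsinfo->pr_psargs,
        self->pexecname, self->pargs);
    self->pexecname = 0;
    self->pargs = 0;
}

/* exec() failed: args[0] is the errno; log it and drop the saved state. */
proc:::exec-failure
/ self->pexecname != 0 /
{
    printf("%Y pid=%d ppid=%d exec failed errno=%d caller=%s\n",
        walltimestamp, pid, ppid, args[0], self->pexecname);
    self->pexecname = 0;
    self->pargs = 0;
}
```

The saved values belong to the pre-exec image of the same pid, so for a program that calls exec() without forking first they describe its own previous image rather than the process identified by ppid. `pr_psargs` is a fixed-size field, so long command lines are truncated.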
