need dtrace script to monitor file writes
G Hazel
2011-02-07 17:37:59 UTC
I've got a mystery process writing to my /etc/inet/hosts file. I'd like to
find a dtrace script that can monitor the file and do a "ps -ef" or
equivalent to capture the process that's writing to the file. I'm a dtrace
newbie, and was hoping someone here could point me in the right direction.
I've googled it and found some scripts that apply to zfs; this is just ufs.
Michael Schuster
2011-02-07 17:47:40 UTC
Post by G Hazel
I've got a mystery process writing to my /etc/inet/hosts file. I'd like to
find a dtrace script that can monitor the file and do a "ps -ef" or
equivalent to capture the process that's writing to the file.  I'm a dtrace
newbie, and was hoping someone here could point me in the right direction.
I've googled it and found some scripts that apply to zfs; this is just ufs.
which fs is in use here should be irrelevant; I'd monitor the open and
write system calls, maybe starting with something like this (check the
details, I'm typing this from memory):

syscall::open:entry
/arg0 == "/etc/hosts" || arg0 == "/etc/inet/hosts"/   /* also check for "w" permission here */
{
    /* start a speculative trace; only kept if the open() succeeds */
    self->s = speculation();
    speculate(self->s);
    printf("%s opening hosts", execname);
}

/* do the same as above for openat() */
syscall::open:return
/self->s && arg1 == -1/   /* failure: throw the speculative output away */
{
    discard(self->s);
    self->s = 0;
}

syscall::open:return
/self->s/   /* success: emit the speculative output */
{
    commit(self->s);
    self->s = 0;
}

This should tell you who's successfully opened /etc/inet/hosts.

HTH
Michael
--
regards/with kind regards
Michael Schuster
Nico Williams
2011-02-07 18:05:25 UTC
On Mon, Feb 7, 2011 at 11:47 AM, Michael Schuster
Post by Michael Schuster
which fs is in use here should be irrelevant; I'd monitor the open and
write system calls, maybe starting with something like this (check the
syscall::open:entry
/arg0 == "/etc/hosts" || arg0 == "/etc/inet/hosts" /  /* also check
This won't work. You need to copyinstr() the argument, but aside from
that, DTrace probes run in DTrace context, which cannot page things
in. If the argument is not paged in, then you can't get it in
syscall::open:entry. You can get it in syscall::open:return (though
that's not reliable, since the application could have changed it), or
you can get it from the file descriptor's vnode's v_path, though
that's less portable.

Nico

David Blasingame Oracle
2011-02-07 17:48:11 UTC
The dtracetoolkit already has what you are looking for. Try

opensnoop -f /etc/inet/hosts

http://hub.opensolaris.org/bin/view/Community+Group+dtrace/dtracetoolkit

Dave
Post by G Hazel
I've got a mystery process writing to my /etc/inet/hosts file. I'd
like to find a dtrace script that can monitor the file and do a "ps
-ef" or equivalent to capture the process that's writing to the file.
I'm a dtrace newbie, and was hoping someone here could point me in the
right direction. I've googled it and found some scripts that apply
to zfs; this is just ufs.
Maidak Alexander J
2011-02-10 20:47:48 UTC
Post by G Hazel
I've got a mystery process writing to my /etc/inet/hosts file. I'd like to
find a dtrace script that can monitor the file and do a "ps -ef" or
equivalent to capture the process that's writing to the file. I'm a dtrace
newbie, and was hoping someone here could point me in the right direction.
I've googled it and found some scripts that apply to zfs; this is just ufs.
If you just want to see writes to hosts you can try the fsinfo provider.

#pragma D option quiet

/* fsinfo fires at the VFS layer, so the filesystem type does not matter */
fsinfo:genunix::write
/strstr(args[0]->fi_pathname, "hosts") != NULL/
{
    printf("%d %s %s\n", pid, execname, args[0]->fi_pathname);
}

This will work with either UFS or ZFS.

Since it's UFS, the io:: provider could do something similar.

-Alex
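Pulling together Nico's point about reading the path from the descriptor's vnode and Alex's fsinfo approach, here is an added script (not from any poster in the thread) that matches writes to the hosts file at the syscall layer via the fds[] built-in, which gets the pathname from the kernel's file table instead of a user-space pointer that may not be paged in, and prints the "ps -ef"-style details of the writer. It assumes a Solaris 10 or later DTrace with fds[]/fileinfo_t and curpsinfo available.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example, not code from the thread: report every process that
 * writes to /etc/inet/hosts (or /etc/hosts, which is usually a symlink
 * to it).  fds[fd].fi_pathname is filled in by the kernel from the
 * vnode, so it avoids the copyinstr()/paging problem of reading the
 * pathname from a user pointer in syscall::open:entry.
 * Assumes Solaris 10+ DTrace (fds[], fileinfo_t, curpsinfo).
 */
#pragma D option quiet

dtrace:::BEGIN
{
    printf("%-8s %-8s %-6s %-16s %s\n",
        "PID", "PPID", "UID", "EXEC", "PATH / ARGS");
}

/* write(2) and pwrite(2) both carry the file descriptor in arg0 */
syscall::write:entry,
syscall::pwrite:entry
/fds[arg0].fi_pathname == "/etc/inet/hosts" ||
 fds[arg0].fi_pathname == "/etc/hosts"/
{
    printf("%-8d %-8d %-6d %-16s %s\n",
        pid, ppid, uid, execname, fds[arg0].fi_pathname);
    /* the "ps -ef" equivalent: the writer's full argument string */
    printf("%-8s %-8s %-6s %-16s %s\n",
        "", "", "", "", curpsinfo->pr_psargs);
}
```

A tool that writes a temporary file and then rename(2)s it over the hosts file never write(2)s to that path, so pair this with the open/rename probes above if the writer stays invisible.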