Changeset View
Changeset View
Standalone View
Standalone View
cddl/usr.sbin/dwatch/dwatch.1
- This file was added.
Property | Old Value | New Value |
---|---|---|
svn:eol-style | null | native \ No newline at end of property |
svn:keywords | null | FreeBSD=%H \ No newline at end of property |
svn:mime-type | null | text/plain \ No newline at end of property |
.\" Copyright (c) 2014-2017 Devin Teske | |||||
.\" All rights reserved. | |||||
.\" | |||||
.\" Redistribution and use in source and binary forms, with or without | |||||
.\" modification, are permitted provided that the following conditions | |||||
.\" are met: | |||||
.\" 1. Redistributions of source code must retain the above copyright | |||||
.\" notice, this list of conditions and the following disclaimer. | |||||
.\" 2. Redistributions in binary form must reproduce the above copyright | |||||
.\" notice, this list of conditions and the following disclaimer in the | |||||
.\" documentation and/or other materials provided with the distribution. | |||||
.\" | |||||
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | |||||
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | |||||
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |||||
.\" DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, | |||||
.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | |||||
.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |||||
.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |||||
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN | |||||
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |||||
.\" POSSIBILITY OF SUCH DAMAGE. | |||||
.\" | |||||
.\" $FreeBSD$ | |||||
.\" | |||||
.Dd October 5, 2017 | |||||
.Dt DWATCH 1 | |||||
.Os | |||||
.Sh NAME | |||||
.Nm dwatch | |||||
.Nd watch processes as they trigger a particular DTrace probe | |||||
.Sh SYNOPSIS | |||||
.Nm | |||||
.Op Fl 1defFmnPqRvVwxy | |||||
.Op Fl B Ar num | |||||
.Op Fl E Ar code | |||||
.Op Fl g Ar group | |||||
.Op Fl j Ar jail | |||||
.Op Fl k Ar name | |||||
.Op Fl K Ar num | |||||
.Op Fl N Ar count | |||||
.Op Fl o Ar output | |||||
.Op Fl O Ar cmd | |||||
.Op Fl p Ar pid | |||||
.Op Fl r Ar regex | |||||
.Op Fl t Ar test | |||||
.Op Fl T Ar time | |||||
.Op Fl u Ar user | |||||
.Op Fl X Ar profile | |||||
.Op Fl z Ar regex | |||||
probe ... | |||||
.Nm | |||||
.Fl l | |||||
.Op Fl fmnPqy | |||||
.Op Fl r Ar regex | |||||
.Op probe ... | |||||
.Nm | |||||
.Fl Q | |||||
.Op Fl 1qy | |||||
.Op Fl r Ar regex | |||||
.Sh DESCRIPTION | |||||
The | |||||
.Nm | |||||
utility uses | |||||
.Xr dtrace 1 | |||||
markj: point* | |||||
Done Inline Actions"hits" sounds a little imprecise, but I'm not sure of a good replacement. "executes" or "encounters", maybe. wblock: "hits" sounds a little imprecise, but I'm not sure of a good replacement. "executes" or… | |||||
to display process info when DTrace triggers a given probe point. | |||||
.Pp | |||||
.Nm | |||||
automates the process of generating DTrace scripts to coalesce trace output by | |||||
date/time, | |||||
process info, | |||||
and | |||||
.Op optionally | |||||
probe-specific data. | |||||
.Pp | |||||
Output format without options is: | |||||
.Pp | |||||
.Dl date/time uid.gid execname[pid]: psargs | |||||
.Pp | |||||
For example, | |||||
the command | |||||
.Ql dwatch BEGIN | |||||
produces the output: | |||||
.Pp | |||||
.Dl INFO Watching 'dtrace:::BEGIN' ... | |||||
.Dl 2017 May 29 08:23:20 0.0 dtrace[60671]: dtrace -s /dev/stdin | |||||
.Pp | |||||
The | |||||
.Fl F | |||||
option causes | |||||
.Nm | |||||
to instead coalesce trace output by date/time, | |||||
process info, | |||||
and function traversal. | |||||
.Pp | |||||
Done Inline ActionsThis could benefit with a "the": Output format with the wblock: This could benefit with a "the":
```Output format with the``` | |||||
Output format with the | |||||
.Ql Fl F | |||||
option is: | |||||
.Pp | |||||
.Dl date/time uid.gid execname[pid]: [=> |<= ]prov:mod:func:name | |||||
.Pp | |||||
For example, | |||||
the command | |||||
.Ql dwatch -F BEGIN | |||||
produces the output: | |||||
.Pp | |||||
.Dl INFO Watching 'dtrace:::BEGIN' ... | |||||
.Dl 2017 May 29 21:34:41 0.0 dtrace[86593]: dtrace:::BEGIN | |||||
.Pp | |||||
The | |||||
.Fl R | |||||
option causes | |||||
.Nm | |||||
to display a process tree containing the parent, | |||||
grandparent, | |||||
and ancestor process info. | |||||
.Pp | |||||
Done Inline Actions"the", as above. wblock: "the", as above. | |||||
Output format with the | |||||
.Ql Fl R | |||||
option is: | |||||
.Pp | |||||
.Dl date/time uid0.gid0 execname[pid0]: psargs0 | |||||
.Dl " -+= pid3 uid3.gid3 psargs3" | |||||
.Dl " \\\-+= pid2 uid2.gid2 psargs2" | |||||
.Dl " \\\-+= pid1 uid1.gid1 psargs1" | |||||
.Dl " \\\-+= pid0 uid0.guid0 psargs0" | |||||
.Pp | |||||
For example, | |||||
the command | |||||
.Ql dwatch -R BEGIN | |||||
produces the output: | |||||
.Pp | |||||
.Dl INFO Watching 'dtrace:::BEGIN' ... | |||||
.Dl 2017 May 29 21:38:54 0.0 dtrace[86899]: dtrace -s /dev/stdin | |||||
.Dl " -+= 86855 604.604 -bash" | |||||
.Dl " \-+= 86857 604.604 /bin/sh /usr/sbin/dwatch -R BEGIN" | |||||
.Dl " \-+= 86897 0.0 sudo dtrace -s /dev/stdin" | |||||
.Dl " \-+= 86899 0.0 dtrace -s /dev/stdin" | |||||
.Pp | |||||
Of particular interest is the ability to filter using regular expressions. | |||||
The | |||||
.Ql Fl g Ar group , | |||||
.Ql Fl p Ar pid , | |||||
.Ql Fl r Ar regex , | |||||
.Ql Fl u Ar user , | |||||
and | |||||
.Ql Fl z Ar regex | |||||
options can be combined with | |||||
.Ql Fl R | |||||
to match on parent process criteria as well as current process info. | |||||
.Pp | |||||
In contrast, | |||||
the | |||||
.Ql Fl j Ar jail , | |||||
and | |||||
.Ql Fl k Ar name | |||||
options apply only to the current process even if | |||||
.Ql Fl R | |||||
is given. | |||||
.Pp | |||||
The | |||||
.Ql Fl E Ar code | |||||
option gives the ability to customize probe-specific data. | |||||
For example, | |||||
the command: | |||||
.Pp | |||||
.Dl dwatch -E 'printf("%s", copyinstr(arg0))' chdir | |||||
.Pp | |||||
displays the path argument sent to | |||||
.Xr chdir 2 | |||||
calls. | |||||
.Pp | |||||
Profiles can be written for more complex routines or convenience. | |||||
To list available profiles use the | |||||
.Ql Fl Q | |||||
option. | |||||
Use the | |||||
.Ql Fl X Ar profile | |||||
option to use a particular profile. | |||||
.Pp | |||||
For example, | |||||
the command | |||||
.Ql dwatch -X kill | |||||
displays arguments sent to | |||||
.Xr kill 2 . | |||||
.Pp | |||||
Since this uses DTrace, only the root user or users with | |||||
.Xr sudo 8 | |||||
access can run this command. | |||||
.Sh OPTIONS | |||||
If a | |||||
.Ar probe | |||||
argument does not contain colon | |||||
.Pq Ql Li ":" | |||||
and none of | |||||
.Ql Fl P , | |||||
.Ql Fl m , | |||||
.Ql Fl f , | |||||
or | |||||
.Ql Fl n | |||||
are given, | |||||
the probe argument is intelligently mapped to its most-likely value. | |||||
Use | |||||
.Ql Nm Fl l Ar name | |||||
to see what probes will match a given name. | |||||
.Bl -tag -width "-c count" | |||||
.It Fl 1 | |||||
Print one line per process/profile | |||||
.Pq Default; disables Ql Fl R . | |||||
.It Fl B Ar num | |||||
Maximum number of arguments to display | |||||
.Pq Default 64 . | |||||
.It Fl d | |||||
Debug. | |||||
Send | |||||
.Xr dtrace 1 | |||||
script to stdout instead of executing. | |||||
.It Fl e | |||||
Exit after compiling request but prior to enabling probes. | |||||
.It Fl E Ar code | |||||
DTrace | |||||
.Ar code | |||||
for event details. | |||||
If `-', | |||||
read from stdin. | |||||
This allows customization of what is printed after date/time and process info. | |||||
By default, | |||||
the name and arguments of the program triggering the probe are shown. | |||||
.It Fl f | |||||
Enable probe matching the specified function name. | |||||
.It Fl F | |||||
Coalesce trace output by function. | |||||
.It Fl g Ar group | |||||
Group filter. | |||||
Only show processes matching | |||||
.Ar group | |||||
name/gid. | |||||
This can be an | |||||
.Xr awk 1 | |||||
regular expression to match a numerical gid. | |||||
.It Fl j Ar jail | |||||
Jail filter. | |||||
Only show processes matching | |||||
.Ar jail | |||||
name/jid. | |||||
.It Fl k Ar name | |||||
Only show processes matching | |||||
.Ar name . | |||||
Can also be of the format | |||||
.Ql Li name* | |||||
to indicate | |||||
.Dq Li begins with , | |||||
.Ql Li *name | |||||
to indicate | |||||
.Dq Li ends with , | |||||
or | |||||
.Ql Li *name* | |||||
to indicate | |||||
.Dq Li contains . | |||||
.It Fl K Ar num | |||||
Maximum directory depth to display | |||||
.Pq Default 64 . | |||||
.It Fl l | |||||
List available probes on standard output and exit. | |||||
.It Fl m | |||||
Enable probe matching the specified module name. | |||||
.It Fl X Ar profile | |||||
Load profile from DWATCH_PROFILES_PATH. | |||||
.It Fl n | |||||
Enable probe matching the specified probe name. | |||||
.It Fl N Ar count | |||||
Exit after | |||||
.Ar count | |||||
matching entries | |||||
.Pq Default 0 for disabled . | |||||
.It Fl o Ar output | |||||
Set output file. | |||||
If | |||||
.Ql Li - , | |||||
the path | |||||
.Ql Li /dev/stdout | |||||
is used. | |||||
.It Fl O Ar cmd | |||||
Execute | |||||
.Ar cmd | |||||
for each event. | |||||
This can be any valid | |||||
.Xr sh 1 | |||||
command. | |||||
The environment variables | |||||
.Ql Li $TAG | |||||
and | |||||
.Ql Li $DETAILS | |||||
are set for the given | |||||
.Ar cmd . | |||||
.It Fl p Ar pid | |||||
Process id filter. | |||||
Only show processes with matching | |||||
.Ar pid . | |||||
This can be an | |||||
.Xr awk 1 | |||||
regular expression. | |||||
.It Fl P | |||||
Enable probe matching the specified provider name. | |||||
.It Fl q | |||||
Quiet. | |||||
Done Inline ActionsThe format is wblock: ```The format is``` | |||||
Hide informational messages and all dtrace(1) errors. | |||||
.It Fl Q | |||||
List available profiles in DWATCH_PROFILES_PATH and exit. | |||||
.It Fl r Ar regex | |||||
Filter. | |||||
Only show blocks matching | |||||
.Xr awk 1 | |||||
regular expression. | |||||
.It Fl R | |||||
Show parent, | |||||
grandparent, | |||||
and ancestor of process. | |||||
Done Inline ActionsNot sure whether "uid" should be capitalized. wblock: Not sure whether "uid" should be capitalized. | |||||
.It Fl t Ar test | |||||
Test clause | |||||
.Pq predicate | |||||
to limit events | |||||
.Pq Default none . | |||||
.It Fl T Ar time | |||||
Done Inline ActionsReport .Nm version on standard output and exit. wblock: ```Report
.Nm
version on standard output and exit.``` | |||||
Timeout. | |||||
The format is | |||||
.Ql Li #[smhd] | |||||
or just | |||||
.Ql Li # | |||||
for seconds. | |||||
.It Fl u Ar user | |||||
User filter. | |||||
Only show processes matching | |||||
.Ar user | |||||
name/uid. | |||||
This can be an | |||||
.Xr awk 1 | |||||
regular expression to match a numerical UID. | |||||
.It Fl v | |||||
Verbose. | |||||
Show all errors from | |||||
.Xr dtrace 1 . | |||||
.It Fl V | |||||
Report | |||||
.Nm | |||||
Done Inline ActionsI would suggest just "This" rather than below, because the list starts immediately after that sentence. wblock: I would suggest just "This" rather than below, because the list starts immediately after that… | |||||
version on standard output and exit. | |||||
.It Fl w | |||||
Permit destructive actions | |||||
Done Inline ActionsShould this be an .Xr chmod 2 ? Same question for the rest of these. wblock: Should this be an `.Xr chmod 2` ?
Same question for the rest of these. | |||||
.Pq copyout*, stop, panic, etc. . | |||||
.It Fl x | |||||
Trace. | |||||
.Ql Li <probe-id> | |||||
when a probe is triggered. | |||||
.It Fl y | |||||
Always treat stdout as console | |||||
.Pq enable colors/columns/etc. . | |||||
.It Fl z Ar regex | |||||
Only show processes matching | |||||
.Xr awk 1 | |||||
regular expression. | |||||
.El | |||||
.Sh PROFILES | |||||
Profiles customize the data printed during events. | |||||
Profiles are loaded from a colon-separated list of directories in | |||||
.Ev DWATCH_PROFILES_PATH . | |||||
This is an incomplete list of profiles with basic descriptions: | |||||
.Bl -tag -width "vop_readdir" | |||||
.It chmod | |||||
Print arguments being passed to | |||||
.Xr chmod 2 | |||||
.It fchmod | |||||
Print arguments being passed to | |||||
.Xr fchmod 2 | |||||
.It fchmodat | |||||
Print arguments being passed to | |||||
.Xr fchmodat 2 | |||||
.It kill | |||||
Print arguments being passed to | |||||
.Xr kill 2 | |||||
.It lchmod | |||||
Print arguments being passed to | |||||
.Xr lchmod 2 | |||||
Done Inline ActionsUse If .Ev DWATCH_PROFILES_PATH is set, wblock: Use
```If
.Ev DWATCH_PROFILES_PATH
is set,``` | |||||
.It nanosleep | |||||
Print arguments being passed to | |||||
Done Inline Actionss/will search/searches/ And it doesn't really say that the list of directories comes from that variable, so: If .Ev DWATCH_PROFILES_PATH is set, .Nm searches for profiles in the colon-separated list of directories in that variable wblock: s/will search/searches/
And it doesn't really say that the list of directories comes from that… | |||||
.Xr nanosleep 2 | |||||
.It vop_create | |||||
Print filesystem paths being created by | |||||
.Xr VOP_CREATE 9 | |||||
Done Inline Actionsprofiles are not loaded. wblock: ```profiles are not loaded.``` | |||||
.It vop_lookup | |||||
Print filesystem paths being looked-up by | |||||
.Xr VOP_LOOKUP 9 | |||||
.It vop_mkdir | |||||
Print directory paths being created by | |||||
.Xr VOP_MKDIR 9 | |||||
.It vop_mknod | |||||
Print device node paths being created by | |||||
.Xr VOP_MKNOD 9 | |||||
Done Inline ActionsExamples usually do not use the synopsis markup, but indent them to make them stand out. Here is one from gpart.8: We create a 472-block (236 kB) boot partition at offset 40, which is the size of the partition table (34 blocks or 17 kB) rounded up to the nearest 4 kB boundary. .Bd -literal -offset indent /sbin/gpart add -b 40 -s 472 -t freebsd-boot ada0 /sbin/gpart bootcode -p /boot/gptboot -i 1 ada0 .Ed .Pp wblock: Examples usually do not use the synopsis markup, but indent them to make them stand out. Here… | |||||
.It vop_readdir | |||||
Print directory paths being read by | |||||
.Xr VOP_READDIR 9 | |||||
.It vop_remove | |||||
Print filesystem paths being removed by | |||||
.Xr VOP_REMOVE 9 | |||||
.It vop_rename | |||||
Print filesystem paths being renamed by | |||||
.Xr VOP_RENAME 9 | |||||
.It vop_rmdir | |||||
Print directory paths being removed by | |||||
.Xr VOP_RMDIR 9 | |||||
.It vop_symlink | |||||
Print symlink paths being created by | |||||
.Xr VOP_SYMLINK 9 | |||||
.El | |||||
.Sh ENVIRONMENT | |||||
Done Inline Actions*generated markj: *generated | |||||
These environment variables affect the execution of | |||||
.Nm : | |||||
.Bl -tag -width "DWATCH_PROFILES_PATH" | |||||
.It Ev DWATCH_PROFILES_PATH | |||||
If | |||||
.Ev DWATCH_PROFILES_PATH | |||||
is set, | |||||
.Nm | |||||
searches for profiles in the colon-separated list of directories in that | |||||
variable instead of the default | |||||
.Ql Li /usr/libexec/dwatch:/usr/local/libexec/dwatch . | |||||
If set to NULL, | |||||
profiles are not loaded. | |||||
.El | |||||
.Sh EXIT STATUS | |||||
.Ex -std | |||||
.Sh EXAMPLES | |||||
Watch processes entering system CPU scheduler. | |||||
.Bd -literal -offset indent | |||||
dwatch on-cpu | |||||
.Ed | |||||
.Pp | |||||
List available profiles, | |||||
one line per profile. | |||||
.Bd -literal -offset indent | |||||
dwatch -1 -Q | |||||
.Ed | |||||
.Pp | |||||
Do not execute | |||||
.Xr dtrace 1 | |||||
but display script on stdout and exit. | |||||
.Bd -literal -offset indent | |||||
dwatch -d fsync | |||||
.Ed | |||||
.Pp | |||||
Compile and test but do not execute code generated with given probe. | |||||
.Bd -literal -offset indent | |||||
dwatch -e test_probe | |||||
.Ed | |||||
.Pp | |||||
Print argument one being passed to each call of zfs_sync(). | |||||
.Bd -literal -offset indent | |||||
dwatch -E 'printf("%i", arg1)' zfs_sync | |||||
.Ed | |||||
.Pp | |||||
Watch all functions named | |||||
.Ql Li read . | |||||
.Bd -literal -offset indent | |||||
dwatch -f read | |||||
.Ed | |||||
.Pp | |||||
Watch all function traversal. | |||||
.Bd -literal -offset indent | |||||
dwatch -F : | |||||
.Ed | |||||
.Pp | |||||
Watch syscall function traversal. | |||||
.Bd -literal -offset indent | |||||
dwatch -F syscall | |||||
.Ed | |||||
.Pp | |||||
Display only processes belonging to wheel super-group. | |||||
.Bd -literal -offset indent | |||||
dwatch -g wheel execve | |||||
.Ed | |||||
.Pp | |||||
Display only processes belonging to groups | |||||
.Ql Li daemon | |||||
or | |||||
.Ql Li nobody . | |||||
.Bd -literal -offset indent | |||||
dwatch -g '1|65534' execve | |||||
.Ed | |||||
.Pp | |||||
Ignore jails, | |||||
displaying only base system processes. | |||||
.Bd -literal -offset indent | |||||
dwatch -j 0 execve | |||||
.Ed | |||||
.Pp | |||||
Display only processes running inside the jail named | |||||
.Ql Li myjail . | |||||
.Bd -literal -offset indent | |||||
dwatch -j myjail execve | |||||
.Ed | |||||
.Pp | |||||
Watch syscall function traversal by ruby processes. | |||||
.Bd -literal -offset indent | |||||
dwatch -k 'ruby*' -F syscall | |||||
.Ed | |||||
.Pp | |||||
Watch syscall function traversal by processes containing | |||||
.Ql Li daemon | |||||
in their name. | |||||
.Bd -literal -offset indent | |||||
dwatch -k '*daemon*' -F syscall | |||||
.Ed | |||||
.Pp | |||||
Display a list of unique functions available. | |||||
.Bd -literal -offset indent | |||||
dwatch -l -f | |||||
.Ed | |||||
.Pp | |||||
List available probes for functions ending in | |||||
.Ql Li read . | |||||
.Bd -literal -offset indent | |||||
dwatch -l -f '*read' | |||||
.Ed | |||||
.Pp | |||||
List available probes ending in | |||||
.Dq Li read . | |||||
.Bd -literal -offset indent | |||||
dwatch -l -r 'read$' | |||||
.Ed | |||||
.Pp | |||||
Display a list of unique providers. | |||||
.Bd -literal -offset indent | |||||
dwatch -l -P | |||||
.Ed | |||||
.Pp | |||||
Watch paths being removed by | |||||
.Xr VOP_REMOVE 9 . | |||||
.Bd -literal -offset indent | |||||
dwatch -X vop_remove | |||||
.Ed | |||||
.Pp | |||||
Watch signals being passed to | |||||
.Xr kill 2 . | |||||
.Bd -literal -offset indent | |||||
dwatch -X kill | |||||
.Ed | |||||
.Pp | |||||
Watch the name | |||||
.Ql Li read | |||||
instead of the function | |||||
.Ql Li read . | |||||
The | |||||
.Nm | |||||
selection algorithm will commonly favor the function named | |||||
.Ql Li read | |||||
when not given a type | |||||
.Pq using So Fl P Sc , So Fl m Sc , So Fl f Sc , or So Fl n Sc | |||||
because there are more probes matching the function named | |||||
.Ql Li read | |||||
than probes matching | |||||
.Ql Li read | |||||
for any other type. | |||||
.Bd -literal -offset indent | |||||
dwatch -n read | |||||
.Ed | |||||
.Pp | |||||
Display the first process to call | |||||
.Xr kill 2 | |||||
and then exit. | |||||
.Bd -literal -offset indent | |||||
dwatch -N 1 kill | |||||
.Ed | |||||
.Pp | |||||
Watch processes forked by pid 1234. | |||||
.Bd -literal -offset indent | |||||
dwatch -p 1234 execve | |||||
.Ed | |||||
.Pp | |||||
Watch processes forked by either pid 1234 or pid 5678. | |||||
.Bd -literal -offset indent | |||||
dwatch -p '1234|5678' execve | |||||
.Ed | |||||
.Pp | |||||
Watch the provider | |||||
.Ql Li random | |||||
instead of the function | |||||
.Ql Li random . | |||||
The | |||||
.Nm | |||||
selection algorithm will commonly favor the function named | |||||
.Ql Li random | |||||
when not given a type | |||||
.Pq using So Fl P Sc , So Fl m Sc , So Fl f Sc , or So Fl n Sc | |||||
because there are more probes matching the function named | |||||
.Ql Li random | |||||
than probes matching the provider named | |||||
.Ql Li random . | |||||
.Bd -literal -offset indent | |||||
dwatch -P random | |||||
.Ed | |||||
.Pp | |||||
Display available profiles matching | |||||
.Ql Li vop . | |||||
.Bd -literal -offset indent | |||||
dwatch -Q -r vop | |||||
.Ed | |||||
.Pp | |||||
Watch | |||||
.Xr VOP_LOOKUP 9 | |||||
paths containing | |||||
.Ql Li /lib/ . | |||||
.Bd -literal -offset indent | |||||
dwatch -r /lib/ -X vop_lookup | |||||
.Ed | |||||
.Pp | |||||
Show process tree for each command as it is executed. | |||||
.Bd -literal -offset indent | |||||
dwatch -R execve | |||||
.Ed | |||||
.Pp | |||||
Watch processes forked by pid 1234 or children thereof. | |||||
.Bd -literal -offset indent | |||||
dwatch -R -p 1234 execve | |||||
.Ed | |||||
.Pp | |||||
Display processes calling | |||||
.Xr write 2 | |||||
with | |||||
.Dq nbytes | |||||
less than 10. | |||||
.Bd -literal -offset indent | |||||
dwatch -t 'arg2<10' -E 'printf("%d",arg2)' write | |||||
.Ed | |||||
.Pp | |||||
Watch | |||||
.Ql Li statfs | |||||
for 5 minutes and exit. | |||||
.Bd -literal -offset indent | |||||
dwatch -T 5m statfs | |||||
.Ed | |||||
.Pp | |||||
Display only processes belonging to the root super-user. | |||||
.Bd -literal -offset indent | |||||
dwatch -u root execve | |||||
.Ed | |||||
.Pp | |||||
Display only processes belonging to users | |||||
.Ql Li daemon | |||||
or | |||||
.Ql Li nobody . | |||||
.Bd -literal -offset indent | |||||
dwatch -u '1|65534' execve | |||||
.Ed | |||||
.Pp | |||||
Print version and exit. | |||||
.Bd -literal -offset indent | |||||
dwatch -V | |||||
.Ed | |||||
.Pp | |||||
View the first 100 scheduler preemptions. | |||||
.Bd -literal -offset indent | |||||
dwatch -y -N 100 preempt | less -R | |||||
.Ed | |||||
.Pp | |||||
Display processes matching either | |||||
.Dq Li mkdir | |||||
or | |||||
.Dq Li rmdir . | |||||
.Bd -literal -offset indent | |||||
dwatch -z '(mk|rm)dir' execve | |||||
.Ed | |||||
.Sh SEE ALSO | |||||
.Xr dtrace 1 | |||||
.Sh HISTORY | |||||
.Nm | |||||
first appeared in | |||||
.Fx 12.0-CURRENT . | |||||
.Sh AUTHORS | |||||
.An Devin Teske Aq Mt dteske@FreeBSD.org |
point*