Linux Format

Useful one-liners


There are some further small commands that it’s useful to know about. The following command prints the number of system calls per running program:

    $ sudo dtrace -n 'syscall:::entry { @num[execname] = count(); }'
    dtrace: description 'syscall:::entry ' matched 661 probes
    ^C
    sudo ... sshd 25 dtrace 3233

If your system is running slow for some reason, this should be the first command you run in order to find out which program might be the cause of the problem.

The following command traces all open() system calls and, for each one, prints the name of the calling process and the path passed to open():

    $ sudo dtrace -n 'syscall::open:entry { printf("%s %s", execname, copyinstr(arg0)); }'
    dtrace: description 'syscall::open:entry ' matched 2 probes
    dtrace: error on enabled probe ID 2 (ID 361374: syscall:x64:open:entry): invalid address (0x7f9babcb20f8) in action #2 at DIF offset 28
    CPU ID FUNCTION:NAME
    0 361374 open:entry vminfo /var/run/utmp
    0 361374 open:entry vminfo /var/run/utmp
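The "invalid address" error in the output above is what copyinstr() reports when the path string has not yet been paged into memory at the moment the entry probe fires. The script below is an added example, not from the original article: it saves the pointer at entry and copies the string at return, and it adds a timestamp, uid and pid to each line so the output can serve as a file-access audit trail. The /usr/sbin/dtrace interpreter path and the output layout are assumptions.

```dtrace
#!/usr/sbin/dtrace -qs
/* Added example; interpreter path above is an assumption for this system. */

/*
 * At entry, arg0 is a user-space pointer to the pathname. Only remember it
 * here: the page holding the string may not be resident yet, which is what
 * makes copyinstr() fail with "invalid address" in an entry probe.
 */
syscall::open:entry
{
    self->path = arg0;
}

/*
 * By the time open() returns, the kernel has already read the pathname,
 * so the page is resident and copyinstr() can copy it safely.
 * On the return probe, arg0 holds the return value of open().
 */
syscall::open:return
/self->path/
{
    printf("%Y uid=%d pid=%d %s %s ret=%d\n",
        walltimestamp, uid, pid, execname,
        copyinstr(self->path), (int)arg0);

    /* Free the thread-local variable so it does not leak across calls. */
    self->path = 0;
}
```

Save it to a file, make it executable and run it with sudo; press Ctrl+C to stop tracing.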

The following command is truly impressive and really shows the power of DTrace. It prints Read Byte Distribution grouped by Process:

    $ sudo dtrace -n 'syscall::read:return { @[execname] = quantize(arg0); }'

Similarly, you can find out Write Byte Distribution grouped by Process:

    $ sudo dtrace -n 'syscall::write:return { @[execname] = quantize(arg0); }'

The next DTrace command traces disk I/O and prints the process ID, the process name and size of the I/O operation in bytes:

    $ sudo dtrace -n 'io:::start { printf("%d %s %d", pid, execname, args[0]->b_bcount); }'
    dtrace: description 'io:::start ' matched 2 probes
    CPU ID FUNCTION:NAME


The following DTrace command counts outbound connections by tracing the connect() call:

    $ sudo dtrace -n 'syscall::connect:entry { @[execname] = count(); }'

Similarly, the next command counts inbound connections by tracing the accept() call:

    $ sudo dtrace -n 'syscall::accept:return { @[execname] = count(); }'

The following command counts both socket reads and writes by tracing read() and write(), grouped by process name:

    $ sudo dtrace -n 'syscall::read:entry,syscall::write:entry { @[execname] = count(); }'
    dtrace: description 'syscall::read:entry,syscall::write:entry ' matched 4 probes
    ^C
    gmain dtrace ... sshd 6 vminfo 55

The last one-liner counts function calls related to ext4:

    $ sudo dtrace -n 'fbt::ext4_*:entry { @[probefunc] = count(); }'
    dtrace: description 'fbt::ext4_*:entry ' matched 458 probes
    ^C
    1 3 ext4_bread ext4_data_block_valid ... ext4_readdir ext4_htree_store_dirent ext4_getattr ext4_has_inline_data

As computer systems become more and more powerful, software becomes more and more complicated, and so in turn does troubleshooting it. The time you spend learning DTrace, or any other similar tool, will be time well spent.

Remember, in addition, that DTrace is the kind of tool that should be learned by doing, not by reading, so start practising it now!
