Add shmsnoop/sofdsnoop tools v2 (iovisor#2045)

* tools: Add shmsnoop to spy on shm* syscalls Adding shmsnoop tool to trace System V shared memory syscalls: shmget, shmat, shmdt, shmctl # ./shmsnoop.py PID COMM SYS RET ARGs 19813 server SHMGET 10000 key: 0x78020001, size: 20, shmflg: 0x3b6 (IPC_CREAT|0666) 19813 server SHMAT 7f1cf8b1f000 shmid: 0x10000, shmaddr: 0x0, shmflg: 0x0 19816 client SHMGET 10000 key: 0x78020001, size: 20, shmflg: 0x1b6 (0666) 19816 client SHMAT 7f4fd8ee7000 shmid: 0x10000, shmaddr: 0x0, shmflg: 0x0 19816 client SHMDT 0 shmaddr: 0x7f4fd8ee7000 19813 server SHMDT 0 shmaddr: 0x7f1cf8b1f000 19813 server SHMCTL 0 shmid: 0x10000, cmd: 0, buf: 0x0 Every call the shm* syscall (SHM column) is displayed on separate line together with process info (PID/COMM columns) and argument details: return value (RET column) and syscall arguments (ARGs column). The ARGs column contains 'arg: value' couples that represent given syscall arguments as described in their manpage. It supports standard options to filter on pid/tid, to specify duration of the trace and command name filter, like: ./shmsnoop # trace all shm*() syscalls ./shmsnoop -T # include timestamps ./shmsnoop -p 181 # only trace PID 181 ./shmsnoop -t 123 # only trace TID 123 ./shmsnoop -d 10 # trace for 10 seconds only ./shmsnoop -n main # only print process names containing "main" * tools: Add sofdsnoop to spy on fds passed through socket The sofdsnoop traces FDs passed through unix sockets. # ./sofdsnoop ACTION TID COMM SOCKET FD NAME SEND 2576 Web Content 24:socket:[39763] 51 /dev/shm/org.mozilla.ipc.2576.23874 RECV 2576 Web Content 49:socket:[809997] 51 SEND 2576 Web Content 24:socket:[39763] 58 N/A RECV 2464 Gecko_IOThread 75:socket:[39753] 55 Every file descriptor that is passed via unix sockets os displayed on separate line together with process info (TID/COMM columns), ACTION details (SEND/RECV), file descriptor number (FD) and its translation to file if available (NAME). examples: ./sofdsnoop # trace file descriptors passes ./sofdsnoop -T # include timestamps ./sofdsnoop -p 181 # only trace PID 181 ./sofdsnoop -t 123 # only trace TID 123 ./sofdsnoop -d 10 # trace for 10 seconds only ./sofdsnoop -n main # only print process names containing "main"
yezhengmao1 · Nov 16, 2018 · b511422 · b511422
1 parent d51219a
commit b511422
Show file tree

Hide file tree

Showing 9 changed files with 974 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -132,6 +132,8 @@ pair of .c and .py files, and some are directories of files.
 - tools/[runqlat](tools/runqlat.py): Run queue (scheduler) latency as a histogram. [Examples](tools/runqlat_example.txt).
 - tools/[runqlen](tools/runqlen.py): Run queue length as a histogram. [Examples](tools/runqlen_example.txt).
 - tools/[runqslower](tools/runqslower.py): Trace long process scheduling delays. [Examples](tools/runqslower_example.txt).
+- tools/[shmsnoop](tools/shmsnoop.py): Trace System V shared memory syscalls. [Examples](tools/shmsnoop_example.txt).
+- tools/[sofdsnoop](tools/sofdsnoop.py): Trace FDs passed through unix sockets. [Examples](tools/sofdsnoop_example.txt).
 - tools/[slabratetop](tools/slabratetop.py): Kernel SLAB/SLUB memory cache allocation rate top. [Examples](tools/slabratetop_example.txt).
 - tools/[softirqs](tools/softirqs.py): Measure soft IRQ (soft interrupt) event time. [Examples](tools/softirqs_example.txt).
 - tools/[solisten](tools/solisten.py): Trace TCP socket listen. [Examples](tools/solisten_example.txt).

diff --git a/man/man8/shmsnoop.8 b/man/man8/shmsnoop.8
@@ -0,0 +1,74 @@
+.TH shmsnoop 8 "2018-09-24" "USER COMMANDS"
+.SH NAME
+shmsnoop \- Trace System V shared memory syscalls. Uses Linux eBPF/bcc.
+.SH SYNOPSIS
+.B shmsnoop [\-h] [\-T] [\-p] [\-t] [\-d DURATION] [\-n NAME]
+.SH DESCRIPTION
+shmsnoop traces System V shared memory syscalls: shmget, shmat, shmdt, shmctl
+
+Since this uses BPF, only the root user can use this tool.
+.SH REQUIREMENTS
+CONFIG_BPF and bcc.
+.SH OPTIONS
+.TP
+\-h
+Print usage message.
+.TP
+\-T
+Include a timestamp column.
+.TP
+\-p PID
+Trace this process ID only (filtered in-kernel).
+.TP
+\-t TID
+Trace this thread ID only (filtered in-kernel).
+.TP
+\-d DURATION
+Total duration of trace in seconds.
+.TP
+\-n NAME
+Only print command lines matching this command name (regex)
+.SH EXAMPLES
+.TP
+Trace all shm* syscalls:
+#
+.B shmsnoop
+.TP
+Trace all shm* syscalls, and include timestamps:
+#
+.B shmsnoop \-T
+.TP
+Only trace shm* syscalls where the process contains "server":
+#
+.B shmsnoop \-n server
+.SH FIELDS
+.TP
+TIME(s)
+Time of shm syscall return, in seconds.
+.TP
+PID
+Process ID
+.TP
+COMM
+Parent process/command name.
+.TP
+RET
+Return value of shm syscall.
+.TP
+ARGS
+"arg: value" couples that represent given syscall arguments as described in their manpage
+.SH SOURCE
+This is from bcc.
+.IP
+https://github.com/iovisor/bcc
+.PP
+Also look in the bcc distribution for a companion _examples.txt file containing
+example usage, output, and commentary for this tool.
+.SH OS
+Linux
+.SH STABILITY
+Unstable - in development.
+.SH AUTHOR
+Jiri Olsa
+.SH SEE ALSO
+opensnoop(1)
diff --git a/man/man8/spfdsnoop.8 b/man/man8/spfdsnoop.8
@@ -0,0 +1,85 @@
+.TH sofdsnoop 8 "2018-11-08" "USER COMMANDS"
+.SH NAME
+sofdsnoop \- Trace FDs passed through unix sockets. Uses Linux eBPF/bcc.
+.SH SYNOPSIS
+.B sofdsnoop [-h] [-T] [-p PID] [-t TID] [-n NAME] [-d DURATION]
+.SH DESCRIPTION
+sofdsnoop traces FDs passed through unix sockets
+
+Every file descriptor that is passed via unix sockets os displayed
+on separate line together with process info (TID/COMM columns),
+ACTION details (SEND/RECV), file descriptor number (FD) and its
+translation to file if available (NAME).
+
+Since this uses BPF, only the root user can use this tool.
+.SH REQUIREMENTS
+CONFIG_BPF and bcc.
+.SH OPTIONS
+.TP
+\-h
+Print usage message.
+.TP
+\-T
+Include a timestamp column.
+.TP
+\-p PID
+Trace this process ID only (filtered in-kernel).
+.TP
+\-t TID
+Trace this thread ID only (filtered in-kernel).
+.TP
+\-d DURATION
+Total duration of trace in seconds.
+.TP
+\-n NAME
+Only print command lines matching this command name (regex)
+.SH EXAMPLES
+.TP
+Trace all sockets:
+#
+.B sofdsnoop
+.TP
+Trace all sockets, and include timestamps:
+#
+.B sofdsnoop \-T
+.TP
+Only trace sockets where the process contains "server":
+#
+.B sofdsnoop \-n server
+.SH FIELDS
+.TP
+TIME(s)
+Time of SEDN/RECV actions, in seconds.
+.TP
+ACTION
+Operation on the fd SEND/RECV.
+.TP
+TID
+Process TID
+.TP
+COMM
+Parent process/command name.
+.TP
+SOCKET
+The socket carrier.
+.TP
+FD
+file descriptor number
+.TP
+NAME
+file name for SEND lines
+.SH SOURCE
+This is from bcc.
+.IP
+https://github.com/iovisor/bcc
+.PP
+Also look in the bcc distribution for a companion _examples.txt file containing
+example usage, output, and commentary for this tool.
+.SH OS
+Linux
+.SH STABILITY
+Unstable - in development.
+.SH AUTHOR
+Jiri Olsa
+.SH SEE ALSO
+opensnoop(1)
diff --git a/snapcraft/snapcraft.yaml b/snapcraft/snapcraft.yaml
@@ -189,6 +189,12 @@ apps:
  perlstat:
  command: wrapper perlstat
  aliases: [perlstat]
+ shmsnoop:
+ command: wrapper shmsnoop
+ aliases: [shmsnoop]
+ sofdsnoop:
+ command: wrapper sofdsnoop
+ aliases: [sofdsnoop]
  phpcalls:
  command: wrapper phpcalls
  aliases: [phpcalls]

diff --git a/tests/python/test_tools_smoke.py b/tests/python/test_tools_smoke.py
@@ -262,6 +262,14 @@ def test_runqlat(self):
  def test_runqlen(self):
  self.run_with_duration("runqlen.py 1 1")
 
+ @skipUnless(kernel_version_ge(4,8), "requires kernel >= 4.8")
+ def test_shmsnoop(self):
+ self.run_with_int("shmsnoop.py")
+
+ @skipUnless(kernel_version_ge(4,8), "requires kernel >= 4.8")
+ def test_sofdsnoop(self):
+ self.run_with_int("sofdsnoop.py")
+
  def test_slabratetop(self):
  self.run_with_duration("slabratetop.py 1 1")