tools/trace.py: add process name filtering

porting from opensnoop Signed-off-by: tty5 <[email protected]>
yingtaojuzi · Dec 6, 2019 · 9ce7b7e · 9ce7b7e
1 parent e7ddcbc
commit 9ce7b7e
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 3 deletions.
diff --git a/man/man8/trace.8 b/man/man8/trace.8
@@ -58,6 +58,9 @@ Print CPU id.
 \-c CGROUP_PATH
 Trace only functions in processes under CGROUP_PATH hierarchy.
 .TP
+\-n NAME
+Only print process names containing this name.
+.TP
 \-B
 Treat argument of STRCMP helper as a binary value
 .TP

diff --git a/tools/trace.py b/tools/trace.py
@@ -58,7 +58,7 @@ def configure(cls, args):
  cls.build_id_enabled = args.sym_file_list is not None
 
  def __init__(self, probe, string_size, kernel_stack, user_stack,
- cgroup_map_name):
+ cgroup_map_name, name):
  self.usdt = None
  self.streq_functions = ""
  self.raw_probe = probe
@@ -73,7 +73,7 @@ def __init__(self, probe, string_size, kernel_stack, user_stack,
  self.probe_name = re.sub(r'[^A-Za-z0-9_]', '_',
  self.probe_name)
  self.cgroup_map_name = cgroup_map_name
-
+ self.name = name
  # compiler can generate proper codes for function
  # signatures with "syscall__" prefix
  if self.is_syscall_kprobe:
@@ -571,6 +571,8 @@ def print_event(self, bpf, cpu, data, size):
  # Cast as the generated structure type and display
  # according to the format string in the probe.
  event = ct.cast(data, ct.POINTER(self.python_struct)).contents
+ if self.name and bytes(self.name) not in event.comm:
+ return
  values = map(lambda i: getattr(event, "v%d" % i),
  range(0, len(self.values)))
  msg = self._format_message(bpf, event.tgid, values)
@@ -649,6 +651,8 @@ class Tool(object):
  Trace the open syscall and print a default trace message when entered
 trace 'do_sys_open "%s", arg2'
  Trace the open syscall and print the filename being opened
+trace 'do_sys_open "%s", arg2' -n main
+ Trace the open syscall and only print event that process names containing "main"
 trace 'sys_read (arg3 > 20000) "read %d bytes", arg3'
  Trace the read syscall and print a message for reads >20000 bytes
 trace 'r::do_sys_open "%llx", retval'
@@ -725,6 +729,8 @@ def __init__(self):
  parser.add_argument("-c", "--cgroup-path", type=str, \
  metavar="CGROUP_PATH", dest="cgroup_path", \
  help="cgroup path")
+ parser.add_argument("-n", "--name", type=str,
+ help="only print process names containing this name")
  parser.add_argument("-B", "--bin_cmp", action="store_true",
  help="allow to use STRCMP with binary values")
  parser.add_argument('-s', "--sym_file_list", type=str, \
@@ -762,7 +768,7 @@ def _create_probes(self):
  self.probes.append(Probe(
  probe_spec, self.args.string_size,
  self.args.kernel_stack, self.args.user_stack,
- self.cgroup_map_name))
+ self.cgroup_map_name, self.args.name))
 
  def _generate_program(self):
  self.program = """

diff --git a/tools/trace_example.txt b/tools/trace_example.txt
@@ -50,6 +50,17 @@ The individual reads are visible, with the custom format message printed for
 each read. The parenthesized expression "(arg3 > 20000)" is a filter that is
 evaluated for each invocation of the probe before printing anything.
 
+Process name filter is porting from tools/opensnoop
+
+# trace 'do_sys_open "%s", arg2' -UK -n out
+PID TID COMM FUNC -
+9557 9557 a.out do_sys_open temp.1
+ do_sys_open+0x1 [kernel]
+ do_syscall_64+0x5b [kernel]
+ entry_SYSCALL_64_after_hwframe+0x44 [kernel]
+ __open_nocancel+0x7 [libc-2.17.so]
+ __libc_start_main+0xf5 [libc-2.17.so]
+
 You can also trace user functions. For example, let's simulate the bashreadline
 script, which attaches to the readline function in bash and prints its return
 value, effectively snooping all bash shell input across the system:
@@ -288,6 +299,7 @@ optional arguments:
  number of events to print before quitting
  -t, --timestamp print timestamp column (offset from trace start)
  -T, --time print time column
+ -n NAME, --name NAME only print process names containing this name
  -C, --print_cpu print CPU id
  -B, --bin_cmp allow to use STRCMP with binary values
  -K, --kernel-stack output kernel stack trace
@@ -304,6 +316,8 @@ trace do_sys_open
  Trace the open syscall and print a default trace message when entered
 trace 'do_sys_open "%s", arg2'
  Trace the open syscall and print the filename being opened
+trace 'do_sys_open "%s", arg2' -n main
+ Trace the open syscall and only print event that process names containing "main"
 trace 'sys_read (arg3 > 20000) "read %d bytes", arg3'
  Trace the read syscall and print a message for reads >20000 bytes
 trace 'r::do_sys_open "%llx", retval'