dtrace

the code dtrace -n 'syscall::read:entry /execname != "dtrace"/ { @reads[execname, fds[arg0].fi_pathname] = count(); }' dtrace: description 'syscall::read:entry ' matched 1 probe ^C bash /proc/1709/psinfo 1 loader /zp/space/f2 1 nscd /etc/user_attr 1 bash /export/home/mauroj/.bash_history 2 loader /zp/space/f3 2 nscd /etc/group 2 su /etc/default/su 8 su /devices/pseudo/sy@0:tty 9 bash /dev/pts/5 66 Xorg /devices/pseudo/conskbd@0:kbd 152 gnome-terminal /devices/pseudo/clone@0:ptm 254 the dtrace code fds[arg0].fi_pathname how to see the dtrace call arguments what's mean,i try to use trace -lv

I wanted to use DTrace to see "what syscalls are made by my shell script". I made a very simple shell script, shell.sh , and gave it execute privileges: #!/bin/bash grep 1 <<< 123 I cd 'd into its directory, and ran this simple DTrace script: sudo dtrace -n 'syscall:::entry /pid == $target/ { @[probefunc] = count(); }' -c ./trace-me.sh I get this error output: dtrace: failed to execute ./trace-me.sh: unknown error What happened here? I've run csrutil enable --without dtrace . The DTrace script runs fine if I remove the -c arg (and replace $target with a pid). Is this just another Mac gotcha? I

I'm trying to use dtrace through libdtrace (on Snow Leopard; 10.6.4). I want to catch the printed output of my dtrace script within my own program. One way to do so would be to have the output go to a temporary file and read it from there. However, libdtrace supports a callback function to catch the output directly which I'd prefer. I assumed the callback would just pass me formatted strings that I could consume, but this does not seem to be the case. For example, in the below test program, I'd expect the printout to be "process pid = 86138". However, it always prints out "process pid = 1"

I was trying to see which syscall ps uses to get the command line of a process on OS X 10.11 (El Capitan), and ran into the following error: # dtruss ps -p 43520 -o args dtrace: failed to execute ps: dtrace cannot control executables signed with restricted entitlements Googling resulted in the suggestion that making a copy of ps would allow me to bypass this, but that didn't work for me. Why can't I run dtruss on arbitrary binaries anymore, and is there any way for me to restore the old behavior? The issue has to do with the code signature. If you make a copy and then re-sign it with your own

On Mac OS X, I can find the HotSpot probes of running Java programs by running: cody.mello@ashur ~ (1) % sudo dtrace -ln 'hotspot*:::' Password: Invalid connection: com.apple.coresymbolicationd ID PROVIDER MODULE FUNCTION NAME 165084 hotspot46 libjvm.dylib _ZN13instanceKlass15initialize_implE19instanceKlassHandleP6Thread [instanceKlass::initialize_impl(instanceKlassHandle, Thread*)] class-initialization-clinit 165085 hotspot46 libjvm.dylib _ZN13instanceKlass15initialize_implE19instanceKlassHandleP6Thread [instanceKlass::initialize_impl(instanceKlassHandle, Thread*)] class-initialization