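/*
 * Copyright (C) 2006 Daniel Berrange, Red Hat Inc.
 *
 * This copyrighted material is made available to anyone wishing to use,
 * modify, copy, or redistribute it subject to the terms and conditions
 * of the GNU General Public License v.2.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software Foundation,
 * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 *
 */

# System-wide process activity trace.  One text record per event:
#
#   <ms> <pid> (<exe>) fork <child-pid-or-error>
#   <ms> <pid> (<exe>) exec <path>
#   <ms> <pid> (<exe>) access <path> fail
#   <ms> <pid> (<exe>) access <path> read: <n> write: <n>
#   <ms> <pid> (<exe>) exit user: <n> sys: <n>
#
# <ms> is milliseconds since the script started.
#
# NOTE(review): <exe> and <path> come from the traced processes and are
# printed unescaped.  A path containing spaces or newlines can split or
# forge records, so anything consuming this output for audit or detection
# should treat those fields as untrusted.
#
# The embedded-C functions below mean the script has to be run in guru
# mode (stap -g).

# Wall-clock time (ms) at which the script started; set in "probe begin".
global start

# CPU time charged to the current task in user mode: the task's own utime
# plus the utime accumulated in its signal struct.  The value is returned
# in whatever unit the kernel stores in those fields; no conversion is
# done here.
# NOTE(review): THIS->__retvalue is the embedded-C spelling of the era this
# was written in; confirm it (and these task_struct fields) against the
# SystemTap and kernel versions actually in use.
function get_usertime:long() %{
    THIS->__retvalue = current->utime + current->signal->utime;
%}

# Same as get_usertime(), for time spent in kernel mode (stime).
function get_systime:long() %{
    THIS->__retvalue = current->stime + current->signal->stime;
%}

# Milliseconds elapsed since the script started.
function timestamp:long() {
    return gettimeofday_ms() - start
}

# "<pid> (<execname>)" label for the process that triggered the probe.
function proc:string() {
    return sprintf("%d (%s)", pid(), execname())
}

probe begin {
    start = gettimeofday_ms()
}

# $return is printed as-is: the child's pid in the parent, or the negative
# error value if the fork failed.
probe syscall.fork.return {
    printf("%d %s fork %d\n", timestamp(), proc(), $return)
}

probe syscall.execve {
    printf("%d %s exec %s\n", timestamp(), proc(), kernel_string($filename))
}

# filenames:   path passed to an open() that is still in flight, per thread
# filehandles: path behind each open descriptor, keyed by (pid, fd)
# fileread /
# filewrite:   byte counts requested on each tracked descriptor
global filenames
global filehandles
global fileread
global filewrite

# Remember the path until the matching return probe fires.  Keyed by tid()
# rather than pid(): threads of one process share a pid, so two threads
# inside open() at the same time would otherwise overwrite each other's
# path.
# NOTE(review): the path is read from user memory at syscall entry; the
# process can change that buffer before the kernel copies it, so the logged
# path is what was requested, not necessarily what was opened.
probe syscall.open {
    filenames[tid()] = user_string($filename)
}

probe syscall.open.return {
    # A failed open returns a negative errno (-ENOENT, -EACCES, ...), not
    # just -1, so any negative value is a failure.  Comparing against -1
    # alone logged most failures as successful opens of a negative "fd".
    if ($return >= 0) {
        filehandles[pid(), $return] = filenames[tid()]
        fileread[pid(), $return] = 0
        filewrite[pid(), $return] = 0
    } else {
        printf("%d %s access %s fail\n", timestamp(), proc(), filenames[tid()])
    }
    # delete rather than assign "" so the slot is actually released and the
    # map cannot fill up on a long trace.
    delete filenames[tid()]
}

# Only descriptors that were seen being opened are counted.  Counts for
# anything else (sockets, pipes, inherited descriptors) were never reported
# and would only accumulate map entries.
# NOTE(review): $count is the size the caller asked for, not the number of
# bytes actually transferred, so the totals are an upper bound.
probe syscall.read {
    if ($count > 0 && ([pid(), $fd] in filehandles)) {
        fileread[pid(), $fd] += $count
    }
}

probe syscall.write {
    if ($count > 0 && ([pid(), $fd] in filehandles)) {
        filewrite[pid(), $fd] += $count
    }
}

# Report the totals for a tracked descriptor, then drop its state so a
# reused fd number starts clean.
# NOTE(review): descriptors still open when a process exits are never
# reported and their entries stay in the maps.
probe syscall.close {
    if ([pid(), $fd] in filehandles) {
        printf("%d %s access %s read: %d write: %d\n", timestamp(), proc(),
               filehandles[pid(), $fd], fileread[pid(), $fd], filewrite[pid(), $fd])
    }
    delete fileread[pid(), $fd]
    delete filewrite[pid(), $fd]
    delete filehandles[pid(), $fd]
}

probe syscall.exit {
    printf("%d %s exit user: %d sys: %d\n", timestamp(), proc(),
           get_usertime(), get_systime())
}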