DTrace

 

DTrace is a dynamic tracing facility that lets you observe code while it runs. Its instrumentation lives in the kernel and stays switched off until you ask for it, so an untraced system pays essentially nothing for it; when you enable a probe, the kernel starts reporting what happens at that point in the code. A probe is tied to a particular point in a particular function of a particular kernel module, most often the moment the function is entered or the moment it returns, although some providers also mark higher-level events such as the start and completion of an I/O request. When a probe fires, DTrace can record timing (a high-resolution timestamp, and therefore the elapsed time between an entry and its matching return), the arguments and return value of the function, the name of the process whose thread triggered the probe, the uid and gid of that process, and many other things.

 

Each such instrumentation point, identified by where it sits in the code and which event it marks, is called a probe.

 

DTrace identifies each probe with a four-tuple: four parts, written in order and separated by colons, which are the provider, the module, the function and the name. DTrace can monitor many kinds of activity, and these are grouped into “providers” by the kind of information their probes report. The grouping is a design choice rather than something inherent in the kernel (reasonable, but if you divided the same probes up yourself you might draw the lines a little differently than Sun did). Grouping probes into providers lets you refer to a whole class of activity with one short name: instead of asking for input/output probes in the sd kernel module, the st kernel module and every other driver that performs I/O, you ask for the io provider and let DTrace include whichever modules are involved. The flip side is that a provider's name is not always guessable from the activity it covers. Kernel lock acquisition and contention, for example, belong to the lockstat provider, and function entry and return to the fbt (function boundary tracing) provider, so the documentation is the place to look up which provider covers what.

 

The “module” is the kernel module containing the code being monitored; the loaded modules are listed in the output of the command “modinfo.” The “function” is the C function within that module (or in another module reached from it) that the probe is attached to. A function is a named block of statements in a C program that performs a particular task. For example, the sd (SCSI disk) driver module contains a function called sdopen, which runs when a process opens a disk device, and a function called sdclose, which runs when the device is closed.

 

The “name” identifies the event within the function that the probe marks. The most common names are “entry,” which fires when the function is called, just before its first statement runs, and “return,” which fires as the function hands control back to its caller; the fbt provider offers both for nearly every function in the kernel, and the syscall provider uses the same pair for system calls. Other providers use names that describe their own events rather than a function boundary: the io provider, for instance, has “start” and “done” for the beginning and completion of an I/O request. Whatever the name, the probe fires at that point and makes the function's arguments, its return value and other state visible to your script.
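To make the four-tuple concrete, here is a D script, added for this page rather than taken from it, that enables the sdopen probes above by their full provider:module:function:name and, beside them, one provider-wide io probe. It assumes a Solaris or illumos system with the fbt and io providers and the sd driver loaded, and it must be run as root; the file name sd_trace.d is an assumption.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example for this page, not code from the original.  Assumes a
 * Solaris/illumos kernel with the fbt and io providers and the sd driver
 * loaded; run as root with:  dtrace -s sd_trace.d   (file name assumed).
 */

#pragma D option quiet

/*
 * provider fbt, module sd, function sdopen, name entry: fires when the
 * kernel enters sdopen, i.e. when a process opens a disk device.
 */
fbt:sd:sdopen:entry
{
    self->t_open = timestamp;             /* nanoseconds since boot */
    printf("%-6d %-6d %-16s sdopen entry\n", uid, gid, execname);
}

/*
 * Same function, name "return": fires as sdopen hands control back to its
 * caller.  For fbt return probes arg1 is the function's return value.
 * The predicate restricts this clause to threads we saw enter sdopen.
 */
fbt:sd:sdopen:return
/self->t_open/
{
    printf("%-6d %-6d %-16s sdopen return rc=%d after %d ns\n",
           uid, gid, execname, arg1, timestamp - self->t_open);
    self->t_open = 0;                     /* release the thread-local */
}

/*
 * Provider-level match: io:::start fires for every I/O request started,
 * whichever driver module (sd, st, ...) does the work.  args[0] is the
 * bufinfo_t and args[1] the devinfo_t that DTrace attaches to io probes.
 */
io:::start
{
    @bytes[execname, args[1]->dev_statname] = sum(args[0]->b_bcount);
}

/* END fires once when the script is stopped with Ctrl-C. */
END
{
    printf("\nI/O bytes requested, by process and device:\n");
    printa("%-16s %-12s %@d\n", @bytes);
}
```

Before running it, confirm the fbt probes exist on your kernel with dtrace -l -n fbt:sd:sdopen:entry; if the listing is empty, the sd driver is not loaded or is named differently on your system, and dtrace will refuse to enable the script because the description matches no probes. The two fbt clauses show the entry/return pair on one named function; the io clause shows why providers exist, since it never has to say which driver module issued the request.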

 

A probe exists only where its provider has instrumented the code: fbt creates probes for almost every kernel function automatically, while other providers expose only the events their authors chose to publish. There is no way to deduce from the source alone which probes your kernel offers, so list them with the command dtrace -l. The list runs to many thousands of entries, so narrow it with the filter options -P for provider, -m for module, -f for function and -n for name; “dtrace -l -m sd” lists every probe in the sd module, and “dtrace -l -n entry” every probe named entry.

 
