DTrace: predicates

You don’t have conditional statements like if..then..else in DTrace, instead of them predicates are used.

Predicates are slash (/) wrapped conditions which are put right after the lines of probe definitions, defining whether DTrace should or should not executre the code of such probes.

Here’s an example. The following script will print the list of all system calls, excluding write, for all the processes currently running on our system. Since DTrace tracks events on a thread-level, you can see in this example that some PIDs are the same. This is because these lines were printed by probes fired for different threads of the same process:

[Read more…]

DTrace: pid provider

Quite ofter we’d like to know what happens to a particular process on a system, and if we’re using DTrace for our investigation, we’d probably use the $target variable (I’ve already spoken about it in the past) or simply specify the process identifier (pid) in some predicates of our probes, thus pointing to DTrace that we’re after only a certain process. $target variable still can and should be used when creating our probes with pid provider.

For DTrace beginners it’s quite a common and good practice. But there is a better way: using the pid provider.

pid provider in DTrace

As it’s explained in the official DTrace guide, pid provider isn’t just a provider, but in fact is a whole class of providers. And, as the name suggests, it provides us with probes related to a certain process.

[Read more…]