opensnoop: -d option for duration

702de38d · Paul Chaignon · 44463d53 · 702de38d · 702de38d · 702de38d
Commit 702de38d authored Jan 28, 2018 by Paul Chaignon
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 4 deletions

man/man8/opensnoop.8 man/man8/opensnoop.8 +8 -1

tools/opensnoop.py tools/opensnoop.py +9 -2

tools/opensnoop_example.txt tools/opensnoop_example.txt +16 -1

No files found.
--- a/man/man8/opensnoop.8
+++ b/man/man8/opensnoop.8
@@ -2,7 +2,7 @@
 .SH NAME
 opensnoop \- Trace open() syscalls. Uses Linux eBPF/bcc.
 .SH SYNOPSIS
-.B opensnoop [\-h] [\-T] [\-x] [\-p PID] [\-t TID] [\-n name]
+.B opensnoop [\-h] [\-T] [\-x] [\-p PID] [\-t TID] [\-d DURATION] [\-n name]
 .SH DESCRIPTION
 opensnoop traces the open() syscall, showing which processes are attempting
 to open which files. This can be useful for determining the location of config
@@ -36,6 +36,9 @@ Trace this process ID only (filtered in-kernel).
 \-t TID
 Trace this thread ID only (filtered in-kernel).
 .TP
+\-d DURATION
+Total duration of trace in seconds.
+.TP
 \-n name
 Only print processes where its name partially matches 'name'
 .SH EXAMPLES
@@ -44,6 +47,10 @@ Trace all open() syscalls:
 #
 .B opensnoop
 .TP
+Trace all open() syscalls, for 10 seconds only:
+#
+.B opensnoop -d 10
+.TP
 Trace all open() syscalls, and include timestamps:
 #
 .B opensnoop \-T

--- a/tools/opensnoop.py
+++ b/tools/opensnoop.py
@@ -4,7 +4,7 @@
 # opensnoop Trace open() syscalls.
 #           For Linux, uses BCC, eBPF. Embedded C.
 #
-# USAGE: opensnoop [-h] [-T] [-x] [-p PID] [-t TID] [-n NAME]
+# USAGE: opensnoop [-h] [-T] [-x] [-p PID] [-d DURATION] [-t TID] [-n NAME]
 #
 # Copyright (c) 2015 Brendan Gregg.
 # Licensed under the Apache License, Version 2.0 (the "License")
@@ -17,6 +17,7 @@ from __future__ import print_function
 from bcc import BPF
 import argparse
 import ctypes as ct
+from datetime import datetime, timedelta

 # arguments
 examples = """examples:
@@ -25,6 +26,7 @@ examples = """examples:
    ./opensnoop -x        # only show failed opens
    ./opensnoop -p 181    # only trace PID 181
    ./opensnoop -t 123    # only trace TID 123
+    ./opensnoop -d 10     # trace for 10 seconds only
    ./opensnoop -n main   # only print process names containing "main"
 """
 parser = argparse.ArgumentParser(
@@ -39,10 +41,14 @@ parser.add_argument("-p", "--pid",
    help="trace this PID only")
 parser.add_argument("-t", "--tid",
    help="trace this TID only")
+parser.add_argument("-d", "--duration",
+    help="total duration of trace in seconds")
 parser.add_argument("-n", "--name",
    help="only print process names containing this name")
 args = parser.parse_args()
 debug = 0
+if args.duration:
+    args.duration = timedelta(seconds=int(args.duration))

 # define BPF program
 bpf_text = """
@@ -179,5 +185,6 @@ def print_event(cpu, data, size):

 # loop with callback to print_event
 b["events"].open_perf_buffer(print_event, page_cnt=64)
-while 1:
+start_time = datetime.now()
+while not args.duration or datetime.now() - start_time < args.duration:
    b.kprobe_poll()
--- a/tools/opensnoop_example.txt
+++ b/tools/opensnoop_example.txt
@@ -89,6 +89,18 @@ The ERR column is the system error number. Error number 2 is ENOENT: no such
 file or directory.


+A maximum tracing duration can be set with the -d option. For example, to trace
+for 2 seconds:
+
+# ./opensnoop -d 2
+PID    COMM               FD ERR PATH
+2191   indicator-multi    11   0 /sys/block
+2191   indicator-multi    11   0 /sys/block
+2191   indicator-multi    11   0 /sys/block
+2191   indicator-multi    11   0 /sys/block
+2191   indicator-multi    11   0 /sys/block
+
+
 The -n option can be used to filter on process name using partial matches:

 # ./opensnoop -n ed
@@ -123,7 +135,7 @@ to the '-n' option.
 USAGE message:

 # ./opensnoop -h
-usage: opensnoop [-h] [-T] [-x] [-p PID] [-t TID] [-n NAME]
+usage: opensnoop [-h] [-T] [-x] [-p PID] [-t TID] [-d DURATION] [-n NAME]

 Trace open() syscalls

@@ -133,6 +145,8 @@ optional arguments:
  -x, --failed          only show failed opens
  -p PID, --pid PID     trace this PID only
  -t TID, --tid TID     trace this TID only
+  -d DURATION, --duration DURATION
+                        total duration of trace in seconds
  -n NAME, --name NAME  only print process names containing this name

 examples:
@@ -141,4 +155,5 @@ examples:
    ./opensnoop -x        # only show failed opens
    ./opensnoop -p 181    # only trace PID 181
    ./opensnoop -t 123    # only trace TID 123
+    ./opensnoop -d 10     # trace for 10 seconds only
    ./opensnoop -n main   # only print process names containing "main"