Does ftrace allow capture of system call arguments to the Linux kernel, or only function names?

2

6

The goal is to examine arguments passed to specific system calls (e.g. exec, open, etc.) by any process.

From the official documentation, no capability to log function arguments is described (looked mostly at the "function" tracer, as I don't need the graph).

I wanted to make sure I'm not overlooking something and wasting time using something more exotic if I could actually do this within the framework of ftrace.

Galatians answered 22/12, 2014 at 18:55 Comment(1)
If you're only looking for system calls from user space, plus their arguments, then you want the simple userland utility strace. - Cardiovascular
5

I have limited experience with ftrace, although I have used it for function stack traces and latency issues. (People with more experience can possibly suggest) It's pretty much the same experience using trace-cmd and kernelshark.

However, if you want to trace syscalls, function params, kernel APIs and return values etc. within the kernel space, a better choice would be to go with systemtap. It has an extensive list of Samples & Doc which is good for function call tracing, argument values passed etc. You may want to look at some samples and tailor them to your requirement. See general/para-callgraph-verbose.stp and process/sleeptime.stp

"

general/para-callgraph-verbose.stp - Callgraph Tracing with Verbose Arguments keywords: TRACE CALLGRAPH

Print a timed per-thread microsecond-timed callgraph, complete with pretty-printed function parameters and return values. The first parameter names the function probe points to trace. The optional second parameter names the probe points for trigger functions, which acts to enable tracing for only those functions that occur while the current thread is nested within the trigger.

stap para-callgraph-verbose.stp 'kernel.function("*@fs/proc*.c")' \
'kernel.function("vfs_read")' -c "cat /proc/sys/vm/* || true"

process/strace.stp - Trace system calls keywords: _BEST PROCESS SYSCALL

The script loosely emulates strace, when applied to individual processes or hierarchies (via -c/-x), or the entire system (without -c/-x). A few output configuration parameters may be set with -G.

stap strace.stp -c "sleep 1"

"

Note you will need to install the correct version of the debug kernel and kernel-devel rpms/deb for stap to work correctly. For this just use stap-prep and install the dependencies shown depending on the flavour you are on.

Hummingbird answered 23/12, 2014 at 9:59 Comment(3)
Tracing system calls is made simpler with: sourceware.org/systemtap/examples/#process/strace.stp - no kernel debug symbols required e.g. - Humblebee
@Humblebee thanks for the update. strace.stp was not available with my version of systemtap-examples. I will update the thread. - Hummingbird
(often samples included in later versions of stap do run fine on earlier ones.) - Humblebee
0

Give "STRACE" a shot. It monitors the interaction between userspace and kernel.

A sample output can be found here: http://www.thegeekstuff.com/2011/11/strace-examples/

Alternatively, since you are saying specific system calls, I am assuming you are interested in only a couple of them.

If you have to use FTRACE alone, you can add your own trace event in the relevant header files in include/trace/events/.h, using TRACE_EVENT macro and call this new trace function during the system call handler inside the kernel.

Of course, this requires some code modification, but should be easy enough to get you going quickly.

Mechanic answered 23/12, 2014 at 17:57 Comment(1)
Downvoted because strace looks at one specific process, while I'm looking for a tool that looks at all processes on the system. - Galatians
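
A custom TRACE_EVENT of the kind suggested in the answer above writes one line per call into the ftrace buffer for every process on the system. The following added example (not part of the original answer or of any project's code) parses that text output and picks out opens of watched paths. The event names my_sys_open and my_sys_exec, their filename/flags/mode fields and the sample lines are all constructed assumptions.

```python
import re

# Constructed sample in the text format of /sys/kernel/tracing/trace.
# my_sys_open / my_sys_exec and their fields are hypothetical custom events.
SAMPLE_TRACE = '''\
# tracer: nop
#           TASK-PID     CPU#  |||||  TIMESTAMP  FUNCTION
            bash-1201    [000] .....  5012.100001: my_sys_open: filename="/etc/hosts" flags=0x0 mode=00
       my-daemon-2044    [003] .....  5012.100450: my_sys_open: filename="/etc/shadow" flags=0x0 mode=00
             cat-2051    [001] .....  5012.200913: my_sys_open: filename="/tmp/a b.txt" flags=0x241 mode=0644
            sshd-977     [002] d..1.  5012.300000: my_sys_exec: filename="/bin/ls"
'''

# "comm-pid [cpu] irq/preempt-flags timestamp: event: body"; comm may contain '-'.
LINE_RE = re.compile(
    r'^\s*(?P<comm>.+)-(?P<pid>\d+)\s+\[(?P<cpu>\d+)\]\s+(?P<flags>\S+)\s+'
    r'(?P<ts>\d+\.\d+):\s+(?P<event>\w+):\s*(?P<body>.*)$')
# key=value pairs from the event's print format; a quoted value may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_trace(text):
    """Return one dict per event line; '#' header lines and junk are skipped."""
    events = []
    for line in text.splitlines():
        m = None if line.startswith('#') else LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev['pid'], ev['cpu'], ev['ts'] = int(ev['pid']), int(ev['cpu']), float(ev['ts'])
        # The syscall arguments live under 'args'; ev['flags'] is the irq/preempt column.
        ev['args'] = {k: v.strip('"') for k, v in FIELD_RE.findall(ev.pop('body'))}
        events.append(ev)
    return events


def opens_of(events, watched):
    """(comm, pid, filename) for each my_sys_open event whose path is in `watched`."""
    return [(e['comm'], e['pid'], e['args']['filename'])
            for e in events
            if e['event'] == 'my_sys_open' and e['args'].get('filename') in watched]


if __name__ == '__main__':
    for hit in opens_of(parse_trace(SAMPLE_TRACE), {'/etc/shadow'}):
        print(hit)
```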
