The kdump command displays the kernel trace files produced with ktrace(1) in human readable format. By default, the file ktrace.out in the current directory is displayed.

The options are as follows:

-d
Display all numbers in decimal.

-E
Display elapsed timestamps (time since beginning of trace).

-f trfile
Display the specified file instead of ktrace.out.

-H
List the thread ID (tid) of the thread with each trace record, if available. If no thread ID is available, 0 will be printed.

-l
Loop reading the trace file, once the end-of-file is reached, waiting for more data.

-m maxdata
Display at most maxdata bytes when decoding I/O.

-n
Suppress ad hoc translations. Normally kdump tries to decode many system calls into a more human readable format. For example, ioctl(2) values are replaced with the macro name and errno values are replaced with the strerror(3) string. Suppressing this feature yields a more consistent output format and is easily amenable to further processing.

-p pid
Display only trace events that correspond to the process pid. This may be useful when there are multiple processes recorded in the same trace file.

-R
Display relative timestamps (time since previous entry).

-r
When decoding STRU records, display structure members such as UIDs, GIDs, dates etc. symbolically instead of numerically.

-s
Suppress display of I/O data.

-T
Display absolute timestamps for each entry (seconds since epoch).

The first field is the PID of the process being traced. The second field is the name of the program being traced. The third field is the operation that the kernel performed on behalf of the process. If thread IDs are being printed, then an additional thread ID column will be added to the output between the PID field and program name field.

In the first line above, the kernel executes the writev(2) system call on behalf of the process so this is a CALL operation. The fourth field shows the system call that was executed, including its arguments. The writev(2) system call takes a file descriptor, in this case 1, or standard output, then a pointer to the iovector to write, and the number of iovectors that are to be written. In the second line we see the operation was GIO for general I/O, and that file descriptor 1 had seven bytes written to it. This is followed by the seven bytes that were written, the string "ktrace" with a carriage return and line feed. The last line is the RET operation, showing a return from the kernel, what system call we are returning from, and the return value that the process received. Seven bytes were written by the writev(2) system call, so 7 is the return value.

The possible operations are:

Name    Operation             Fourth field
CALL    enter syscall         syscall name and arguments
RET     return from syscall   syscall name and return value
NAMI    file name lookup      path to file
GENIO   general I/O           fd, read/write, number of bytes
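
The field layout described above is regular enough to post-process, as the -n option suggests. The following is an added example, not part of the original manual page or of kdump itself: it parses trace records, pairs each CALL with its RET, and collects NAMI paths per process. The sample lines are constructed from the field description, and the "-1 errno 13" return form is an assumption about untranslated output.

```python
import re
from collections import defaultdict

# Constructed sample (not captured from a real trace) in the layout described
# above: PID, optional thread ID (-H), program name, operation, fourth field.
SAMPLE = """\
 48000 kdump    CALL  writev(0x1,0x804b030,0x2)
 48000 kdump    GIO   fd 1 wrote 7 bytes
       "ktrace
       "
 48000 kdump    RET   writev 7
 48001 sh       CALL  open(0x80a1000,0x0,0x0)
 48001 sh       NAMI  "/etc/example.conf"
 48001 sh       RET   open -1 errno 13
"""
SAMPLE_H = ' 48002 100123 cat      NAMI  "/etc/motd"\n'  # constructed, -H layout

RECORD = re.compile(r"^\s*(\d+)(?:\s+(\d+))?\s+(\S+)\s+([A-Z]+)\s+(.*)$")

def parse(text):
    """Yield (pid, tid, program, operation, fourth_field) per trace record."""
    for line in text.splitlines():
        m = RECORD.match(line)
        if m is None:
            continue  # continuation line: I/O data dumped after a GIO record
        pid, tid, prog, op, rest = m.groups()
        yield int(pid), int(tid or 0), prog, op, rest

def summarize(text):
    """Pair each CALL with its RET per (pid, tid) and collect NAMI paths."""
    pending, calls, paths = {}, [], defaultdict(list)
    for pid, tid, prog, op, rest in parse(text):
        if op == "CALL":
            pending[(pid, tid)] = rest
        elif op == "NAMI":
            paths[pid].append(rest.strip('"'))
        elif op == "RET":
            name, _, value = rest.partition(" ")
            call = pending.pop((pid, tid), name)  # RET without a seen CALL
            # Last element flags a failed call (return value -1).
            calls.append((pid, prog, call, value, value.startswith("-1")))
    return calls, dict(paths)

if __name__ == "__main__":
    for record in summarize(SAMPLE)[0]:
        print(record)
```

Passing -s to kdump removes the I/O data lines that the parser otherwise has to skip.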