Created
January 21, 2013 20:44
-
-
Save labeneator/4589177 to your computer and use it in GitHub Desktop.
Syscall tracing in osx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sh-3.2# date; syscallbypid.d; date | |
| Sun Jan 20 22:42:47 SAST 2013 | |
| Tracing... Hit Ctrl-C to end. | |
| ^C | |
| PID CMD SYSCALL COUNT | |
| 1 launchd fork 1 | |
| ... | |
| ... | |
| 61275 dtrace workq_kernreturn 82 | |
| 87 eTSrv stat64 86 | |
| 1632 PKIMonitor stat64 86 | |
| 13 opendirectoryd psynch_mutexdrop 87 | |
| 13 opendirectoryd psynch_mutexwait 87 | |
| 1621 Dropbox __sysctl 87 | |
| 51682 firefox stat64 87 | |
| 51682 firefox madvise 89 | |
| 61052 dtrace kevent 90 | |
| 61275 dtrace kevent 100 | |
| 1632 PKIMonitor lseek 104 | |
| 51682 firefox lseek 104 | |
| 61276 SfntMonD stat64 105 | |
| 61052 dtrace ioctl 117 | |
| 61275 dtrace ioctl 121 | |
| 87 eTSrv __semwait_signal 127 | |
| 13 opendirectoryd sendto_nocancel 130 | |
| 51682 firefox psynch_cvwait 131 | |
| 13 opendirectoryd read_nocancel 132 | |
| 13 opendirectoryd __sysctl 137 | |
| 1 launchd getuid 139 | |
| 52577 GoogleTalkPlugi psynch_cvwait 142 | |
| 64 mds workq_kernreturn 160 | |
| 64 mds kevent 165 | |
| 13 opendirectoryd workq_kernreturn 189 | |
| 13 opendirectoryd recvfrom_nocancel 198 | |
| 12 mDNSResponder recvfrom 202 | |
| 13 opendirectoryd close_nocancel 228 | |
| 12 mDNSResponder bind 232 | |
| 12 mDNSResponder socket 232 | |
| 12 mDNSResponder sendto 248 | |
| 51682 firefox mmap 258 | |
| 87 eTSrv close 278 | |
| 87 eTSrv read 278 | |
| 12 mDNSResponder recvmsg 284 | |
| 12 mDNSResponder close 296 | |
| 1616 Flux geteuid 312 | |
| 13 opendirectoryd kevent 343 | |
| 655 Terminal __semwait_signal 355 | |
| 87 eTSrv open 530 | |
| 87 eTSrv lseek 556 | |
| 1624 applet workq_kernreturn 788 | |
| 12 mDNSResponder fcntl 824 | |
| 1624 applet sigaltstack 1075 | |
| 1624 applet sigprocmask 1075 | |
| 1630 System Events sigaltstack 1075 | |
| 1630 System Events sigprocmask 1075 | |
| 1624 applet kevent 1128 | |
| 12 mDNSResponder kevent 1137 | |
| 12 mDNSResponder setsockopt 1276 | |
| 117 WindowServer sigaltstack 1310 | |
| 117 WindowServer sigprocmask 1310 | |
| Sun Jan 20 22:43:00 SAST 2013 | |
| # Total of 13 seconds. Looking for ~130 recvmesg or 130 sendmsg. | |
| # This looks suspicious | |
| 13 opendirectoryd sendto_nocancel 130 | |
| 51682 firefox psynch_cvwait 131 | |
| 13 opendirectoryd read_nocancel 132 | |
| # More dtruss | |
| sh-3.2# dtruss -p 13 -e -a -d | |
| PID/THRD RELATIVE ELAPSD CPU SYSCALL(args) = return | |
| 13/0x3c0f3: 39029 161 2 kevent(0xE, 0x0, 0x0) = 1 0 | |
| 13/0x3c0f3: 39034 6 2 recvfrom_nocancel(0xD, 0x105CBA150, 0x1C) = 28 0 | |
| 13/0x3c0f3: 39039 3 1 recvfrom_nocancel(0xD, 0x7F845304DF80, 0x3E) = 62 0 | |
| 13/0x3c0f3: 39044 6 3 select_nocancel(0xE, 0x105CBA180, 0x0) = 1 0 | |
| 13/0x3c0f3: 39047 4 2 kevent(0x7, 0x105CB9C50, 0x1) = 0 0 | |
| 13/0x3c0f3: 39050 3 1 recvfrom_nocancel(0xD, 0x105CBA150, 0x1C) = 28 0 | |
| 13/0x3c0f3: 39052 3 1 recvfrom_nocancel(0xD, 0x7F845304DF80, 0x3E) = 62 0 | |
| 13/0x3c0f3: 39054 3 1 select_nocancel(0xE, 0x105CBA180, 0x0) = 0 0 | |
| 13/0x3c0f3: 39055 2 0 kevent(0xE, 0x105CB9C50, 0x1) = 0 0 | |
| 13/0x3c0f3: 39059 5 2 psynch_mutexdrop(0x7FFF72990920, 0x4F1CC03, 0x4F1CB00) = 0 0 | |
| 13/0x3c0f3: 39063 4 1 kevent(0xE, 0x0, 0x0) = 1 0 | |
| 13/0x3c088: 89565 43 6 psynch_mutexwait(0x7FFF72990920, 0x4F1D003, 0x4F1CE00) = 82956291 0 | |
| 13/0x3c088: 89572 8 4 sendto_nocancel(0xD, 0x7F8453045250, 0x1C) = 28 0 | |
| 13/0x3c088: 89578 6 2 sendto_nocancel(0xD, 0x7F8453045250, 0x1C) = 28 0 | |
| 13/0x3c088: 89585 10 5 close_nocancel(0x7) = 0 0 | |
| 13/0x3c088: 89595 11 7 open_nocancel("/etc/hosts\0", 0x0, 0x1B6) = 7 0 | |
| 13/0x3c088: 89598 5 1 fstat64(0x7, 0x1058E6218, 0x1058E62DC) = 0 0 | |
| 13/0x3c088: 89602 6 2 read_nocancel(0x7, "##\n# Host Database\n#\n# localhost is used to configure the loopback interface\n# when the system is booting. Do not change this entry.\n##\n127.0.0.1\tlocalhost\n255.255.255.255\tbroadcasthost\n::1 localhost \nfe80::1%lo0\tlocalhost\n\0", 0x1000) = 236 0 | |
| 13/0x3c088: 89632 17 13 __sysctl(0x1058E72A0, 0x6, 0x0) = 0 0 | |
| 13/0x3c088: 89641 10 7 __sysctl(0x1058E72A0, 0x6, 0x7F8453803600) = 0 0 | |
| 13/0x3c088: 89648 5 1 read_nocancel(0x7, "\0", 0x1000) = 0 0 | |
| 13/0x3c088: 89654 8 4 close_nocancel(0x7) = 0 0 | |
| 13/0x3c088: 89663 11 7 open_nocancel("/etc/hosts\0", 0x0, 0x1B6) = 14 0 | |
| 13/0x3c088: 89666 5 1 psynch_mutexwait(0x7FFF727AC1E0, 0x6A4C403, 0x6A4C200) = 111461379 0 | |
| 13/0x3c088: 89667 4 0 psynch_mutexdrop(0x7FFF727AC1E0, 0x6A4C503, 0x6A4C400) = 0 0 | |
| 13/0x3c088: 89670 5 2 fstat64(0xE, 0x1058E6218, 0x1058E62DC) = 0 0 | |
| 13/0x3c0f3: 39370 507641 17 kevent(0x7, 0x0, 0x0) = 1 0 | |
| 13/0x3c0f3: 39383 18 7 kevent(0x7, 0x0, 0x0) = 1 0 | |
| 13/0x3c0f3: 39395 11 7 recvfrom_nocancel(0xD, 0x105CBA150, 0x1C) = 28 0 | |
| 13/0x3c0f3: 39403 7 3 recvfrom_nocancel(0xD, 0x7F845304DF80, 0x3E) = 62 0 | |
| 13/0x3c0f3: 39413 10 5 select_nocancel(0xE, 0x105CBA180, 0x0) = 1 0 | |
| 13/0x3c0f3: 39421 9 3 kevent(0x7, 0x105CB9C50, 0x1) = 0 0 | |
| 13/0x3c0f3: 39434 13 6 recvfrom_nocancel(0xD, 0x105CBA150, 0x1C) = 28 0 | |
| 13/0x3c0f3: 39440 8 3 recvfrom_nocancel(0xD, 0x7F845304DF80, 0x3E) = 62 0 | |
| 13/0x3c0f3: 39446 8 4 select_nocancel(0xE, 0x105CBA180, 0x0) = 0 0 | |
| 13/0x3c0f3: 39451 4 2 kevent(0xE, 0x105CB9C50, 0x1) = 0 0 | |
| 13/0x3c0f3: 39458 7 4 psynch_mutexdrop(0x7FFF72990920, 0x4F1D403, 0x4F1D300) = 0 0 | |
| 13/0x3c0f3: 39463 7 3 kevent(0x7, 0x0, 0x0) = 1 0 | |
| 13/0x3c088: 89680 21 8 read_nocancel(0xE, "##\n# Host Database\n#\n# localhost is used to configure the loopback interface\n# when the system is booting. Do not change this entry.\n##\n127.0.0.1\tlocalhost\n255.255.255.255\tbroadcasthost\n::1 localhost \nfe80::1%lo0\tlocalhost\n\0", 0x1000) = 236 0 | |
| # Some analysis yields 15 recvs and 18 sends in ~ 1.5 seconds. Looks like we are getting somewhere. | |
| $ grep 0x3c0f3 dns | grep recv | sort -k 2 |wc -l | |
| 15 | |
| $ grep 0x3c0f3 dns | grep recv | sort -k 2 | |
| 13/0x3c0f3: 39528 11 6 recvfrom_nocancel(0xD, 0x105CBA150, 0x1C) = 28 0 | |
| 13/0x3c0f3: 39535 6 3 recvfrom_nocancel(0xD, 0x7F845304DF80, 0x3E) = 62 0 | |
| 13/0x3c0f3: 39549 4 1 recvfrom_nocancel(0xD, 0x105CBA150, 0x1C) = 28 0 | |
| 13/0x3c0f3: 39552 4 1 recvfrom_nocancel(0xD, 0x7F845304DF80, 0x3E) = 62 0 | |
| 13/0x3c0f3: 39911 10 4 recvfrom_nocancel(0xF, 0x105CBA140, 0x4) = 4 0 | |
| 13/0x3c0f3: 40088 12 7 recvfrom_nocancel(0xD, 0x105CBA150, 0x1C) = 28 0 | |
| 13/0x3c0f3: 40095 7 3 recvfrom_nocancel(0xD, 0x7F8451683690, 0x3E) = 62 0 | |
| 13/0x3c0f3: 40113 5 2 recvfrom_nocancel(0xD, 0x105CBA150, 0x1C) = 28 0 | |
| 13/0x3c0f3: 40116 5 1 recvfrom_nocancel(0xD, 0x7F8451683690, 0x3E) = 62 0 | |
| 13/0x3c0f3: 40391 90 10 recvfrom_nocancel(0x7, 0x105CBA140, 0x4) = 4 0 | |
| 13/0x3c0f3: 40460 210 5 recvfrom_nocancel(0x7, 0x105CBA140, 0x4) = 4 0 | |
| 13/0x3c0f3: 40875 131 8 recvfrom_nocancel(0xF, 0x105CBA140, 0x4) = 4 0 | |
| 13/0x3c0f3: 40938 26 4 recvfrom_nocancel(0xF, 0x105CBA140, 0x4) = 4 0 | |
| 13/0x3c0f3: 40991 15 9 recvfrom_nocancel(0xD, 0x105CBA150, 0x1C) = 28 0 | |
| 13/0x3c0f3: 41000 8 3 recvfrom_nocancel(0xD, 0x7F8451683690, 0x3E) = 62 0 | |
| $ grep 0x3c0f3 dns | grep send | sort -k 2 | wc -l | |
| 18 | |
| $ grep 0x3c0f3 dns | grep send | sort -k 2 | |
| 13/0x3c0f3: 39589 17 11 sendto_nocancel(0xD, 0x7F8453045250, 0x1C) = 28 0 | |
| 13/0x3c0f3: 39597 9 4 sendto_nocancel(0xD, 0x7F8453045250, 0x1C) = 28 0 | |
| 13/0x3c0f3: 39895 13 8 sendto_nocancel(0xD, 0x7F84515772B0, 0x44) = 68 0 | |
| 13/0x3c0f3: 39902 10 6 sendmsg_nocancel(0xD, 0x105CBA0F0, 0x0) = 1 0 | |
| 13/0x3c0f3: 39966 7 4 sendto_nocancel(0xD, 0x7F84515772B0, 0x44) = 68 0 | |
| 13/0x3c0f3: 39969 6 2 sendmsg_nocancel(0xD, 0x105CBA0F0, 0x0) = 1 0 | |
| 13/0x3c0f3: 40160 18 12 sendto_nocancel(0xD, 0x7F8451697970, 0x1C) = 28 0 | |
| 13/0x3c0f3: 40168 7 3 sendto_nocancel(0xD, 0x7F8451697970, 0x1C) = 28 0 | |
| 13/0x3c0f3: 40373 7 4 sendto_nocancel(0xD, 0x7F8451646A10, 0x44) = 68 0 | |
| 13/0x3c0f3: 40379 8 4 sendmsg_nocancel(0xD, 0x105CBA0F0, 0x0) = 1 0 | |
| 13/0x3c0f3: 40448 7 4 sendto_nocancel(0xD, 0x7F8451646A10, 0x44) = 68 0 | |
| 13/0x3c0f3: 40452 6 3 sendmsg_nocancel(0xD, 0x105CBA0F0, 0x0) = 1 0 | |
| 13/0x3c0f3: 40623 20 13 sendto_nocancel(0xD, 0x7F8453045250, 0x1C) = 28 0 | |
| 13/0x3c0f3: 40631 10 4 sendto_nocancel(0xD, 0x7F8453045250, 0x1C) = 28 0 | |
| 13/0x3c0f3: 40858 10 5 sendto_nocancel(0xD, 0x7F84515777B0, 0x44) = 68 0 | |
| 13/0x3c0f3: 40865 10 5 sendmsg_nocancel(0xD, 0x105CBA0F0, 0x0) = 1 0 | |
| 13/0x3c0f3: 40928 7 4 sendto_nocancel(0xD, 0x7F8451646A10, 0x44) = 68 0 | |
| 13/0x3c0f3: 40931 5 2 sendmsg_nocancel(0xD, 0x105CBA0F0, 0x0) = 1 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment