Full tracing of gethostbyXXX calls.
By user12625760 on Jul 07, 2008
The gethostbyname.d “one liner” is now no longer anywhere near a one liner as to not be funny. It does however do all the things you would want it to do. Printing the entire hostent1 structure on success and all the h_error values on failure.
: enoexec.eu FSS 257 $; pfexec /usr/sbin/dtrace -32 -CZs gethostbyXXXX.d -c getent hosts www.ibm.com 126.96.36.199 www.ibm.com www.ibm.com.cs186.net Look up: www.ibm.com: took 3276803us Host: www.ibm.com h_alias: www.ibm.com.cs186.net h_address: 188.8.131.52 : enoexec.eu FSS 258 $; pfexec /usr/sbin/dtrace -32 -CZs gethostbyXXXX.d -c getent hosts this.host.does.not.exist.sun.com Look up: this.host.does.not.exist.sun.com: took 31789us gethostbyname_r failed. h_errno: 1: Host not found : enoexec.eu FSS 259 $; pfexec /usr/sbin/dtrace -32 -CZs gethostbyXXXX.d -c getent hosts 127.0.0.1 127.0.0.1 localhost Look up: 127.0.0.1 took 247882us: Host: localhost h_address: 127.0.0.1 : enoexec.eu FSS 260 $;
I learned some useful things while writing this:
Writing userland scripts is much harder than kernel scripts. If your script has “#include <xxxx.h> in it then you are entering a world of hurt. Specifically make sure you set the data model of dtrace to match that of the application you are scripting.
The various copyin() routines write into scratch memory. Scratch memory is only good during the current clause so if you want to move the data from clause to clause you need to store it. Thanks again to Jon for pointing this out.
How cool would “follow fork” be for dtrace? Very.
It would be really nice to bundle this script up as “getXXXbyYYY.d and include all the other getXXXbyYYY routines that there are (getpwbyname, getpwbyuid etc etc) however even this script is on the edge of producing DIF that is to large for the standard settings so having more probes would make it unworkable. Anyway they make a good exercise for the reader.
The script is here: gethostbyXXXX.d
1Well only the first 10 host name aliases and the first 10 IP addresses are printed. Adding more is trivial but you will need to up the size of the DIF that the kernel is prepared to accept.