Welcome to the Matrix

Benoit Jacquemont
March 29, 2018

Better understanding a process's behaviour by sniffing its interactions with the kernel and other libraries.

Transcript

  1. Benoit Jacquemont
    @bjacquemont

  2. Our nice little program

  16. Not convinced?
    echo file_get_contents('/dev/zero');

  20. Your programs never have direct access to the "real world".

  23. strace
    The syscalls sniffer
    Attaching to an already running process:
    $ strace -p <pid>
    Running a program directly:
    $ strace <command>

  24. Stracing "Hello World"
    hello_world.php:
    echo "Hello World\n";
    $ strace php hello_world.php

  25. About file descriptors
    File handle identifier:
    0: Standard Input
    1: Standard Output
    2: Error Output
    >= 3: Any other file/stream

  26. Filtering strace output
    Unix style:
    $ strace 2>&1 | grep -e "read\|open" | cut ...
    Built-in filters:
    $ strace -e "read,open"
    Mix:
    $ strace -e "read,open" 2>&1 | cut ...
    Dump to a file for later analysis:
    $ strace -e "read,open" -o strace.out

  27. Let's get real!

  28. Where are the #!?$ PHP config files?
    $ strace -e open php -i > /dev/null
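Picking up the two previous slides (filtering strace output, and hunting for the PHP config files), here is an added example that is not part of the talk: a small POSIX shell script that triages a dump written with `strace -o`, separating the files the process really opened from the ones it only probed. The lines in SAMPLE_TRACE are constructed to look like strace output and are not a real capture; the paths and the pid are invented. It assumes the dump was taken with `-e trace=open,openat`, because on current glibc `open()` is issued as the `openat()` syscall and a filter on `open` alone misses most files.

```shell
#!/bin/sh
# Added example, not from the talk: triage a saved strace dump to answer
# "which config files did php actually open, and which did it only look for?"
# Assumes a dump produced with something like
#   strace -f -e trace=open,openat -o strace.out php -i > /dev/null
# SAMPLE_TRACE is constructed to resemble strace output; it is not a real capture.

SAMPLE_TRACE=$(cat <<'EOF'
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3", 832) = 832
close(3) = 0
openat(AT_FDCWD, "/usr/local/etc/php.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/php/7.2/cli/php.ini", O_RDONLY) = 3
4242  openat(AT_FDCWD, "/etc/php/7.2/cli/conf.d/10-opcache.ini", O_RDONLY) = 4
4242  openat(AT_FDCWD, "/etc/php/7.2/cli/conf.d/20-json.ini", O_RDONLY) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/tmp/cache.dat", O_RDONLY) = -1 ENOENT (No such file or directory)
+++ exited with 0 +++
EOF
)

# Paths of every open()/openat() that succeeded (returned a descriptor).
# Tolerates the "pid  " prefix that -f adds and the "<seconds>" suffix that -T adds.
opened_files() {
    awk -F'"' '/(^|[ \t])open(at)?\(/ && /\) = [0-9]+( <[0-9.]+>)?$/ { print $2 }'
}

# errno and path of every open()/openat() that failed.
# ") = -1 " is 7 characters, so the errno name starts at RSTART + 7.
failed_opens() {
    awk -F'"' '/(^|[ \t])open(at)?\(/ && match($0, /\) = -1 E[A-Z0-9]+/) {
        err = substr($0, RSTART + 7, RLENGTH - 7)
        print err, $2
    }'
}

# Stand-alone demo on the constructed sample. On a real dump:
#   opened_files < strace.out ; failed_opens < strace.out
echo "== files actually opened =="
printf '%s\n' "$SAMPLE_TRACE" | opened_files
echo "== files the process looked for but did not get =="
printf '%s\n' "$SAMPLE_TRACE" | failed_opens
```

A path that shows up only under failed_opens with ENOENT is a location the program searched in and did not find, which is exactly how you learn where it expects its php.ini. An EACCES on a config file is the one to look at when a setting seems to be silently ignored: the file exists, but the process that runs the code cannot read it.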

  29. Why is my homepage so slow?

  30. File descriptors (again)
    list open files (lsof) is your friend!
    $ lsof -p <pid>

  31. What is my process doing?

  32. Why is this file not processed?

  33. I'm processing a huge file; where is my process at?

  34. Sniffing syscalls gives us a better understanding of a process's behaviour

  38. ltrace
    The library calls sniffer
    Attaching to an already running process:
    $ ltrace -p <pid>
    Running a program directly:
    $ ltrace <command>

  39. My webservice call seems to get a strange response...

  40. Does my program use the right DB parameters?
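For the "right DB parameters" question, an added example that is not from the talk: a POSIX shell script working on an ltrace dump saved with `-o` (and a generous `-s` so the string arguments are not truncated). The lines in SAMPLE_LTRACE are constructed to resemble ltrace output for the MySQL and libpq client libraries; hosts, users, passwords and addresses are invented. It extracts the connection parameters the program actually handed to the library, and also shows the caveat that comes with this technique: the password travels in clear text in the library call, so the dump is redacted before it is kept or attached to a ticket.

```shell
#!/bin/sh
# Added example, not from the talk: check the DB connection parameters a program
# passes to its client library, from a saved ltrace dump, and redact the password
# before the dump is stored or shared. Assumes a dump produced with something like
#   ltrace -s 200 -o ltrace.out ./app
# SAMPLE_LTRACE is constructed to resemble ltrace output; it is not a real capture.

SAMPLE_LTRACE=$(cat <<'EOF'
mysql_init(0) = 0x5601a3c2f2a0
mysql_real_connect(0x5601a3c2f2a0, "db.internal.example", "app_user", "Tr0ub4dor&3", "shop", 3306, nil, 0) = 0x5601a3c2f2a0
mysql_query(0x5601a3c2f2a0, "SELECT 1") = 0
PQconnectdb("host=reporting.internal.example user=report password=hunter2 dbname=stats") = 0x5601a3c30100
+++ exited (status 0) +++
EOF
)

# Every traced call to the library function named in $1, arguments included.
# Tolerates the "pid " prefix that ltrace -f adds.
calls_to() {
    grep -E "(^|[[:space:]])$1\("
}

# host and user given to mysql_real_connect (its 2nd and 3rd arguments);
# splitting on the double quote puts them in fields 2 and 4.
mysql_connect_params() {
    calls_to mysql_real_connect | awk -F'"' '{ print "host=" $2 " user=" $4 }'
}

# Blank out the mysql_real_connect password (4th argument) and any libpq-style
# "password=..." key in a connection string, leaving the rest of the dump intact.
redact_db_secrets() {
    sed -e 's/\(mysql_real_connect([^,]*, "[^"]*", "[^"]*", \)"[^"]*"/\1"[REDACTED]"/' \
        -e 's/password=[^ "]*/password=[REDACTED]/g'
}

# Stand-alone demo on the constructed sample. On a real dump:
#   mysql_connect_params < ltrace.out ; redact_db_secrets < ltrace.out > ltrace.shareable
echo "== parameters really used =="
printf '%s\n' "$SAMPLE_LTRACE" | mysql_connect_params
echo "== dump after redaction =="
printf '%s\n' "$SAMPLE_LTRACE" | redact_db_secrets
```

The same approach answers the "strange webservice response" question from the previous slide: pick the function your HTTP client library calls, pass its name to calls_to, and compare the URL and headers the program really sent with what you thought it sends. Treat any trace dump like the credentials it may contain: restrict who can read it, and redact before sharing.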

  41. strace and ltrace shortcomings
    performance impact
    some binaries not "ltraceable" due to a binutils bug in some distributions

  42. Tips and Tricks
    dump the full trace into a file and filter/analyze it later
    use -s to show longer parts of strings
    use -f to attach to child processes
    use -c to display a summary of call counts and time
    use -y to display the path associated with the file descriptor
    use -T to display the time spent on each call
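An added example that is not from the talk, combining the -c and -T tips with "dump the full trace and analyze later": a POSIX shell script that derives the per-syscall count/time summary that `strace -c` prints live, plus the single slowest call, from a dump saved with `strace -T -o`. SAMPLE_TRACE is constructed to look like such a dump; the timings, addresses and paths are invented.

```shell
#!/bin/sh
# Added example, not from the talk: rebuild the per-syscall summary of "strace -c"
# from a dump saved earlier with -T, so one trace can be kept, filtered and
# re-analysed. Assumes a dump like
#   strace -T -o strace.out php index.php
# SAMPLE_TRACE is constructed to resemble strace -T output; it is not a real capture.

SAMPLE_TRACE=$(cat <<'EOF'
openat(AT_FDCWD, "/etc/php/7.2/cli/php.ini", O_RDONLY) = 3 <0.000021>
read(3, "[PHP]\nengine = On\n", 8192) = 18 <0.000008>
close(3) = 0 <0.000005>
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4 <0.000019>
connect(4, {sa_family=AF_INET, sin_port=htons(3306), sin_addr=inet_addr("10.0.0.5")}, 16) = 0 <0.412337>
poll([{fd=4, events=POLLIN}], 1, 30000) = 1 ([{fd=4, revents=POLLIN}]) <2.503114>
read(4, "\0\0\1", 3) = 3 <0.000010>
write(1, "Hello World\n", 12) = 12 <0.000013>
+++ exited with 0 +++
EOF
)

# One line per syscall: name, call count, total seconds, share of total time,
# sorted by total time. The name is the identifier before the first "(",
# after an optional pid or timestamp prefix; -T appends "<seconds>" to each line.
syscall_summary() {
    awk '
        match($0, /(^|[ \t])[a-z0-9_]+\(/) {
            name = substr($0, RSTART, RLENGTH)
            sub(/^[ \t]/, "", name); sub(/\($/, "", name)
            if (match($0, /<[0-9.]+>$/)) {
                t = substr($0, RSTART + 1, RLENGTH - 2) + 0
                count[name]++; total[name] += t; grand += t
            }
        }
        END {
            for (n in count)
                printf "%-10s %5d %10.6f %5.1f%%\n", n, count[n], total[n], 100 * total[n] / grand
        }
    ' | sort -k3,3 -rn
}

# The single slowest call in the dump: the first line to read for "why is it slow?".
slowest_call() {
    awk '
        match($0, /<[0-9.]+>$/) {
            t = substr($0, RSTART + 1, RLENGTH - 2) + 0
            if (t > max) { max = t; line = $0 }
        }
        END { if (line != "") print line }
    '
}

# Stand-alone demo on the constructed sample. On a real dump:
#   syscall_summary < strace.out ; slowest_call < strace.out
echo "== per-syscall summary =="
printf '%s\n' "$SAMPLE_TRACE" | syscall_summary
echo "== slowest single call =="
printf '%s\n' "$SAMPLE_TRACE" | slowest_call
```

In the sample the page is "slow" because of one poll() waiting on the database socket, not because of anything PHP computes; -c alone would show poll at the top, while the saved -T dump also tells you which descriptor it waited on, and `-y` would have printed the peer behind that descriptor.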

  43. What about other OSes?
    FreeBSD: truss
    MacOS X: dtruss
    Windows: NtTrace

  44. Going further...
    perf-trace: strace on steroids
    gdb: the universal debugger
    perf: lightweight performance profiling

  45. Take-aways about strace/ltrace
    strace and ltrace give great insights into program behaviour
    They often allow a first and fast diagnosis
    They are complementary tools to your existing toolbox

  46. Thank you!
    Questions?
    @bjacquemont
    github.com/BitOne