Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Welcome to the Matrix

Benoit Jacquemont
March 29, 2018
940

Welcome to the Matrix

Better understanding a process behaviour by sniffing its interactions with the kernel and other libraries.

Benoit Jacquemont

March 29, 2018
Tweet

Transcript

  1. Your programs Your programs never never have have direct access

    to the "real direct access to the "real world". world".
  2. strace strace The syscalls sni er The syscalls sni er

    Attaching to an already running process Running directly a program $ strace -p <process_id> $ strace <my_program>
  3. About le descriptors About le descriptors File handle identi er

    0: Standard Input 1: Standard Output 2: Error Output >= 3: Any other le/stream
  4. Filtering strace output Filtering strace output Unix style Built-in lters

    Mix Dump to le for latter analysis $ strace <prog> 2>&1 | grep -e "read\|open" | cut ... $ strace -e "read,open" <prog> $ strace -e "read,open" <prog> 2>&1 | cut ... $ strace -e "read,open" -o strace.out <xxxx>
  5. Where are the #!?$ PHP con g les? Where are

    the #!?$ PHP con g les? $ strace -e open php -i > /dev/null
  6. I'm processing a huge le, where my I'm processing a

    huge le, where my process is at? process is at?
  7. Sni ng syscalls gives us a Sni ng syscalls gives

    us a better better understanding of a understanding of a process behaviour process behaviour
  8. ltrace ltrace The library calls sni er The library calls

    sni er Attaching to an already running process Running directly a process $ ltrace -p <process_id> $ ltrace <my_command>
  9. My webservice call seems to get My webservice call seems

    to get strange response... strange response...
  10. Does my program uses the right DB Does my program

    uses the right DB parameters? parameters?
  11. strace and ltrace strace and ltrace shortcomings shortcomings performance impact

    some binaries not "ltraceable" due to a binutils bug in some distribs
  12. Tips and Tricks Tips and Tricks dump full trace into

    a le and lter/analyze later use -s to show longer parts of string use -f to attach to child processes use -c to display a summary of call count and time use -y to display the path associated to the le descriptor use -T to display the time spent on each call
  13. Going further... Going further... perf-trace: strace on steroids gdb: the

    universal debugger perf: lightweight performance pro ling
  14. Take aways about Take aways about strace/ltrace strace/ltrace strace and

    ltrace give great insights on the program behavior Often allow a rst and fast diagnostic They are complementary tools to your existing toolbox