How do I find what processes (with args) are being run on OS X (Leopard) during a period of time?
I am trying to find out what processes a particular process is exec'ing on an OS X machine (including arguments). I have not used DTrace before, but thought it should be trivial. After looking around for examples, I found this, which looks exactly like what I want:
$ sudo dtrace -n 'proc:::exec-success { trace(curpsinfo->pr_psargs); }'
Only, it doesn't work properly. One of the sites that listed that command had sample output which looked perfect, but when I try to run it on OS X, I get the following:
dtrace: description 'proc:::exec-success ' matched 2 probes
CPU ID FUNCTION:NAME
0 18616 posix_spawn:exec-success
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
0: 6d 64 77 6f 72 6b 65 72 00 73 6b 00 00 00 00 00 mdworker.sk.....
10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
30: 00 00 00 00 70 e5 20 0a 00 00 00 00 01 00 00 00 ....p. .........
40: 00 00 00 00 00 00 00 00 00 00 00 00 cc 42 1c 0a .............B..
0 18610 __mac_execve:exec-success
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
0: 67 2b 2b 2d 34 2e 30 00 61 73 6b 00 00 00 00 00 g++-4.0.ask.....
10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
30: 00 00 00 00 e0 e1 20 0a 00 00 00 00 01 00 00 00 ...... .........
40: 00 00 00 00 00 00 00 00 00 00 00 00 8c 4d 7b 0b .............M{.
0 18610 __mac_execve:exec-success
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
0: 69 36 38 36 2d 61 70 70 6c 65 2d 64 61 72 77 69 i686-apple-darwi
10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
30: 00 00 00 00 e0 e1 20 0a 00 00 00 00 01 00 00 00 ...... .........
40: 00 00 00 00 00 00 00 00 00 00 00 00 14 8a 7b 0b ..............{.
3 18610 __mac_execve:exec-success
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
0: 63 6f 6c 6c 65 63 74 32 00 70 70 6c 65 2d 64 61 collect2.pple-da
10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
30: 00 00 00 00 f0 e3 20 0a 00 00 00 00 01 00 00 00 ...... .........
40: 00 00 00 00 00 00 00 00 00 00 00 00 78 70 7b 0b ............xp{.
i.e. only argv[0] is shown with random rubbish after it. Also, if argv[0] is longer than 16 characters, it's truncated!
Is there a way to get DTrace to do what I want on OS X? Or is there some other way to find the commands and args being called by something on OS X?
Thanks.
Solution 1:
Snow Leopard ships with a DTrace sample script called /usr/bin/newproc.d. It does want you want - however only globally. To restrict it to a single process you could try something like this:
cp /usr/bin/newproc.d ~/newproc.d
Add a new predicate by changing the following lines
19: proc:::exec-success
20: {
into this:
19: proc:::exec-success
20: / ppid == $target /
21: {
Now execute the new script like this:
sudo ~/newproc.d -p <PID>
PID is the process id of the process to watch. Please tell me if this works for you. I have only tested this briefly with a bash process.