I am trying to find out what processes a particular process is exec'ing on an OS X machine (including arguments). I have not used DTrace before, but thought it should be trivial. After looking around for examples, I found this, which looks exactly like what I want:

$ sudo dtrace -n 'proc:::exec-success { trace(curpsinfo->pr_psargs); }'

Only, it doesn't work properly. One of the sites that listed that command had sample output which looked perfect, but when I try to run it on OS X, I get the following:

dtrace: description 'proc:::exec-success ' matched 2 probes
CPU     ID                    FUNCTION:NAME
  0  18616         posix_spawn:exec-success 
             0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f  0123456789abcdef
         0: 6d 64 77 6f 72 6b 65 72 00 73 6b 00 00 00 00 00  mdworker.sk.....
        10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        30: 00 00 00 00 70 e5 20 0a 00 00 00 00 01 00 00 00  ....p. .........
        40: 00 00 00 00 00 00 00 00 00 00 00 00 cc 42 1c 0a  .............B..

  0  18610        __mac_execve:exec-success 
             0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f  0123456789abcdef
         0: 67 2b 2b 2d 34 2e 30 00 61 73 6b 00 00 00 00 00  g++-4.0.ask.....
        10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        30: 00 00 00 00 e0 e1 20 0a 00 00 00 00 01 00 00 00  ...... .........
        40: 00 00 00 00 00 00 00 00 00 00 00 00 8c 4d 7b 0b  .............M{.

  0  18610        __mac_execve:exec-success 
             0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f  0123456789abcdef
         0: 69 36 38 36 2d 61 70 70 6c 65 2d 64 61 72 77 69  i686-apple-darwi
        10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        30: 00 00 00 00 e0 e1 20 0a 00 00 00 00 01 00 00 00  ...... .........
        40: 00 00 00 00 00 00 00 00 00 00 00 00 14 8a 7b 0b  ..............{.

  3  18610        __mac_execve:exec-success 
             0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f  0123456789abcdef
         0: 63 6f 6c 6c 65 63 74 32 00 70 70 6c 65 2d 64 61  collect2.pple-da
        10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        30: 00 00 00 00 f0 e3 20 0a 00 00 00 00 01 00 00 00  ...... .........
        40: 00 00 00 00 00 00 00 00 00 00 00 00 78 70 7b 0b  ............xp{.

i.e. only argv[0] is shown with random rubbish after it. Also, if argv[0] is longer than 16 characters, it's truncated!

Is there a way to get DTrace to do what I want on OS X? Or is there some other way to find the commands and args being called by something on OS X?

Thanks.

Wodin

1 Answer

Snow Leopard ships with a DTrace sample script called /usr/bin/newproc.d. It does what you want - however only globally. To restrict it to a single process you could try something like this:

cp /usr/bin/newproc.d ~/newproc.d

Add a new predicate by changing the following lines

19: proc:::exec-success
20: {

into this:

19: proc:::exec-success
20: / ppid == $target /
21: {

Now execute the new script like this:

sudo ~/newproc.d -p <PID>

PID is the process id of the process to watch. Please tell me if this works for you. I have only tested this briefly with a bash process.

knweiss
  • Thanks, but the machine in question is running Leopard and I don't have access to it at the moment. I will check if the newproc.d script is available on the machine. If so, I'll try your modifications, although global is fine too. – Wodin Nov 20 '10 at 14:10
  • I've just had a look now and, on Leopard, the newproc.d script exists, but (except for the comment at the top and the shebang line) contains only this: proc:::exec-success { trace(stringof(curpsinfo->pr_psargs)); } – Wodin Nov 22 '10 at 07:06
  • Output does not have the arguments. – Wodin Nov 22 '10 at 07:07
  • I've just checked the script on Snow Leopard. Although the comment at the top has not been changed (it still says "This is a DTrace OneLiner from the DTraceToolkit") it is much longer. Another comment has been added as follows: "Updated to capture arguments in OS X. Unfortunately this isn't straight forward..." This script does work. It truncates the arguments if there are too many, but that's OK. Your patch does appear to work as advertised. Thanks. – Wodin Nov 22 '10 at 07:17
  • Interesting! I wouldn't have expected that there are differences between Leopard and Snow Leopard. Good to know. (Upvote?) – knweiss Nov 22 '10 at 17:49
  • If you want to log more than 5 arguments, you can edit `newproc.d` and copy and paste the repeated `syscall::bsdthread_register:return / this->argc / { ... }` block a few more times. – Aldaviva Dec 06 '17 at 03:22