
查看当前内核版本是哪一个,然后使用
找到内核构建的详细信息,然后去对应发布网站上找kernel-debuginfo和kernel-debuginfo-common包。
完成安装后可以通过下面命令测试systemtap
进行测试,看看systemtap有无安装成功。
下面命令演示查看__lookup_hash()函数返回时刻可以查看到的变量
在上表中显示了lookup_hash在文件中的行号,显示了名为$return 的变量,其实这个return变量就是systemtap表示函数返回值的。而$name,$base,$flag我们对着linux源码看发现这是__lookup_hash的三个入参。
下面命令可以查看__lookup_hash函数入口可以查看的变量
也可以通过statement方式查看内核符号表里有的__lookup_hash相关的行
如果查找的内核函数位于某个模块里可以使用下面命令:
通过下面命令可以查看到某个正在运行的进程的函数
上例中看到找到了syscall.Mount函数,并且把它的所有参数和参数类型都打印了出来。
后面可以在stap脚本中,这个函数的上下文里直接使用这些参数,例如通过$source可以访问到参数source
systemtap支持print()和printf()函数,其中printf使用语法和c语言一致。支持%s,%d,%x格式
在systemtap里凡是以$开头的变量都是目标变量,如果目标变量结构体指针或者结构体对象,那么可以使用->直接访问其成员。例如上例中:
常规情况下,printf()打印target变量时只打印其值。如果需要将其成员展开(指针类型的target会展开其指向对象的成员),可以在target变量后面加$,例如:
一般情况下对struct的展开只会到成员值一级,如果想对成员内部继续展开,可以在目标变量后面跟$$
在systemtap中支持逻辑if语句格式为:
逻辑语句支持以下比较
==,!=,>=,>,<,<=
上述例子对ls -l下的xmalloc进行堆栈回溯:
-d 可执行文件名
--ldd 指明共享库
-c “ls -l” 执行的子进程体
下面例子将打印__lookup_hash中return返回dentry*里inode指向的i_ino子成员
这一例子中-o zxy.txt的意思就是将结果写入文件zxy.txt中(默认输出到控制台)
下面例子将在内核中使用强制类型转换
这里解释一下,内核中方法强制转换
在用systemtap跟踪内核时使用堆栈打印命令,常常打印不出来另外模块的函数,这是因为这些模块没有被加载。可以在systemtap启动命令使用--all-modules 方法强制将所有模块符号加载起来。
下面例子对用golang写的dockerd进程syscall.Mount调用入口时刻打印syscall.Mount()函数的参数
source的string字段内容
下面例子打印golang写的dockerd进程xxx.Get函数返回时刻的参数情况
}
systemtap对golang支持不够完美,用户需要自己解析基本结构例如golang的string,array和slice这些都需要用户自己解析。string被systemtap识别为struct string,此结构systemtap可以识别的定义可以简化为:
需要注意的是,通过systemtap打印golang string的string->str会多打出很多字符,因为string的成员str并不像c语言字符串那样以'\0'表示字符串结束,我们只能结合string的len字段来获取精确的字符串内容
slice完全不被systemtap识别,我们可以将systemtap可以识别的slice简化为此种定义:
其中array就是指向slice存储单元的首地址。
要是我们想获取hello=[]string{"hello","world"}这样的字符串slice的内容,可以通过systemtap提供的@cast(addr,"type","file")函数将某个地址强转为file中定义的type结构。具体来说可以按如下方式获取hello的内容
/******************************************************************************\* ping.c - Simple ping utility using SOCK_RAW
*
* This is a part of the Microsoft Source Code Samples.
* Copyright 1996-1997 Microsoft Corporation.
* All rights reserved.
* This source code is only intended as a supplement to
* Microsoft Development Tools and/or WinHelp documentation.
* See these sources for detailed information regarding the
* Microsoft samples programs.
\******************************************************************************/
// NOTE(review): this pack(4) is issued before the system headers below are
// included and is never popped, so it presumably also applies to every struct
// those headers declare. Confirm that is intended; scoping it with
// push/pop around the two wire-format structs would avoid layout surprises.
#pragma pack(4)
// Trims rarely used APIs from the Windows headers pulled in by winsock2.h.
#define WIN32_LEAN_AND_MEAN
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
// ICMP message types used by this program: the request we send and the
// reply we accept in decode_resp().
#define ICMP_ECHO 8
#define ICMP_ECHOREPLY 0
#define ICMP_MIN 8 // minimum 8 byte icmp packet (just header)
/* The IP header */
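/*
 * IPv4 header overlaid on the start of a datagram read from the raw socket.
 * Only h_len is read in this file (decode_resp uses it to find the ICMP
 * header).
 *
 * NOTE(review): bit-field layout is implementation-defined. A compiler that
 * gives the two 4-bit fields a full unsigned int storage unit will place
 * every later member at the wrong offset; confirm sizeof(IpHeader) == 20 on
 * the target compiler before trusting any field other than h_len.
 */
typedef struct iphdr {
    unsigned int h_len:4;          // length of the header, in 32-bit words
    unsigned int version:4;        // Version of IP
    unsigned char tos;             // Type of service
    unsigned short total_len;      // total length of the packet
    unsigned short ident;          // unique identifier
    unsigned short frag_and_flags; // flags
    unsigned char ttl;
    unsigned char proto;           // protocol (TCP, UDP etc)
    unsigned short checksum;       // IP checksum
    unsigned int sourceIP;
    unsigned int destIP;
} IpHeader;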
//
// ICMP header
//
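/*
 * ICMP echo header as built by fill_icmp_data() and parsed by decode_resp().
 * The first four members are the on-wire ICMP echo fields; timestamp is the
 * program's own addition and travels as the first bytes of the payload.
 */
typedef struct _ihdr {
    BYTE i_type;
    BYTE i_code;     /* type sub code */
    USHORT i_cksum;
    USHORT i_id;
    USHORT i_seq;
    /* This is not the std header, but we reserve space for time */
    ULONG timestamp;
} IcmpHeader;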
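#define STATUS_FAILED 0xFFFF   // exit code passed to ExitProcess() on every fatal error
#define DEF_PACKET_SIZE 32     // payload size used when none (or 0) is given on the command line
#define MAX_PACKET 1024        // size in bytes of the send and receive buffers allocated in main()
// Zero-filled allocation from the process heap; the result must be checked
// for NULL before use.
#define xmalloc(s) HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,(s))
#define xfree(p) HeapFree (GetProcessHeap(),0,(p))

// Forward declarations for the helpers defined after main().
void fill_icmp_data(char *icmp_data, int datasize);
USHORT checksum(USHORT *buffer, int size);
void decode_resp(char *buf, int bytes, struct sockaddr_in *from);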
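/*
 * Print the command-line synopsis to stderr and terminate the process with
 * STATUS_FAILED. Does not return.
 */
void Usage(char *progname){
    fprintf(stderr,"Usage:\n");
    fprintf(stderr,"%s <host>[data_size]\n",progname);
    fprintf(stderr,"datasize can be up to 1Kb\n");
    ExitProcess(STATUS_FAILED);
}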
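/*
 * Send ICMP echo requests to argv[1] once per second over a raw socket and
 * print each reply via decode_resp(). argv[2], when present, is the payload
 * size in bytes. Every fatal error ends the process with STATUS_FAILED.
 */
int main(int argc, char **argv){
    WSADATA wsaData;
    SOCKET sockRaw;
    struct sockaddr_in dest, from;
    struct hostent *hp;
    int bread, datasize;
    int fromlen = sizeof(from);
    int timeout = 1000;
    char *dest_ip;
    char *icmp_data;
    char *recvbuf;
    unsigned int addr = 0;
    USHORT seq_no = 0;
    /* Largest payload that still fits in a MAX_PACKET buffer with the header. */
    const int max_payload = MAX_PACKET - (int)sizeof(IcmpHeader);

    if (WSAStartup(MAKEWORD(2,1), &wsaData) != 0) {
        fprintf(stderr,"WSAStartup failed: %d\n",GetLastError());
        ExitProcess(STATUS_FAILED);
    }
    if (argc < 2) {
        Usage(argv[0]);
    }

    sockRaw = WSASocket(AF_INET, SOCK_RAW, IPPROTO_ICMP, NULL, 0, 0);
    if (sockRaw == INVALID_SOCKET) {
        fprintf(stderr,"WSASocket() failed: %d\n",WSAGetLastError());
        ExitProcess(STATUS_FAILED);
    }

    bread = setsockopt(sockRaw, SOL_SOCKET, SO_RCVTIMEO, (char*)&timeout,
                       sizeof(timeout));
    if (bread == SOCKET_ERROR) {
        fprintf(stderr,"failed to set recv timeout: %d\n",WSAGetLastError());
        ExitProcess(STATUS_FAILED);
    }
    timeout = 1000;
    bread = setsockopt(sockRaw, SOL_SOCKET, SO_SNDTIMEO, (char*)&timeout,
                       sizeof(timeout));
    if (bread == SOCKET_ERROR) {
        fprintf(stderr,"failed to set send timeout: %d\n",WSAGetLastError());
        ExitProcess(STATUS_FAILED);
    }

    /* Resolve the target: try it as a host name first, then as a dotted quad. */
    memset(&dest, 0, sizeof(dest));
    hp = gethostbyname(argv[1]);
    if (hp != NULL) {
        /*
         * Only copy an address that is exactly the size of sin_addr; the
         * length comes from the resolver and must not drive the memcpy.
         */
        if (hp->h_addrtype != AF_INET ||
            hp->h_length != (int)sizeof(dest.sin_addr)) {
            fprintf(stderr,"Unable to resolve %s\n",argv[1]);
            ExitProcess(STATUS_FAILED);
        }
        memcpy(&(dest.sin_addr), hp->h_addr, sizeof(dest.sin_addr));
        dest.sin_family = hp->h_addrtype;
    } else {
        addr = inet_addr(argv[1]);
        if (addr == INADDR_NONE) {
            fprintf(stderr,"Unable to resolve %s\n",argv[1]);
            ExitProcess(STATUS_FAILED);
        }
        dest.sin_addr.s_addr = addr;
        dest.sin_family = AF_INET;
    }
    dest_ip = inet_ntoa(dest.sin_addr);

    /*
     * Payload size: a missing, zero or non-numeric argument selects the
     * default. Anything negative or too large for the MAX_PACKET buffers is
     * rejected here, because fill_icmp_data(), checksum() and sendto() all
     * trust datasize as the number of valid bytes in icmp_data.
     */
    datasize = DEF_PACKET_SIZE;
    if (argc > 2) {
        long requested = strtol(argv[2], NULL, 10);
        if (requested < 0 || requested > max_payload) {
            fprintf(stderr,"data_size must be between 1 and %d\n",max_payload);
            ExitProcess(STATUS_FAILED);
        }
        if (requested != 0)
            datasize = (int)requested;
    }
    datasize += sizeof(IcmpHeader);

    icmp_data = xmalloc(MAX_PACKET);
    recvbuf = xmalloc(MAX_PACKET);
    /* Both buffers are dereferenced below, so both must be checked. */
    if (!icmp_data || !recvbuf) {
        fprintf(stderr,"HeapAlloc failed %d\n",GetLastError());
        ExitProcess(STATUS_FAILED);
    }
    memset(icmp_data, 0, MAX_PACKET);
    fill_icmp_data(icmp_data, datasize);

    while (1) {
        int bwrote;

        /* The checksum field must be zero while the checksum is computed. */
        ((IcmpHeader*)icmp_data)->i_cksum = 0;
        ((IcmpHeader*)icmp_data)->timestamp = GetTickCount();
        ((IcmpHeader*)icmp_data)->i_seq = seq_no++;
        ((IcmpHeader*)icmp_data)->i_cksum = checksum((USHORT*)icmp_data,
                                                     datasize);

        bwrote = sendto(sockRaw, icmp_data, datasize, 0,
                        (struct sockaddr*)&dest, sizeof(dest));
        if (bwrote == SOCKET_ERROR) {
            if (WSAGetLastError() == WSAETIMEDOUT) {
                printf("timed out\n");
                continue;
            }
            fprintf(stderr,"sendto failed: %d\n",WSAGetLastError());
            ExitProcess(STATUS_FAILED);
        }
        if (bwrote < datasize) {
            fprintf(stdout,"Wrote %d bytes\n",bwrote);
        }

        /* recvfrom() overwrites fromlen, so restore it before every call. */
        fromlen = sizeof(from);
        bread = recvfrom(sockRaw, recvbuf, MAX_PACKET, 0,
                         (struct sockaddr*)&from, &fromlen);
        if (bread == SOCKET_ERROR) {
            if (WSAGetLastError() == WSAETIMEDOUT) {
                printf("timed out\n");
                continue;
            }
            fprintf(stderr,"recvfrom failed: %d\n",WSAGetLastError());
            ExitProcess(STATUS_FAILED);
        }
        decode_resp(recvbuf, bread, &from);
        Sleep(1000);
    }
    return 0;
}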
/*
The response is an IP packet. We must decode the IP header to locate
the ICMP data
*/
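/*
 * Parse one datagram received on the raw ICMP socket and print a summary
 * line for an echo reply addressed to this process.
 *
 * buf   - received datagram, starting with the IP header
 * bytes - number of valid bytes in buf (the recvfrom() return value)
 * from  - sender address, used only for display
 *
 * Everything in buf is supplied by the network, so each length is checked
 * against bytes before the corresponding field is read.
 */
void decode_resp(char *buf, int bytes,struct sockaddr_in *from) {
    enum { IP_HDR_MIN = 20 };  /* shortest legal IPv4 header, in bytes */
    IpHeader *iphdr;
    IcmpHeader *icmphdr;
    unsigned short iphdrlen;

    /* Do not touch the IP header unless a full minimal header was received. */
    if (bytes < IP_HDR_MIN) {
        printf("Too few bytes from %s\n",inet_ntoa(from->sin_addr));
        return;
    }
    iphdr = (IpHeader *)buf;
    iphdrlen = iphdr->h_len * 4; // number of 32-bit words *4 = bytes

    /*
     * Reject a header length below the legal minimum and a datagram too
     * short to hold the ICMP header, and stop here: continuing would parse
     * bytes that were never received in this datagram.
     */
    if (iphdrlen < IP_HDR_MIN || bytes < iphdrlen + ICMP_MIN) {
        printf("Too few bytes from %s\n",inet_ntoa(from->sin_addr));
        return;
    }

    icmphdr = (IcmpHeader*)(buf + iphdrlen);
    if (icmphdr->i_type != ICMP_ECHOREPLY) {
        fprintf(stderr,"non-echo type %d recvd\n",icmphdr->i_type);
        return;
    }
    /* The id is the low 16 bits of our process id, set in fill_icmp_data(). */
    if (icmphdr->i_id != (USHORT)GetCurrentProcessId()) {
        fprintf(stderr,"someone else's packet!\n");
        return;
    }

    /* timestamp lies past the 8-byte ICMP header, so it needs its own check. */
    if (bytes < iphdrlen + (int)sizeof(IcmpHeader)) {
        printf("Too few bytes from %s\n",inet_ntoa(from->sin_addr));
        return;
    }

    printf("%d bytes from %s:",bytes, inet_ntoa(from->sin_addr));
    printf(" icmp_seq = %d. ",icmphdr->i_seq);
    /* The difference is unsigned long, so print it with a matching specifier. */
    printf(" time: %lu ms ",(unsigned long)(GetTickCount()-icmphdr->timestamp));
    printf("\n");
}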
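/*
 * Compute the 16-bit one's-complement checksum over size bytes at buffer.
 *
 * buffer - start of the data; read as 16-bit words
 * size   - number of bytes to sum; a trailing odd byte is added on its own
 *
 * Returns the complemented, folded sum. The caller must guarantee that
 * buffer really holds size readable bytes; nothing here can verify it.
 */
USHORT checksum(USHORT *buffer, int size) {
    unsigned long cksum = 0;

    while (size > 1) {
        cksum += *buffer++;
        size -= (int)sizeof(USHORT);
    }
    /* Only a genuine leftover byte is read; a negative size reads nothing. */
    if (size > 0) {
        cksum += *(UCHAR*)buffer;
    }
    /* Fold the carries out of the upper half back into the low 16 bits. */
    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >> 16);
    return (USHORT)(~cksum);
}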
/*
Helper function to fill in various stuff in our ICMP request.
*/
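/*
 * Initialise an ICMP echo request in icmp_data: type, code, id (low 16 bits
 * of the process id), zero checksum and sequence, then 'E' filler for the
 * rest of the packet.
 *
 * icmp_data - packet buffer; must be at least sizeof(IcmpHeader) bytes and
 *             large enough for datasize bytes
 * datasize  - total packet length in bytes, header included
 *
 * The filler length is derived from datasize, so it is bounded here: a value
 * below the header size would wrap to a huge unsigned count, and a value
 * above MAX_PACKET would run past the buffers this file allocates.
 */
void fill_icmp_data(char * icmp_data, int datasize){
    IcmpHeader *icmp_hdr;
    char *datapart;

    icmp_hdr = (IcmpHeader*)icmp_data;
    icmp_hdr->i_type = ICMP_ECHO;
    icmp_hdr->i_code = 0;
    icmp_hdr->i_id = (USHORT)GetCurrentProcessId();
    icmp_hdr->i_cksum = 0;
    icmp_hdr->i_seq = 0;

    datapart = icmp_data + sizeof(IcmpHeader);
    if (datasize > MAX_PACKET) {
        datasize = MAX_PACKET;
    }
    //
    // Place some junk in the buffer.
    //
    if (datasize > (int)sizeof(IcmpHeader)) {
        memset(datapart, 'E', (size_t)datasize - sizeof(IcmpHeader));
    }
}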