I am trying to find out which processes (including their arguments) a particular process on an OS X machine is executing. I have not used DTrace before, but figured it should be simple. After looking around for examples, I found this one, which looks like exactly what I want:
$ sudo dtrace -n 'proc:::exec-success { trace(curpsinfo->pr_psargs); }'
Except it doesn't work properly. One of the sites listing that command gives sample output that looks perfect, but when I try to run it on OS X I get the following:
dtrace: description 'proc:::exec-success ' matched 2 probes
CPU ID FUNCTION:NAME
0 18616 posix_spawn:exec-success
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
0: 6d 64 77 6f 72 6b 65 72 00 73 6b 00 00 00 00 00 mdworker.sk.....
10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
30: 00 00 00 00 70 e5 20 0a 00 00 00 00 01 00 00 00 ....p. .........
40: 00 00 00 00 00 00 00 00 00 00 00 00 cc 42 1c 0a .............B..
0 18610 __mac_execve:exec-success
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
0: 67 2b 2b 2d 34 2e 30 00 61 73 6b 00 00 00 00 00 g++-4.0.ask.....
10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
30: 00 00 00 00 e0 e1 20 0a 00 00 00 00 01 00 00 00 ...... .........
40: 00 00 00 00 00 00 00 00 00 00 00 00 8c 4d 7b 0b .............M{.
0 18610 __mac_execve:exec-success
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
0: 69 36 38 36 2d 61 70 70 6c 65 2d 64 61 72 77 69 i686-apple-darwi
10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
30: 00 00 00 00 e0 e1 20 0a 00 00 00 00 01 00 00 00 ...... .........
40: 00 00 00 00 00 00 00 00 00 00 00 00 14 8a 7b 0b ..............{.
3 18610 __mac_execve:exec-success
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
0: 63 6f 6c 6c 65 63 74 32 00 70 70 6c 65 2d 64 61 collect2.pple-da
10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
30: 00 00 00 00 f0 e3 20 0a 00 00 00 00 01 00 00 00 ...... .........
40: 00 00 00 00 00 00 00 00 00 00 00 00 78 70 7b 0b ............xp{.
That is, only argv[0] is shown, followed by random garbage. Also, if argv[0] is longer than 16 characters it gets truncated!
Is there a way to get DTrace to do what I want on OS X? Or is there some other way to find the commands and arguments that something invokes on OS X?
Thanks.
Answer 1
Snow Leopard ships with a DTrace example script called /usr/bin/newproc.d. It does what you want, but only globally. To restrict it to a single process, you could try the following:
cp /usr/bin/newproc.d ~/newproc.d
Add a new predicate by changing these lines
19: proc:::exec-success
20: {
to this:
19: proc:::exec-success
20: / ppid == $target /
21: {
Now run the new script like this:
sudo ~/newproc.d -p <PID>
where PID is the process ID of the process to monitor. Let me know whether this works for you. I only tested it briefly with a single bash process.
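Scripting the edit described in the answer, as an added example (this is not the answer's or Apple's code): it assumes newproc.d has a line consisting only of `proc:::exec-success` followed by its `{` line, as quoted above, and the helper names `add_ppid_predicate` and `trace_children` are my own.

```shell
#!/bin/sh
# Added example: automates the answer's steps (copy newproc.d, insert the
# "/ ppid == $target /" predicate after the exec-success probe, run with -p PID).
# It matches the probe line by content rather than by line number, so it still
# works if the header comment of newproc.d is a different length.

# add_ppid_predicate SRC DST
# Writes a copy of SRC to DST with the predicate line inserted exactly once.
# Returns 1 and writes nothing if the predicate is already present or the
# probe line cannot be found, so a botched edit is never executed.
add_ppid_predicate() {
    src=$1
    dst=$2
    if grep -q 'ppid == \$target' "$src"; then
        echo "add_ppid_predicate: $src already filters on ppid" >&2
        return 1
    fi
    # awk prints every line and, right after the first bare probe line, the
    # predicate; END exits non-zero if the probe line was never seen.
    if ! awk '
        { print }
        /^proc:::exec-success[ \t]*$/ && !done {
            print "/ ppid == $target /"
            done = 1
        }
        END { exit (done ? 0 : 1) }
    ' "$src" > "$dst"; then
        rm -f "$dst"
        echo "add_ppid_predicate: no proc:::exec-success clause in $src" >&2
        return 1
    fi
    chmod +x "$dst"
}

# trace_children PID [SCRIPT]
# Builds ~/newproc.d from the system copy (or SCRIPT) and runs it against PID,
# which is the answer's final step: sudo ~/newproc.d -p <PID>
trace_children() {
    pid=$1
    src=${2:-/usr/bin/newproc.d}
    add_ppid_predicate "$src" "$HOME/newproc.d" || return 1
    sudo "$HOME/newproc.d" -p "$pid"
}
```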