Spying on your programs with strace PDF

2018 · 0.52 MB

Preview Spying on your programs with strace

Who makes this?

Hi! I'm Julia! I look kind of like this: [drawing]

I've written like [number illegible] posts about strace because I have an unhealthy obsession. They're at jvns.ca/categories/strace.

I found out last year that understanding your operating system's internals a little more makes you a WAY BETTER PROGRAMMER and it was SO FUN and I wanted to tell EVERYONE. So I'm telling you.

blog: jvns.ca
twitter: @b0rk

Resources + FAQ

(In)Frequently asked questions:

Q: Is there strace on OS X?
A: No, but try dtruss/dtrace.

Q: Can I strace strace?
A: Yup! If you do, you'll find out that strace uses the ptrace system call to do its magic.

Q: Should I strace my production database?
A: NONONONO. It will slow down your database a LOT.

Q: Is there a way to trace system calls that won't slow down my programs?
A: Sometimes you can use 'perf trace' on newer Linux versions.

what is this strace thing???

strace is a program on Linux that lets you inspect what a program is doing without
- a debugger
- or the source code
- or even knowing the programming language at all (?!?! how can it be!)

Basically strace makes you a [illegible]

Sometimes I'm looking at the output of a recvfrom and it's like

recvfrom(6, "And then the monster...)

and OH NO THE SUSPENSE. strace -s 800 will show you the first 800 characters of each string. I use it all the time.

Let's get real. No matter what, strace prints too much damn output. Use

strace -o too_much_stuff.txt

and sort through it later.

Have no idea which file the file descriptor "3" refers to? -y is a flag in newer versions of strace and it'll show you filenames instead of just numbers!

Putting it all together:

Want to spy on a ssh session?

strace -f -o ssh.txt ssh julia box.com

See what files a Dropbox sync process is opening? (with PID: 230)

strace -f -p230 -e open

but wait, Julia, how do my programs use all this great stuff the operating system does?

System calls are the [illegible] operating system.

to open a file? use open and then read and write to it.

Sending data over a network? Use [illegible] to open a connection and [illegible] and [illegible] pictures of cats.

Every program on your computer is using system calls all the time to manage memory, write files, do networking, and lots more.

connect

Sometimes a program is sending network requests to another machine and I want to know WHICH MACHINE.

strace -e connect

shows me every IP address a program connects to.

sendto, recvfrom

What's fun? Spying on network activity is fun. If you have a HTTP service and you're debugging and totally at your wits' end, maybe it's time to look at what's REALLY EXACTLY being sent over the network... these are your pals.

execve

On my first day of work, a Ruby script that ran some ssh commands wasn't working. Oh no! But who wants to read code to find out why? ugh.

strace -f -e execve ./script.rb

told us what the problem ssh command was, and we fixed it!

annotated strace

When you run strace, you'll see thousands of lines of output like this:

$ strace ls /home/bork/blah
execve("/bin/ls", ["ls", "/home/bork/blah"], [/* 48 vars */]) = 0
brk(0) = 0x172c000
stat("/usr/local/lib", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=180820, ...}) = 0
mmap(NULL, 180820, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fe04e3f7000
close(3) = 0
open("/proc/filesystems", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size...
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe04e423000
read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tr"..., 1024) = 334
read(3, "", 1024) = 0
close(3) = 0
stat("/home/bork/blah", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
openat(AT_FDCWD, "/home/bork/blah", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
getdents(3, /* 3 entries */, 32768) = 80
getdents(3, /* 0 entries */, 32768) = 0
close(3) = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=..., ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe04e423000
write(1, "awesome file\n", 13) = 13
close(1) = 0
munmap(0x7fe04e423000, 4096) = 0
close(2) = 0
exit_group(0) = ?

Studies show this is not self-explanatory (me asking my friends if it makes sense and NOPE NOPE).

let's learn how to interpret strace output

open("awesome.txt", O_RDWR) = 3

(annotations: syscall, file to open, read/write permissions, file descriptor)

The 3 here is a file descriptor number. Internally, Linux tracks open files with numbers! You can see all the file descriptors for process ID 42 and what they point to by doing

ls -l /proc/42/fd

read(3, "wow! yay!") = 9

(annotations: file descriptor, what got read, number of bytes read)

11999 execve("/usr/bin/ssh", ["ssh", "jvns.ca"] ...

(1) The process ID (included when you run strace -f)
(2) The name of the system call (execve starts programs!)
(3) The system call's arguments, in this case a program to start and the arguments to start it with
(4) The return value.

If you don't understand something in your strace output:
* it's normal! There are lots of syscalls.
* try reading the man page for the system call (man 2 open)
* remember that just understanding read + write + open + execve can take you a long way
