DTrace Oneliners (link) command line options-q: records only the actions that are explicitly stated in script. suppresses the default output-F: coalesce trace output by identifying function entry and return. function entry probe reports are indented and their output is prefixed with ->. Function return probe reports are unindented and their output is prefixed with <-. syscall entries use => and <=. -o output: specifies output file when specifying command options in script, make sure the -s option is last. can specify options using #pragma D option [option] DTrace Consumer Options (pg 30 of DTrace User Guide) destructive: allow destructive actions quiet: output only explicitly traced data built-in macro variables $[0-9]+: macro args $egid: effective group-ID $euid: effective user-ID $gid: real group-ID $pid: process id $ppid: parent process id $uid: real user-id commonly used variablespid: current process idexecname: current executable name timestamp: time since boot in ns curthread: ptr to ktherad_t struct representing current thread probemod: module name of current probe probefunc: function name of current probe probename: name of current probe built-in functionstrace(expression): traces result of expression to the directed buffertracemem(address, nbytes): traces nbytes bytes of memory starting at expression address printf(format, ...): formatted trace print printa(aggregation); printa(format, aggregation): aggregate trace process destructive actionsstop( ): the process firing probe will stop upon leaving the kernelraise(signal): raises signal to currently running process copyout(buf, addr, nbytes): copies nbytes from buf to addr (in address space of current thread) copyoutstr(str, addr, maxlen): copies string to addr system(program, ...): causes program to be executed by the system as if it were given to the shell as input kernel destructive actionsbreakpoint( ): induces a kernel breakpoint, causing the system to stop and transfer control to kernel debuggerpanic( ): induces kernel panic, forcing a system crash dump at time of interest chill(nanoseconds): causes DTrace to spin for specified nanoseconds some functions are destructive, interfering with process. must explicitly enable destructive actions with -w option |