2013/What Is That Process Doing?
We’re surrounded by programs we didn’t write. Inevitably they eventually do the wrong thing, or they just don’t do what we need, and we want to find out what they are doing. Learn how to spy on the processes you run.
Speaker: Greg Price
Contributed notes
bajr's notes: All processes communicate with the system in a way the system can understand. /proc/$PID/ has info on the running process, according to the kernel.
o If the process is writing a file, the file is probably open, and has an FD for that file. /proc/$PID/fd/
o How far is the process on those files? /proc/$PID/fdinfo/ contains some info on file size.
o Process using a deleted file? Symlinks are contained in /proc/$PID/fd; these can be thusly accessed.
o Process is misbehaving but perhaps a library's fault? What is this process actually loading? /proc/$PID/maps will list the program address space.
o There are many other goodies to be found in /proc. Go play.
strace - watches processes over time, reads all interactions with the system. (Notes here need help)
o Continuous monitoring
o execve() -
o mmap() - process accesses memory
o access / open / close - process is accessing files
o mprotect?
o strace is useful if a program seems to be stuck. Use together with /proc to investigate the nature of the hang-up.
o strace always puts things on stderr
o strace -p views an already running process
o strace -e file, process
o strace -f will follow child processes
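The following script is an added example (editor's code, not from the talk or from bajr's notes) that walks through the /proc items above and the "use strace together with /proc" point: it lists a process's open fds with their current offsets, finds fds whose file has been unlinked and reads the data back through the /proc symlink, lists the files mapped into the address space, and reads the scheduler state and wait channel that you would check on a stuck process before reaching for strace -p. It assumes Linux with /proc mounted and the usual coreutils (readlink, awk, mktemp, timeout); the proc_* function names are the editor's own. The demo at the bottom runs against the shell itself so it needs no other process.

```shell
#!/bin/sh
# Added example (not from the talk or its notes): inspect a process
# through /proc. Assumes Linux with /proc mounted and coreutils.

# fd number, link target and current file offset for every open fd of PID.
# The "pos:" line in /proc/PID/fdinfo/N is the fd's offset, i.e. how far
# a reader or writer has got through the file.
proc_fds() {
    pid=$1
    for fd in /proc/"$pid"/fd/*; do
        n=${fd##*/}
        target=$(readlink "$fd" 2>/dev/null || true)
        pos=$(awk '/^pos:/ {print $2}' /proc/"$pid"/fdinfo/"$n" 2>/dev/null || true)
        printf '%s\t%s\tpos=%s\n' "$n" "$target" "${pos:-?}"
    done
}

# fds whose file has been unlinked: the kernel appends " (deleted)" to the
# link target, but the data stays readable through the link itself.
proc_deleted_fds() {
    for fd in /proc/"$1"/fd/*; do
        case $(readlink "$fd" 2>/dev/null || true) in
            *'(deleted)') echo "${fd##*/}" ;;
        esac
    done
}

# Read the contents behind fd N of PID. Opening /proc/PID/fd/N opens the
# underlying file afresh, so this works even when the process holds the
# file write-only and even after the file was unlinked.
proc_read_fd() {
    cat /proc/"$1"/fd/"$2"
}

# Files mapped into PID's address space: the binary, shared libraries and
# any mmap'd data files (column 6 of /proc/PID/maps, when present).
proc_maps_files() {
    awk '$6 ~ /^\// {print $6}' /proc/"$1"/maps | sort -u
}

# Scheduler state and kernel wait channel: the first thing to look at when
# a process seems stuck, before or alongside strace -p.
proc_state() {
    awk '/^State:/ {print $2, $3}' /proc/"$1"/status
    if [ -r /proc/"$1"/wchan ]; then
        printf 'wchan=%s\n' "$(cat /proc/"$1"/wchan)"
    fi
}

# Optional: watch an already running process's file and process syscalls
# for a few seconds, following children (the -p / -e / -f flags from the
# notes). Not run in the demo: needs strace installed and ptrace permission.
proc_trace() {
    command -v strace >/dev/null 2>&1 || { echo 'strace not installed' >&2; return 1; }
    timeout "${2:-5}" strace -f -e trace=file,process -p "$1" 2>&1
}

# Demo on this shell itself: open a scratch file on fd 3, write to it,
# unlink it, then recover the data and the writer's offset via /proc.
demo() {
    tmp=$(mktemp)
    exec 3>"$tmp"
    printf 'hello from fd 3\n' >&3
    rm -f "$tmp"
    proc_fds $$
    echo "deleted fds: $(proc_deleted_fds $$)"
    echo "recovered: $(proc_read_fd $$ 3)"
    proc_maps_files $$
    proc_state $$
    exec 3>&-
}

demo
```

In the demo output fd 3 shows up with a target ending in "(deleted)" and pos=16 (the 16 bytes written), and proc_read_fd prints the line back even though the file no longer has a name. On a real stuck process, run proc_state against its PID first: a State of D with a filesystem or network wchan tells you it is blocked in the kernel and strace -p will show only the syscall it is stuck in.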
tshark - watches network interactions, similar to strace
tcpdump - like tshark
perf - profiler. "Inside" kernel and/or CPU. Call-graph profile
o perf record -g does call-graph
o perf report