Demonstrations of sofdsnoop, the Linux eBPF/bcc version.

sofdsnoop traces FDs passed through unix sockets.

# ./sofdsnoop.py
ACTION TID    COMM             SOCKET                    FD    NAME
SEND   2576   Web Content      24:socket:[39763]         51    /dev/shm/org.mozilla.ipc.2576.23874
RECV   2576   Web Content      49:socket:[809997]        51
SEND   2576   Web Content      24:socket:[39763]         58    N/A
RECV   2464   Gecko_IOThread   75:socket:[39753]         55

Every file descriptor that is passed via unix sockets is displayed
on a separate line together with process info (TID/COMM columns),
ACTION details (SEND/RECV), file descriptor number (FD) and its
translation to a file name if available (NAME).

The file descriptor (fd) value is bound to a process. The SEND
lines display the fd value within the sending process. The RECV
lines display the fd value of the sending process. That's why
there's a translation to a name only on SEND lines, where we are
able to find it in the task's proc records.

This works by tracing the sendmsg/recvmsg system calls to provide
the socket fds, and scm_send_entry/scm_detach_fds to provide
the file descriptor details.
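The sketch below is an added example, not part of the sofdsnoop documentation or the bcc code: it performs the sendmsg/recvmsg exchange that the tool traces, passing one descriptor as SCM_RIGHTS ancillary data over a unix socketpair inside a single process. The function names and the temporary file are assumptions made for illustration.

```python
import array
import os
import socket
import tempfile


def send_fd(sock, fd):
    """Send one descriptor as SCM_RIGHTS ancillary data (a sendmsg call)."""
    fds = array.array("i", [fd])
    # At least one byte of ordinary data must accompany the control message.
    sock.sendmsg([b"F"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, fds)])


def recv_fd(sock):
    """Receive one descriptor from SCM_RIGHTS ancillary data (a recvmsg call)."""
    fds = array.array("i")
    _, ancdata, _, _ = sock.recvmsg(1, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            # Drop any trailing partial integer before decoding.
            fds.frombytes(data[: len(data) - (len(data) % fds.itemsize)])
            return fds[0]
    raise RuntimeError("no SCM_RIGHTS control message received")


def pass_fd_demo():
    """Pass a temp-file fd across a socketpair; report what both ends see."""
    left, right = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with tempfile.TemporaryFile() as tmp, left, right:
        sent = tmp.fileno()
        send_fd(left, sent)
        received = recv_fd(right)
        try:
            a, b = os.fstat(sent), os.fstat(received)
            same_file = (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)
            # Both numbers share one open file description, so a write
            # through the received fd is readable through the original.
            os.write(received, b"via-passed-fd")
            os.lseek(sent, 0, os.SEEK_SET)
            content = os.read(sent, 64)
        finally:
            os.close(received)
        return {"sent_fd": sent, "received_fd": received,
                "same_file": same_file, "content": content}


if __name__ == "__main__":
    print(pass_fd_demo())
```

The received number differs from the sent one because the receiver gets a new entry in its own descriptor table for the same open file.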

A -T option can be used to include a timestamp column,
and a -n option to match on a command name. Regular
expressions are allowed.  For example, matching commands
containing "Web" with timestamps:

# ./sofdsnoop.py -T -n Web
TIME(s)       ACTION TID    COMM             SOCKET                    FD    NAME
0.000000000   SEND   2576   Web Content      24:socket:[39763]         51    /dev/shm/org.mozilla.ipc.2576.25404 (deleted)
0.000413000   RECV   2576   Web Content      49:/dev/shm/org.mozilla.ipc.2576.25404 (deleted) 51
0.000558000   SEND   2576   Web Content      24:socket:[39763]         58    N/A
0.000952000   SEND   2576   Web Content      24:socket:[39763]         58    socket:[817962]


A -p option can be used to trace only a selected process:

# ./sofdsnoop.py -p 2576 -T
TIME(s)       ACTION TID    COMM             SOCKET                    FD    NAME
0.000000000   SEND   2576   Web Content      24:socket:[39763]         51    N/A
0.000138000   RECV   2576   Web Content      49:N/A                    5
0.000191000   SEND   2576   Web Content      24:socket:[39763]         58    N/A
0.000424000   RECV   2576   Web Content      51:/dev/shm/org.mozilla.ipc.2576.25319 (deleted) 49

USAGE message:
usage: sofdsnoop.py [-h] [-T] [-p PID] [-t TID] [-n NAME] [-d DURATION]

Trace file descriptors passed via socket

optional arguments:
  -h, --help            show this help message and exit
  -T, --timestamp       include timestamp on output
  -p PID, --pid PID     trace this PID only
  -t TID, --tid TID     trace this TID only
  -n NAME, --name NAME  only print process names containing this name
  -d DURATION, --duration DURATION
                        total duration of trace in seconds

examples:
    ./sofdsnoop           # trace file descriptors passes
    ./sofdsnoop -T        # include timestamps
    ./sofdsnoop -p 181    # only trace PID 181
    ./sofdsnoop -t 123    # only trace TID 123
    ./sofdsnoop -d 10     # trace for 10 seconds only
    ./sofdsnoop -n main   # only print process names containing "main"
