Hello everybody,

i want to trace system calls for each process running on machine. This trace must be done at kernel level... plz help me anybody how to do it?

You can do so with a specially patched kernel. Here are some links which explain how to do it:

http://en.wikipedia.org/wiki/Linux_Trace_Toolkit

http://www.opersys.com/LTT/dox/ltt-o...elp/index.html

http://www.linuxjournal.com/article/3829

--------------------------
Steve Stites

I might be inclined to look at systemtap. Don't know about tracing everything tho'.
Those 2 will give you plenty of references elsewhere.

Maybe have a look at ftrace - and yes, it came in at 2.6.27

strace ?

hello
i have tried starce and system tap but the problem is when i am doing #strace ls and when i am tracing ls using stap the sequences which i am getting are different. it seems me like stap is printing some more system calls and the number of these extra system calls are quite big(almost two times as in strace). i am using the following stap script

probe syscall.*
{
if(execname() == "ls")
printf ("%s\n",probefunc())
}

Now i am confused that what are these extra system calls.
-----------------------------------------------------------------
trace for ls using strace is

execve
brk
access
open
fstat64
mmap2
close
open
read
fstat64
mmap2
mmap2
mmap2
close
open
read
fstat64
mmap2
mmap2
close
open
read
fstat64
mmap2
mmap2
close
open
read
fstat64
mmap2
mmap2
mmap2
close
open
read
fstat64
mmap2
mmap2
mmap2
close
open
read
fstat64
mmap2
mmap2
close
open
read
fstat64
mmap2
mmap2
mmap2
close
mmap2
set_thread_area
mprotect
mprotect
mprotect
mprotect
mprotect
munmap
set_tid_address
set_robust_list
futex
rt_sigaction
rt_sigaction
rt_sigprocmask
getrlimit
uname
brk
brk
open
fstat64
mmap2
read
read
close
munmap
statfs64
open
fstat64
mmap2
read
read
close
munmap
open
fstat64
mmap2
close
ioctl
ioctl
open
fstat64
fcntl64
getdents64
getdents64
close
fstat64
ioctl
mmap2
write
close
munmap
close
exit_group

------------------------------------------------------------------------------------------------------------
trace for ls using stap script is

sys_close
sys_close
sys_brk
sys_access
sys_open
sys_fstat64
sys_mmap2
sys_close
sys_open
sys_read
sys_fstat64
sys_mmap2
sys_mmap2
sys_mmap2
sys_close
sys_open
sys_read
sys_fstat64
sys_mmap2
sys_mmap2
sys_close
sys_open
sys_read
sys_fstat64
sys_mmap2
sys_mmap2
sys_close
sys_open
sys_read
sys_fstat64
sys_mmap2
sys_mmap2
sys_mmap2
sys_close
sys_open
sys_read
sys_fstat64
sys_mmap2
sys_mmap2
sys_mmap2
sys_close
sys_open
sys_read
sys_fstat64
sys_mmap2
sys_mmap2
sys_close
sys_open
sys_read
sys_fstat64
sys_mmap2
sys_mmap2
sys_mmap2
sys_close
sys_mmap2
sys_set_thread_area
sys_mprotect
sys_mprotect
sys_mprotect
sys_mprotect
sys_mprotect
sys_munmap
sys_set_tid_address
sys_futex
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigprocmask
sys_getrlimit
sys_newuname
sys_brk
sys_brk
sys_open
sys_fstat64
sys_mmap2
sys_read
sys_read
sys_close
sys_munmap
sys_statfs64
sys_open
sys_fstat64
sys_mmap2
sys_read
sys_read
sys_close
sys_munmap
sys_open
sys_fstat64
sys_mmap2
sys_close
sys_ioctl
sys_ioctl
sys_ioctl
sys_ioctl
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_fstat64
sys_mmap2
sys_open
sys_fstat64
sys_fcntl64
sys_fcntl64
sys_getdents64
sys_lstat64
sys_socket
sys_fcntl64
sys_fcntl64
sys_connect
sys_close
sys_socket
sys_fcntl64
sys_fcntl64
sys_connect
sys_close
sys_open
sys_fstat64
sys_mmap2
sys_read
sys_read
sys_close
sys_munmap
sys_open
sys_fstat64
sys_mmap2
sys_close
sys_open
sys_read
sys_fstat64
sys_mmap2
sys_mmap2
sys_close
sys_mprotect
sys_munmap
sys_open
sys_fcntl64
sys_fcntl64
sys_fstat64
sys_mmap2
sys_read
sys_close
sys_munmap
sys_socket
sys_fcntl64
sys_fcntl64
sys_connect
sys_close
sys_socket
sys_fcntl64
sys_fcntl64
sys_connect
sys_close
sys_open
sys_fstat64
sys_mmap2
sys_read
sys_close
sys_munmap
sys_lstat64
sys_open
sys_fstat64
sys_mmap2
sys_read
sys_close
sys_munmap
sys_open
sys_fstat64
sys_mmap2
sys_read
sys_close
sys_munmap
sys_lstat64
sys_lstat64
sys_lstat64
sys_getdents64
sys_close
sys_write
sys_write
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_rt_sigaction
sys_close
sys_munmap
sys_close
sys_exit_group
do_exit


-----------------------------------------------------------------
please help me to understand this difference. I will be very thankful to you.

hi,
i want to log all the system calls & services in the kernel(services are the transanction between modules in the kernel),with which tool i can do it?

Use ftrace. Do the following :

$ mount -t debugfs nodev /sys/kernel/debug
$ cd /sys/kernel_debug/tracing/
$ echo function > current_tracer
$ echo 1 > tracing_on
$ echo 1 > tracing_enabled
$ cat trace|more

You will see kernel function control flow.
Then,
from a new shell
$ ping google.com

return to ftrace shell

$ cat trace|grep "ping-"

You should see kernel action for ping. Cool stuff.