xref: /freebsd/usr.bin/ktrace/ktrace.1 (revision dd21556857e8d40f66bf5ad54754d9d52669ebf7)
.\" Copyright (c) 1990, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd November 17, 2024
.Dt KTRACE 1
.Os
.Sh NAME
.Nm ktrace
.Nd enable kernel process tracing
.Sh SYNOPSIS
.Nm
.Op Fl aCcdi
.Op Fl f Ar trfile
.Op Fl g Ar pgrp | Fl p Ar pid
.Op Fl t Ar trstr
.Nm
.Op Fl adi
.Op Fl f Ar trfile
.Op Fl t Ar trstr
.Ar command
.Sh DESCRIPTION
The
.Nm
utility enables kernel trace logging for the specified processes.
Kernel trace data is logged to the file
.Pa ktrace.out .
The kernel operations that are traced include system calls
.Pq see Xr intro 2 ,
file system path lookups
.Pq Xr namei 9 ,
signal processing
.Pq Xr sigaction 2 ,
and
.Tn I/O .
.Pp
Once tracing is enabled on a process, trace data will be logged until
either the process exits or the trace point is cleared.
A traced process can generate enormous amounts of log data quickly;
it is strongly suggested that users memorize how to disable tracing before
attempting to trace a process.
The following command is sufficient to disable tracing on all user-owned
processes, and, if executed by root, all processes:
.Pp
.Dl \&$ ktrace -C
.Pp
The trace file is not human readable; use
.Xr kdump 1
to decode it.
.Pp
The utility may be used only with a kernel that has been built with the
.Dq KTRACE
option in the kernel configuration file.
.Pp
The options are:
.Bl -tag -width indent
.It Fl a
Append to the trace file instead of recreating it.
.It Fl C
Disable tracing on all user-owned processes, and, if executed by root, all
processes in the system.
.It Fl c
Clear the specified trace points associated with the given file or processes.
.It Fl d
Descendants; perform the operation for all current children of the
designated processes.
See also the
.Fl i
option.
.It Fl f Ar trfile
Log trace records to
.Ar trfile
instead of
.Pa ktrace.out .
.It Fl g Ar pgid
Enable (disable) tracing on all processes in the process group (only one
.Fl g
flag is permitted).
.It Fl i
Inherit; pass the trace flags to all future children of the designated
processes.
See also the
.Fl d
option.
.It Fl p Ar pid
Enable (disable) tracing on the indicated process id (only one
.Fl p
flag is permitted).
.It Fl t Ar trstr
Specify the list of trace points to enable or disable, one per letter.
If an explicit list is not specified, the default set of trace points is used.
.Pp
The following trace points are supported:
.Pp
.Bl -tag -width flag -compact
.It Cm c
trace system calls
.It Cm f
trace page faults
.It Cm i
trace
.Tn I/O
.It Cm n
trace
.Xr namei 9
translations
.It Cm p
trace capability check failures
.It Cm s
trace signal processing
.It Cm t
trace various structures and arrays of structures
.It Cm u
userland traces generated by
.Xr utrace 2
.It Cm w
context switches
.It Cm y
trace
.Xr sysctl 3
requests
.It Cm a
trace
.Xr execve 2
arguments
.It Cm e
trace
.Xr execve 2
environment variables
.It Cm +
trace the default set of trace points -
.Cm a , c , e , i , n , s , t , u , y
.El
.It Ar command
Execute
.Ar command
with the specified trace flags.
.El
.Pp
The
.Fl p ,
.Fl g ,
and
.Ar command
options are mutually exclusive.
.Sh CAPABILITY VIOLATION TRACING
When the
.Cm p
trace point is specified,
.Nm
will record
.Xr capsicum 4
capability mode violations made by the traced process.
Violations will be logged regardless of whether the process has actually
entered capability mode.
.Pp
For developers that are interested in Capsicumizing their programs, the
.Cm c , n , p
trace points can help quickly identify any system calls and path lookups that
are triggering violations.
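The workflow described in this section, as an added example that is not part of the original manual page or the FreeBSD source: a filter for decoded trace output that pairs each capability violation with the system call that triggered it and counts repeats. The function names, the file name prog.ktrace, the program ./prog and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize Capsicum violations found in decoded ktrace output.
# On FreeBSD the input would be produced with the trace points named above:
#   ktrace -t cnp -f prog.ktrace ./prog    # ./prog: placeholder program
#   kdump -f prog.ktrace | cap_violations
# Assumptions: kdump prints "pid command TYPE details", the command name has
# no spaces, and capability-failure records carry the type "CAP".

# Constructed sample of decoded output; the message wording is illustrative.
# The calls still succeed: violations are logged even when the process has
# not entered capability mode.
sample_kdump() {
cat <<'EOF'
  1201 prog     CALL  open(0x8002a1,0)
  1201 prog     NAMI  "/etc/passwd"
  1201 prog     CAP   restricted VFS lookup: /etc/passwd
  1201 prog     RET   open 3
  1201 prog     CALL  socket(PF_INET,SOCK_STREAM,0)
  1201 prog     CAP   system call not allowed: socket
  1201 prog     RET   socket 4
  1201 prog     CALL  open(0x8002b0,0)
  1201 prog     NAMI  "/etc/passwd"
  1201 prog     CAP   restricted VFS lookup: /etc/passwd
  1201 prog     RET   open 5
EOF
}

# Pair every CAP record with the latest CALL of the same pid, then print
# "count<TAB>syscall<TAB>message", most frequent first.
cap_violations() {
    awk '
        $3 == "CALL" { sub(/\(.*/, "", $4); last[$1] = $4; next }
        $3 == "CAP" {
            msg = $0
            sub(/^ *[0-9]+ +[^ ]+ +CAP +/, "", msg)
            key = (($1 in last) ? last[$1] : "?") "\t" msg
            count[key]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2
}

sample_kdump | cap_violations
```

Each output line names one system call or path lookup that would fail once the program enters capability mode, which gives a worklist for the Capsicumization effort.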
.Sh EXAMPLES
Run "make" with tracing enabled for it and any child processes:
.Dl $ ktrace -i make
.Pp
Trace all kernel operations of process id 34:
.Dl $ ktrace -p 34
.Pp
Trace all kernel operations of processes in process group 15 and
pass the trace flags to all current and future children:
.Dl $ ktrace -idg 15
.Pp
Disable all tracing of process 65:
.Dl $ ktrace -cp 65
.Pp
Disable tracing signals on process 70 and all current children:
.Dl $ ktrace -t s -cdp 70
.Pp
Enable tracing of
.Tn I/O
on process 67:
.Dl $ ktrace -ti -p 67
.Pp
Disable all tracing to the file "tracedata":
.Dl $ ktrace -c -f tracedata
.Pp
Disable tracing of all user-owned processes:
.Dl $ ktrace -C
.Sh SEE ALSO
.Xr dtrace 1 ,
.Xr kdump 1 ,
.Xr truss 1 ,
.Xr intro 2 ,
.Xr ktrace 2 ,
.Xr sigaction 2 ,
.Xr utrace 2 ,
.Xr capsicum 4 ,
.Xr namei 9
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.4 .
.Sh BUGS
Only works if
.Ar trfile
is a regular file.
