.\" Copyright (c) 1990, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd November 17, 2024
.Dt KTRACE 1
.Os
.Sh NAME
.Nm ktrace
.Nd enable kernel process tracing
.Sh SYNOPSIS
.Nm
.Op Fl aCcdi
.Op Fl f Ar trfile
.Op Fl g Ar pgrp | Fl p Ar pid
.Op Fl t Ar trstr
.Nm
.Op Fl adi
.Op Fl f Ar trfile
.Op Fl t Ar trstr
.Ar command
.Sh DESCRIPTION
The
.Nm
utility enables kernel trace logging for the specified processes.
Kernel trace data is logged to the file
.Pa ktrace.out .
The kernel operations that are traced include system calls
.Pq see Xr intro 2 ,
file system path lookups
.Pq Xr namei 9 ,
signal processing
.Pq Xr sigaction 2 ,
and
.Tn I/O .
.Pp
Once tracing is enabled on a process, trace data will be logged until
either the process exits or the trace point is cleared.
A traced process can generate enormous amounts of log data quickly;
it is strongly suggested that users memorize how to disable tracing before
attempting to trace a process.
The following command is sufficient to disable tracing on all user-owned
processes, and, if executed by root, all processes:
.Pp
.Dl \&$ ktrace -C
.Pp
The trace file is not human readable; use
.Xr kdump 1
to decode it.
.Pp
The utility may be used only with a kernel that has been built with the
.Dq KTRACE
option in the kernel configuration file.
.Pp
The options are:
.Bl -tag -width indent
.It Fl a
Append to the trace file instead of recreating it.
.It Fl C
Disable tracing on all user-owned processes, and, if executed by root, all
processes in the system.
.It Fl c
Clear the specified trace points associated with the given file or processes.
.It Fl d
Descendants; perform the operation for all current children of the
designated processes.
See also the
.Fl i
option.
.It Fl f Ar trfile
Log trace records to
.Ar trfile
instead of
.Pa ktrace.out .
.It Fl g Ar pgid
Enable (disable) tracing on all processes in the process group (only one
.Fl g
flag is permitted).
.It Fl i
Inherit; pass the trace flags to all future children of the designated
processes.
See also the
.Fl d
option.
.It Fl p Ar pid
Enable (disable) tracing on the indicated process id (only one
.Fl p
flag is permitted).
.It Fl t Ar trstr
Specify the list of trace points to enable or disable, one per letter.
If an explicit list is not specified, the default set of trace points is used.
.Pp
The following trace points are supported:
.Pp
.Bl -tag -width flag -compact
.It Cm c
trace system calls
.It Cm f
trace page faults
.It Cm i
trace
.Tn I/O
.It Cm n
trace
.Xr namei 9
translations
.It Cm p
trace capability check failures
.It Cm s
trace signal processing
.It Cm t
trace various structures and arrays of structures
.It Cm u
userland traces generated by
.Xr utrace 2
.It Cm w
context switches
.It Cm y
trace
.Xr sysctl 3
requests
.It Cm a
trace
.Xr execve 2
arguments
.It Cm e
trace
.Xr execve 2
environment variables
.It Cm +
trace the default set of trace points -
.Cm a , c , e , i , n , s , t , u , y
.El
.It Ar command
Execute
.Ar command
with the specified trace flags.
.El
.Pp
The
.Fl p ,
.Fl g ,
and
.Ar command
options are mutually exclusive.
.Sh CAPABILITY VIOLATION TRACING
When the
.Cm p
trace point is specified,
.Nm
will record
.Xr capsicum 4
capability mode violations made by the traced process.
Violations will be logged regardless of whether the process has actually
entered capability mode.
.Pp
For developers that are interested in Capsicumizing their programs, the
.Cm c , n , p
trace points can help quickly identify any system calls and path lookups that
are triggering violations.
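.Pp
An added example (not part of the original manual page): a bounded session that enables the
.Cm c , n , p
trace points on a running process and its children, then clears all tracing to the trace file, as DESCRIPTION advises.
The function names, the duration argument and the sample path are assumptions of the example.

```shell
#!/bin/sh
# Added example: time-boxed ktrace session on a running process.
# Function names and arguments are assumptions of this example.

# Accept only the trace point letters listed under -t on this page.
valid_trstr() {
    case "$1" in
        ''|*[!cfinpstuwyae+]*) return 1 ;;
    esac
    return 0
}

# trace_pid PID TRSTR SECONDS TRFILE
# Enable TRSTR on PID, its current children (-d) and future children (-i),
# wait SECONDS, then clear every trace point that logs to TRFILE.
# The body runs in a subshell so the trap does not leak into the caller.
trace_pid() (
    pid=$1 trstr=$2 secs=$3 trfile=$4

    case "$pid" in
        ''|*[!0-9]*) echo "bad pid: $pid" >&2; exit 2 ;;
    esac
    case "$secs" in
        ''|*[!0-9]*) echo "bad duration: $secs" >&2; exit 2 ;;
    esac
    valid_trstr "$trstr" || { echo "bad trace points: $trstr" >&2; exit 2; }
    [ -n "$trfile" ] || { echo "trace file required" >&2; exit 2; }

    # "ktrace -c -f trfile" disables all tracing to that file, so it also
    # covers children that inherited the trace flags during the session.
    stop() { ktrace -c -f "$trfile"; }
    trap 'stop; exit 130' INT TERM

    ktrace -t "$trstr" -d -i -f "$trfile" -p "$pid" || exit 1
    sleep "$secs"
    stop
)

# Usage (pid from the EXAMPLES section, path constructed for illustration):
#   trace_pid 34 cnp 10 /var/tmp/pid34.ktrace && kdump -f /var/tmp/pid34.ktrace
```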
.Sh EXAMPLES
Run "make", then trace it and any child processes:
.Dl $ ktrace -i make
.Pp
Trace all kernel operations of process id 34:
.Dl $ ktrace -p 34
.Pp
Trace all kernel operations of processes in process group 15 and
pass the trace flags to all current and future children:
.Dl $ ktrace -idg 15
.Pp
Disable all tracing of process 65:
.Dl $ ktrace -cp 65
.Pp
Disable tracing signals on process 70 and all current children:
.Dl $ ktrace -t s -cdp 70
.Pp
Enable tracing of
.Tn I/O
on process 67:
.Dl $ ktrace -ti -p 67
.Pp
Disable all tracing to the file "tracedata":
.Dl $ ktrace -c -f tracedata
.Pp
Disable tracing of all user-owned processes:
.Dl $ ktrace -C
.Sh SEE ALSO
.Xr dtrace 1 ,
.Xr kdump 1 ,
.Xr truss 1 ,
.Xr intro 2 ,
.Xr ktrace 2 ,
.Xr sigaction 2 ,
.Xr utrace 2 ,
.Xr capsicum 4 ,
.Xr namei 9
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.4 .
.Sh BUGS
Only works if
.Ar trfile
is a regular file.