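#!/usr/sbin/dtrace -s
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
 */

/*
 * Usage: ./msrpc.d -p `pgrep smbd`
 *
 * On multi-processor systems, it may be easier to follow the output
 * if run on a single processor: see psradm. For example, to disable
 * the second processor on a dual-processor system: psradm -f 1
 *
 * This script can be used to trace NDR operations and MSRPC requests.
 * In order to put these operations in context, SMB session and tree
 * requests are also traced.
 *
 * Output formatting is as follows:
 *
 * UI 03 ... rpc_vers get 1@0 = 5 {05}
 * UI 03 ... rpc_vers_minor get 1@1 = 0 {00}
 *
 * U     Marshalling flag (M=marshal, U=unmarshal)
 * I     Direction flag (I=in, O=out)
 * ...   Field name
 * get   PDU operation (get or put)
 * 1@0   Bytes @ offset (i.e. 1 byte at offset 0)
 * {05}  Value
 *
 * The value formatting is limited to 10 bytes, after which an ellipsis
 * will be inserted before the closing brace. If the value is 1 or 2
 * bytes, an attempt will be made to present an ASCII value but this may
 * or may not be relevant.
 *
 * The following example shows the header from a bind response:
 *
 * trace:entry MO 03 ... rpc_vers put 1@0 = 5 {05}
 * trace:entry MO 03 ... rpc_vers_minor put 1@1 = 0 {00}
 * trace:entry MO 03 ... ptype put 1@2 = 12 {0c}
 * trace:entry MO 03 ... pfc_flags put 1@3 = 3 {03}
 * trace:entry MO 04 .... intg_char_rep put 1@4 = 16 {10}
 * trace:entry MO 04 .... float_rep put 1@5 = 0 {00}
 * trace:entry MO 04 .... _spare[0] put 1@6 = 0 {00}
 * trace:entry MO 04 .... _spare[1] put 1@7 = 0 {00}
 * trace:entry MO 03 ... frag_length put 2@8 = 68 {44 00} D
 * trace:entry MO 03 ... auth_length put 2@10 = 0 {00 00}
 * trace:entry MO 03 ... call_id put 4@12 = 1 {01 00 00 00}
 * trace:entry MO 02 .. max_xmit_frag put 2@16 = 4280 {b8 10}
 * trace:entry MO 02 .. max_recv_frag put 2@18 = 4280 {b8 10}
 * trace:entry MO 02 .. assoc_group_id put 4@20 = 1192620711 {a7 f2 15 47}
 * trace:entry MO 02 .. sec_addr.length put 2@24 = 12 {0c 00}
 * trace:entry MO 02 .. sec_addr.port_spec[0] put 1@26 = 92 {5c} \
 * trace:entry MO 02 .. sec_addr.port_spec[1] put 1@27 = 80 {50} P
 * trace:entry MO 02 .. sec_addr.port_spec[2] put 1@28 = 73 {49} I
 * trace:entry MO 02 .. sec_addr.port_spec[3] put 1@29 = 80 {50} P
 * trace:entry MO 02 .. sec_addr.port_spec[4] put 1@30 = 69 {45} E
 * trace:entry MO 02 .. sec_addr.port_spec[5] put 1@31 = 92 {5c} \
 * trace:entry MO 02 .. sec_addr.port_spec[6] put 1@32 = 108 {6c} l
 * trace:entry MO 02 .. sec_addr.port_spec[7] put 1@33 = 115 {73} s
 * trace:entry MO 02 .. sec_addr.port_spec[8] put 1@34 = 97 {61} a
 * trace:entry MO 02 .. sec_addr.port_spec[9] put 1@35 = 115 {73} s
 * trace:entry MO 02 .. sec_addr.port_spec[10] put 1@36 = 115 {73} s
 * trace:entry MO 02 .. sec_addr.port_spec[11] put 1@37 = 0 {00}
 *
 * Operational notes:
 *
 * - The script only observes. Its actions are printf(), stringof() and
 *   copyinstr(); it uses no destructive actions.
 *
 * - It enables both kernel probes (the unqualified smb_* descriptions,
 *   door_ki_upcall and the sdt probe) and pid-provider probes in the
 *   process given with -p, so it needs DTrace privileges for both.
 *
 * - The output contains domain and user names from session setup, share
 *   paths and service names from tree connects, the string passed to
 *   lsar_lookup_names, the smbrdr connect/open arguments, and whatever
 *   smbd passes to smb_trace/ndo_trace. Treat captured output as
 *   sensitive when storing or sharing it.
 *
 * - The quiet option is not set, so clauses with an empty body still
 *   produce dtrace's default line for the probe that fired. That is
 *   how the function entry/return lists below show up in the trace.
 *
 * - Several wildcard descriptions overlap explicitly named probes (for
 *   example smb_com_* and smb_com_session_setup_andx, or lsar_* and
 *   lsar_lookup_*), so one call can produce more than one output line.
 */

BEGIN
{
	printf("MSRPC Trace Started");
	printf("\n\n");
}

END
{
	printf("MSRPC Trace Ended");
	printf("\n\n");
}

/*
 * SmbSessionSetupX, SmbLogoffX
 * SmbTreeConnect, SmbTreeDisconnect
 *
 * Empty body: only the default probe line is wanted here.
 */
smb_tree*:entry,
smb_com_*:entry,
smb_com_*:return,
smb_com_session_setup_andx:entry,
smb_com_logoff_andx:entry,
smb_tree_connect:return,
smb_tree_disconnect:entry,
smb_tree_disconnect:return,
smb_opipe_open:entry,
smb_opipe_door_call:entry,
smb_opipe_door_upcall:entry,
door_ki_upcall:entry
{
}

/* At a return probe arg1 carries the function's return value. */
smb_com_session_setup_andx:return,
smb_user*:return,
smb_tree*:return,
smb_opipe_open:return,
smb_opipe_door_call:return,
smb_opipe_door_upcall:return,
door_ki_upcall:return
{
	printf("rc=0x%08x", arg1);
}

/*
 * Prints the domain and user name of the client setting up a session.
 * The pointer is kept in a clause-local variable (this->) rather than a
 * global, so firings on different CPUs cannot overwrite each other's
 * value between the assignment and the printf.
 */
sdt:smbsrv::smb-sessionsetup-clntinfo
{
	this->user_info = (smb_logon_t *)arg0;

	printf("domain\\username=%s\\%s\n\n",
	    stringof(this->user_info->lg_domain),
	    stringof(this->user_info->lg_username));
}

/*
 * Prints the share path and service requested by a tree connect.
 * Clause-local for the same reason as above.
 */
smb_tree_connect:entry
{
	this->sr = (smb_request_t *)arg0;

	printf("share=%s service=%s",
	    stringof(this->sr->arg.tcon.path),
	    stringof(this->sr->arg.tcon.service));
}

smb_com_logoff_andx:return
{
}

/*
 * Raise error functions (no return).
 */
smbsr_status:entry
{
	printf("status=0x%08x class=%d, code=%d", arg1, arg2, arg3);
}

smbsr_errno:entry
{
	printf("errno=%d", arg1);
}

smbsr_status:return,
smbsr_errno:return
{
}

/*
 * MSRPC activity.
 */
pid$target::ndr_svc_bind:entry,
pid$target::ndr_svc_bind:return,
pid$target::ndr_svc_request:entry,
pid$target::ndr_svc_request:return
{
}

/*
 * copyinstr() reads the message string from the traced process's
 * address space; the text is printed as-is.
 */
pid$target::smb_trace:entry,
pid$target::ndo_trace:entry
{
	printf("%s", copyinstr(arg0));
}

/*
 * LSARPC
 *
 * Each probe is listed once: a description repeated within one clause
 * enables the clause a second time on that probe and doubles its output.
 */
pid$target::lsarpc_s_CloseHandle:entry,
pid$target::lsarpc_s_QuerySecurityObject:entry,
pid$target::lsarpc_s_EnumAccounts:entry,
pid$target::lsarpc_s_EnumTrustedDomain:entry,
pid$target::lsarpc_s_OpenAccount:entry,
pid$target::lsarpc_s_EnumPrivsAccount:entry,
pid$target::lsarpc_s_LookupPrivValue:entry,
pid$target::lsarpc_s_LookupPrivName:entry,
pid$target::lsarpc_s_LookupPrivDisplayName:entry,
pid$target::lsarpc_s_QueryInfoPolicy:entry,
pid$target::lsarpc_s_OpenDomainHandle:entry,
pid$target::lsarpc_s_LookupSids:entry,
pid$target::lsarpc_s_LookupNames:entry,
pid$target::lsarpc_s_GetConnectedUser:entry,
pid$target::lsarpc_s_LookupSids2:entry,
pid$target::lsarpc_s_LookupNames2:entry
{
}

pid$target::lsarpc_s_CloseHandle:return,
pid$target::lsarpc_s_QuerySecurityObject:return,
pid$target::lsarpc_s_EnumAccounts:return,
pid$target::lsarpc_s_EnumTrustedDomain:return,
pid$target::lsarpc_s_OpenAccount:return,
pid$target::lsarpc_s_EnumPrivsAccount:return,
pid$target::lsarpc_s_LookupPrivValue:return,
pid$target::lsarpc_s_LookupPrivName:return,
pid$target::lsarpc_s_LookupPrivDisplayName:return,
pid$target::lsarpc_s_QueryInfoPolicy:return,
pid$target::lsarpc_s_OpenDomainHandle:return,
pid$target::lsarpc_s_LookupSids:return,
pid$target::lsarpc_s_LookupNames:return,
pid$target::lsarpc_s_GetConnectedUser:return,
pid$target::lsarpc_s_LookupSids2:return,
pid$target::lsarpc_s_LookupNames2:return
{
}

/* Prints the string passed as the second argument of the lookup. */
pid$target::lsar_lookup_names:entry
{
	printf("%s", copyinstr(arg1));
}

pid$target::lsar_lookup_*:entry
{
}

pid$target::lsar_lookup_*:return
{
	printf("0x%08x", arg1);
}

pid$target::lsar_*:entry
{
}

pid$target::lsar_*:return
{
	printf("0x%08x", arg1);
}

/*
 * NetLogon
 */
pid$target::netr_*:entry
{
}

pid$target::netr_*:return
{
	printf("0x%08x", arg1);
}

/*
 * SAMR
 *
 * Only the call names are traced; no arguments are printed.
 */
pid$target::samr_s_Connect:entry,
pid$target::samr_s_CloseHandle:entry,
pid$target::samr_s_LookupDomain:entry,
pid$target::samr_s_EnumLocalDomains:entry,
pid$target::samr_s_OpenDomain:entry,
pid$target::samr_s_QueryDomainInfo:entry,
pid$target::samr_s_QueryInfoDomain2:entry,
pid$target::samr_s_LookupNames:entry,
pid$target::samr_s_OpenUser:entry,
pid$target::samr_s_DeleteUser:entry,
pid$target::samr_s_QueryUserInfo:entry,
pid$target::samr_s_QueryUserGroups:entry,
pid$target::samr_s_OpenGroup:entry,
pid$target::samr_s_Connect2:entry,
pid$target::samr_s_GetUserPwInfo:entry,
pid$target::samr_s_CreateUser:entry,
pid$target::samr_s_ChangeUserPasswd:entry,
pid$target::samr_s_GetDomainPwInfo:entry,
pid$target::samr_s_SetUserInfo:entry,
pid$target::samr_s_Connect4:entry,
pid$target::samr_s_Connect5:entry,
pid$target::samr_s_QueryDispInfo:entry,
pid$target::samr_s_OpenAlias:entry,
pid$target::samr_s_CreateDomainAlias:entry,
pid$target::samr_s_SetAliasInfo:entry,
pid$target::samr_s_QueryAliasInfo:entry,
pid$target::samr_s_DeleteDomainAlias:entry,
pid$target::samr_s_EnumDomainAliases:entry,
pid$target::samr_s_EnumDomainGroups:entry
{
}

pid$target::samr_s_Connect:return,
pid$target::samr_s_CloseHandle:return,
pid$target::samr_s_LookupDomain:return,
pid$target::samr_s_EnumLocalDomains:return,
pid$target::samr_s_OpenDomain:return,
pid$target::samr_s_QueryDomainInfo:return,
pid$target::samr_s_QueryInfoDomain2:return,
pid$target::samr_s_LookupNames:return,
pid$target::samr_s_OpenUser:return,
pid$target::samr_s_DeleteUser:return,
pid$target::samr_s_QueryUserInfo:return,
pid$target::samr_s_QueryUserGroups:return,
pid$target::samr_s_OpenGroup:return,
pid$target::samr_s_Connect2:return,
pid$target::samr_s_GetUserPwInfo:return,
pid$target::samr_s_CreateUser:return,
pid$target::samr_s_ChangeUserPasswd:return,
pid$target::samr_s_GetDomainPwInfo:return,
pid$target::samr_s_SetUserInfo:return,
pid$target::samr_s_Connect4:return,
pid$target::samr_s_Connect5:return,
pid$target::samr_s_QueryDispInfo:return,
pid$target::samr_s_OpenAlias:return,
pid$target::samr_s_CreateDomainAlias:return,
pid$target::samr_s_SetAliasInfo:return,
pid$target::samr_s_QueryAliasInfo:return,
pid$target::samr_s_DeleteDomainAlias:return,
pid$target::samr_s_EnumDomainAliases:return,
pid$target::samr_s_EnumDomainGroups:return
{
}

/*
 * SPOOLSS
 */
pid$target::spoolss_*:entry,
pid$target::spoolss_*:return
{
}

/*
 * SVCCTL
 */
pid$target::svcctl_s_*:entry,
pid$target::svcctl_s_*:return
{
}

/*
 * SRVSVC
 */
pid$target::srvsvc_s_NetConnectEnum:entry,
pid$target::srvsvc_s_NetFileEnum:entry,
pid$target::srvsvc_s_NetFileClose:entry,
pid$target::srvsvc_s_NetShareGetInfo:entry,
pid$target::srvsvc_s_NetShareSetInfo:entry,
pid$target::srvsvc_s_NetSessionEnum:entry,
pid$target::srvsvc_s_NetSessionDel:entry,
pid$target::srvsvc_s_NetServerGetInfo:entry,
pid$target::srvsvc_s_NetRemoteTOD:entry,
pid$target::srvsvc_s_NetNameValidate:entry,
pid$target::srvsvc_s_NetShareAdd:entry,
pid$target::srvsvc_s_NetShareDel:entry,
pid$target::srvsvc_s_NetShareEnum:entry,
pid$target::srvsvc_s_NetShareEnumSticky:entry,
pid$target::srvsvc_s_NetGetFileSecurity:entry,
pid$target::srvsvc_s_NetSetFileSecurity:entry
{
}

pid$target::srvsvc_s_NetConnectEnum:return,
pid$target::srvsvc_s_NetFileEnum:return,
pid$target::srvsvc_s_NetFileClose:return,
pid$target::srvsvc_s_NetShareGetInfo:return,
pid$target::srvsvc_s_NetShareSetInfo:return,
pid$target::srvsvc_s_NetSessionEnum:return,
pid$target::srvsvc_s_NetSessionDel:return,
pid$target::srvsvc_s_NetServerGetInfo:return,
pid$target::srvsvc_s_NetRemoteTOD:return,
pid$target::srvsvc_s_NetNameValidate:return,
pid$target::srvsvc_s_NetShareAdd:return,
pid$target::srvsvc_s_NetShareDel:return,
pid$target::srvsvc_s_NetShareEnum:return,
pid$target::srvsvc_s_NetShareEnumSticky:return,
pid$target::srvsvc_s_NetGetFileSecurity:return,
pid$target::srvsvc_s_NetSetFileSecurity:return
{
}

/*
 * WinReg
 */
pid$target::winreg_s_*:entry,
pid$target::winreg_s_*:return
{
}

/*
 * Workstation
 */
pid$target::wkssvc_s_*:entry,
pid$target::wkssvc_s_*:return
{
}

/*
 * SMBRDR
 *
 * The first three (tree connect) or four (open pipe) arguments are
 * copied in from the traced process as strings and printed unmodified.
 * NOTE(review): confirm none of these arguments carries a credential
 * before sharing captured output.
 */
pid$target::smbrdr_tree_connect:entry
{
	printf("%s %s %s",
	    copyinstr(arg0),
	    copyinstr(arg1),
	    copyinstr(arg2));
}

pid$target::smbrdr_open_pipe:entry
{
	printf("%s %s %s %s",
	    copyinstr(arg0),
	    copyinstr(arg1),
	    copyinstr(arg2),
	    copyinstr(arg3));
}

pid$target::smbrdr_tree_disconnect:entry,
pid$target::smbrdr_close_pipe:entry,
pid$target::smbrdr_ntcreatex:entry,
pid$target::smbrdr_transact:entry,
pid$target::smbrdr_readx*:entry
{
}

pid$target::smbrdr_tree_connect:return,
pid$target::smbrdr_tree_disconnect:return,
pid$target::smbrdr_open_pipe:return,
pid$target::smbrdr_close_pipe:return,
pid$target::smbrdr_ntcreatex:return,
pid$target::smbrdr_transact:return,
pid$target::smbrdr_readx*:return
{
	printf("%d", arg1);
}

pid$target::ndr_clnt_get_frags:entry,
pid$target::ndr_clnt_get_frag:entry
{
}

pid$target::ndr_clnt_get_frags:return,
pid$target::ndr_clnt_get_frag:return
{
	printf("%d", arg1);
}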