.\" $OpenBSD: ktrace.2,v 1.43 2023/02/23 01:34:27 deraadt Exp $
.\" $NetBSD: ktrace.2,v 1.2 1995/02/27 12:33:58 cgd Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)ktrace.2 8.1 (Berkeley) 6/4/93
.\"
.Dd $Mdocdate: February 23 2023 $
.Dt KTRACE 2
.Os
.Sh NAME
.Nm ktrace
.Nd process tracing
.Sh SYNOPSIS
.In sys/types.h
.In sys/ktrace.h
.Ft int
.Fn ktrace "const char *tracefile" "int ops" "int trpoints" "pid_t pid"
.Sh DESCRIPTION
The
.Fn ktrace
function enables or disables tracing of one or more processes.
Users may only trace their own processes.
Only the superuser can trace setuid or setgid programs.
This function is only available on kernels compiled with the
.Cm KTRACE
option.
.Pp
.Fa tracefile
gives the pathname of the file to be used for tracing.
The file must exist, be writable by the calling process, and
not be a symbolic link.
If tracing points are being disabled (see
.Dv KTROP_CLEAR
below),
.Fa tracefile
must be
.Dv NULL .
.Pp
Trace records are always appended to the file, ignoring the file offset,
so the caller will usually want to truncate the file before calling
these functions.
.Pp
The
.Fa ops
parameter specifies the requested ktrace operation.
The defined operations are:
.Pp
.Bl -tag -width KTRFLAG_DESCEND -offset indent -compact
.It Dv KTROP_SET
Enable trace points specified in
.Fa trpoints .
.It Dv KTROP_CLEAR
Disable trace points specified in
.Fa trpoints .
.It Dv KTROP_CLEARFILE
Stop all tracing to the trace file.
.It Dv KTRFLAG_DESCEND
The tracing change should apply to the
specified process and all its current children.
.El
.Pp
The
.Fa trpoints
parameter specifies the trace points of interest.
The defined trace points are:
.Pp
.Bl -tag -width KTRFAC_EXECARGS -offset indent -compact
.It Dv KTRFAC_SYSCALL
Trace system calls.
.It Dv KTRFAC_SYSRET
Trace return values from system calls.
.It Dv KTRFAC_NAMEI
Trace name lookup operations.
.It Dv KTRFAC_GENIO
Trace all I/O
(note that this option can generate much output).
.It Dv KTRFAC_PSIG
Trace posted signals.
.It Dv KTRFAC_STRUCT
Trace various structs.
.It Dv KTRFAC_USER
Trace user data coming from
.Xr utrace 2
calls.
.It Dv KTRFAC_EXECARGS
Trace argument vector in
.Xr execve 2
calls.
.It Dv KTRFAC_EXECENV
Trace environment vector in
.Xr execve 2
calls.
.It Dv KTRFAC_PLEDGE
Trace violations of
.Xr pledge 2
restrictions.
.It Dv KTRFAC_INHERIT
Inherit tracing to future children.
.El
.Pp
The
.Fa pid
parameter refers to a process ID.
If it is negative,
it refers to a process group ID.
.Pp
Each tracing event outputs a record composed of a generic header
followed by a trace point specific structure.
The generic header is:
.Bd -literal
struct ktr_header {
	uint	ktr_type;		/* trace record type */
	pid_t	ktr_pid;		/* process id */
	pid_t	ktr_tid;		/* thread id */
	struct	timespec ktr_time;	/* timestamp */
	char	ktr_comm[MAXCOMLEN+1];	/* command name */
	size_t	ktr_len;		/* length of buf */
};
.Ed
.Pp
The
.Fa ktr_len
field specifies the length of the
.Fa ktr_type
data that follows this header.
The
.Fa ktr_pid , ktr_tid ,
and
.Fa ktr_comm
fields specify the process, thread, and command generating the record.
The
.Fa ktr_time
field gives the time (with nanosecond resolution)
that the record was generated.
.Pp
The generic header is followed by
.Fa ktr_len
bytes of a
.Fa ktr_type
record.
The type specific records are defined in the
.In sys/ktrace.h
include file.
.Sh RETURN VALUES
.Rv -std
.Sh ERRORS
.Fn ktrace
will fail if:
.Bl -tag -width EINVALAA
.It Bq Er EINVAL
No trace points were selected.
.It Bq Er EPERM
The tracing process is not the superuser and either its effective
user ID does not match the real user ID of the receiving process,
its effective group ID does not match the real group ID of the
receiving process,
the receiving process is currently being traced by the superuser,
or the receiving process has changed its UIDs or GIDs.
When tracing multiple processes,
this error is returned if none of the targeted processes could be traced.
When clearing a trace file with
.Dv KTROP_CLEARFILE ,
this error is returned if it could not stop tracing any of the processes
tracing to the file.
.It Bq Er ESRCH
No process can be found corresponding to that specified by
.Fa pid .
.It Bq Er EACCES
The named file is a device or FIFO.
.It Bq Er EIO
An I/O error occurred while reading from or writing to the file system.
.El
.Pp
Additionally,
.Fn ktrace
will fail if:
.Bl -tag -width ENAMETOOLONGAA
.It Bq Er ENOTDIR
A component of the path prefix is not a directory.
.It Bq Er ENAMETOOLONG
A component of a pathname exceeded
.Dv NAME_MAX
characters, or an entire pathname (including the terminating NUL)
exceeded
.Dv PATH_MAX
bytes.
.It Bq Er ENOENT
The named tracefile does not exist.
.It Bq Er EACCES
Search permission is denied for a component of the path prefix or the
path refers to a symbolic link.
.It Bq Er ELOOP
Too many symbolic links were encountered in translating the pathname.
.It Bq Er EFAULT
.Fa tracefile
points outside the process's allocated address space.
.El
.Sh SEE ALSO
.Xr kdump 1 ,
.Xr ktrace 1 ,
.Xr utrace 2
.Sh HISTORY
A
.Fn ktrace
function call first appeared in
.Bx 4.3 Reno .
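.Sh EXAMPLES
The record framing described in DESCRIPTION (a generic header followed by ktr_len bytes of type specific data), as an added example that is not part of the original manual or of the system's own code: a walker that rejects a truncated header or a ktr_len running past the end of the data, exercised on records it constructs itself.
The names ex_ktr_header, ex_walk_records, ex_put_record and EX_MAXCOMLEN are hypothetical and the MAXCOMLEN value is an assumption; on a system that provides sys/ktrace.h, use struct ktr_header from that header instead of the local mirror.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>

#define EX_MAXCOMLEN 23	/* assumed value; the real MAXCOMLEN comes from system headers */

/* Local mirror of the generic header shown above (hypothetical name, same fields). */
struct ex_ktr_header {
	unsigned int	ktr_type;
	pid_t		ktr_pid;
	pid_t		ktr_tid;
	struct timespec	ktr_time;
	char		ktr_comm[EX_MAXCOMLEN + 1];
	size_t		ktr_len;
};

/* Walk header+payload records. Returns the record count, or -1 on a truncated
 * header or a ktr_len that runs past the data; *matched counts type == want. */
int ex_walk_records(const unsigned char *buf, size_t len, unsigned int want,
    size_t *matched)
{
	struct ex_ktr_header h;
	size_t off = 0;
	int n = 0;

	for (*matched = 0; off < len; n++) {
		if (len - off < sizeof(h))
			return -1;			/* truncated header */
		memcpy(&h, buf + off, sizeof(h));	/* no unaligned reads */
		off += sizeof(h);
		if (h.ktr_len > len - off)	/* avoids off + ktr_len overflow */
			return -1;
		if (h.ktr_type == want)
			(*matched)++;
		off += h.ktr_len;
	}
	return n;
}

/* Append one constructed record with a zeroed payload; returns the new offset. */
size_t ex_put_record(unsigned char *buf, size_t off, unsigned int type, size_t paylen)
{
	struct ex_ktr_header h = { .ktr_type = type, .ktr_pid = 1234, .ktr_tid = 1234,
	    .ktr_comm = "example", .ktr_len = paylen };

	memcpy(buf + off, &h, sizeof(h));
	memset(buf + off + sizeof(h), 0, paylen);
	return off + sizeof(h) + paylen;
}
```

The length check compares ktr_len against the bytes remaining rather than adding it to the offset, so a corrupted or hostile length field cannot wrap the arithmetic and be accepted.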