syscalltrack

When to Use it?

Here are a few scenarios that will show what can be done with the system call tracker. These scenarios actually happened to some of us on various systems (not necessarily Linux) - and might have also happened to you.

  • You have an important file on the system mysteriously being deleted once in a while, and you wish to know which process is deleting the file.

    solution: add a rule to track any invocation of the 'unlink' system call, in which the 'pathname' parameter contains the name of the disappearing file.

  • You develop a multi-process system, and a process you're running suddenly receives a SIGTERM signal and dies. You want to know which process SENT this signal to your process.

    solution: add a rule to track any invocation of the 'kill' system call, in which the 'pid' parameter equals the pid of your precious process, and as an action for the rule - to log the activation, as well as suspend the process that invokes this system call. Then sit back and wait until the murderer makes its next move (i.e. kills your precious process) - then read the log, see which process killed your process (it's still active, since it was suspended) and keep tracking from there.

  • You have a configuration file for a program which keeps being reset to a given state a while after you modify it. Obviously, some program is updating this file's contents - but which program?

    solution: add a rule to track invocations of the 'open' system call, where the 'pathname' parameter contains the name of the config file, and the 'mode' flags contain any of 'O_CREAT', 'O_TRUNC', 'O_WRONLY' or 'O_RDWR'. Then modify your config file, wait until its contents are changed again, and look at the syscalls log for the culprit.

  • The permissions on some directory in your system keep changing to some value, despite you changing them to a different value, and you want to know who keeps changing them.

    solution: add a rule to track invocations of the 'chmod' system call, in which the 'path' parameter contains the name of the directory. You know the rest already...
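The four rules above, expressed as an added Python example (not syscalltrack's own rule language, log format or code): each rule names a system call, a predicate on its arguments and an action, and the matcher reports which pid triggered it. The trace records, pids and file names are constructed; a read-only 'open' of the config file is included to show that it does not match the write-flag rule.

```python
# Toy rule matcher for the scenarios on this page, run over a constructed
# syscall trace.  Record layout (pid, comm, syscall, args) is an assumption,
# not syscalltrack's format.
TRACE = [
    {"pid": 812, "comm": "cron", "syscall": "open",
     "args": {"pathname": "/etc/app.conf", "flags": ["O_RDONLY"]}},
    {"pid": 913, "comm": "cleanup.sh", "syscall": "unlink",
     "args": {"pathname": "/var/data/important.db"}},
    {"pid": 1001, "comm": "watchdog", "syscall": "kill",
     "args": {"pid": 4242, "sig": "SIGTERM"}},
    {"pid": 1107, "comm": "setup.sh", "syscall": "open",
     "args": {"pathname": "/etc/app.conf", "flags": ["O_WRONLY", "O_TRUNC"]}},
    {"pid": 1203, "comm": "fixperms", "syscall": "chmod",
     "args": {"path": "/srv/share", "mode": "0755"}},
]

# Flags that mean the caller may create, truncate or write the file.
WRITE_FLAGS = {"O_CREAT", "O_TRUNC", "O_WRONLY", "O_RDWR"}

# (rule name, syscall, predicate over the argument dict, action)
RULES = [
    ("unlink-important", "unlink",
     lambda a: "important.db" in a["pathname"], "LOG"),
    ("kill-4242", "kill",
     lambda a: a["pid"] == 4242, "LOG+SUSPEND"),
    ("cfg-rewrite", "open",
     lambda a: "app.conf" in a["pathname"]
     and bool(WRITE_FLAGS & set(a["flags"])), "LOG"),
    ("chmod-share", "chmod",
     lambda a: "/srv/share" in a["path"], "LOG"),
]


def apply_rules(trace, rules):
    """Return (rule name, action, pid, comm) for every record a rule matches."""
    hits = []
    for rec in trace:
        for name, syscall, pred, action in rules:
            if rec["syscall"] == syscall and pred(rec["args"]):
                hits.append((name, action, rec["pid"], rec["comm"]))
    return hits


def suspended_pids(hits):
    """Pids that a SUSPEND action would have frozen for later inspection."""
    return {pid for _, action, pid, _ in hits if "SUSPEND" in action}


if __name__ == "__main__":
    for hit in apply_rules(TRACE, RULES):
        print("rule=%s action=%s pid=%d comm=%s" % hit)
```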

$Id: when.html,v 1.26 2003/02/05 22:30:59 mulix Exp $