I want to capture all the system calls on a file system in great detail. E.g. for the write system call, I want to record the target file, the number of bytes written and the offset at which the write occurs.

Currently, I want to implement such a logger with inotify. However, it cannot provide such details. E.g. for write it does not provide the number of bytes written and the offset. An alternative is to use bbfs implemented on FUSE. However, it will introduce overhead when logging system calls and delay user operations to an intolerable degree.

Is there some library that can capture system calls on file system, just like ptrace when logging all system calls issued by a process?

Summer_More_More_Tea

2 Answers

How about writing your own profiling tool using a wrapper? See GCC `-wrapper`:

-wrapper
Invoke all subcommands under a wrapper program. The name of the wrapper program and its parameters are passed as a comma separated list.

Mingliang Liu

There are many options for tracing in Linux. But this sounds like a pretty simple case. Have you investigated simply using the strace utility? It has lots of options that can control tracing granularity, will log arguments to almost all syscalls (including buffer contents if you want that) and exists and works basically everywhere without any setup beyond installing the package.

Andy Ross
  • No, I haven't investigated `strace`. Thank you for the hint. – Summer_More_More_Tea Jun 04 '13 at 18:02
  • I just skimmed the man page; it seems `strace` is process-oriented, while I want to record all the system calls on a file system without differentiating the processes. Is that OK? – Summer_More_More_Tea Jun 04 '13 at 18:07
  • I missed that bit. If you want to trace at the kernel level, you'll want to look at things like Systemtap and LTTNG. Those are vastly more powerful, but quite a bit more involved than something like strace. Basically you're writing little code bits to run inline in the kernel when it hits specific events, and making good use of the tools requires that you have a reasonable familiarity with how the kernel is organized. – Andy Ross Jun 04 '13 at 21:06
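
Added example (not part of the answers or comments above): a parser for `strace` output that recovers the target file, byte count and offset of each write, the details the question asks for. It assumes a log produced with `strace -f -y -e trace=openat,lseek,write,pwrite64 -o trace.log <command>`; the sample lines and the `parse_writes` name are constructed for illustration. As the comments note, this covers only the traced process tree, not the whole file system.

```python
import re

# Constructed sample in the format the assumed strace invocation writes (pid prefix from -f -o).
SAMPLE = r'''4242 openat(AT_FDCWD, "/tmp/demo.log", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 3</tmp/demo.log>
4242 write(3</tmp/demo.log>, "hello\n", 6) = 6
4242 write(3</tmp/demo.log>, "world\n", 6) = 6
4242 lseek(3</tmp/demo.log>, 100, SEEK_SET) = 100
4242 write(3</tmp/demo.log>, "tail", 4) = 4
4242 pwrite64(3</tmp/demo.log>, "XY", 2, 0) = 2
4242 write(1</dev/pts/0>, "done\n", 5) = -1 EIO (Input/output error)
4243 write(3</tmp/other.bin>, "\1\2\3"..., 4096) = 4096
'''

LINE = re.compile(r'^(?:(\d+)\s+)?(\w+)\((.*)\)\s+=\s+(-?\d+)')
FD = re.compile(r'^(\d+)<([^>]*)>')  # "-y" annotates descriptors as fd<path>

def parse_writes(text):
    """Return (pid, path, nbytes, offset) per successful write; offset is None if unknown."""
    offsets = {}   # (pid, fd) -> file offset, tracked from openat/lseek/write
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # signals, exits, unfinished/resumed lines
        pid, call, args, ret = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if ret < 0:
            continue  # failed call: nothing written, offset unchanged
        if call == "openat":
            # A new descriptor starts at 0; with O_APPEND each write lands at EOF (unknown here).
            offsets[(pid, ret)] = None if "O_APPEND" in args else 0
            continue
        fdm = FD.match(args)
        if not fdm:
            continue
        key, path = (pid, int(fdm.group(1))), fdm.group(2)
        if call == "lseek":
            offsets[key] = ret
        elif call == "pwrite64":
            # Explicit offset is the last argument; the descriptor's own offset is not moved.
            records.append((pid, path, ret, int(args.rsplit(", ", 1)[1])))
        elif call == "write":
            off = offsets.get(key)  # None if the fd was opened before tracing began
            records.append((pid, path, ret, off))
            if off is not None:
                offsets[key] = off + ret
    return records

if __name__ == "__main__":
    for rec in parse_writes(SAMPLE):
        print(rec)
```

Offsets are tracked per (pid, fd), so descriptors shared through `dup` or `fork` are not modelled and would need the same bookkeeping extended to those calls.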