NAME
     kdump — display kernel trace data
SYNOPSIS
     kdump [-dEnlHRrsTA] [-f trfile] [-m maxdata] [-p pid] [-t trstr]
DESCRIPTION
     The kdump command displays the kernel trace files produced with
     ktrace(1) in human readable format. By default, the file ktrace.out in
     the current directory is displayed.
     The options are as follows:

     -d          Display all numbers in decimal.

     -E          Display elapsed timestamps (time since the beginning of the
                 trace).

     -f trfile   Display the specified file instead of ktrace.out.

     -H          List the thread ID (tid) of the thread with each trace
                 record, if available. If no thread ID is available, 0 is
                 printed.

     -l          Loop reading the trace file: once end-of-file is reached,
                 wait for more data instead of exiting.

     -m maxdata  Display at most maxdata bytes when decoding I/O.

     -n          Suppress ad hoc translations. Normally kdump tries to decode
                 many system calls into a more human readable format. For
                 example, ioctl(2) request values are replaced with the macro
                 name and errno values are replaced with the strerror(3)
                 string. Suppressing this feature yields a more consistent
                 output format that is easier to process with other tools.

     -p pid      Display only trace events that correspond to the process
                 pid. This is useful when several processes are recorded in
                 the same trace file.

     -R          Display relative timestamps (time since the previous entry).

     -r          When decoding STRU records, display structure members such
                 as UIDs, GIDs and dates symbolically instead of numerically.

     -s          Suppress display of I/O data.

     -T          Display absolute timestamps (seconds since the epoch) for
                 each entry.

     -A          Display a description of the ABI of the traced process.

     -t trstr    See the -t option of ktrace(1).
     The output format of kdump is line oriented with several fields. The
     example below shows a section of the kdump output generated by the
     following commands:

     $ ktrace echo "ktrace"
     $ kdump
     85045 echo CALL writev(0x1,0x804b030,0x2)
     85045 echo GIO fd 1 wrote 7 bytes
     "ktrace
     "
     85045 echo RET writev 7
     The first field is the PID of the process being traced. The second field
     is the name of the program being traced. The third field is the operation
     that the kernel performed on behalf of the process. If thread IDs are
     being printed (-H), an additional thread ID column appears between the
     PID field and the program name field.

     In the first line above, the kernel executes the writev(2) system call on
     behalf of the process, so this is a CALL operation. The fourth field
     shows the system call that was executed, including its arguments. The
     writev(2) system call takes a file descriptor, in this case 1 (standard
     output), a pointer to an array of iovec structures to write, and the
     number of entries in that array. In the second line the operation is GIO,
     for general I/O, and file descriptor 1 had seven bytes written to it.
     This is followed by the seven bytes that were written: the six-character
     string "ktrace" and a trailing newline, which is why the quoted data
     spans two output lines. The last line is the RET operation, showing a
     return from the kernel, which system call is returning, and the return
     value that the process received. Seven bytes were written by the
     writev(2) system call, so 7 is the return value.
     The possible operations are:

           Name   Operation               Fourth field
           CALL   enter syscall           syscall name and arguments
           RET    return from syscall     syscall name and return value
           NAMI   file name lookup        path to file
           GIO    general I/O             fd, read/write, number of bytes
           PSIG   signal                  signal name, handler, mask, code
           CSW    context switch          stop/resume user/kernel
           USER   data from user process  the data
           STRU   various syscalls        structure
           SCTL   sysctl(3) requests      MIB name
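     As an added example (not part of the kdump(1) manual page or of the
     ktrace/kdump sources), the following Python script parses the line
     format described above (PID, optional thread ID under -H, program name,
     operation, fourth field) and the operation keywords from the table, and
     turns a trace into a per-process audit summary: which system calls were
     made, which returned an error, which paths were looked up (NAMI), which
     signals were delivered (PSIG) and how many bytes moved through each
     descriptor (GIO). This is the kind of "further processing" that the
     consistent output of -n is meant to feed. The embedded sample trace is
     constructed in the format shown on this page; the error-return form
     ("-1 errno 13 Permission denied") and the PSIG line are assumptions about
     how kdump prints those records, not output copied from a real trace.

```python
"""Summarize kdump(1) output per process.

Added example, not part of the kdump(1) manual page: it parses the record
format described above (PID, optional thread ID when -H is used, program
name, operation keyword, fourth field) and builds a small audit summary of
the system calls a process made, which of them failed, the paths it looked
up, the signals it received and the bytes it moved through each descriptor.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Operation keywords from the table of possible operations.
OPS = ("CALL", "RET", "NAMI", "GIO", "PSIG", "CSW", "USER", "STRU", "SCTL")

# Record header: PID, optional TID (kdump -H), program name, operation,
# and the remainder of the line as the fourth field.
RECORD_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?:(?P<tid>\d+)\s+)?(?P<comm>\S+)\s+"
    r"(?P<op>" + "|".join(OPS) + r")\b\s*(?P<rest>.*)$"
)
GIO_RE = re.compile(r"^fd (?P<fd>\d+) (?P<dir>read|wrote) (?P<n>\d+) bytes")
# Failed syscall return; the "-1 errno <n> <strerror text>" shape is an
# assumption about how kdump prints errors after errno translation.
RET_ERR_RE = re.compile(r"^(?P<name>\S+) -1 errno (?P<errno>\d+)\s*(?P<msg>.*)$")


@dataclass
class Record:
    pid: int
    tid: Optional[int]
    comm: str
    op: str
    rest: str
    data: list = field(default_factory=list)  # quoted payload lines (GIO/USER)


def parse_kdump(text: str) -> list:
    """Split kdump output into records; non-header lines are I/O payload."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            tid = int(m["tid"]) if m["tid"] else None
            records.append(Record(int(m["pid"]), tid, m["comm"], m["op"], m["rest"]))
        elif records:
            # Payload lines of the preceding GIO/USER record (the quoted data
            # spans several lines when it contains newlines). A payload line
            # that itself looks like a record header would be misread; use
            # kdump -s when only control flow matters.
            records[-1].data.append(line)
    return records


@dataclass
class ProcSummary:
    comm: str
    calls: Counter = field(default_factory=Counter)     # syscall name -> count
    failures: list = field(default_factory=list)        # (syscall, errno, message)
    paths: list = field(default_factory=list)           # NAMI lookups
    signals: list = field(default_factory=list)         # PSIG signal names
    io_bytes: Counter = field(default_factory=Counter)  # (fd, direction) -> bytes


def summarize(records) -> dict:
    """Aggregate records per PID into an audit-oriented summary."""
    procs = {}
    for r in records:
        s = procs.setdefault(r.pid, ProcSummary(r.comm))
        if r.op == "CALL":
            s.calls[r.rest.split("(", 1)[0]] += 1
        elif r.op == "RET":
            m = RET_ERR_RE.match(r.rest)
            if m:
                s.failures.append((m["name"], int(m["errno"]), m["msg"]))
        elif r.op == "NAMI":
            s.paths.append(r.rest.strip().strip('"'))
        elif r.op == "PSIG":
            s.signals.append(r.rest.split()[0])
        elif r.op == "GIO":
            m = GIO_RE.match(r.rest)
            if m:
                s.io_bytes[(int(m["fd"]), m["dir"])] += int(m["n"])
    return procs


# Constructed sample in the format shown on this page (not a real trace).
SAMPLE = """\
85045 echo CALL writev(0x1,0x804b030,0x2)
85045 echo GIO fd 1 wrote 7 bytes
"ktrace
"
85045 echo RET writev 7
85045 echo CALL open(0xbfbfe9a0,0,0)
85045 echo NAMI "/etc/master.passwd"
85045 echo RET open -1 errno 13 Permission denied
85045 echo PSIG SIGPIPE caught handler=0x8048d20 mask=(): code=0
"""

if __name__ == "__main__":
    for pid, s in summarize(parse_kdump(SAMPLE)).items():
        print(f"pid {pid} ({s.comm}): calls={dict(s.calls)} failures={s.failures}")
        print(f"  paths={s.paths} signals={s.signals} io={dict(s.io_bytes)}")
```

     Feed it real output with, for instance, kdump -n -f ktrace.out, piped
     into the script; run kdump with -p to restrict the summary to one PID
     when several processes share a trace file.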
SEE ALSO
     ktrace(1)
HISTORY
     The kdump command appeared in 4.4BSD.