This is cool :). I always wanted a reason to play around with dtrace and never really found a good
reason for it.
Might this also work on FreeBSD? If I am not very much mistaken, dtrace support has been added
to it quite a while ago.
Johanna
The way the probes are compiled, it *should* work with FreeBSD. I'm in
the process of rebuilding my FreeBSD VM, so no way to easily test that
yet, though.
This will *not* work on Solaris.
In case anyone would like to play with this, I've attached a simple
bro-trace.d that will trace calls to bro-builtins. On OS X, you'll *need*
to actually sudo -i to run the script; if you don't, END {} won't fire
(not sure why). You'll also probably need 'dtrace -Z -s bro-trace.d' if
you run dtrace before bro is started.
By the way, to give some idea of overhead, I ran an analysis of the 700 MB
pcap here:
http://2009.hack.lu/index.php/InfoVisContest
via:
bro -r ~/Downloads/jubrowska-capture_1.cap
On my laptop (quad-core i7, 5400 RPM HD, 8 GB DDR3), without probes
compiled into bro, I got:
real 3m33.206s
user 4m15.808s
sys 0m25.539s
With probes compiled but nothing using them:
real 3m41.651s
user 4m18.873s
sys 0m25.759s
With bro-trace.d running while bro processed the above capture file:
real 4m29.553s
user 4m26.601s
sys 1m10.063s
--Gilbert
bro-trace.d (901 Bytes)
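For anyone who wants to write their own version rather than use the attachment, here is an added example D script (not the bro-trace.d from this thread): it aggregates call counts and total time per builtin and prints them in END. The provider and probe names (`bro*:::builtin-entry`, `bro*:::builtin-return`, with the builtin name as arg0) are assumptions for illustration; check the attached script for the real ones.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example, not the bro-trace.d attached to the thread.
 * Assumes a hypothetical USDT provider "bro" with two probes,
 * builtin-entry(name) and builtin-return(name), where arg0 is a
 * user-space pointer to the builtin's name. Run as root with -Z so
 * dtrace tolerates the probes not existing until bro has started:
 *   dtrace -Z -s bro-builtins.d -c 'bro -r capture.cap'
 * -c runs bro under dtrace, so END fires when bro exits.
 */
#pragma D option quiet

dtrace:::BEGIN
{
    printf("tracing bro builtin calls; END fires when the -c command exits\n");
}

/* record entry time per thread and count the call */
bro*:::builtin-entry
{
    self->ts = timestamp;
    @calls[copyinstr(arg0)] = count();
}

/* only match returns that had a recorded entry on this thread */
bro*:::builtin-return
/self->ts/
{
    @ns[copyinstr(arg0)] = sum(timestamp - self->ts);
    self->ts = 0;
}

dtrace:::END
{
    /* convert the nanosecond totals to microseconds before printing */
    normalize(@ns, 1000);
    printf("%-32s %10s %12s\n", "BUILTIN", "CALLS", "TOTAL(us)");
    printa("%-32s %@10d %@12d\n", @calls, @ns);
}
```

Without -c, start dtrace first with -Z and then run bro in another shell; END then fires on Ctrl-C (on OS X, as noted above, only when run from a root shell via sudo -i).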