[Bro-Commits] [git/bro] topic/gilbert/dtrace-probes: OSX support for dtrace built into bro. Probes supported are: (20fe478)

This is cool :). I always wanted a reason to play around with dtrace and never really found a good
reason for it.

Might this also work on FreeBSD? If I am not very much mistaken, dtrace support has been added
to it quite a while ago.


The way the probes are compiled, it *should* work with FreeBSD. I'm in
the process of rebuilding my FreeBSD VM, so no way to easily test that
yet, though.

This will *not* work on Solaris.

In case anyone would like to play with this, I've attached a simple
bro-trace.d that will trace calls to bro-builtins. On OS X, you'll *need*
to actually sudo -i to run the script; if you don't, END {} won't fire
(not sure why). You'll also probably need 'dtrace -Z -s bro-trace.d' if
you run dtrace before bro is started.

By the way, to give some idea of overhead, I ran an analysis of the 700 MB
pcap here:

bro -r ~/Downloads/jubrowska-capture_1.cap

On my laptop (quad-core i7, 5400 RPM HD, 8 GB DDR3), without probes
compiled into bro, I got:

real 3m33.206s
user 4m15.808s
sys 0m25.539s

With probes compiled but nothing using them:

real 3m41.651s
user 4m18.873s
sys 0m25.759s

With bro-trace.d running while bro processed the above capture file:

real 4m29.553s
user 4m26.601s
sys 1m10.063s


bro-trace.d (901 Bytes)