1*387f9dfdSAndroid Build Coastguard WorkerDemonstrations of syscount, the Linux/eBPF version. 2*387f9dfdSAndroid Build Coastguard Worker 3*387f9dfdSAndroid Build Coastguard Worker 4*387f9dfdSAndroid Build Coastguard Workersyscount summarizes syscall counts across the system or a specific process, 5*387f9dfdSAndroid Build Coastguard Workerwith optional latency information. It is very useful for general workload 6*387f9dfdSAndroid Build Coastguard Workercharacterization, for example: 7*387f9dfdSAndroid Build Coastguard Worker 8*387f9dfdSAndroid Build Coastguard Worker# syscount 9*387f9dfdSAndroid Build Coastguard WorkerTracing syscalls, printing top 10... Ctrl+C to quit. 10*387f9dfdSAndroid Build Coastguard Worker[09:39:04] 11*387f9dfdSAndroid Build Coastguard WorkerSYSCALL COUNT 12*387f9dfdSAndroid Build Coastguard Workerwrite 10739 13*387f9dfdSAndroid Build Coastguard Workerread 10584 14*387f9dfdSAndroid Build Coastguard Workerwait4 1460 15*387f9dfdSAndroid Build Coastguard Workernanosleep 1457 16*387f9dfdSAndroid Build Coastguard Workerselect 795 17*387f9dfdSAndroid Build Coastguard Workerrt_sigprocmask 689 18*387f9dfdSAndroid Build Coastguard Workerclock_gettime 653 19*387f9dfdSAndroid Build Coastguard Workerrt_sigaction 128 20*387f9dfdSAndroid Build Coastguard Workerfutex 86 21*387f9dfdSAndroid Build Coastguard Workerioctl 83 22*387f9dfdSAndroid Build Coastguard Worker^C 23*387f9dfdSAndroid Build Coastguard Worker 24*387f9dfdSAndroid Build Coastguard WorkerThese are the top 10 entries; you can get more by using the -T switch. Here, 25*387f9dfdSAndroid Build Coastguard Workerthe output indicates that the write and read syscalls were very common, followed 26*387f9dfdSAndroid Build Coastguard Workerimmediately by wait4, nanosleep, and so on. By default, syscount counts across 27*387f9dfdSAndroid Build Coastguard Workerthe entire system, but we can point it to a specific process of interest: 28*387f9dfdSAndroid Build Coastguard Worker 29*387f9dfdSAndroid Build Coastguard Worker# syscount -p $(pidof dd) 30*387f9dfdSAndroid Build Coastguard WorkerTracing syscalls, printing top 10... Ctrl+C to quit. 31*387f9dfdSAndroid Build Coastguard Worker[09:40:21] 32*387f9dfdSAndroid Build Coastguard WorkerSYSCALL COUNT 33*387f9dfdSAndroid Build Coastguard Workerread 7878397 34*387f9dfdSAndroid Build Coastguard Workerwrite 7878397 35*387f9dfdSAndroid Build Coastguard Worker^C 36*387f9dfdSAndroid Build Coastguard Worker 37*387f9dfdSAndroid Build Coastguard WorkerIndeed, dd's workload is a bit easier to characterize. Occasionally, the count 38*387f9dfdSAndroid Build Coastguard Workerof syscalls is not enough, and you'd also want an aggregate latency: 39*387f9dfdSAndroid Build Coastguard Worker 40*387f9dfdSAndroid Build Coastguard Worker# syscount -L 41*387f9dfdSAndroid Build Coastguard WorkerTracing syscalls, printing top 10... Ctrl+C to quit. 42*387f9dfdSAndroid Build Coastguard Worker[09:41:32] 43*387f9dfdSAndroid Build Coastguard WorkerSYSCALL COUNT TIME (us) 44*387f9dfdSAndroid Build Coastguard Workerselect 16 3415860.022 45*387f9dfdSAndroid Build Coastguard Workernanosleep 291 12038.707 46*387f9dfdSAndroid Build Coastguard Workerftruncate 1 122.939 47*387f9dfdSAndroid Build Coastguard Workerwrite 4 63.389 48*387f9dfdSAndroid Build Coastguard Workerstat 1 23.431 49*387f9dfdSAndroid Build Coastguard Workerfstat 1 5.088 50*387f9dfdSAndroid Build Coastguard Worker[unknown: 321] 32 4.965 51*387f9dfdSAndroid Build Coastguard Workertimerfd_settime 1 4.830 52*387f9dfdSAndroid Build Coastguard Workerioctl 3 4.802 53*387f9dfdSAndroid Build Coastguard Workerkill 1 4.342 54*387f9dfdSAndroid Build Coastguard Worker^C 55*387f9dfdSAndroid Build Coastguard Worker 56*387f9dfdSAndroid Build Coastguard WorkerThe select and nanosleep calls are responsible for a lot of time, but remember 57*387f9dfdSAndroid Build Coastguard Workerthese are blocking calls. This output was taken from a mostly idle system. Note 58*387f9dfdSAndroid Build Coastguard Workerthe "unknown" entry -- syscall 321 is the bpf() syscall, which is not in the 59*387f9dfdSAndroid Build Coastguard Workertable used by this tool (borrowed from strace sources). 60*387f9dfdSAndroid Build Coastguard Worker 61*387f9dfdSAndroid Build Coastguard WorkerAnother direction would be to understand which processes are making a lot of 62*387f9dfdSAndroid Build Coastguard Workersyscalls, thus responsible for a lot of activity. This is what the -P switch 63*387f9dfdSAndroid Build Coastguard Workerdoes: 64*387f9dfdSAndroid Build Coastguard Worker 65*387f9dfdSAndroid Build Coastguard Worker# syscount -P 66*387f9dfdSAndroid Build Coastguard WorkerTracing syscalls, printing top 10... Ctrl+C to quit. 67*387f9dfdSAndroid Build Coastguard Worker[09:58:13] 68*387f9dfdSAndroid Build Coastguard WorkerPID COMM COUNT 69*387f9dfdSAndroid Build Coastguard Worker13820 vim 548 70*387f9dfdSAndroid Build Coastguard Worker30216 sshd 149 71*387f9dfdSAndroid Build Coastguard Worker29633 bash 72 72*387f9dfdSAndroid Build Coastguard Worker25188 screen 70 73*387f9dfdSAndroid Build Coastguard Worker25776 mysqld 30 74*387f9dfdSAndroid Build Coastguard Worker31285 python 10 75*387f9dfdSAndroid Build Coastguard Worker529 systemd-udevd 9 76*387f9dfdSAndroid Build Coastguard Worker1 systemd 8 77*387f9dfdSAndroid Build Coastguard Worker494 systemd-journal 5 78*387f9dfdSAndroid Build Coastguard Worker^C 79*387f9dfdSAndroid Build Coastguard Worker 80*387f9dfdSAndroid Build Coastguard WorkerThis is again from a mostly idle system over an interval of a few seconds. 81*387f9dfdSAndroid Build Coastguard Worker 82*387f9dfdSAndroid Build Coastguard WorkerSometimes, you'd only care about failed syscalls -- these are the ones that 83*387f9dfdSAndroid Build Coastguard Workermight be worth investigating with follow-up tools like opensnoop, execsnoop, 84*387f9dfdSAndroid Build Coastguard Workeror trace. Use the -x switch for this; the following example also demonstrates 85*387f9dfdSAndroid Build Coastguard Workerthe -i switch, for printing at predefined intervals: 86*387f9dfdSAndroid Build Coastguard Worker 87*387f9dfdSAndroid Build Coastguard Worker# syscount -x -i 5 88*387f9dfdSAndroid Build Coastguard WorkerTracing failed syscalls, printing top 10... Ctrl+C to quit. 89*387f9dfdSAndroid Build Coastguard Worker[09:44:16] 90*387f9dfdSAndroid Build Coastguard WorkerSYSCALL COUNT 91*387f9dfdSAndroid Build Coastguard Workerfutex 13 92*387f9dfdSAndroid Build Coastguard Workergetxattr 10 93*387f9dfdSAndroid Build Coastguard Workerstat 8 94*387f9dfdSAndroid Build Coastguard Workeropen 6 95*387f9dfdSAndroid Build Coastguard Workerwait4 3 96*387f9dfdSAndroid Build Coastguard Workeraccess 2 97*387f9dfdSAndroid Build Coastguard Worker[unknown: 321] 1 98*387f9dfdSAndroid Build Coastguard Worker 99*387f9dfdSAndroid Build Coastguard Worker[09:44:21] 100*387f9dfdSAndroid Build Coastguard WorkerSYSCALL COUNT 101*387f9dfdSAndroid Build Coastguard Workerfutex 12 102*387f9dfdSAndroid Build Coastguard Workergetxattr 10 103*387f9dfdSAndroid Build Coastguard Worker[unknown: 321] 2 104*387f9dfdSAndroid Build Coastguard Workerwait4 1 105*387f9dfdSAndroid Build Coastguard Workeraccess 1 106*387f9dfdSAndroid Build Coastguard Workerpause 1 107*387f9dfdSAndroid Build Coastguard Worker^C 108*387f9dfdSAndroid Build Coastguard Worker 109*387f9dfdSAndroid Build Coastguard WorkerSimilar to -x/--failures, sometimes you only care about certain syscall 110*387f9dfdSAndroid Build Coastguard Workererrors like EPERM or ENONET -- these are the ones that might be worth 111*387f9dfdSAndroid Build Coastguard Workerinvestigating with follow-up tools like opensnoop, execsnoop, or 112*387f9dfdSAndroid Build Coastguard Workertrace. Use the -e/--errno switch for this; the following example also 113*387f9dfdSAndroid Build Coastguard Workerdemonstrates the -e switch, for printing ENOENT failures at predefined intervals: 114*387f9dfdSAndroid Build Coastguard Worker 115*387f9dfdSAndroid Build Coastguard Worker# syscount -e ENOENT -i 5 116*387f9dfdSAndroid Build Coastguard WorkerTracing syscalls, printing top 10... Ctrl+C to quit. 117*387f9dfdSAndroid Build Coastguard Worker[13:15:57] 118*387f9dfdSAndroid Build Coastguard WorkerSYSCALL COUNT 119*387f9dfdSAndroid Build Coastguard Workerstat 4669 120*387f9dfdSAndroid Build Coastguard Workeropen 1951 121*387f9dfdSAndroid Build Coastguard Workeraccess 561 122*387f9dfdSAndroid Build Coastguard Workerlstat 62 123*387f9dfdSAndroid Build Coastguard Workeropenat 42 124*387f9dfdSAndroid Build Coastguard Workerreadlink 8 125*387f9dfdSAndroid Build Coastguard Workerexecve 4 126*387f9dfdSAndroid Build Coastguard Workernewfstatat 1 127*387f9dfdSAndroid Build Coastguard Worker 128*387f9dfdSAndroid Build Coastguard Worker[13:16:02] 129*387f9dfdSAndroid Build Coastguard WorkerSYSCALL COUNT 130*387f9dfdSAndroid Build Coastguard Workerlstat 18506 131*387f9dfdSAndroid Build Coastguard Workerstat 13087 132*387f9dfdSAndroid Build Coastguard Workeropen 2907 133*387f9dfdSAndroid Build Coastguard Workeraccess 412 134*387f9dfdSAndroid Build Coastguard Workeropenat 19 135*387f9dfdSAndroid Build Coastguard Workerreadlink 12 136*387f9dfdSAndroid Build Coastguard Workerexecve 7 137*387f9dfdSAndroid Build Coastguard Workerconnect 6 138*387f9dfdSAndroid Build Coastguard Workerunlink 1 139*387f9dfdSAndroid Build Coastguard Workerrmdir 1 140*387f9dfdSAndroid Build Coastguard Worker^C 141*387f9dfdSAndroid Build Coastguard Worker 142*387f9dfdSAndroid Build Coastguard WorkerSometimes, you'd only care about a single syscall rather than all syscalls. 143*387f9dfdSAndroid Build Coastguard WorkerUse the --syscall option for this; the following example also demonstrates 144*387f9dfdSAndroid Build Coastguard Workerthe --syscall option, for printing at predefined intervals: 145*387f9dfdSAndroid Build Coastguard Worker 146*387f9dfdSAndroid Build Coastguard Worker# syscount --syscall stat -i 1 147*387f9dfdSAndroid Build Coastguard WorkerTracing syscall 'stat'... Ctrl+C to quit. 148*387f9dfdSAndroid Build Coastguard Worker[12:51:06] 149*387f9dfdSAndroid Build Coastguard WorkerSYSCALL COUNT 150*387f9dfdSAndroid Build Coastguard Workerstat 310 151*387f9dfdSAndroid Build Coastguard Worker 152*387f9dfdSAndroid Build Coastguard Worker[12:51:07] 153*387f9dfdSAndroid Build Coastguard WorkerSYSCALL COUNT 154*387f9dfdSAndroid Build Coastguard Workerstat 316 155*387f9dfdSAndroid Build Coastguard Worker^C 156*387f9dfdSAndroid Build Coastguard Worker 157*387f9dfdSAndroid Build Coastguard WorkerUSAGE: 158*387f9dfdSAndroid Build Coastguard Worker# syscount -h 159*387f9dfdSAndroid Build Coastguard Workerusage: syscount.py [-h] [-p PID] [-t TID] [-i INTERVAL] [-d DURATION] [-T TOP] 160*387f9dfdSAndroid Build Coastguard Worker [-x] [-e ERRNO] [-L] [-m] [-P] [-l] [--syscall SYSCALL] 161*387f9dfdSAndroid Build Coastguard Worker 162*387f9dfdSAndroid Build Coastguard WorkerSummarize syscall counts and latencies. 163*387f9dfdSAndroid Build Coastguard Worker 164*387f9dfdSAndroid Build Coastguard Workeroptional arguments: 165*387f9dfdSAndroid Build Coastguard Worker -h, --help show this help message and exit 166*387f9dfdSAndroid Build Coastguard Worker -p PID, --pid PID trace only this pid 167*387f9dfdSAndroid Build Coastguard Worker -t TID, --tid TID trace only this tid 168*387f9dfdSAndroid Build Coastguard Worker -c PPID, --ppid PPID trace only child of this pid 169*387f9dfdSAndroid Build Coastguard Worker -i INTERVAL, --interval INTERVAL 170*387f9dfdSAndroid Build Coastguard Worker print summary at this interval (seconds) 171*387f9dfdSAndroid Build Coastguard Worker -d DURATION, --duration DURATION 172*387f9dfdSAndroid Build Coastguard Worker total duration of trace, in seconds 173*387f9dfdSAndroid Build Coastguard Worker -T TOP, --top TOP print only the top syscalls by count or latency 174*387f9dfdSAndroid Build Coastguard Worker -x, --failures trace only failed syscalls (return < 0) 175*387f9dfdSAndroid Build Coastguard Worker -e ERRNO, --errno ERRNO 176*387f9dfdSAndroid Build Coastguard Worker trace only syscalls that return this error (numeric or 177*387f9dfdSAndroid Build Coastguard Worker EPERM, etc.) 178*387f9dfdSAndroid Build Coastguard Worker -L, --latency collect syscall latency 179*387f9dfdSAndroid Build Coastguard Worker -m, --milliseconds display latency in milliseconds (default: 180*387f9dfdSAndroid Build Coastguard Worker microseconds) 181*387f9dfdSAndroid Build Coastguard Worker -P, --process count by process and not by syscall 182*387f9dfdSAndroid Build Coastguard Worker -l, --list print list of recognized syscalls and exit 183*387f9dfdSAndroid Build Coastguard Worker --syscall SYSCALL trace this syscall only (use option -l to get all 184*387f9dfdSAndroid Build Coastguard Worker recognized syscalls) 185