Kstrax -- kernel system call tracer

Fri Jul 21 2006
Author: Satoru MORIYA <satoru.moriya.br@hitachi.com>

INDEX
1. What Is Kstrax
2. Installation
3. How to Use
4. Limitations


1. What Is Kstrax
===================
 Kstrax traces system call execution, analyzes the trace log file, and
displays information about each system call together with statistics.

 Kstrax has the following features:
  - Recording in kernel space
    Kstrax records system call information in Linux kernel space.
  - No changes to the Linux kernel
    It is not necessary to change the Linux kernel because Kstrax consists
    of kernel modules and user-space commands.
  - Tracing of all system calls at low overhead
    All system calls executed on the system can be traced at low overhead
    because the recording is done in kernel space.

Kstrax has been tested on the following system:
 - RedHat Enterprise Linux AS 4 Update 1

2. Installation
================
  1) Untar the Kstrax archive

    $ tar xjf kstrax-0.0.3.tar.bz2

  2) Install the kernel modules and the commands (as the super-user)

    $ su - (input super-user password)
    # cd $(SOMEWHERE_LIST)/kstrax-0.0.3
    # make install


3. How To Use
==============
  Refer to the online manual for details of each command.

  1) Start tracing system calls in kernel space

    $ su - (input super-user password)
    # kstrax-rec start

  2) Read the log buffer from the kernel into a binary file

    $ su - (input super-user password)
    # kstrax -b -o bin

  3) Stop reading the buffer

    "Ctrl + C"

  4) Convert the binary data to text data (normal mode)

    $ kstrax -t bin

  4') Convert the binary data to text data (raw mode)

    $ kstrax -r bin

  4'') Convert the binary data to text data (statistics mode)

    $ kstrax -c bin

  5) Display the trace data

    $ less bin_txt  (normal mode)
    $ less bin_raw  (raw mode)
    $ less bin_stat (statistics mode)

  6) Stop tracing in kernel space

    $ su - (input super-user password)
    # kstrax-rec stop
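  The six steps above run as one bounded, unattended session in the
  following script. It is an added example, not part of the Kstrax
  distribution; it assumes that kstrax-rec and kstrax are on PATH (as
  after "make install"), that it runs as root, and that coreutils
  timeout(1) is available to stand in for the interactive Ctrl+C.

```shell
#!/bin/sh
# Added example, not part of the Kstrax distribution: a bounded,
# non-interactive Kstrax session.  Assumes kstrax-rec and kstrax are on
# PATH (as after "make install"), that it runs as root, and that
# coreutils timeout(1) is available.

# Stop kernel-space tracing and drop the traps that would stop it again.
kstrax_off() {
    kstrax-rec stop
    trap - EXIT INT TERM
}

# kstrax_session SECONDS OUTFILE
# Starts tracing, reads the kernel log buffer into OUTFILE for SECONDS
# seconds, interrupts the reader with SIGINT (what Ctrl+C sends), converts
# OUTFILE in all three modes and stops tracing on every exit path.
kstrax_session() {
    secs=$1
    out=$2

    kstrax-rec start || return 1
    # Never leave tracing switched on if this script is killed mid-run.
    trap kstrax_off EXIT
    trap 'kstrax_off; exit 130' INT TERM

    # timeout runs the reader in the foreground of this script, so the
    # SIGINT it sends is honoured.  Status 124 means "timed out", which
    # is the normal way this step ends.
    rc=0
    timeout -s INT "$secs" kstrax -b -o "$out" || rc=$?
    if [ "$rc" -ne 124 ] && [ "$rc" -ne 0 ]; then
        echo "kstrax -b failed with status $rc" >&2
        kstrax_off
        return "$rc"
    fi

    # Produce OUTFILE_txt (normal), OUTFILE_raw (raw) and OUTFILE_stat
    # (statistics); stop tracing whether or not the conversions succeed.
    if kstrax -t "$out" && kstrax -r "$out" && kstrax -c "$out"; then
        rc=0
    else
        rc=$?
    fi
    kstrax_off
    return "$rc"
}
```

  The reader is deliberately not started with "&" and killed afterwards:
  a POSIX shell starts background jobs with SIGINT ignored, so a scripted
  "kill -INT" would not end it the way Ctrl+C does in step 3.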

4. Limitations
===============
 - Kstrax runs only on the i386 and ia64 architectures.
 - Kstrax for ia64 cannot trace the following system calls: execve, ptrace,
   pipe, clone, clone2, rt_sigreturn and rt_sigsuspend.
