UNIX systems keep track of the current time as well as the time when they were booted. The current time is usually easy to find, but sometimes the boot time is a bit trickier. In postmortem system crash dump files, the current time is actually the time of the crash.

The time of the crash can play a vital role in system crash dump analysis. For example, if you find you have several crashes from one system that all occurred at the same time but on different days, you are much closer to finding the source. In such cases, often a specific cron job turns out to be the program that is triggering the crashes.

Comparing the boot time to the current or crash time also provides useful information. Subtracting the boot time from the crash time gives the system uptime. A system that, according to the savecore files, was up for several months presents a different picture than a system that was up for merely a few minutes.

Looking first at a Solaris 1 system, let's get the boot time and the time of the system crash. These are conveniently stored in kernel variables boottime and time. UNIX time is maintained as the number of seconds since January 1, 1970. As you may recall from the previous chapter, in adb the /Y command says to show the 32-bit value stored in the specified variable as a date instead of, say, a hexadecimal value.

Figure 9-3 Displaying the boot time and crash time on a Solaris 1 crash

    Hiya... adb -k vmunix.0 vmcore.0
    physmem 3f98
    boottime/Y
    _boottime:
    _boottime:      1993 Oct 25 13:02:25
    time/Y
    _time:
    _time:          1993 Nov  3 00:14:06
    $q
    Hiya...

Solaris 2 also has a time variable but doesn't keep track of the boot time as a fixed value, as is done in Solaris 1. Instead, it keeps track of the 100ths of seconds that have passed since the system was booted. This value is kept in a kernel variable called lbolt, which is an abbreviation for "lightning bolts," or clock ticks.

To get the boot time on a Solaris 2 system, we have to get the lbolt value, divide it by 100 to get whole seconds, and subtract that value from the current or crash time. Within adb we can do this simple arithmetic and ask adb to display the result in time format.

Figure 9-4 Displaying the boot time and crash time on a Solaris 2 crash

    Hiya... adb -k /dev/ksyms /dev/mem
    physmem 1e16
    time/Y
    time:
    time:           1994 Mar 13 21:12:49
    time/X
    time:
    time:           2d8381d1
    lbolt/X
    lbolt:
    lbolt:          a50e3
    2d8381d1-(a50e3%0t100)=Y
                    1994 Mar 13 19:20:09
    $q
    Hiya...

The % sign says to divide. The 0t specifies that the next value is in decimal instead of the adb default base, hexadecimal. Instead of 0t100 we could have simply put 64, as 100 decimal is 64 hexadecimal. The =Y says to show the result of the formula in date format.

When calculating the boot time, you might find it easier to work in decimal. We will perform the same operation again, this time using all decimal values. We can easily do the division by 100 in our head by simply dropping the last two digits from lbolt.

    Hiya... adb -k /dev/ksyms /dev/mem
    physmem 1e16
    time/D
    time:
    time:           763593169
    lbolt/D
    lbolt:
    lbolt:          676067
    0t763593169-0t6760=Y
                    1994 Mar 13 19:20:09
    $q
    Hiya...
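
The same boot-time arithmetic can be scripted when several dumps from one host have to be compared. The following Python sketch is an added example, not code from the original text: it parses the time/X and lbolt/X output of the Figure 9-4 session, derives the boot time and uptime, and buckets crash times by time of day to expose the "same time, different days" pattern described earlier. The function names, the five-minute window, and the use of UTC (which reproduces the dates shown in the figure) are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

HZ = 100  # lbolt ticks per second, as stated in the text

# Relevant lines of the Figure 9-4 session (hex output of time/X and lbolt/X).
FIG_9_4 = """\
time/X
time:
time:           2d8381d1
lbolt/X
lbolt:
lbolt:          a50e3
"""

def parse_adb_hex(session, name):
    """Return the value adb printed in response to a `name/X` command."""
    m = re.search(rf"^{name}/X\n{name}:\n{name}:\s+([0-9a-f]+)$", session, re.M)
    if m is None:
        raise ValueError(f"no {name}/X output in session")
    return int(m.group(1), 16)

def boot_and_uptime(session):
    """Crash time minus whole seconds of lbolt: 2d8381d1-(a50e3%0t100)=Y."""
    crash = datetime.fromtimestamp(parse_adb_hex(session, "time"), tz=timezone.utc)
    uptime = timedelta(seconds=parse_adb_hex(session, "lbolt") // HZ)
    return crash - uptime, crash, uptime

def recurring_crash_slots(crash_times, window_min=5, min_hits=2):
    """Map time-of-day slots to the number of distinct days a crash fell in them."""
    days = {}
    for t in crash_times:
        slot = (t.hour * 60 + t.minute) // window_min * window_min
        days.setdefault(slot, set()).add(t.date())
    return {f"{s // 60:02d}:{s % 60:02d}": len(d)
            for s, d in days.items() if len(d) >= min_hits}

def fmt(dt):
    return dt.strftime("%Y %b %d %H:%M:%S")  # same layout as adb's Y format

if __name__ == "__main__":
    boot, crash, up = boot_and_uptime(FIG_9_4)
    print("crash:", fmt(crash), "boot:", fmt(boot), "uptime:", up)
    # Constructed crash times standing in for three dumps from one host.
    dumps = [crash + timedelta(days=d, seconds=s) for d, s in ((0, 0), (1, 95), (3, -40))]
    print("recurring slots:", recurring_crash_slots(dumps))
```

A slot that recurs on several days is the cue to check which cron jobs are scheduled around that time.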