Project 43. System Voyeur Tips

"How do I check on the activity of system components such as the file system and the network?"

This project gives tips for viewing system activity and statistics, such as system calls and virtual-memory statistics, file system activity, network activity, and kernel information. It presents some quick tips, each of which introduces a useful voyeur command. It covers the commands sc_usage, latency, uptime, vm_stat, dmesg, fs_usage, lsof, netstat, tcpdump, ktrace, and sysctl.

Glimpsing Possibilities

Many of the commands suggested in this project have extensive capabilities and would take a project or two to cover fully. The purpose of this project is merely to introduce several useful commands, describe briefly what each command does, and give examples of how the commands might be used. As ever, the Unix man pages will furnish you with further, if rather terse, details.

System Activity

This section presents commands that display system activity such as system calls, virtual-memory statistics, system messages, and open files.

Display Live System Calls

Use the command sc_usage to display live statistics of system-call and virtual-memory usage. Invoke sc_usage as root, giving the name (or process ID) of a process to monitor. We might monitor the nano text editor by using the command

$ sudo sc_usage nano
Password:


You'll see a screen presenting statistics and updating in real time. It shows information such as the number and type of system calls, CPU time consumed, current scheduling priority, and so on. You'll see the "read" and "write" counts increase for every character you type into the editor.

Monitor Scheduling and Interrupt Latency

The command latency measures the time your system takes to switch between processes (scheduling latency) and to respond to interrupts (external events from the network and peripherals). It records the number of such events that fall within a range of delays. The -rt option runs latency itself at real-time scheduling priority, so that its own sampling does not add to the delays it reports. To monitor, use

$ sudo latency -rt


How Long Has Your Mac Been Up and Running?

The command uptime reports how long your Mac has been running since it was last rebooted. It also shows the load average over the past 1, 5, and 15 minutes: the average number of processes that were runnable (queuing for CPU time). Compare it with the number of processor cores: on a single-processor machine a value of less than 1 means that the CPU has time to spare, and on an N-core machine the same holds for a value below N.

$ uptime
10:20 up 49 mins, 3 users, load averages: 0.64 0.63 0.48


The rather pathetic uptime (49 minutes) shown above reflects a recent power cut. (And why does Microsoft Word never recover a document in a satisfactory manner?)

Display Virtual-Memory Statistics

Use the vm_stat command to display statistics on usage of virtual memory (VM), showing how much is free, used, and wired (can never be swapped out and usually is reserved by the kernel). It also counts pageins and pageouts. All counts are in pages; multiply by the page size given on the first line of output (4096 bytes here) to get bytes. The pageouts statistic is particularly interesting, as it shows how much swapping is occurring. If this value is continually increasing by hundreds every few seconds, your system is running out of physical memory and is having to swap executing processes in and out. It's time to invest in some additional memory.

To view VM statistics accumulated since the last restart, type

$ vm_stat
Mach Virtual Memory Statistics: (page size of 4096 bytes)
Pages free:                   155884.
Pages active:                  35132.
...
Pageouts:                          0.


To monitor continually what is happening every five seconds, type the following. The first row of figures is the total since the last restart; each later row covers one five-second interval.

$ vm_stat 5
Mach Virtual Memory Statistics:(page size 4096 bytes, ca...
  free  active  inac wire  faults ...reactive pageins pageout
155880  35132 50299 20833 653414 ...       0   22302       0
155880  35522 50299 20443     60 ...       0       0       0
156736  31521 49558 24329     89 ...       0       0       0
...
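The "pageouts climbing by hundreds every few seconds" rule above is easy to turn into a check. The following is an added example, not code from the book: it reads `vm_stat 5` output, locates the pageout column from the header rather than assuming a position, skips the cumulative first row, and flags every interval whose pageout count reaches a threshold. SAMPLE_VMSTAT is a constructed sample in the layout shown above (the column set between faults and reactive is this example's assumption, since the book's output elides it).

```bash
# Added example (not from the book): flag sustained paging in `vm_stat 5` output.
# SAMPLE_VMSTAT is a constructed sample in the layout shown above; on a live
# system use:  vm_stat 5 | paging_alert 100
SAMPLE_VMSTAT='Mach Virtual Memory Statistics: (page size of 4096 bytes, cache hits 0%)
  free active   inac  wire   faults   copy zerofill reactive  pageins pageout
155880  35132  50299 20833   653414  45102   211940        0    22302       0
155880  35522  50299 20443       60      0       20        0        0       0
 12736  98521  49558 24329     3089    410     1204     3012     1920     340
  9112 102210  48990 24501     4410    512     1330     4102     2231     512
 15210  99870  49010 24120     2201    300      880     1290      910       5'

# paging_alert THRESHOLD   (vm_stat output on stdin)
# Prints one line for each interval whose pageout count reaches THRESHOLD.
# Exit status 0 if any interval did, 1 if none, so it works as a yes/no check.
paging_alert() {
    awk -v limit="$1" '
        # find the pageout column from the header line rather than hard-coding it
        /pageout/ { for (i = 1; i <= NF; i++) if ($i == "pageout") col = i; next }
        # ignore the banner (nothing before the header) and the cumulative first row
        !col  { next }
        !seen { seen = 1; next }
        { n++ }
        $col + 0 >= limit { hits++; printf "sample %d: %d pageouts\n", n, $col }
        END { exit (hits > 0 ? 0 : 1) }'
}

printf '%s\n' "$SAMPLE_VMSTAT" | paging_alert 100
```

Two of the four sampled intervals in the constructed data exceed 100 pageouts (samples 2 and 3), so the function prints those two and exits 0; a threshold no interval reaches makes it exit 1.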


Display the System Message Buffer

The command dmesg displays kernel messages. These messages are written to the system message buffer, not to the log files. When the kernel boots, it reports ongoing progress and problems, such as device drivers not loading, to the system message buffer. It's a good source of debugging information if you experience startup and device-driver problems. The buffer is a fixed-size ring, however: on a machine that has been up for a while, later messages will have overwritten the early boot output, so capture it soon after startup if you need it.

$ dmesg
standard timeslicing quantum is 10000 us
vm_page_bootstrap: 252593 free pages
mig_table_max_displ = 70
97 prelinked modules
Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of ...
MacRISC4CPU: publishing BootCPU
FireWire (OHCI) Apple ID 52 built-in now active, GUID 001124ff fe3c5c76; max speed s400.
...
AFP_VFS afpfs_mount: /Volumes/saruman, pid 218


Show Live File System Calls

Use the fs_usage command to trace file system calls in real time. It must run as root, which is why the examples use sudo. Trace file system calls made by the Mac OS X Finder by typing

$ sudo fs_usage Finder


Tip

Pipe the output from fs_usage to grep to filter results by call type. (Project 23 covers the grep command.)

$ sudo fs_usage Finder | grep " open "



List Open Files

Discover all the files (and directories) that are open and being read from or written to. Because Unix treats network sockets as open files, lsof lists those too, which makes it a quick way to find out which process holds a given port. Run it as root to see files opened by other users' processes. To view a complete list, type

$ lsof


You might want to filter the output lines by command; for example, use grep to select lines that start with iTunes.

$ lsof | grep "^iTunes "


If you are interested in a particular file, specify the filename as an argument to lsof.

$ lsof /Users/saruman/Music/iTunes/iTunes\ Library
COMMAND PID    USER  FD   TYPE DEVICE SIZE/OFF   NODE NAME
iTunes  483 saruman  15r  VREG   14,2    13097 613145 /Users/saruman/Music/iTunes/iTunes Library
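Notice that the NAME column in the listing above contains a space ("iTunes Library"). Anyone post-processing lsof output with awk and printing $NF will get only "Library", so the name must be rebuilt from the ninth field onwards. The following is an added example, not code from the book, that does this for the open files of one command and for every network socket in the listing; SAMPLE_LSOF is a constructed sample in the layout shown above (the extra sshd and socket rows are invented for the example).

```bash
# Added example (not from the book): pick rows out of lsof output without
# mangling file names that contain spaces. SAMPLE_LSOF is constructed in the
# layout shown above; live:  lsof | open_files iTunes   or   sudo lsof | sockets
SAMPLE_LSOF='COMMAND  PID    USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
iTunes   483 saruman  cwd   VDIR   14,2     1156 426031 /Users/saruman
iTunes   483 saruman  15r   VREG   14,2    13097 613145 /Users/saruman/Music/iTunes/iTunes Library
iTunes   483 saruman  16u   IPv4 0x2f3a1c    0t0    TCP 10.0.2.3:49201->192.0.2.10:80 (ESTABLISHED)
sshd     117    root    3u  IPv4 0x2f1a00    0t0    TCP *:22 (LISTEN)
sshd     117    root  txt   VREG   14,2   392420  77130 /usr/sbin/sshd'

# open_files COMMAND   (lsof output on stdin) -> "FD NAME" for each open file of COMMAND
open_files() {
    awk -v cmd="$1" '$1 == cmd {
        name = $9
        for (i = 10; i <= NF; i++) name = name " " $i   # NAME is fields 9..NF, not just $NF
        print $4, name
    }'
}

# sockets   (lsof output on stdin) -> "COMMAND PID NAME" for every TCP/UDP socket,
# i.e. which process holds which port, LISTEN or ESTABLISHED
sockets() {
    awk '$5 ~ /^IPv[46]$/ {
        name = $9
        for (i = 10; i <= NF; i++) name = name " " $i
        print $1, $2, name
    }'
}

printf '%s\n' "$SAMPLE_LSOF" | open_files iTunes
printf '%s\n' "$SAMPLE_LSOF" | sockets
```

lsof also has built-in filters that avoid grep altogether: lsof -c iTunes selects by command name, lsof -i lists only network sockets, and lsof -u saruman lists one user's files.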


Network Activity

The netstat command displays network status. With no arguments it lists the active Internet connections (sockets) and their state. Option -I names a particular network interface and switches netstat to reporting packet and error counters for that interface rather than connections. To display statistics for AirPort (usually the second Ethernet-style interface, en1), we could type the command

$ netstat -I en1
Name Mtu  Network        Address           Ipkts Ierrs ...
en1  1500 <Link#5>     00:11:24:ba:a1:ce   667890    0 ...
en1  1500 sauron.loca  fe80::211:24ff:fe   667890    - ...
en1  1500 10.0.2/24    sauron.wless        667890    - ...


The netstat command has many options and is capable of much more than is suggested by this simple example.

The tcpdump command captures network packets and displays their headers. As a simple example, let's trace all packets exchanged with the host osxfaq.com. The option -vvv asks for the most verbose packet-header detail. Note the capture size shown on the first line of output (96 bytes per packet): enough for headers, not for payload. Use -s 0 to capture whole packets, -n to print addresses rather than looking up host names (the lookups themselves generate traffic and slow the capture), and -w file to save the raw capture for later analysis with -r.

$ sudo tcpdump -vvv host osxfaq.com
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 96 bytes
12:06:03.223924 IP (tos 0x0, ttl 64, id 10127, offset 0, flags [DF], length: 60) sauron.mayo-family.com.49295 > arthur.hostwizard.com.http: ...
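A packet trace is also raw material for detection. The following is an added example, not code from the book: it summarises tcpdump output into per-host flows and flags any source that sends bare SYNs (Flags [S] with no ACK) to many different ports, the pattern of a port scan. SAMPLE_TCPDUMP is a constructed sample in the one-line-per-packet shape that tcpdump -n prints for TCP; the addresses and the scanning host 10.0.2.77 are invented for the example.

```bash
# Added example (not from the book): flow summary and a simple SYN-scan check
# over tcpdump output. SAMPLE_TCPDUMP is constructed in the shape `tcpdump -n`
# prints for TCP; live:  sudo tcpdump -n -l tcp | syn_sources 10
SAMPLE_TCPDUMP='12:06:03.223924 IP 10.0.2.3.49295 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
12:06:03.251100 IP 192.0.2.10.80 > 10.0.2.3.49295: Flags [S.], seq 2, ack 2, win 5840, length 0
12:06:03.251300 IP 10.0.2.3.49295 > 192.0.2.10.80: Flags [.], ack 1, win 65535, length 0
12:06:07.100001 IP 10.0.2.77.40001 > 10.0.2.3.22: Flags [S], seq 9, win 1024, length 0
12:06:07.100201 IP 10.0.2.77.40002 > 10.0.2.3.23: Flags [S], seq 9, win 1024, length 0
12:06:07.100401 IP 10.0.2.77.40003 > 10.0.2.3.80: Flags [S], seq 9, win 1024, length 0
12:06:07.100601 IP 10.0.2.77.40004 > 10.0.2.3.443: Flags [S], seq 9, win 1024, length 0
12:06:07.100801 IP 10.0.2.77.40005 > 10.0.2.3.3306: Flags [S], seq 9, win 1024, length 0'

# flows   (tcpdump output on stdin) -> "COUNT SRC DST", busiest pair first
flows() {
    awk '$2 == "IP" {
        src = $3; sub(/\.[0-9]+$/, "", src)      # strip the source port
        dst = $5; sub(/\.[0-9]+:$/, "", dst)     # strip the destination port and colon
        n[src " " dst]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# syn_sources THRESHOLD   (tcpdump output on stdin)
# Prints "SRC PORTS" for every source that sent bare SYNs ([S], not [S.]) to at
# least THRESHOLD distinct destination ports.
syn_sources() {
    awk -v limit="$1" '$2 == "IP" && $7 == "[S]," {
        src = $3;  sub(/\.[0-9]+$/, "", src)
        port = $5; sub(/:$/, "", port); sub(/.*\./, "", port)   # keep only the port
        if (!((src, port) in seen)) { seen[src, port] = 1; ports[src]++ }
    }
    END { for (s in ports) if (ports[s] >= limit) print s, ports[s] }'
}

printf '%s\n' "$SAMPLE_TCPDUMP" | flows
printf '%s\n' "$SAMPLE_TCPDUMP" | syn_sources 4
```

In the constructed data the client 10.0.2.3 completes one normal handshake with 192.0.2.10, while 10.0.2.77 probes five ports on 10.0.2.3 and is the only source reported at a threshold of 4. The -l flag in the live command line-buffers tcpdump's output so the pipeline sees each packet as it arrives.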


Kernel Information

The ktrace command records every kernel operation (system calls and their return values, file-name lookups, and input/output) performed while a given command executes. The trace is written in binary form to a file named ktrace.out in the current directory; kdump decodes it into readable text. (ktrace and kdump ship with Mac OS X 10.4 and earlier; later releases replaced them with DTrace.) To trace the execution of ls and view the results, type

$ ktrace ls
Desktop    Library    Music       Public      ktrace.out
Documents  Movies     Pictures    Sites
$ kdump -f ktrace.out | less
...
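A kdump listing is long even for ls, so it pays to summarise it. The following is an added example, not code from the book: one function counts system calls by name, the other pairs each NAMI (name lookup) line with the RET line that follows it to list the paths the program tried to open and could not, which is how you see where a program is looking for files it does not find. SAMPLE_KDUMP is a constructed sample in the CALL/NAMI/RET layout that kdump prints; the addresses and paths are invented for the example.

```bash
# Added example (not from the book): summarise a kdump listing. SAMPLE_KDUMP is
# constructed in the CALL / NAMI / RET layout kdump prints; live:
#   ktrace ls && kdump -f ktrace.out | syscall_counts
SAMPLE_KDUMP='   412 ls       CALL  execve(0xbffffc80,0xbffffd40,0xbffffd4c)
   412 ls       NAMI  "/bin/ls"
   412 ls       RET   execve 0
   412 ls       CALL  open(0xa0001234,0,0)
   412 ls       NAMI  "/usr/lib/libSystem.B.dylib"
   412 ls       RET   open 3
   412 ls       CALL  fstat(0x3,0xbffff8a0)
   412 ls       RET   fstat 0
   412 ls       CALL  close(0x3)
   412 ls       RET   close 0
   412 ls       CALL  open(0xbffff9d0,0x4,0)
   412 ls       NAMI  "/Users/saruman/.hidden"
   412 ls       RET   open -1 errno 2 No such file or directory
   412 ls       CALL  getdirentries(0x3,0x300b000,0x1000,0x300a000)
   412 ls       RET   getdirentries 424/0x1a8
   412 ls       CALL  exit(0)'

# syscall_counts   (kdump output on stdin) -> "COUNT SYSCALL", most frequent first
syscall_counts() {
    awk '$3 == "CALL" {
        name = $4; sub(/\(.*/, "", name)   # strip the argument list
        c[name]++
    }
    END { for (s in c) print c[s], s }' | sort -rn
}

# failed_opens   (kdump output on stdin) -> paths whose open() returned -1.
# A NAMI line carries the path for the RET line that follows it, so remember
# the last path seen and print it when the matching open fails.
failed_opens() {
    awk '$3 == "NAMI" { path = $4; gsub(/"/, "", path) }
         $3 == "RET" && $4 == "open" && $5 == "-1" { print path }'
}

printf '%s\n' "$SAMPLE_KDUMP" | syscall_counts
printf '%s\n' "$SAMPLE_KDUMP" | failed_opens
```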


The sysctl command views and changes kernel settings. Its output does not make much sense unless you understand kernel state, which is beyond the scope of this project.

Here are a few examples. We display the current kernel state and all settings by using the following command. In this example, we also filter the output looking for state information relating to the firewall (ipfw; its keys contain .fw.).

$ sysctl -a | grep "\.fw\."
net.inet.ip.fw.enable: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 0
...


This brief extract shows that the firewall is enabled (net.inet.ip.fw.enable: 1).

Change kernel settings by specifying option -w and running sysctl as user root. A change made this way lasts only until the next reboot.
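Reading individual values out of sysctl -a and comparing them against what you expect is the usual way to audit a machine's kernel configuration. The following is an added example, not code from the book: one function extracts a single value, the other compares the output against a small baseline and reports every setting that is missing or differs. SAMPLE_SYSCTL is constructed in the "name: value" form sysctl -a prints, and the baseline values are this example's own choices for illustration, not settings the book recommends.

```bash
# Added example (not from the book): check sysctl output against a baseline.
# SAMPLE_SYSCTL is constructed in the "name: value" form of sysctl -a; the
# baseline values are this example's choices. Live:  sysctl -a | baseline_check
SAMPLE_SYSCTL='net.inet.ip.forwarding: 0
net.inet.ip.fw.enable: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 0
net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 0
kern.securelevel: 0'

# sysctl_get NAME   (sysctl -a output on stdin) -> the value of NAME
sysctl_get() {
    awk -F': ' -v key="$1" '$1 == key { print $2; exit }'
}

# baseline_check   (sysctl -a output on stdin)
# Prints one line per setting that is missing or differs from the baseline;
# exit status 0 only when every baseline entry matches.
baseline_check() {
    awk -F': ' '
        BEGIN {
            want["net.inet.ip.forwarding"] = 0   # do not route between interfaces
            want["net.inet.ip.fw.enable"]  = 1   # ipfw active
            want["net.inet.ip.fw.verbose"] = 1   # log what ipfw blocks
            want["net.inet.tcp.blackhole"] = 2   # no RST replies to closed ports
        }
        $1 in want { have[$1] = $2 }
        END {
            for (k in want) {
                if (!(k in have))            { bad++; print k ": missing" }
                else if (have[k] != want[k]) { bad++; print k ": got " have[k] ", want " want[k] }
            }
            exit (bad > 0 ? 1 : 0)
        }'
}

printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_get net.inet.ip.fw.enable
printf '%s\n' "$SAMPLE_SYSCTL" | baseline_check || echo "baseline mismatches found"
```

Against the constructed sample the check reports two mismatches (net.inet.ip.fw.verbose and net.inet.tcp.blackhole). Each would be corrected with sudo sysctl -w name=value, remembering that such a change does not survive a reboot.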

Other kernel-related commands include

  • zprint to display information on kernel zones

  • kextload to load a kernel extension

  • kextunload to unload a kernel extension

  • kextstat to list the kernel extensions currently loaded

Note

The firewall here is ipfw, the kernel packet filter that the Sharing pane of System Preferences configures. net.inet.ip.fw.enable reports 1 even when that pane shows the firewall as "off": ipfw is still running, but with no deny rules loaded its default rule allows all traffic, so no ports are blocked. The rule set actually in force is shown by sudo ipfw list.





Mac OS X UNIX 101 Byte-Sized Projects
ISBN: 0321374118
Year: 2003
Pages: 153
Authors: Adrian Mayo