Real time application and routine sequencing

Terminal and application tracking

We have previously covered DTrace, Apple's dynamic tracing framework, in Terminal and the more powerful logging and tracking it provides through the iosnoop command. DTrace is not limited to disk I/O, though: it offers real-time tracking of everything from the read and write calls hitting the hard drive, to system calls, to application launch and exit.
Do you want to see what processes and applications are starting in real time? execsnoop is the Terminal command that logs every application and routine as it launches. Because it is built on DTrace it needs root privileges, so you run it as sudo execsnoop and stop it with Control-C. For each new process execsnoop prints the UID (User ID) of the account that started it; the PID (process ID) assigned to the new process as it launches, in sequence; the PPID (parent process ID), that is, the PID of the application or routine that spawned the new process; and finally ARGS, the name of the process or application.
UID PID PPID ARGS

0 53624 1 ocspd
501 53625 181 AddressBookManag
501 53626 53625 AddressBookSync
501 53627 27 SFLSharedPrefsTo
0 53628 1 newsyslog
501 53629 181 Safari
501 53630 27 SFLIconTool

In the above example the UID is the account requesting the new process: 0 is root, and 501 is the first user account created on the machine, usually the Admin. As each new routine or application launches it receives the next process ID (53624, 53625, and so on). The PPID is the PID of the process that spawned it, not the new PID: AddressBookSync (PID 53626) was started by AddressBookManag (PID 53625), while ocspd and newsyslog have a PPID of 1, which is launchd, the system's master process. Finally comes the name of the application or process, which DTrace cuts to 16 characters, hence AddressBookManag.
Why is this important? Using this Terminal command you can see applications that may be causing issues for your system. If an application or routine launches and fails over and over, reappearing in the list every few seconds, that particular application is misbehaving and may be causing your system problems. The PPID column is just as useful: a process whose parent is not the application you would expect (a helper spawned by something other than the app it belongs to, or by nothing you recognize) is worth a closer look, because legitimate helpers are launched by their own application or by launchd.
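To make the two checks above concrete, here is an added example (not part of the original article, and not an Apple tool) that reads execsnoop-style output, resolves each PPID to the parent's name where that parent was itself seen launching, and flags commands that relaunch repeatedly. The sample lines are constructed to match execsnoop's UID PID PPID ARGS layout rather than captured from a machine; the only assumption about the system is that PID 1 is launchd.

```python
"""Parse execsnoop output and summarize process launch chains.

Added example: the SAMPLE text below is constructed to match the column
layout of execsnoop on OS X (UID PID PPID ARGS); it is not a real capture.
"""
from collections import Counter

# Constructed sample in execsnoop's format. The repeated AddressBookSync
# launches model the "launches and fails, over and over" pattern.
SAMPLE = """\
UID PID PPID ARGS
0 53624 1 ocspd
501 53625 181 AddressBookManag
501 53626 53625 AddressBookSync
501 53627 27 SFLSharedPrefsTo
0 53628 1 newsyslog
501 53629 181 Safari
501 53630 27 SFLIconTool
501 53631 53629 com.apple.WebKit
501 53632 53625 AddressBookSync
501 53633 53625 AddressBookSync
"""

# Assumption: PID 1 is launchd on OS X. Other parents are only resolved
# if they were seen launching earlier in the same capture.
KNOWN_PIDS = {1: "launchd"}


def parse_execsnoop(text):
    """Return a list of (uid, pid, ppid, name) tuples, skipping the header."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # header line or blank line
        uid, pid, ppid, name = parts
        records.append((int(uid), int(pid), int(ppid), name))
    return records


def parent_names(records):
    """Map each launch to (name, parent_name), in capture order.

    A parent is named only if it is in KNOWN_PIDS or launched earlier in
    the capture; otherwise it is reported as 'pid N' so an unexpected or
    unknown parent stands out for follow-up with ps.
    """
    names = dict(KNOWN_PIDS)
    result = []
    for uid, pid, ppid, name in records:
        parent = names.get(ppid, "pid %d" % ppid)
        result.append((name, parent))
        names[pid] = name  # later children of this PID resolve by name
    return result


def frequent_launches(records, threshold=3):
    """Return {name: count} for commands launched >= threshold times."""
    counts = Counter(name for _, _, _, name in records)
    return {name: n for name, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_execsnoop(SAMPLE)
    for name, parent in parent_names(recs):
        print("%-16s spawned by %s" % (name, parent))
    for name, n in frequent_launches(recs).items():
        print("relaunched %d times: %s" % (n, name))
```

On a live machine the same functions can be fed the text of sudo execsnoop piped to a file; the threshold is the one knob to tune, since a busy login session legitimately spawns some helpers several times.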
