Diffstat (limited to 'cddl/contrib/dtracetoolkit/Examples/rwsnoop_example.txt')
-rw-r--r-- | cddl/contrib/dtracetoolkit/Examples/rwsnoop_example.txt | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/cddl/contrib/dtracetoolkit/Examples/rwsnoop_example.txt b/cddl/contrib/dtracetoolkit/Examples/rwsnoop_example.txt new file mode 100644 index 0000000..2ef26ab --- /dev/null +++ b/cddl/contrib/dtracetoolkit/Examples/rwsnoop_example.txt 
@@ -0,0 +1,98 @@ +The following is a demonstration of the rwsnoop program, + + +Here we run it for about a second, + + # rwsnoop + UID PID CMD D BYTES FILE + 100 20334 sshd R 52 <unknown> + 100 20334 sshd W 1 /devices/pseudo/clone@0:ptm + 0 20320 bash W 1 /devices/pseudo/pts@0:12 + 100 20334 sshd R 2 /devices/pseudo/clone@0:ptm + 100 20334 sshd W 52 <unknown> + 0 2848 ls W 58 /devices/pseudo/pts@0:12 + 0 2848 ls W 68 /devices/pseudo/pts@0:12 + 0 2848 ls W 57 /devices/pseudo/pts@0:12 + 0 2848 ls W 67 /devices/pseudo/pts@0:12 + 0 2848 ls W 48 /devices/pseudo/pts@0:12 + 0 2848 ls W 49 /devices/pseudo/pts@0:12 + 0 2848 ls W 33 /devices/pseudo/pts@0:12 + 0 2848 ls W 41 /devices/pseudo/pts@0:12 + 100 20334 sshd R 429 /devices/pseudo/clone@0:ptm + 100 20334 sshd W 468 <unknown> + ^C + +The output scrolls rather fast. Above, we can see an ls command was run, +and we can see as ls writes each line. The "<unknown>" read/writes are +socket activity, which have no corresponding filename. + + +For a summary style output, use the rwtop program. + + + +If a particular program is of interest, the "-n" option can be used +to match on process name. 
Here we match on "bash" during a login where +the user uses the bash shell as their default, + + # rwsnoop -n bash + UID PID CMD D BYTES FILE + 100 2854 bash R 757 /etc/nsswitch.conf + 100 2854 bash R 0 /etc/nsswitch.conf + 100 2854 bash R 668 /etc/passwd + 100 2854 bash R 980 /etc/profile + 100 2854 bash W 15 /devices/pseudo/pts@0:14 + 100 2854 bash R 10 /export/home/brendan/.bash_profile + 100 2854 bash R 867 /export/home/brendan/.bashrc + 100 2854 bash R 980 /etc/profile + 100 2854 bash W 15 /devices/pseudo/pts@0:14 + 100 2854 bash R 8951 /export/home/brendan/.bash_history + 100 2854 bash R 8951 /export/home/brendan/.bash_history + 100 2854 bash R 1652 /usr/share/lib/terminfo/d/dtterm + 100 2854 bash W 41 /devices/pseudo/pts@0:14 + 100 2854 bash R 1 /devices/pseudo/pts@0:14 + 100 2854 bash W 1 /devices/pseudo/pts@0:14 + 100 2854 bash W 41 /devices/pseudo/pts@0:14 + 100 2854 bash R 1 /devices/pseudo/pts@0:14 + 100 2854 bash W 7 /devices/pseudo/pts@0:14 + +In the above, various bash related files such as ".bash_profile" and +".bash_history" can be seen. The ".bashrc" is also read, as it was sourced +from the .bash_profile. + + + +Extra options with rwsnoop allow us to print zone ID, project ID, timestamps, +etc. Here we use "-v" to see the time printed, and match on "ps" processes, + + # rwsnoop -vn ps + TIMESTR UID PID CMD D BYTES FILE + 2005 Jul 24 04:23:45 0 2804 ps R 168 /proc/2804/auxv + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/2804/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 1495 /etc/ttysrch + 2005 Jul 24 04:23:45 0 2804 ps W 28 /devices/pseudo/pts. 
+ 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/0/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/1/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/2/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/3/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/218/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/7/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/9/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/360/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/91/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/112/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/307/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/226/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/242/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/228/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/243/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/234/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/119/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/143/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/361/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/20314/psinfo + 2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/116/psinfo + [...] + + + |
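Review bot: In the `rwsnoop -vn ps` sample, the `W 28` line gives the FILE as `/devices/pseudo/pts.`, which looks cut off next to the `/devices/pseudo/pts@0:12` and `/devices/pseudo/pts@0:14` paths in the two earlier samples. Either restore the full path or add a sentence saying why the field is shortened in `-v` output, so readers do not take it for a real device name. The paragraph above that sample also says extra options print zone ID and project ID but names only "-v"; naming those options, or pointing at the tool's usage text, would let the example stand on its own. Minor: the opening line "The following is a demonstration of the rwsnoop program," ends in a comma followed only by blank lines, so it reads as an unfinished sentence.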