NAME

kdump — display kernel trace data

SYNOPSIS

kdump [-dEnlHRSsTA] [-f trfile] [-m maxdata] [-p pid] [-t trstr]

DESCRIPTION

The kdump command displays the kernel trace files produced with ktrace(1) in human readable format. By default, the file ktrace.out in the current directory is displayed.

The options are as follows:

-d: Display all numbers in decimal.
-E: Display elapsed timestamps (time since beginning of trace).
-f trfile: Display the specified file instead of ktrace.out.
-H: List the thread ID (tid) of the thread with each trace record, if available. If no thread ID is available, 0 will be printed.
-l: Loop reading the trace file, once the end-of-file is reached, waiting for more data.
-m maxdata: Display at most maxdata bytes when decoding I/O.
-n: Suppress ad hoc translations. Normally kdump tries to decode many system calls into a more human readable format. For example, ioctl(2) values are replaced with the macro name and errno values are replaced with the strerror(3) string. Suppressing this feature yields a more consistent output format and is easily amenable to further processing.
-p pid: Display only trace events that correspond to the process or thread pid. This may be useful when there are multiple processes or threads recorded in the same trace file.
-R: Display relative timestamps (time since previous entry).
-r: When decoding STRU records, display structure members such as UIDs, GIDs, dates etc. symbolically instead of numerically.
-S: Display system call numbers.
-s: Suppress display of I/O data.
-T: Display absolute timestamps for each entry (seconds since epoch).
-A: Display description of the ABI of traced process.
-t trstr: See the -t option of ktrace(1).

The output format of kdump is line oriented with several fields. The example below shows a section of a kdump generated by the following commands:

?> ktrace echo "ktrace"

?> kdump

 85045 echo     CALL  writev(0x1,0x804b030,0x2)
 85045 echo     GIO   fd 1 wrote 7 bytes
       "ktrace
       "
 85045 echo     RET   writev 7

The first field is the PID of the process being traced. The second field is the name of the program being traced. The third field is the operation that the kernel performed on behalf of the process. If thread IDs are being printed, then an additional thread ID column will be added to the output between the PID field and program name field.

In the first line above, the kernel executes the writev(2) system call on behalf of the process so this is a CALL operation. The fourth field shows the system call that was executed, including its arguments. The writev(2) system call takes a file descriptor, in this case 1, or standard output, then a pointer to the iovector to write, and the number of iovectors that are to be written. In the second line we see the operation was GIO, for general I/O, and that file descriptor 1 had seven bytes written to it. This is followed by the seven bytes that were written, the string "ktrace" with a carriage return and line feed. The last line is the RET operation, showing a return from the kernel, what system call we are returning from, and the return value that the process received. Seven bytes were written by the writev(2) system call, so 7 is the return value.

The possible operations are:

Name	Operation	Fourth field
`CALL`	enter syscall	syscall name and arguments
`RET`	return from syscall	syscall name and return value
`NAMI`	file name lookup	path to file
`GIO`	general I/O	fd, read/write, number of bytes
`PSIG`	signal	signal name, handler, mask, code
`CSW`	context switch	stop/resume user/kernel wmesg
`USER`	data from user process	the data
`STRU`	various syscalls	structure
`SCTL`	sysctl(3) requests	MIB name
`PFLT`	enter page fault	fault address and type
`PRET`	return from page fault	fault result

HISTORY

The kdump command appeared in 4.4BSD.

NAME

SYNOPSIS

DESCRIPTION

SEE ALSO

HISTORY