The posix-omni-parser aims to parse the traced system calls from various utilities on different POSIX-compliant platforms into a more useful representation.
posix-omni-parser

The posix-omni-parser tool aims to parse the traced system calls from various interposing utilities (e.g. strace on Linux, truss on Solaris, dtrace on BSD and Mac OSX) on different POSIX-compliant platforms into a more useful representation.

Trace Object

This module contains the Trace object, which is used to capture all the extracted information from a trace file.

Example using this module:

import Trace

trace = Trace.Trace(path_to_trace)
print(trace)

The Trace object represents an entire system call trace, which means that it holds all the information extracted from a system call trace file created by an interposition utility such as the strace utility on Linux, the truss utility on Solaris or the dtrace utility on BSD and OSX platforms.

self.trace_path:
  The path to the file containing the traced system calls.

self.tracing_utility:
  The detected tracing utility used to generate the trace file, e.g. strace.

self.parser:
  The parser to use in order to extract the information from the trace file.
  The choice of parser depends on the tracing utility used to generate the
  trace file, i.e. self.tracing_utility.

self.syscalls:
  This variable holds all the parsed system calls. It is a list of Syscall
  objects returned by the parser.

self.platform:
  The platform on which the trace is parsed (sys.platform). This is
  especially useful when creating a trace bundle containing not only the
  parsed system calls but also a representation of all the files referenced
  in the trace file.

Parser Object

Acts as the parent for all parsers. Defines some abstract methods required by all parsers and some helper methods that can be used by any parser.

StraceParser Object

This module holds a set of methods needed to parse the output of the strace utility. More information about strace can be found in the manual page on most Linux platforms (man strace).

The path to a file generated by the strace utility must be passed to the constructor method when initializing a StraceParser object. Then the parse_trace method of the parser can be called, which will return a list of Syscall objects, each containing all the information about a single system call parsed from the strace output file.

Example using this module:

import StraceParser

parser = StraceParser.StraceParser(path_to_trace)
print(parser)

# this will return a list of Syscall objects.
syscalls = parser.parse_trace()

TrussParser Object

This module holds a set of methods needed to parse the output of the truss utility. More information about truss can be found in the manual page under most Solaris distributions.

The path to a file generated by the truss utility must be passed to the constructor method when initializing a TrussParser object. Then the parse_trace method of the parser can be called, which will return a list of Syscall objects, each containing all the information about a single system call parsed from the truss output file.

Example using this module:

import TrussParser

parser = TrussParser.TrussParser(path_to_trace)
print(parser)

# this will return a list of Syscall objects.
syscalls = parser.parse_trace()

Syscall Object

This object is used to describe a system call, holding all the information extracted from the trace file. The same object is used to describe system calls independently of which utility was used to generate the trace file.

self.original_line:
  A string holding the original line from which this object was created.

self.type:
  The type of the system call. This can be one of UNFINISHED, RESUMED or
  COMPLETE.

self.pid:
  The process id of this system call.

self.name:
  The name of the system call.

self.args:
  A tuple containing all the arguments of the system call. The value of each
  argument can be either a string or wrapped into a more meaningful class.

self.ret:
  A tuple holding the return part of the system call. This tuple should
  always contain two items. The first one is the return value of the system
  call. The second is either a string holding the error label, e.g. "EACCES",
  in case the system call had an error, or None if the syscall executed
  correctly.

self.inst_pointer:
  The instruction pointer at the time of the system call.

self.timestamp:
  This value can have different formats and content according to the parser
  options. For example it can hold a relative timestamp indicating the
  interval between the beginning of successive syscalls or it can hold the
  time the syscall was executed.

self.elapsed_time:
  The time difference between the beginning and the end of the system call.
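As an added example (not the project's own StraceParser or Syscall code), the following sketch shows how strace -f lines are classified into the UNFINISHED, RESUMED and COMPLETE types described above and turned into records carrying the Syscall fields original_line, type, pid, name, args and ret. The regular expressions, the argument splitter and the sample trace are assumptions constructed for this illustration; the record is a namedtuple standing in for the README's Syscall object, with the return part as the (value, error label or None) tuple documented for self.ret.

```python
import re
from collections import namedtuple

UNFINISHED, RESUMED, COMPLETE = "UNFINISHED", "RESUMED", "COMPLETE"
Syscall = namedtuple("Syscall", "original_line type pid name args ret")  # ret = (value, errno label or None)

# The three line shapes of strace -f output: "pid  name(args) = ret [ERRNO (msg)]",
# "pid  name(args <unfinished ...>" and "pid  <... name resumed> rest) = ret".
_RET = r'\)\s*=\s*(-?\w+|\?)(?:\s+(E[A-Z]+)\b.*)?$'
_COMPLETE = re.compile(r'^(\d+)\s+(\w+)\((.*)' + _RET)
_UNFINISHED = re.compile(r'^(\d+)\s+(\w+)\((.*?)\s*<unfinished \.\.\.>$')
_RESUMED = re.compile(r'^(\d+)\s+<\.\.\. (\w+) resumed>\s*(.*)' + _RET)

def split_args(text):
    """Split on top-level commas only: commas inside "..." or {...} stay in one argument."""
    args, cur, depth, quoted, i = [], "", 0, False, 0
    while i < len(text):
        c = text[i]
        if quoted and c == "\\":            # keep escaped characters (e.g. \") intact
            cur, i = cur + text[i:i + 2], i + 2
            continue
        quoted ^= c == '"'
        depth += (not quoted) * ((c in "[{") - (c in "]}"))   # bracket nesting outside quotes
        if c == "," and depth == 0 and not quoted:
            args.append(cur.strip()); cur = ""
        else:
            cur += c
        i += 1
    return tuple(a for a in args + [cur.strip()] if a)

def parse_line(line):
    """Classify one strace line as UNFINISHED, RESUMED or COMPLETE and build the record."""
    for kind, rx in ((UNFINISHED, _UNFINISHED), (RESUMED, _RESUMED), (COMPLETE, _COMPLETE)):
        m = rx.match(line)
        if m:   # an unfinished call has no return part yet
            ret = (None, None) if kind == UNFINISHED else (m[4], m[5])
            return Syscall(line, kind, int(m[1]), m[2], split_args(m[3]), ret)
    raise ValueError("unrecognised strace line: " + line)

def parse_trace(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

# Constructed sample, not a real capture: a denied open and an unfinished/resumed pair.
SAMPLE_TRACE = """\
1234  open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
1234  read(3, "root:x:0:0,root"..., 4096) = 1024
1235  open("/root/secret", O_RDONLY) = -1 EACCES (Permission denied)
1235  close(3 <unfinished ...>
1235  <... close resumed> ) = 0
"""
```

Running parse_trace(SAMPLE_TRACE) yields five records; the third carries ret ("-1", "EACCES"), the fourth has an empty return part, and the read line keeps the comma inside its quoted buffer in a single argument.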