=Start=
缘由:
学习记录一下macOS系统上追踪定位异常行为的工具和方法,方便后面有需要的时候参考。
正文:
参考解答:
简单直接根据manual和网上的一些文章还有实际的测试整理的内容:
使用样例
监控除fs_usage等几个默认排除进程的文件系统活动(如果你电脑上安装和运行的应用比较多的话,输出可能会非常多)
$ sudo fs_usage
[then ctrl-C to cancel]
监控 iTunes 的文件系统活动
$ sudo fs_usage iTunes
只监控网络相关的事件
$ sudo fs_usage -f network
只记录和word相关的本地文件系统的行为并将内容先输出到特定文件中
$ sudo fs_usage -f filesys "Microsoft Word" >./fs_usage-filesys-word.txt
详细显示选项,不考虑窗口宽度大小将详细信息展示出来,内容过多时自动换行
$ sudo fs_usage -w
只显示特定进程名称的事件(进程名称可以从ps命令中获取,也可以从「活动监视器」中的「进程名称」那一列进行查看)
$ sudo fs_usage "process name"
只显示特定进程pid的事件
$ sudo fs_usage 3968
先根据特定关键字对全量输出进行过滤看看情况再说
$ sudo fs_usage | grep "Activity Monitor"
监控进程名称是Mail的文件系统相关活动,并在10秒后自动退出/停止
$ sudo fs_usage -w -f filesys -t 10 Mailfs_usage – 实时报告与文件系统活动相关的系统调用和页面错误
概要
fs_usage [-e] [-w] [-f mode] [-b] [-t seconds] [-R rawfile [-S start_time -E end_time]] [pid | cmd [pid | cmd [...]]]
命令说明
fs_usage命令可持续显示与文件系统活动有关的系统调用信息。因为它使用内核跟踪工具进行操作,所以它需要root权限。默认情况下,被监控的活动包括除正在运行的fs_usage进程、Terminal、telnetd、telnet、sshd、rlogind、tcsh、csh、sh和zsh外的所有系统进程。不过这些默认值可以被覆盖更新,这样输出可以被限制为包含或排除由用户指定的进程列表。
fs_usage命令的输出默认是根据您的窗口大小格式化的,窄窗口将显示更少的数据列,使用宽窗口最大限度地显示数据。您可以通过使用-w选项强制宽显示来覆盖窗口大小限制。在这种情况下,当窗口不够宽时,显示的数据将自动换行。
命令选项介绍
-e 排除选项,用于指定不对哪些pid或命令进行采样。
-w 详细显示选项,不考虑窗口宽度大小将详细信息展示出来,内容过多时自动换行。
-f 输出过滤选项,默认不进行输出过滤,支持的过滤模式有 network/filesys/pathname/exec/diskio/cachehit 分别指代 网络/文件系统/路径/exec和spawn/磁盘io/缓存命中 的事件。
-b 为磁盘IO添加BootCache注解信息的选项(如果支持的话)。
-t seconds 运行时间选项,指定fs_usage命令运行不超过指定的秒数。
-R raw_file
Specifies a raw trace file to process.
-S start_time
If -R is selected, specifies the start time in microseconds to begin processing entries from the raw trace file. Entries with timestamps before the specified start time will be skipped.
-E end_time
If -R is selected, specifies the ending time in microseconds to stop processing entries from the raw trace file. Entries with timestamps beyond the specified ending time will be skipped.
pid | cmd 用于限制fs_usage命令仅对指定的pid/cmd进行采样,和-e选项刚好是反过来的。
显示列介绍
The data columns displayed are as follows:
TIMESTAMP
TOD when call occurred. Wide mode will have microsecond granularity.
CALL The name of the network or filesystem related call, page-in, page-out, or physical disk access.
FILE DESCRIPTOR
Of the form F=x, x is a file descriptor. Depending on the type of system call, this will be either an input value or a return value.
BYTE COUNT
Of the form B=x, x is the number of bytes requested by the call.
[ERRNO]
On error, the errno is displayed in brackets.
PATHNAME
Pathname of the file accessed (up to the last 28 bytes).
FAULT ADDRESS
Of the form A=0xnnnnnnnn, where 0xnnnnnnnn is the address being faulted.
DISK BLOCK NUMBER
Of the form D=0xnnnnnnnn, where 0xnnnnnnnn is the block number of the physical disk block being read or written.
OFFSET Of the form O=0xnnnnnnnn, where 0xnnnnnnnn is a file offset.
SELECT RETURN
Of the form S=x, x is the number of ready descriptors returned by the select(2) system call. If S=0, the time limit expired.
TIME INTERVAL(W)
The elapsed time spent in the system call. A ‘W’ after the elapsed time indicates the process was scheduled out during this file activity. In this case, the elapsed
time includes the wait time.
PROCESS NAME
The process that made the system call. Wide mode will append the thread id to the process name (i.e Mail.nnn).参考链接:
fs_usage – Filesystem usage (process/pathname) Requires root privileges due to the kernel tracing facility it uses to operate.
https://ss64.com/osx/fs_usage.html
Mac OS X: Using fs_usage as a Troubleshooting Tool
https://www.macobserver.com/tmo/article/os_x_using_fs_usage_as_a_troubleshooting_tool
fs_usage – trace file system calls on Mac OS X
https://mohit.io/blog/fs_usage-trace-file-system-calls-on-mac-os-x/
View Filesystem Access in Real Time on Mac OS X
https://superuser.com/questions/97980/view-filesystem-access-in-real-time-on-mac-os-x
File-System Performance Guidelines
https://developer.apple.com/library/archive/documentation/Performance/Conceptual/FileSystem/Articles/FileSystemCalls.html
Monitor Usage Regularly
https://developer.apple.com/library/archive/documentation/Performance/Conceptual/power_efficiency_guidelines_osx/MonitoringEnergyUsage.html
Performance Tools
https://developer.apple.com/library/archive/documentation/Performance/Conceptual/PerformanceOverview/PerformanceTools/PerformanceTools.html
=END=
《 “macOS上如何追踪定位文件系统的活动” 》 有 4 条评论
Is there a way to find out when a USB flash drive has been last used (on any computer)?
https://apple.stackexchange.com/questions/146351/is-there-a-way-to-find-out-when-a-usb-flash-drive-has-been-last-used-on-any-com/146352#146352
`
# 在我的 macOS 12.4 上面没有测试成功……
tail -f /var/log/system.log
zgrep -il ‘usbmsc’ /var/log/system.log*
zgrep -i ‘usbmsc’ /var/log/system.log*
zgrep -iE ‘usbmsc|mount’ /var/log/system.log*
system_profiler SPUSBDataType
`
Is there a system log which displays which external media/storage devices were connected/disconnected from my system? If so, please advise me on how to do so.
https://discussions.apple.com/thread/6734878
Automating USB Device Identification on Mac OS X
https://df-stream.com/2013/01/automating-usb-device-identification-on/
mac 系统下有这种软件吗 . 查看插入 usb 设备的 型号及速率 ?
https://www.v2ex.com/t/735141
Tracking history of USB events on GNU/Linux
https://github.com/snovvcrash/usbrip
# Windows-腾讯微云
wydrive.exe
# 快压
KuaiZip.exe
# Windows上的压缩软件(Breezip – The Best Free Zip&Unzip Utility for Windows)
BreeZip.exe
# 好压
HaoZip.exe
# 360压缩
360zip.exe
# macOS-TimeMachine
backupd
# macOS-系统迁移工具
systemmigrationd (_mbsetupuser)
macOS上如何做性能分析
Apple提供一些图形化/命令行工具用于收集性能指标从而支持性能分析,一些工具是在Xcode里面,一些工具默认已经安装到了/usr/bin/目录,还有一些需要去Apple开发者网站进行下载才能使用。下面对一些核心的工具进行介绍:
核心应用
Instruments #安装在Xcode里面
分析工具
heap
leaks
vmmap
OpenGL Driver Monitor #需要手动下载
OpenGL Profiler #需要手动下载
监控工具
fs_usage
sc_usage
top
Activity Monitor(中文名:活动监视器)
Quartz Debug #需要手动下载
硬件分析工具
acid
simg4
simg5
Reggie SE
额外的命令行工具
atos #Converts back and forth between a symbol name and the numeric address of that symbol in a running executable.
c2ph #Displays the C-structures from an object file along with their member offset values.
gprof #Produces execution profiles based on an execution analysis of a program.
malloc_history #Shows the malloc allocations performed by a specified process.
nm #Displays the symbol table information for one or more object files.
otool #Displays the contents of a Mach-O executable in a more human-readable form
pagestuff #Displays information about the logical pages of a Mach-O executable file.
pstruct #Parses the C structures from an object file and displays them along with their member offset values.
sample #Produces an execution profile based on the execution analysis of a program.
vm_stat #Displays Mach virtual memory statistics, including the number of active, inactive, wired, and free pages. This tool also displays page fault and other activity information.
Performance Tools
https://developer.apple.com/library/archive/documentation/Performance/Conceptual/PerformanceOverview/PerformanceTools/PerformanceTools.html
定期监控使用
活动监视器 #支持CPU/内存/能耗/磁盘/网络
Xcode #
Instruments #
命令行工具
dyld – the dynamic linker
dyldinfo – Displays information used by dyld in an executable
latency – monitors scheduling and interrupt latency
sc_usage
top
dtrace – dynamic tracing compiler and tracing utility
sample – Profile a process during a time interval
spindump – Profile entire system during a time interval
nsurlsessiond – The background NSURLSession daemon. nsurlsessiond is a per-user daemon that performs tasks for background-configured NSURLSessions. There are no configuration options to nsurlsessiond. Users should not run nsurlsessiond manually.
Monitor Usage Regularly
https://developer.apple.com/library/archive/documentation/Performance/Conceptual/power_efficiency_guidelines_osx/MonitoringEnergyUsage.html
性能概览
https://developer.apple.com/library/archive/documentation/Performance/Conceptual/PerformanceOverview/Introduction/Introduction.html