Article Directory
- 1. Concept
- 2. Use
- 3. Experiences
1. Concept
1.1 Features
LTT is a tool used to track detailed running states and processes of the system. It can track and record specific events in the system. These events include:
- System call entry and exit
- Entry/exit of trap/IRQ
- Process scheduling events
- Kernel timer
- Process management related events: creation, wakeup, and signal processing
- File system related events: open/read/write/seek/ioctl, etc.
- Memory management related events: memory allocation/release
- Other events: IPC/socket/network
In addition, LTT provides function interfaces for customizing and recording the event types to be tracked.
1.2 Structure
LTT consists of four parts:
- Kernel code patch: LTT is not yet included in the official kernel, so some kernel code needs to be patched. The patch mainly modifies the code of the events listed above and adds the trace call code.
- Kernel module: the main implementation of the trace function. It records kernel events and interacts with the user space daemon.
- User space daemon: obtains event-related data from the LTT kernel module and writes it to a file.
- Data analysis application: reads the data files generated by the daemon, analyzes them, and displays them in a more readable way (charts, etc.).
In addition, LTT can customize and track user space events.
2. Use
All the related material can be found at the official LTT site: http://www.opersys.com/ltt/. Read the documents carefully.
(However, the stable version had an error during compilation. After some code was modified, it compiled. There were a lot of warnings, which may be a problem with my compiling environment. When I finally tried it, it was easy to figure out and I had not studied it much. I used the MontaVista package to generate the compiled version 8)
3. Experiences
LTT is indeed a very useful tool and can be used flexibly together with other tools, such as strace and time, as a feasible way to analyze and optimize the performance of the system.
It is worth mentioning that LTT can set parameters to filter the event types to be recorded in a specific period of time, and can select specific objects to be tracked by process ID. Reasonable parameter configuration can reduce the extra burden on the system to a reasonable level, so that tracing does not noticeably interfere with the analysis of system performance.
In addition, the function interfaces provided by LTT for customizing and recording the event types to be tracked also provide some extended capabilities for debugging kernel module code that you compile yourself.
LTT implements the tracking of user space events through several specific ioctl interfaces in the kernel module, which a user space library wraps into functions. They are used in the same way as the function interfaces that customize and record event types in the kernel module. It should be said that this is a clever implementation method, but I still have some doubts about its performance, because recording a user space event has to go through user space -> kernel space -> user space.