Originally posted by: mrrogers

We are trying to monitor system calls on a systemwide basis in AIX 7.1 and it appears they are dynamically assigned and can't be relied upon to be the same for any two machines or even for any two processes on the same machine at the same time. What we are doing requires us to look up system calls by number to determine whether a system call needs to be reported or ignored, and to identify its arguments.

Furthermore, if the system call does match what we are looking for, we need to be able to monitor child processes that might be created.

We have tried ptrace, and ptrace64 and as we said they aren't producing the results we need.  We found discussions of kmod_util on developerworks and in the doc, but there's no visible way to either (a) specify which system call(s) you want to intercept, or (b) identify which system call you have intercepted, if it just intercepts them all. If you can't distinguish between system calls at interception time, you can't know if each of the registers (register contents are all you have at that moment) contains a pointer to a filename, an FD (File Descriptor), a pointer to a data buffer, the number of bytes to read/write to/from disk, an original or new filespec (if a file is being renamed or moved)... each register could contain anything, since there are so many system calls.

Are there any working examples that we could use to figure out how to get what we need?

Originally posted by: flodstrom

Have a look at probevue. Don't know exactly what you want to accomplish, but I think probevue will do most of the things mentioned like catching the arguments passed to a system call, which pid it came from, etc.

The developer works have a number of good examples to get you started.