Introduction to sysdig:

When you need to track the system calls made and received by a process, you probably reach for strace. To monitor raw network traffic from the command line, you use tcpdump. To keep track of open files, you use lsof. strace, tcpdump, and lsof are all must-have tools, which is why you should also know sysdig. It is a powerful open source tool for system-level exploration and troubleshooting, described by its creators as "strace + tcpdump + lsof + Lua cherries in a fabulous sauce." Humor aside, one of the best features of sysdig is that it not only analyzes the live state of a Linux system, but can also save that state to a dump file for offline inspection. What's more, you can customize sysdig's behavior, or even extend it with small built-in Lua scripts called chisels, which you can also write yourself. Each chisel analyzes the stream of events captured by sysdig in whatever way the script specifies.

Sysdig installation:

curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash

Note: the download host is sometimes slow or unreliable; if the command fails, retry it a few more times.

Sysdig options:

sysdig is a toolkit that bundles many tools and an even larger number of options. Only a few commonly used ones are covered here; the rest can be learned from man sysdig, sysdig -L (lists the supported events), and so on.

sysdig -s <bytes> sets how many bytes of each I/O buffer are captured (and written to disk when saving with -w), that is, how much data is kept for each event line.

sysdig -w file.scap saves the traced events to a file. Note that the file is in sysdig's own capture format and can only be read back with the sysdig command.

sysdig -r file.scap reads events back from a saved capture file.

A chisel is an analysis script that comes with sysdig; you can also write your own.

sysdig -c chiselName runs the chisel named chiselName over the event stream.

sysdig -A (--print-ascii) prints only the text portion of the data buffers, so they can be read directly by a human.

sysdig -b (--print-base64) prints the data buffers in base64, which is useful when the data is to be processed by other tools.

By default, sysdig prints captured events in the following format:

%evt.num (event number) %evt.time (event time) %evt.cpu (CPU id) %proc.name (process name) (%thread.tid) %evt.dir (event direction: > for enter, < for exit) %evt.type (event name) %evt.info (event arguments)

sysdig -l lists the fields that can be used in filters and output formats, for example the fd.* fields.

sysdig usage examples:

View all HTTP GET requests made by the local machine

sysdig -s 2000 -A -c echo_fds fd.port=80 and evt.buffer contains GET

View the disk I/O ranking by process

sysdig -c topprocs_file

View the network bandwidth ranking by process

sysdig -c topprocs_net

View the ranking of directories by file read/write activity

sysdig -c fdbytes_by fd.directory "fd.type=file"

View CPU usage rankings

sysdig -c topprocs_cpu

Capture all events on the machine and store them in a file

sysdig -s 4096 -w file.scap
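Once a capture has been saved with -w and read back with -r, the default output format above can be parsed offline. The following is an added example (not part of the original post or of the sysdig project) that triages which processes opened which files and what event types dominate a capture; the event lines it works on are constructed samples in the default format, not a real capture.

```shell
#!/bin/sh
# Added example: parse sysdig default-format lines (e.g. the output of
# `sysdig -r file.scap`) offline. SAMPLE_EVENTS is constructed, not real data.
# Default layout, space separated:
#   %evt.num %evt.time %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info

SAMPLE_EVENTS='4 17:43:08.182359437 0 bash (2425) > open
5 17:43:08.182382317 0 bash (2425) < open fd=10(<f>/etc/passwd) name=/etc/passwd flags=1(O_RDONLY) mode=0
6 17:43:08.182391120 1 sshd (1301) > read fd=4(<4t>10.0.0.5:51234->10.0.0.2:22) size=16384
7 17:43:08.182395881 1 sshd (1301) < read res=52 data=SSH-2.0-OpenSSH_8.9
8 17:43:08.182400302 0 curl (2430) < open fd=5(<f>/etc/hosts) name=/etc/hosts flags=1(O_RDONLY) mode=0
9 17:43:08.182405900 0 curl (2430) < open fd=-2(ENOENT) name=/etc/shadow flags=1(O_RDONLY) mode=0'

# files_opened: print "proc pid path" for every successful open() exit event
# read from stdin. A negative fd in the exit event means the open failed.
files_opened() {
    awk '$6 == "<" && $7 == "open" {
        fd = $8; sub(/^fd=/, "", fd); sub(/\(.*/, "", fd)
        if (fd + 0 < 0) next
        path = ""
        for (i = 9; i <= NF; i++) if ($i ~ /^name=/) { path = substr($i, 6); break }
        pid = $5; gsub(/[()]/, "", pid)
        print $4, pid, path
    }'
}

# events_by_proc: count syscall exit events per process name and event type,
# a quick way to see what a capture is dominated by.
events_by_proc() {
    awk '$6 == "<" { n[$4 " " $7]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# opened_path_by PROC PATH: exit 0 if PROC successfully opened PATH in the sample.
opened_path_by() {
    printf '%s\n' "$SAMPLE_EVENTS" | files_opened |
        awk -v p="$1" -v f="$2" '$1 == p && $3 == f { found = 1 } END { exit !found }'
}

printf '%s\n' "$SAMPLE_EVENTS" | files_opened
printf '%s\n' "$SAMPLE_EVENTS" | events_by_proc
```

To run the same triage on a real capture, replace the sample with `sysdig -r file.scap | files_opened`; the filter in the awk script plays the role a sysdig filter expression such as evt.type=open would play on the live event stream.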