
RE: [Xen-devel] xen strace analysis


  • To: "Sanjam Garg" <sanjamg@xxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxx
  • From: "Petersson, Mats" <Mats.Petersson@xxxxxxx>
  • Date: Wed, 28 Feb 2007 18:55:23 +0100
  • Delivery-date: Wed, 28 Feb 2007 09:54:55 -0800
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>
  • Thread-index: AcdbX0zOjWnU9urkRFiEdZRUNiRzvAAAP5tQ
  • Thread-topic: [Xen-devel] xen strace analysis

 

> -----Original Message-----
> From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx 
> [mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of 
> Sanjam Garg
> Sent: 28 February 2007 17:38
> To: xen-devel@xxxxxxxxxxxxxxxxxxx
> Subject: [Xen-devel] xen strace analysis
> 
> Hi
> 
> I am looking for a mechanism to gather information about
> system calls that a guest Operating system is making. Any
> references for development of IDS's with Xen would also help.

Xen doesn't have any clue what system calls the guest-OS is making (and
should not know this). Xen itself only gets involved for certain special
operations which, generally, either deal with page-table
(memory-mapping) handling or inter-domain communication (event-channel),
and of course domain life-cycle (creating, destroying, pausing and
unpausing, save and restore, and migration). With a few other
exceptions, everything else is handled within the guest itself. That's
for the para-virtual case. In a fully-virtualized domain, there's even
less knowledge of what's going on in the guest. 

So whilst the hypervisor may be able to surmise from this knowledge that
a guest changed its pagetables around, it's not sufficiently aware of
WHY to say whether that was done because of a fork, mmap or malloc call
for example. It can determine that some communication happened between
the guest and dom0, but not whether it's a file-read or a socket network
operation, etc, etc. 

The only way to know what the guest is doing is to sit inside the
guest-OS and perform something like strace (I think there are some ways
to do a "system-wide strace", so you'd see exactly which system calls
are done by which process). 

--
Mats
> 
> Thanks
> Sanjam
> 
> 


