Trace facility implementation

A trace hook is a specific event that is to be monitored. Each such event is assigned a unique number, called a hook ID. The trace command monitors these hooks.

The trace command generates statistics on user processes and kernel subsystems. The binary information is written to two alternate buffers in memory. The trace process then transfers the information to the trace log file on disk. This file grows very rapidly. The trace program runs as a process which may be monitored by the ps command. The trace command acts as a daemon, similar to accounting.

The following figure illustrates the implementation of the trace facility.

Figure 1. Implementation of the Trace Facility. This illustration shows the trace process. In this process, the user process (kernel subsystems) sends trace hook calls to trace buffers labeled A and B. From the buffers, they pass through the trace driver and on to the trace log file of the user kernel.
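The alternating-buffer flow described above can be modeled in user space. The following is an added illustration, not AIX source code: the record layout, the buffer and log sizes, the hook ID values and all function names are assumptions, and the log file is replaced by an in-memory array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_RECS 4      /* assumed (tiny) buffer size, for illustration */
#define LOG_RECS 64     /* in-memory stand-in for the trace log file */
struct rec { uint32_t hook_id, data; };       /* assumed record layout */
struct trc {
    struct rec buf[2][BUF_RECS];  /* buffers A (0) and B (1) */
    int active, used;             /* buffer receiving hooks; records in it */
    struct rec log[LOG_RECS];
    int logged, flushes;
};
/* Driver side: move `count` records from one buffer to the log. */
static void trc_flush(struct trc *t, int which, int count)
{
    if (count == 0 || t->logged + count > LOG_RECS) return;  /* model limit */
    memcpy(&t->log[t->logged], t->buf[which], (size_t)count * sizeof(struct rec));
    t->logged += count;
    t->flushes++;
}
/* Hook side: store one event; when the buffer fills, switch to the other. */
static void trc_hook(struct trc *t, uint32_t hook_id, uint32_t data)
{
    t->buf[t->active][t->used++] = (struct rec){ hook_id, data };
    if (t->used == BUF_RECS) {
        t->active ^= 1; t->used = 0;   /* new hooks land in the other buffer */
        trc_flush(t, t->active ^ 1, BUF_RECS);   /* drain the full one */
    }
}
/* Feed n constructed events; return 1 if the log holds all n in order. */
static int trc_demo(int n, int *flushes)
{
    struct trc t = {0};
    for (int i = 0; i < n; i++)
        trc_hook(&t, 0x100u + (uint32_t)(i % 3), (uint32_t)i); /* made-up IDs */
    trc_flush(&t, t.active, t.used);   /* drain the partial buffer on stop */
    *flushes = t.flushes;
    for (int i = 0; i < t.logged; i++)
        if (t.log[i].data != (uint32_t)i) return 0;
    return t.logged == n;
}

int main(void)
{
    int f, ok = trc_demo(10, &f);
    printf("in order: %d, flushes: %d\n", ok, f);
    return 0;
}
```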

Monitoring facilities use system resources. Ideally, the overhead should be low enough not to significantly affect system execution. When the trace program is active, the CPU overhead is less than 2 percent. When the trace data fills the buffers and must be written to the log, additional CPU is required for file I/O. Usually this is less than 5 percent. Because the trace program claims and pins buffer space, the memory cost might be significant in a memory-constrained environment. Be aware that the trace log and report files can become very large.