There is an excellent help documentation for 'crash' utility available at this link :
http://people.redhat.com/anderson/help.html
However, I put all these documentation in a two pages here.
18. ) Documentation for crash command list:
NAME
list - linked list
SYNOPSIS
list [[-o] offset] [-e end] [-s struct[.member[,member]]] [-H] start
DESCRIPTION
This command dumps the contents of a linked list. The entries in a linked
list are typically data structures that are tied together in one of two
formats:
1. A starting address points to a data structure; that structure contains
a member that is a pointer to the next structure, and so on. The list
typically ends when a "next" pointer value contains one of the
following:
a. a NULL pointer.
b. a pointer to the start address.
c. a pointer to the first item pointed to by the start address.
d. a pointer to its containing structure.
2. Most Linux lists are linked via embedded list_head structures contained
within the data structures in the list. The linked list is headed by an
external LIST_HEAD, which is simply a list_head structure initialized to
point to itself, signifying that the list is empty:
struct list_head {
struct list_head *next, *prev;
};
#define LIST_HEAD_INIT(name) { &(name), &(name) }
#define LIST_HEAD(name) struct list_head name = LIST_HEAD_INIT(name)
In the case of list_head-type lists, the "next" pointer is the address
of the embedded list_head structure in the next structure, and not the
address of the structure itself. The list typically ends when the
list_head's next pointer points back to the LIST_HEAD address.
This command can handle both types of linked list; in both cases the list
of addresses that are dumped are the addresses of the data structures
themselves.
The arguments are as follows:
[-o] offset The offset within the structure to the "next" pointer
(default is 0). If non-zero, the offset may be entered
in either of two manners:
1. In "structure.member" format; the "-o" is not necessary.
2. A number of bytes; the "-o" is only necessary on processors
where the offset value could be misconstrued as a kernel
virtual address.
-e end If the list ends in a manner unlike the typical manners that
are described above, an explicit ending address value may be
entered.
-s struct For each address in list, format and print as this type of
structure; use the "struct.member" format in order to display
a particular member of the structure. To display multiple
members of a structure, use a comma-separated list of members.
The meaning of the "start" argument, which can be expressed either
symbolically or in hexadecimal format, depends upon whether the -H option
is pre-pended or not:
start The address of the first structure in the list.
-H start The address of the list_head structure, typically expressed
symbolically, but also can be an expression evaluating to the
address of the starting list_head structure.
EXAMPLES
Note that each task_struct is linked to its parent's task_struct via the
p_pptr member:
crash> struct task_struct.p_pptr
struct task_struct {
[136] struct task_struct *p_pptr;
}
That being the case, given a task_struct pointer of c169a000, show its
parental hierarchy back to the "init_task" (the "swapper" task):
crash> list task_struct.p_pptr c169a000
c169a000
c0440000
c50d0000
c0562000
c0d28000
c7894000
c6a98000
c009a000
c0252000
Given that the "task_struct.p_pptr" offset is 136 bytes, the same
result could be accomplished like so:
crash> list 136 c169a000
c169a000
c0440000
c50d0000
c0562000
c0d28000
c7894000
c6a98000
c009a000
c0252000
The list of currently-registered file system types are headed up by a
struct file_system_type pointer named "file_systems", and linked by
the "next" field in each file_system_type structure. The following
sequence displays the structure address followed by the name and
fs_flags members of each registered file system type:
crash> p file_systems
file_systems = $1 = (struct file_system_type *) 0xc03adc90
crash> list file_system_type.next -s file_system_type.name,fs_flags 0xc03adc90
c03adc90
name = 0xc02c05c8 "rootfs",
fs_flags = 0x30,
c03abf94
name = 0xc02c0319 "bdev",
fs_flags = 0x10,
c03acb40
name = 0xc02c07c4 "proc",
fs_flags = 0x8,
c03e9834
name = 0xc02cfc83 "sockfs",
fs_flags = 0x10,
c03ab8e4
name = 0xc02bf512 "tmpfs",
fs_flags = 0x20,
c03ab8c8
name = 0xc02c3d6b "shm",
fs_flags = 0x20,
c03ac394
name = 0xc02c03cf "pipefs",
fs_flags = 0x10,
c03ada74
name = 0xc02c0e6b "ext2",
fs_flags = 0x1,
c03adc74
name = 0xc02c0e70 "ramfs",
fs_flags = 0x20,
c03ade74
name = 0xc02c0e76 "hugetlbfs",
fs_flags = 0x20,
c03adf8c
name = 0xc02c0f84 "iso9660",
fs_flags = 0x1,
c03aec14
name = 0xc02c0ffd "devpts",
fs_flags = 0x8,
c03e93f4
name = 0xc02cf1b9 "pcihpfs",
fs_flags = 0x28,
e0831a14
name = 0xe082f89f "ext3",
fs_flags = 0x1,
e0846af4
name = 0xe0841ac6 "usbdevfs",
fs_flags = 0x8,
e0846b10
name = 0xe0841acf "usbfs",
fs_flags = 0x8,
e0992370
name = 0xe099176c "autofs",
fs_flags = 0x0,
e2dcc030
name = 0xe2dc8849 "nfs",
fs_flags = 0x48000,
In some kernels, the system run queue is a linked list headed up by the
"runqueue_head", which is defined like so:
static LIST_HEAD(runqueue_head);
The run queue linking is done with the "run_list" member of the task_struct:
crash> struct task_struct.run_list
struct task_struct {
[60] struct list_head run_list;
}
Therefore, to view the list of task_struct addresses in the run queue,
either of the following commands will work:
crash> list task_struct.run_list -H runqueue_head
f79ac000
f7254000
f7004000
crash> list 60 -H runqueue_head
f79ac000
f7254000
f7004000
Lastly, in some kernel versions, the vfsmount structures of the mounted
filesystems are linked by the LIST_HEAD "vfsmntlist", which uses the
mnt_list list_head of each vfsmount structure in the list. To dump each
vfsmount structure in the list, append the -s option:
crash> list -H vfsmntlist vfsmount.mnt_list -s vfsmount
c3fc9e60
struct vfsmount {
mnt_hash = {
next = 0xc3fc9e60,
prev = 0xc3fc9e60
},
mnt_parent = 0xc3fc9e60,
mnt_mountpoint = 0xc3fc5dc0,
mnt_root = 0xc3fc5dc0,
mnt_instances = {
next = 0xc3f60a74,
prev = 0xc3f60a74
},
mnt_sb = 0xc3f60a00,
mnt_mounts = {
next = 0xf7445e08,
prev = 0xf7445f88
},
mnt_child = {
next = 0xc3fc9e88,
prev = 0xc3fc9e88
},
mnt_count = {
counter = 209
},
mnt_flags = 0,
mnt_devname = 0xc8465b20 "/dev/root",
mnt_list = {
next = 0xf7445f9c,
prev = 0xc02eb828
},
mnt_owner = 0
}
f7445f60
struct vfsmount {
...
19. ) Documentation for crash command log:
NAME
log - dump system message buffer
SYNOPSIS
log [-m]
DESCRIPTION
This command dumps the kernel log_buf contents in chronological order.
-m Display the message log level preceding each message.
EXAMPLES
Dump the kernel message buffer:
crash> log
Linux version 2.2.5-15smp (root@mclinux1) (gcc version egcs-2.91.66 19990
314/Linux (egcs-1.1.2 release)) #1 SMP Thu Aug 26 11:04:37 EDT 1999
Intel MultiProcessor Specification v1.4
Virtual Wire compatibility mode.
OEM ID: DELL Product ID: WS 410 APIC at: 0xFEE00000
Processor #0 Pentium(tm) Pro APIC version 17
Processor #1 Pentium(tm) Pro APIC version 17
I/O APIC #2 Version 17 at 0xFEC00000.
Processors: 2
mapped APIC to ffffe000 (fee00000)
mapped IOAPIC to ffffd000 (fec00000)
Detected 447696347 Hz processor.
Console: colour VGA+ 80x25
Calibrating delay loop... 445.64 BogoMIPS
...
8K byte-wide RAM 5:3 Rx:Tx split, autoselect/Autonegotiate interface.
MII transceiver found at address 24, status 782d.
Enabling bus-master transmits and whole-frame receives.
Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
nfsd_init: initialized fhcache, entries=256
...
Do the same thing, but also show the log level preceding each message:
crash> log -m
<4>Linux version 2.2.5-15smp (root@mclinux1) (gcc version egcs-2.91.66 19990
314/Linux (egcs-1.1.2 release)) #1 SMP Thu Aug 26 11:04:37 EDT 1999
<4>Intel MultiProcessor Specification v1.4
<4> Virtual Wire compatibility mode.
<4>OEM ID: DELL Product ID: WS 410 APIC at: 0xFEE00000
<4>Processor #0 Pentium(tm) Pro APIC version 17
<4>Processor #1 Pentium(tm) Pro APIC version 17
<4>I/O APIC #2 Version 17 at 0xFEC00000.
<4>Processors: 2
<4>mapped APIC to ffffe000 (fee00000)
<4>mapped IOAPIC to ffffd000 (fec00000)
<4>Detected 447696347 Hz processor.
<4>Console: colour VGA+ 80x25
<4>Calibrating delay loop... 445.64 BogoMIPS
...
<6> 8K byte-wide RAM 5:3 Rx:Tx split, autoselect/Autonegotiate interface.
<6> MII transceiver found at address 24, status 782d.
<6> Enabling bus-master transmits and whole-frame receives.
<6>Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
<7>nfsd_init: initialized fhcache, entries=256
...
20. ) Documentation for crash command mach:
NAME
mach - machine specific data
SYNOPSIS
mach [-cm]
DESCRIPTION
This command displays data specific to a machine type.
-c Display each cpu's cpuinfo structure (x86, x86_64 and ia64 only).
Display each cpu's x8664_pda structure (x86_64 only),
Display the hwrpb_struct, and each cpu's percpu_struct (alpha only).
-m Display the physical memory map (x86, x86_64 and ia64 only).
EXAMPLES
crash> mach
MACHINE TYPE: i686
MEMORY SIZE: 512 MB
CPUS: 2
PROCESSOR SPEED: 1993 Mhz
HZ: 100
PAGE SIZE: 4096
KERNEL VIRTUAL BASE: c0000000
KERNEL VMALLOC BASE: e0800000
KERNEL STACK SIZE: 8192
Display the system physical memory map:
crash> mach -m
PHYSICAL ADDRESS RANGE TYPE
0000000000000000 - 00000000000a0000 E820_RAM
00000000000f0000 - 0000000000100000 E820_RESERVED
0000000000100000 - 000000001ff75000 E820_RAM
000000001ff75000 - 000000001ff77000 E820_NVS
000000001ff77000 - 000000001ff98000 E820_ACPI
000000001ff98000 - 0000000020000000 E820_RESERVED
00000000fec00000 - 00000000fec90000 E820_RESERVED
00000000fee00000 - 00000000fee10000 E820_RESERVED
00000000ffb00000 - 0000000100000000 E820_RESERVED
21. ) Documentation for crash command mod:
NAME
mod - module information and loading of symbols and debugging data
SYNOPSIS
mod -s module [objfile] | -d module | -S [directory] | -D | -r | -R | -o | -g
DESCRIPTION
With no arguments, this command displays basic information of the currently
installed modules, consisting of the module address, name, size, the
object file name (if known), and whether the module was compiled with
CONFIG_KALLSYMS.
The arguments are concerned with with the loading or deleting of symbolic
and debugging data from a module's object file. A modules's object file
always contains symbolic data (symbol names and addresses), but contains
debugging data only if the module was compiled with the -g CFLAG. In
addition, the module may have compiled with CONFIG_KALLSYMS, which means
that the module's symbolic data will have been loaded into the kernel's
address space when it was installed. If the module was not compiled with
CONFIG_KALLSYMS, then only the module's exported symbols will be loaded
into the kernel's address space. Therefore, for the purpose of this
command, it should noted that a kernel module may have been compiled in
one of following manners:
1. If the module was built without CONFIG_KALLSYMS and without the -g CFLAG,
then the loading of the module's additional non-exported symbols can
be accomplished with this command.
2. If the module was built with CONFIG_KALLSYMS, but without the -g CFLAG,
then there is no benefit in loading the symbols from the module object
file, because all of the module's symbols will have been loaded into the
kernel's address space when it was installed.
3. If the module was built with CONFIG_KALLSYMS and with the the -g CFLAG,
then the loading of the module's debugging data can be accomplished
with this command.
4. If the module was built without CONFIG_KALLSYMS but with the -g CFLAG,
then the loading of the both module's symbolic and debugging data can
be accomplished with this command.
-s module [objfile] Loads symbolic and debugging data from the object file
for the module specified. If no objfile argument is
appended, a search will be made for an object file
consisting of the module name with a .o or .ko suffix,
starting at the /lib/modules/
the host system. If an objfile argument is appended,
then that file will be used.
-d module Deletes the symbolic and debugging data of the module
specified.
-S [directory] Load symbolic and debugging data from the object file
for all loaded modules. For each module, a search
will be made for an object file consisting of the
module name with a .o or.ko suffix, starting at the
/lib/modules/
If a directory argument is appended, then the search
will be restricted to that directory.
-D Deletes the symbolic and debugging data of all modules.
-r Passes the -readnow flag to the embedded gdb module,
which will override the two-stage strategy that it uses
for reading symbol tables from module object files.
-R Reinitialize module data. All currently-loaded symbolic
and debugging data will be deleted, and the installed
module list will be updated (live system only).
-g When used with -s or -S, add a module object's section
start and end addresses to its symbol list.
-o Load module symbols with old mechanism.
After symbolic and debugging data have been loaded, backtraces and text
disassembly will be displayed appropriately. Depending upon the processor
architecture, data may also printed symbolically with the "p" command;
at a minimum, the "rd" command may be used with module data symbols.
If crash can recognize that the set of modules has changed while running a
session on a live kernel, the module data will be reinitialized the next
time this command is run; the -r option forces the reinitialization.
EXAMPLES
Display the currently-installed modules:
crash> mod
MODULE NAME SIZE OBJECT FILE
c8019000 soundcore 2788 (not loaded)
c801b000 soundlow 336 (not loaded)
c801d000 sound 59864 (not loaded)
c802d000 ad1848 15728 (not loaded)
c8032000 uart401 6000 (not loaded)
c8035000 cs4232 2472 (not loaded)
c8043000 opl3 11048 (not loaded)
c8047000 3c59x 18152 (not loaded)
c804d000 sunrpc 53796 (not loaded)
c805c000 lockd 31528 (not loaded)
c8065000 nfsd 151896 (not loaded)
c8092000 nfs 29752 (not loaded)
Display the currently-installed modules on a system where all modules were
compiled with CONFIG_KALLSYMS:
crash> mod
MODULE NAME SIZE OBJECT FILE
e080d000 jbd 57016 (not loaded) [CONFIG_KALLSYMS]
e081e000 ext3 92360 (not loaded) [CONFIG_KALLSYMS]
e0838000 usbcore 83168 (not loaded) [CONFIG_KALLSYMS]
e0850000 usb-uhci 27532 (not loaded) [CONFIG_KALLSYMS]
e085a000 ehci-hcd 20904 (not loaded) [CONFIG_KALLSYMS]
e0865000 input 6208 (not loaded) [CONFIG_KALLSYMS]
e086a000 hid 22404 (not loaded) [CONFIG_KALLSYMS]
e0873000 mousedev 5688 (not loaded) [CONFIG_KALLSYMS]
e0878000 keybdev 2976 (not loaded) [CONFIG_KALLSYMS]
e08fd000 cdrom 34144 (not loaded) [CONFIG_KALLSYMS]
e0909000 ide-cd 35776 (not loaded) [CONFIG_KALLSYMS]
e0915000 scsi_mod 117928 (not loaded) [CONFIG_KALLSYMS]
e0935000 ide-scsi 12752 (not loaded) [CONFIG_KALLSYMS]
e093c000 microcode 5248 (not loaded) [CONFIG_KALLSYMS]
e0943000 sr_mod 18136 (not loaded) [CONFIG_KALLSYMS]
e0956000 floppy 59056 (not loaded) [CONFIG_KALLSYMS]
e0966000 sg 38060 (not loaded) [CONFIG_KALLSYMS]
e0971000 ip_tables 16544 (not loaded) [CONFIG_KALLSYMS]
e097d000 iptable_filter 2412 (not loaded) [CONFIG_KALLSYMS]
e097f000 e1000 76096 (not loaded) [CONFIG_KALLSYMS]
e09ba000 autofs 13780 (not loaded) [CONFIG_KALLSYMS]
e09c1000 parport 39072 (not loaded) [CONFIG_KALLSYMS]
e09ce000 lp 9220 (not loaded) [CONFIG_KALLSYMS]
e09d4000 parport_pc 19204 (not loaded) [CONFIG_KALLSYMS]
e09e2000 agpgart 59128 (not loaded) [CONFIG_KALLSYMS]
e0a1a000 radeon 117156 (not loaded) [CONFIG_KALLSYMS]
e2dc7000 sunrpc 91996 (not loaded) [CONFIG_KALLSYMS]
e2de1000 lockd 60624 (not loaded) [CONFIG_KALLSYMS]
e2df3000 nfs 96880 (not loaded) [CONFIG_KALLSYMS]
Load the symbolic and debugging data of all modules:
crash> mod -S
MODULE NAME SIZE OBJECT FILE
c8019000 soundcore 2788 /lib/modules/2.2.5-15/misc/soundcore.o
c801b000 soundlow 336 /lib/modules/2.2.5-15/misc/soundlow.o
c801d000 sound 59864 /lib/modules/2.2.5-15/misc/sound.o
c802d000 ad1848 15728 /lib/modules/2.2.5-15/misc/ad1848.o
c8032000 uart401 6000 /lib/modules/2.2.5-15/misc/uart401.o
c8035000 cs4232 2472 /lib/modules/2.2.5-15/misc/cs4232.o
c8043000 opl3 11048 /lib/modules/2.2.5-15/misc/opl3.o
c8047000 3c59x 18152 /lib/modules/2.2.5-15/net/3c59x.o
c804d000 sunrpc 53796 /lib/modules/2.2.5-15/misc/sunrpc.o
c805c000 lockd 31528 /lib/modules/2.2.5-15/fs/lockd.o
c8065000 nfsd 151896 /lib/modules/2.2.5-15/fs/nfsd.o
c8092000 nfs 29752 /lib/modules/2.2.5-15/fs/nfs.o
Load the symbolic and debugging data of the soundcore module from its
known location:
crash> mod -s soundcore
MODULE NAME SIZE OBJECT FILE
c8019000 soundcore 2788 /lib/modules/2.2.5-15/misc/soundcore.o
Delete the current symbolic and debugging data of the soundcore module,
and then re-load it from a specified object file:
crash> mod -d soundcore
crash> mod -s soundcore /tmp/soundcore.o
MODULE NAME SIZE OBJECT FILE
c8019000 soundcore 2788 /tmp/soundcore.o
After installing a new kernel module on a live system, reinitialize the
installed module list:
crash> !insmod mdacon
crash> mod
mod: NOTE: modules have changed on this system -- reinitializing
MODULE NAME SIZE OBJECT FILE
c8019000 soundcore 2788 (not loaded)
c801b000 soundlow 336 (not loaded)
c801d000 sound 59864 (not loaded)
c802d000 ad1848 15728 (not loaded)
c8032000 uart401 6000 (not loaded)
c8035000 cs4232 2472 (not loaded)
c8043000 opl3 11048 (not loaded)
c8047000 3c59x 18152 (not loaded)
c804d000 sunrpc 53796 (not loaded)
c805c000 lockd 31528 (not loaded)
c8065000 nfs 29752 (not loaded)
c806e000 autofs 9316 (not loaded)
c8072000 nfsd 151896 (not loaded)
c80a1000 mdacon 3556 (not loaded)
22. ) Documentation for crash command mount:
NAME
mount - mounted filesystem data
SYNOPSIS
mount [-f] [-i] [-n pid|task] [vfsmount|superblock|devname|dirname|inode]
DESCRIPTION
This command displays basic information about the currently-mounted
filesystems. The per-filesystem dirty inode list or list of open
files for the filesystem may also be displayed.
-f dump dentries and inodes for open files in each filesystem.
-i dump all dirty inodes associated with each filesystem; only
supported on kernels with super_block.s_dirty linked list.
For kernels supporting namespaces, the -n option may be used to
display the mounted filesystems with respect to the namespace of a
specified task:
-n pid a process PID.
-n task a hexadecimal task_struct pointer.
Specific filesystems may be selected using the following forms:
vfsmount hexadecimal address of filesystem vfsmount structure.
superblock hexadecimal address of filesystem super_block structure.
devname device name of filesystem.
dirname directory where filesystem is mounted.
inode hexadecimal address of an open inode of a filesystem.
EXAMPLES
Display mounted filesystem data:
crash> mount
VFSMOUNT SUPERBLK TYPE DEVNAME DIRNAME
c0089ea0 c0088a00 ext2 /dev/root /
c0089cf0 c0088c00 proc /proc /proc
c0089e10 c0088800 ext2 /dev/sda5 /boot
c0089d80 c0088600 ext2 /dev/sda6 /usr
c0089f30 c0088400 devpts none /dev/pts
c3f4b010 c0088200 ext2 /dev/sda1 /home
c6bf3d10 c0088000 nfs home:/home1 /home1
c49b90a0 c43a2a00 nfs home:/usr/local /usr/local
Display the open files associated with each mounted filesystem:
crash> mount -f
VFSMOUNT SUPERBLK TYPE DEVNAME DIRNAME
c7fb2b80 c7fb3200 ext2 /dev/root /
OPEN FILES:
DENTRY INODE TYPE PATH
c6d02200 c6d0f7a0 REG usr/X11R6/lib/libX11.so.6.1
c6d02100 c6d0f9e0 REG usr/X11R6/lib/libXext.so.6.3
c6d02000 c6d0fc20 REG usr/X11R6/lib/libICE.so.6.3
c6d02680 c6d0f320 REG usr/X11R6/bin/xfs
c7106580 c70c5440 CHR dev/psaux
...
Display the dirty inodes associated with each mounted filesystem:
crash> mount -i
VFSMOUNT SUPERBLK TYPE DEVNAME DIRNAME
c0089ea0 c0088a00 ext2 /dev/root /
DIRTY INODES
c7ad4008
c2233438
c72c4008
c7d6b548
c3af1a98
c7d6b768
c3c4e228
...
Display the mounted filesystem containing inode c5000aa8:
crash> mount c5000aa8
VFSMOUNT SUPERBLK TYPE DEVNAME DIRNAME
c0089f30 c0088600 ext2 /dev/sda6 /usr
23. ) Documentation for crash command net:
NAME
net - network command
SYNOPSIS
net [-a] [[-s | -S] [-R ref] [pid | taskp]] [-n addr]
DESCRIPTION
Display various network related data:
-a display the ARP cache.
-s display open network socket/sock addresses, their family and type,
and for INET and INET6 families, their source and destination
addresses and ports.
-S displays open network socket/sock addresses followed by a dump
of both structures.
-n addr translates an IPv4 address expressed as a decimal or hexadecimal
value into a standard numbers-and-dots notation.
-R ref socket or sock address, or file descriptor.
pid a process PID.
taskp a hexadecimal task_struct pointer.
If no arguments are entered, the list of network devices, names and IP
addresses are displayed. The -R option, typically invoked from "foreach net",
and in conjunction with the -s or -S options, searches for references to a
socket address, sock address, or a file descriptor; if found, only the
referenced fd/socket/sock data will be displayed.
EXAMPLES
Display the network device list:
crash> net
DEVICE NAME IP ADDRESS(ES)
c0249f20 lo 127.0.0.1
c7fe6d80 eth0 10.1.8.20
Dump the ARP cache:
crash> net -a
IP ADDRESS HW TYPE HW ADDRESS DEVICE STATE
0.0.0.0 UNKNOWN 00 00 00 00 00 00 lo 40 (NOARP)
192.168.1.1 ETHER 00:50:54:fe:ef:23 eth0 04 (STALE)
192.168.1.10 ETHER 00:90:27:9c:6c:79 eth0 02 (REACHABLE)
192.168.1.118 ETHER 00:c0:4f:60:00:e2 eth0 02 (REACHABLE)
Display the sockets for PID 2517, using both -s and -S output formats:
crash> net -s 2517
PID: 2517 TASK: c1598000 CPU: 1 COMMAND: "rlogin"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
3 c57375dc c1ff1850 INET:STREAM 10.1.8.20-1023 10.1.16.62-513
crash> net -S 2517
PID: 2517 TASK: c1598000 CPU: 1 COMMAND: "rlogin"
FD SOCKET SOCK
3 c57375dc c1ff1850
struct socket {
state = SS_CONNECTED,
flags = 131072,
ops = 0xc023f820,
inode = 0xc5737540,
fasync_list = 0x0,
file = 0xc58892b0,
sk = 0xc1ff1850,
wait = 0xc14d9ed4,
type = 1,
passcred = 0 '\000',
tli = 0 '\000'
}
struct sock {
sklist_next = 0xc1ff12f0,
sklist_prev = 0xc216bc00,
bind_next = 0x0,
bind_pprev = 0xc0918448,
daddr = 1041236234,
rcv_saddr = 336068874,
dport = 258,
num = 1023,
bound_dev_if = 0,
next = 0x0,
pprev = 0xc0286dd4,
state = 1 '\001',
zapped = 0 '\000',
sport = 65283,
family = 2,
reuse = 0 '\000',
...
Translate the rcv_saddr from above into dotted-decimal notation:
crash> net -n 1041236234
10.1.16.62
From "foreach", find all tasks with references to socket c08ea3cc:
crash> foreach net -s -R c08ea3cc
PID: 2184 TASK: c7026000 CPU: 1 COMMAND: "klines.kss"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 2200 TASK: c670a000 CPU: 1 COMMAND: "kpanel"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 2201 TASK: c648a000 CPU: 1 COMMAND: "kbgndwm"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 19294 TASK: c250a000 CPU: 0 COMMAND: "prefdm"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 2194 TASK: c62dc000 CPU: 1 COMMAND: "kaudioserver"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 2195 TASK: c6684000 CPU: 1 COMMAND: "maudio"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 2196 TASK: c6b58000 CPU: 1 COMMAND: "kwmsound"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 2197 TASK: c6696000 CPU: 0 COMMAND: "kfm"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 2199 TASK: c65ec000 CPU: 0 COMMAND: "krootwm"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 694 TASK: c1942000 CPU: 0 COMMAND: "prefdm"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 698 TASK: c6a2c000 CPU: 1 COMMAND: "X"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 2159 TASK: c4a5a000 CPU: 1 COMMAND: "kwm"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
24. ) Documentation for crash command p:
NAME
p - print the value of an expression
SYNOPSIS
p [-x|-d][-u] expression
DESCRIPTION
This command passes its arguments on to gdb "print" command for evaluation.
expression The expression to be evaluated.
-x override default output format with hexadecimal format.
-d override default output format with decimal format.
-u the expression evaluates to a user address reference.
The default output format is decimal, but that can be changed at any time
with the two built-in aliases "hex" and "dec". Alternatively, there
are two other built-in aliases, "px" and "pd", which force the command
output to be displayed in hexadecimal or decimal, without changing the
default mode.
EXAMPLES
Print the contents of jiffies:
crash> p jiffies
jiffies = $6 = 166532620
crash> px jiffies
jiffies = $7 = 0x9ed174b
crash> pd jiffies
jiffies = $8 = 166533160
Print the contents of the vm_area_struct "init_mm":
crash> p init_mm
init_mm = $5 = {
mmap = 0xc022d540,
mmap_avl = 0x0,
mmap_cache = 0x0,
pgd = 0xc0101000,
count = {
counter = 0x6
},
map_count = 0x1,
mmap_sem = {
count = {
counter = 0x1
},
waking = 0x0,
wait = 0x0
},
context = 0x0,
start_code = 0xc0000000,
end_code = 0xc022b4c8,
start_data = 0x0,
end_data = 0xc0250388,
start_brk = 0x0,
brk = 0xc02928d8,
start_stack = 0x0,
arg_start = 0x0,
arg_end = 0x0,
env_start = 0x0,
env_end = 0x0,
rss = 0x0,
total_vm = 0x0,
locked_vm = 0x0,
def_flags = 0x0,
cpu_vm_mask = 0x0,
swap_cnt = 0x0,
swap_address = 0x0,
segments = 0x0
}
No comments:
Post a Comment