
Anyone know if there's a way to trace only system calls via ktrace in macOS 12+? (Obviously this is with SIP disabled.)

In the past one could trace system calls via:

sudo ktrace trace -s -S -t c -c ./some_binary

Now the -t option is simply:

Print times as Mach absolute timestamps, instead of the default local wall clock time.

ylluminate

1 Answer

The replacement for -t trstr seems to be -f filter-desc. The new filters are more flexible but arguably a bit fiddlier to use. Here's what the manpage has to say:

-f filter-desc

Apply a filter description to the trace session, controlling which events are traced.

FILTER DESCRIPTIONS

A filter description is a comma-separated list of class and subclass specifiers that indicate which events should be traced. A class specifier starts with C and contains a single byte, specified in either decimal or hex. A subclass specifier starts with S and takes two bytes. The high byte is the class and the low byte is the subclass of that class.

For example, this filter description would enable classes 1 and 37 and the subclasses 33 and 35 of class 5: C1,C0x25,S0x0521,S0x0523.

The possible values you can filter on are defined in bsd/sys/kdebug.h under Class and subclass definitions.

So if you're interested in BSD syscalls, that's -f C4 (class 4 = DBG_BSD). Mach syscalls (aka traps) would be -f S0x010c (class 0x01 = DBG_MACH, subclass 0x0c = DBG_MACH_EXCP_SC).

So to show BSD syscalls and Mach traps:

sudo ktrace trace -Ss -f C4,S0x010c -c ./some_binary

Depending on what you're after, you might also want C2,C3 (DBG_NETWORK and DBG_FSYSTEM).

sengi
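To make the filter-description encoding concrete, here is a small Python helper (an added example, not part of the answer above or of Apple's ktrace) that parses a -f filter-desc, builds one from class/subclass pairs, and checks whether a given kdebug event ID would pass the filter. The class and subclass numbers (DBG_MACH=1, DBG_NETWORK=2, DBG_FSYSTEM=3, DBG_BSD=4, DBG_MACH_EXCP_SC=0x0c) are the ones quoted in the answer; the event-ID bit layout (class in bits 31..24, subclass in bits 23..16, code in bits 15..2) is my reading of bsd/sys/kdebug.h and is an assumption here, as is the helper's whole API.

```python
"""Parse and build ktrace -f filter descriptions and match them against kdebug event IDs.

Added example, not code from the original post. Class/subclass numbers are the
ones the answer quotes from bsd/sys/kdebug.h; the debugid bit layout below is
an assumption taken from that header as I recall it (KDBG_CLASS_MASK 0xff000000,
KDBG_SUBCLASS_MASK 0x00ff0000, KDBG_CODE_MASK 0x0000fffc).
"""
import re

# Class/subclass constants named in the answer.
DBG_MACH, DBG_NETWORK, DBG_FSYSTEM, DBG_BSD = 1, 2, 3, 4
DBG_MACH_EXCP_SC = 0x0C  # Mach traps

_SPEC_RE = re.compile(r"([CS])(0[xX][0-9a-fA-F]+|[0-9]+)")


def _to_int(text):
    """Decimal or hex, as the manpage allows (int(x, 0) would reject '012')."""
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def parse_filter_desc(desc):
    """Return (classes, subclasses) as sets of ints.

    classes holds one-byte class numbers; subclasses holds the two-byte
    (class << 8 | subclass) values exactly as they appear after 'S'.
    Raises ValueError on a malformed or out-of-range specifier.
    """
    classes, subclasses = set(), set()
    for spec in desc.split(","):
        spec = spec.strip()
        m = _SPEC_RE.fullmatch(spec)
        if not m:
            raise ValueError(f"bad specifier {spec!r}")
        kind, value = m.group(1), _to_int(m.group(2))
        if kind == "C":
            if not 0 <= value <= 0xFF:
                raise ValueError(f"class must fit in one byte: {spec}")
            classes.add(value)
        else:
            if not 0 <= value <= 0xFFFF:
                raise ValueError(f"subclass must fit in two bytes: {spec}")
            subclasses.add(value)
    return classes, subclasses


def is_valid_filter_desc(desc):
    """True if ktrace would (by the manpage rules) accept this description."""
    try:
        parse_filter_desc(desc)
        return True
    except ValueError:
        return False


def build_filter_desc(classes=(), subclasses=()):
    """Inverse of parse: classes are ints, subclasses are (class, subclass) pairs."""
    parts = [f"C{c}" for c in classes]
    parts += [f"S0x{(c << 8) | s:04x}" for c, s in subclasses]
    return ",".join(parts)


def debugid(cls, subcls, code):
    """Assemble a kdebug event ID (assumed layout, see module docstring)."""
    return ((cls & 0xFF) << 24) | ((subcls & 0xFF) << 16) | ((code & 0x3FFF) << 2)


def matches(desc, debug_id):
    """Would an event with this ID be traced under the given filter description?"""
    classes, subclasses = parse_filter_desc(desc)
    cls = (debug_id >> 24) & 0xFF
    sub = (debug_id >> 16) & 0xFF
    return cls in classes or ((cls << 8) | sub) in subclasses


def ktrace_cmd(desc, binary):
    """The command line from the answer, with the filter filled in (hypothetical helper)."""
    return ["sudo", "ktrace", "trace", "-Ss", "-f", desc, "-c", binary]


if __name__ == "__main__":
    syscalls = build_filter_desc([DBG_BSD], [(DBG_MACH, DBG_MACH_EXCP_SC)])
    print(syscalls)                       # C4,S0x010c
    print(" ".join(ktrace_cmd(syscalls, "./some_binary")))
    print(matches(syscalls, debugid(DBG_MACH, DBG_MACH_EXCP_SC, 1)))  # True
    print(matches(syscalls, debugid(DBG_MACH, 0x01, 1)))              # False
```

The point the helper makes explicit is that an S specifier is the class byte followed by the subclass byte, so S0x010c selects subclass 0x0c of class 0x01 and nothing else from DBG_MACH, whereas C4 selects every subclass of DBG_BSD. Running it with a deliberately bad specifier such as C256 shows the one-byte limit the manpage states.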