
Draft: implemented text parser plugin for Apple ps.txt files.

Open rick-slin opened this issue 10 months ago • 3 comments

Description:

DRAFT: Implemented a text parser plugin for Apple ps.txt files found in sysdiagnose dumps. It uses the DatelessLogHelper

Related issue (if applicable): fixes #4697

Notes:

All contributions to Plaso undergo code review. This makes sure that the code has appropriate test coverage and conforms to the Plaso style guide.

One of the maintainers will examine your code, and may request changes. Check off the items below in order, and then a maintainer will review your code.

Checklist:

  • [ ] Automated checks (GitHub Actions, AppVeyor) pass
  • [x] No new dependencies are required or l2tdevtools has been updated
  • [x] Reviewer assigned

rick-slin Apr 04 '24 16:04

@rick-slin I will give this format some more thought; it does not fully match the use-case of the date-less log helper as with syslog where the log entries are (mostly) chronological.

Some hints (not the same) to the format based on Linux man ps:

       bsdstart    START     time the command started.  If the process was started less than 24 hours ago, the output format is " HH:MM", else it is " Mmm:SS" (where Mmm is the three letters of the month).  See also lstart, start, start_time, and stime.

       bsdtime     TIME      accumulated cpu time, user + system.  The display format is usually "MMM:SS", but can be shifted to the right if the process used more than 999 minutes of cpu time.

Would be good to have an example of a process that has more than 999 minutes of cpu time.

joachimmetz Apr 06 '24 07:04

I don't understand the significance of the entries not being chronological. I can see the usefulness of moving the handling of the three cases from the plugin to the helper.

I can try to set up an experiment for a long lived process but I don't see how that field would impact the start time column as they appear to be independent.

rick-slin Apr 10 '24 22:04

> I can try to set up an experiment for a long lived process but I don't see how that field would impact the start time column as they appear to be independent.

This would be more to see if there is an edge case for the format of the TIME value.

> I don't understand the significance of the entries not being chronological.

This is related to the inner workings of the date-less log helper.

joachimmetz Apr 11 '24 04:04
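The bsdstart description quoted from man ps earlier in the thread implies that a START value has to be resolved against the time ps was run before it can be placed on a timeline. The following is an added example, not code from this pull request or from Plaso: `resolve_bsdstart` and its `collected` parameter are hypothetical names, and the older-than-24-hours form is assumed to be a three-letter month followed by a day of month, which the thread does not confirm.

```python
import re
from datetime import datetime, timedelta

# Formats per the quoted man page text; the month form is assumed to carry
# a day of month (constructed samples: "Apr 3", "Dec31").
_CLOCK = re.compile(r"^(\d{1,2}):(\d{2})$")
_MONTH_DAY = re.compile(r"^([A-Z][a-z]{2})\s*(\d{1,2})$")
_MONTHS = {name: number for number, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def resolve_bsdstart(value, collected):
    """Return (start, precision) for a date-less START value.

    collected is the time ps ran; precision is "minute" or "day".
    """
    value = value.strip()
    match = _CLOCK.match(value)
    if match:
        hour, minute = int(match.group(1)), int(match.group(2))
        if hour > 23 or minute > 59:
            raise ValueError(f"invalid clock time: {value!r}")
        start = collected.replace(
            hour=hour, minute=minute, second=0, microsecond=0)
        # Less than 24 hours old: a clock time later than the collection
        # time can only belong to the previous day.
        if start > collected:
            start -= timedelta(days=1)
        return start, "minute"

    match = _MONTH_DAY.match(value)
    if match and match.group(1) in _MONTHS:
        month, day = _MONTHS[match.group(1)], int(match.group(2))
        # More than 24 hours old: take the most recent year in which that
        # day starts at least 24 hours before collection. Older years
        # cannot be ruled out from the value alone.
        for year in (collected.year, collected.year - 1):
            try:
                start = datetime(year, month, day)
            except ValueError:  # for example Feb 29 in a non-leap year
                continue
            if start <= collected - timedelta(hours=24):
                return start, "day"
    raise ValueError(f"unsupported START value: {value!r}")
```

The returned precision matters for timeline work: a month and day value only bounds the start to a calendar day, and the year is the most recent consistent candidate rather than a recorded fact.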