Event filtering can happen through a predicate clause that determines if an action block should execute (at runtime) or by limiting the number of registered probes (at compile time). Limiting the number of registered probes can have a much lesser effect on the ultimate load of a trace tool (this is the lightweight aspect). To the user this is a very subtle distinction as programmatically these seem very similar. In both cases it offers a flexibility (the dynamic aspect) that previous trace tools did not.

The benefit of parsing data in (near) real time is that utilities such as truss and trace can only capture a limited amount of data because they do not know what part is of value for future analysis. With first hand access to the data in real time the possibilities open up to searching through larger data sets for specific data. To do this after the fact with trace/truss the entire data set of the parameters to a call like read() or write() would need to be captured.

The passwd snoop utility (AKA: The ÒA Nefarious Vue ExampleÓ slide) in this presentation would normally capture read operations for every library and message file loaded. The script presented here can filter on exact file descriptors and even on size and content of the read() or write() operation.