How can I trace/snoop route changes?

Question

I have a program that changes the routes on my mac. I want to trace what it is doing.

With some dtrace/dtruss, the best I can get is something like:

2455/0x833e: stat64("/sbin/route\0", 0x7FFEE9DB0740, 0x0) = 0 0 But this isn't good enough. I want to know what arguments route is being called with.

I've been doing a log of googling. I found a PDF of a talk (dtrace_workshop01_slides.pdf). It says:

DTrace can snoop route changes live

that'd be nice! But the slides don't say how to do it.

I turned off macOS SIP temporarily, and dtrace seems to work in general. I don't need the solution to be a dtrace solution.

Answer 1

I stumbled upon /usr/bin/newproc.d script. It's built-in to macOS. It's a big dtrace script.

newproc.d | grep 'ifconfig\|route'

in another shell: sudo route -n add -net 1.2.3.4/32 192.168.13.1

2021 Sep  7 22:16:55 10460 <10458> 64b  route -n add -net 1.2.3.4/32 192.168.13.1
2021 Sep  7 22:17:04 10463 <10462> 64b  route -n delete -net 1.2.3.4/32