Glossary

DTrace

Sun's dynamic tracing framework, ported to Darwin in 2007 and still the most powerful syscall-tracing tool on macOS — when SIP lets you use it.

DTrace is a kernel-level dynamic tracing framework originally written at Sun for Solaris and ported to Darwin in macOS 10.5 Leopard. The /usr/sbin/dtrace binary ships in every macOS install.

It works by inserting probes at well-defined kernel points and running short scripts in the D language whenever a probe fires. The two relevant providers for syscall work are:

  • syscall — fires on every BSD syscall entry/return. Maps 1-to-1 with bsd/kern/syscalls.master entries.
  • mach_trap — fires on every Mach trap entry/return.

Together they cover the complete syscall surface.
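The following D script is an added example, not code from the original page or from Apple: it uses exactly the two providers described above, `syscall` and `mach_trap`, to count every BSD syscall and Mach trap made by one process, and it logs the path and errno of each open(2) call, the kind of argument detail the entry notes is not always surfaced elsewhere. The file name `syscall-summary.d` is an assumption; `$target` is the pid supplied with `-p`. Only providers that remain available on Apple Silicon are used, so the script does not depend on `fbt`.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example, not from the original page.
 * Count every BSD syscall and Mach trap made by one process, using the
 * two providers the entry describes, and log open(2) results so the path
 * and errno are visible.
 *
 * Usage (as root, with the DTrace restriction relaxed as described above):
 *   sudo dtrace -s syscall-summary.d -p <pid>
 * $target is the pid passed with -p; tracing stops when that process exits.
 */

#pragma D option quiet

/* One aggregation per provider, keyed by probe function (syscall or trap name). */
syscall:::entry
/pid == $target/
{
    @bsd[probefunc] = count();
}

mach_trap:::entry
/pid == $target/
{
    @mach[probefunc] = count();
}

/*
 * Save the user-space path pointer at entry and copy the string at return,
 * when the page is known to be mapped; this is the usual opensnoop idiom.
 */
syscall::open:entry
/pid == $target/
{
    self->pathp = arg0;
}

syscall::open:return
/pid == $target && self->pathp/
{
    printf("%s[%d] open(\"%s\") = %d errno=%d\n",
        execname, pid, copyinstr(self->pathp), (int)arg0, errno);
    self->pathp = 0;   /* free the thread-local variable */
}

/* Print both tables when the traced process exits or on Ctrl-C. */
END
{
    printf("\n%-28s %8s\n", "BSD syscall", "count");
    printa("%-28s %@8d\n", @bsd);
    printf("\n%-28s %8s\n", "Mach trap", "count");
    printa("%-28s %@8d\n", @mach);
}
```

Before running it, `csrutil status` should report `DTrace Restrictions: disabled`; if it reports `enabled`, the script still loads but attaching to entitled processes fails with a permission error. The two aggregations are kept separate on purpose: a sudden rise in `mach_trap` counts relative to `syscall` counts is the Mach port IPC activity that the `syscall` provider alone would never show.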

SIP restrictions. Out of the box, DTrace cannot attach to processes signed with Apple-private entitlements (Safari, WindowServer, most system daemons). The workaround is csrutil enable --without dtrace from Recovery, which relaxes only the DTrace restriction while keeping the rest of SIP active.

Apple Silicon limitations. The fbt (Function Boundary Tracing) provider, which let you probe arbitrary kernel functions on Intel macOS, is disabled on arm64. You're limited to the well-known providers: syscall, mach_trap, proc, sched, io, pid.

DTrace remains useful when Endpoint Security doesn't expose the event you need — most notably for raw Mach port IPC and for syscall arguments not surfaced in the ES payload.