opensnoop - snoop file opens as they occur. Uses DTrace.
opensnoop [-a|-A|-ceghsvxZ] [-f pathname] [-n name] [-p PID]
opensnoop tracks file opens. As a process issues a file open, details such as
UID, PID and pathname are printed out.
The returned file descriptor is printed; a value of -1 indicates an error. This
can be useful for troubleshooting to determine if applications are attempting
to open files that do not exist.
Since this uses DTrace, only the root user or users with the dtrace_kernel
privilege can run this command.
stable - needs the syscall provider.
- -a: print all data
- -A: dump all data, space delimited
- -c: print current working directory of process
- -e: print errno value
- -g: print full command arguments
- -s: print start time, us
- -v: print start time, string
- -x: only print failed opens
- -Z: print zonename
- -f pathname: file pathname to snoop
- -n name: process name to snoop
- -p PID: process ID to snoop
- Default output, print file opens by process as they occur,
  # opensnoop
- Print human readable timestamps,
  # opensnoop -v
- See error codes,
  # opensnoop -e
- Snoop this file only,
  # opensnoop -f /etc/passwd
- ZONE: Zone name
- UID: User ID
- PID: Process ID
- PPID: Parent Process ID
- FD: File Descriptor (-1 is error)
- ERR: errno value (see /usr/include/sys/errno.h)
- CWD: current working directory of process
- PATH: pathname for file open
- COMM: command name for the process
- ARGS: argument listing for the process
- TIME: timestamp for the open event, us
- STRTIME: timestamp for the open event, string
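The failed-open check described above (a file descriptor of -1, with the errno value giving the reason) applied to captured output, as an added example that is not part of opensnoop or the DTraceToolkit. It assumes `opensnoop -e` output with a header row naming the columns UID PID COMM FD ERR PATH; the sample rows and the names `sample_output` and `failed_opens` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the opensnoop distribution.
# Assumes `opensnoop -e` prints a header row naming the columns
# UID PID COMM FD ERR PATH, with PATH as the last column.

# Constructed sample output (not captured from a real system).
sample_output() {
cat <<'EOF'
  UID    PID COMM          FD ERR PATH
    0    612 sshd           4   0 /etc/ssh/sshd_config
  100   3528 backup.sh     -1  13 /etc/shadow
  100   3528 backup.sh     -1  13 /etc/shadow
  100   3530 vi            -1   2 /home/user/.exrc
  100   3530 vi             3   0 /home/user/my notes.txt
  100   3531 report        -1   2 /opt/app/conf/my settings.ini
dtrace: error on enabled probe ID 6 (...): invalid address
EOF
}

# Reads opensnoop output on stdin and prints "count comm errno path" for
# each distinct failed open (FD of -1), most frequent first.
# errno 2 is ENOENT (no such file), errno 13 is EACCES (permission denied).
failed_opens() {
    awk '
    $1 == "dtrace:" { next }            # probe error lines carry no event
    !have_header {                      # locate columns by header name
        split("", col)
        for (i = 1; i <= NF; i++) col[$i] = i
        have_header = ("COMM" in col) && ("FD" in col) &&
                      ("ERR" in col) && ("PATH" in col)
        next
    }
    NF >= col["PATH"] && $(col["FD"]) < 0 {
        path = $(col["PATH"])           # rejoin a path that contains spaces
        for (i = col["PATH"] + 1; i <= NF; i++) path = path " " $i
        n[$(col["COMM"]) " " $(col["ERR"]) " " path]++
    }
    END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

sample_output | failed_opens
```

To use it on real data, capture with `opensnoop -e > opens.log`, stop the trace with Ctrl-C, then run `failed_opens < opens.log`. Repeated errno 13 entries from one command against files it should not need are the rows worth reviewing first.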
See the DTraceToolkit for further documentation under the Docs directory. The
DTraceToolkit docs may include full worked examples with verbose descriptions
explaining the output.
opensnoop will run forever until Ctrl-C is hit.
Occasionally the pathname for the file open cannot be read and the following
error will be seen,
dtrace: error on enabled probe ID 6 (...): invalid address
This is normal behaviour.
Brendan Gregg [Sydney, Australia]