opensnoop(1m)                     USER COMMANDS                    opensnoop(1m)

       opensnoop - snoop file opens as they occur. Uses DTrace.

       opensnoop [-a|-A|-ceFghstvxZ] [-f pathname] [-n name] [-p PID]

       opensnoop tracks file opens. As a process issues a file open, details
       such as UID, PID and pathname are printed out.

       The returned file descriptor is printed, a value of -1 indicates an
       error. This can be useful for troubleshooting to determine if
       applications are attempting to open files that do not exist.

       Since this uses DTrace, only users with root privileges can run this

       -a     print all data

       -A     dump all data, space delimited

       -c     print current working directory of process

       -e     print errno value

       -F     print the flags passed to open

       -g     print full command arguments

       -s     print start time, us

       -t     print user stack trace

       -v     print start time, string

       -x     only print failed opens

       -Z     print zonename

       -f pathname
              file pathname to snoop

       -n name
              process name to snoop

       -p PID process ID to snoop

       Default output, print file opens by process as they occur,
              # opensnoop

       Print human readable timestamps,
              # opensnoop -v

       See error codes,
              # opensnoop -e

       Snoop this file only,
              # opensnoop -f /etc/passwd

       ZONE   Zone name

       UID    User ID

       PID    Process ID

       PPID   Parent Process ID

       FD     File Descriptor (-1 is error)

       FLAGS  Flags passed to open

       ERR    errno value (see /usr/include/sys/errno.h)

       CWD    current working directory of process

       PATH   pathname for file open

       COMM   command name for the process

       ARGS   argument listing for the process

       TIME   timestamp for the open event, us

              timestamp for the open event, string

       See the DTraceToolkit for further documentation under the Docs directory.
       The DTraceToolkit docs may include full worked examples with verbose
       descriptions explaining the output.

       opensnoop will run forever until Ctrl-C is hit.

       occasionally the pathname for the file open cannot be read and the
       following error will be seen,

       dtrace: error on enabled probe ID 6 (...): invalid address

       this is normal behaviour.

       Brendan Gregg [Sydney, Australia]

       dtrace(1M), truss(1)

version 1.60                    January 12, 2006                   opensnoop(1m)