opensnoop
opensnoop(1m) USER COMMANDS opensnoop(1m)
NAME
opensnoop - snoop file opens as they occur. Uses DTrace.
SYNOPSIS
opensnoop [-a|-A|-ceFghstvxZ] [-f pathname] [-n name] [-p PID]
DESCRIPTION
opensnoop tracks file opens. As a process issues a file open, details
such as UID, PID and pathname are printed out.
The returned file descriptor is printed, a value of -1 indicates an
error. This can be useful for troubleshooting to determine if
applications are attempting to open files that do not exist.
Since this uses DTrace, only users with root privileges can run this
command.
OPTIONS
-a print all data
-A dump all data, space delimited
-c print current working directory of process
-e print errno value
-F print the flags passed to open
-g print full command arguments
-s print start time, us
-t print user stack trace
-v print start time, string
-x only print failed opens
-Z print zonename
-f pathname
file pathname to snoop
-n name
process name to snoop
-p PID process ID to snoop
EXAMPLES
Default output, print file opens by process as they occur,
# opensnoop
Print human readable timestamps,
# opensnoop -v
See error codes,
# opensnoop -e
Snoop this file only,
# opensnoop -f /etc/passwd
FIELDS
ZONE Zone name
UID User ID
PID Process ID
PPID Parent Process ID
FD File Descriptor (-1 is error)
FLAGS Flags passed to open
ERR errno value (see /usr/include/sys/errno.h)
CWD current working directory of process
PATH pathname for file open
COMM command name for the process
ARGS argument listing for the process
TIME timestamp for the open event, us
STRTIME
timestamp for the open event, string
DOCUMENTATION
See the DTraceToolkit for further documentation under the Docs directory.
The DTraceToolkit docs may include full worked examples with verbose
descriptions explaining the output.
EXIT
opensnoop will run forever until Ctrl-C is hit.
BUGS
occasionally the pathname for the file open cannot be read and the
following error will be seen,
dtrace: error on enabled probe ID 6 (...): invalid address
this is normal behaviour.
AUTHOR
Brendan Gregg [Sydney, Australia]
SEE ALSO
dtrace(1M), truss(1)
version 1.60 January 12, 2006 opensnoop(1m)