opensnoop

opensnoop(1m)                     USER COMMANDS                    opensnoop(1m)



NAME
       opensnoop - snoop file opens as they occur. Uses DTrace.

SYNOPSIS
       opensnoop [-a|-A|-ceFghstvxZ] [-f pathname] [-n name] [-p PID]

DESCRIPTION
       opensnoop tracks file opens. As a process issues a file open, details
       such as UID, PID and pathname are printed out.

       The returned file descriptor is printed, a value of -1 indicates an
       error. This can be useful for troubleshooting to determine if
       applications are attempting to open files that do not exist.

       Since this uses DTrace, only users with root privileges can run this
       command.

OPTIONS
       -a     print all data

       -A     dump all data, space delimited

       -c     print current working directory of process

       -e     print errno value

       -F     print the flags passed to open

       -g     print full command arguments

       -s     print start time, us

       -t     print user stack trace

       -v     print start time, string

       -x     only print failed opens

       -Z     print zonename

       -f pathname
              file pathname to snoop

       -n name
              process name to snoop

       -p PID process ID to snoop

EXAMPLES
       Default output, print file opens by process as they occur,
              # opensnoop

       Print human readable timestamps,
              # opensnoop -v

       See error codes,
              # opensnoop -e

       Snoop this file only,
              # opensnoop -f /etc/passwd

FIELDS
       ZONE   Zone name

       UID    User ID

       PID    Process ID

       PPID   Parent Process ID

       FD     File Descriptor (-1 is error)

       FLAGS  Flags passed to open

       ERR    errno value (see /usr/include/sys/errno.h)

       CWD    current working directory of process

       PATH   pathname for file open

       COMM   command name for the process

       ARGS   argument listing for the process

       TIME   timestamp for the open event, us

       STRTIME
              timestamp for the open event, string

DOCUMENTATION
       See the DTraceToolkit for further documentation under the Docs directory.
       The DTraceToolkit docs may include full worked examples with verbose
       descriptions explaining the output.

EXIT
       opensnoop will run forever until Ctrl-C is hit.

BUGS
       occasionally the pathname for the file open cannot be read and the
       following error will be seen,

       dtrace: error on enabled probe ID 6 (...): invalid address

       this is normal behaviour.

AUTHOR
       Brendan Gregg [Sydney, Australia]

SEE ALSO
       dtrace(1M), truss(1)




version 1.60                    January 12, 2006                   opensnoop(1m)