140 lines
2.3 KiB
Plaintext
140 lines
2.3 KiB
Plaintext
.TH opensnoop 1m "$Date:: 2007-08-05 #$" "USER COMMANDS"
|
|
.SH NAME
|
|
opensnoop \- snoop file opens as they occur. Uses DTrace.
|
|
.SH SYNOPSIS
|
|
.B opensnoop
|
|
[\-a|\-A|\-ceghsvxZ] [\-f pathname] [\-n name] [\-p PID]
|
|
.SH DESCRIPTION
|
|
opensnoop tracks file opens. As a process issues a file open, details
|
|
such as UID, PID and pathname are printed out.
|
|
|
|
The returned file descriptor is printed,
|
|
a value of -1 indicates an error. This can be useful
|
|
for troubleshooting to determine if appliacions are attempting to
|
|
open files that do not exist.
|
|
|
|
Since this uses DTrace, only the root user or users with the
|
|
dtrace_kernel privilege can run this command.
|
|
.SH OS
|
|
Solaris
|
|
.SH STABILITY
|
|
stable - needs the syscall provider.
|
|
.SH OPTIONS
|
|
.TP
|
|
\-a
|
|
print all data
|
|
.TP
|
|
\-A
|
|
dump all data, space delimited
|
|
.TP
|
|
\-c
|
|
print current working directory of process
|
|
.TP
|
|
\-e
|
|
print errno value
|
|
.TP
|
|
\-g
|
|
print full command arguments
|
|
.TP
|
|
\-s
|
|
print start time, us
|
|
.TP
|
|
\-v
|
|
print start time, string
|
|
.TP
|
|
\-x
|
|
only print failed opens
|
|
.TP
|
|
\-Z
|
|
print zonename
|
|
.TP
|
|
\-f pathname
|
|
file pathname to snoop
|
|
.TP
|
|
\-n name
|
|
process name to snoop
|
|
.TP
|
|
\-p PID
|
|
process ID to snoop
|
|
.PP
|
|
.SH EXAMPLES
|
|
.TP
|
|
Default output, print file opens by process as they occur,
|
|
#
|
|
.B opensnoop
|
|
.PP
|
|
.TP
|
|
Print human readable timestamps,
|
|
#
|
|
.B opensnoop
|
|
\-v
|
|
.PP
|
|
.TP
|
|
See error codes,
|
|
#
|
|
.B opensnoop
|
|
\-e
|
|
.PP
|
|
.TP
|
|
Snoop this file only,
|
|
#
|
|
.B opensnoop
|
|
\-f /etc/passwd
|
|
.PP
|
|
.SH FIELDS
|
|
.TP
|
|
ZONE
|
|
Zone name
|
|
.TP
|
|
UID
|
|
User ID
|
|
.TP
|
|
PID
|
|
Process ID
|
|
.TP
|
|
PPID
|
|
Parent Process ID
|
|
.TP
|
|
FD
|
|
File Descriptor (-1 is error)
|
|
.TP
|
|
ERR
|
|
errno value (see /usr/include/sys/errno.h)
|
|
.TP
|
|
CWD
|
|
current working directory of process
|
|
.TP
|
|
PATH
|
|
pathname for file open
|
|
.TP
|
|
COMM
|
|
command name for the process
|
|
.TP
|
|
ARGS
|
|
argument listing for the process
|
|
.TP
|
|
TIME
|
|
timestamp for the open event, us
|
|
.TP
|
|
STRTIME
|
|
timestamp for the open event, string
|
|
.SH DOCUMENTATION
|
|
See the DTraceToolkit for further documentation under the
|
|
Docs directory. The DTraceToolkit docs may include full worked
|
|
examples with verbose descriptions explaining the output.
|
|
.SH EXIT
|
|
opensnoop will run forever until Ctrl\-C is hit.
|
|
.SH BUGS
|
|
occasionally the pathname for the file open cannot be read
|
|
and the following error will be seen,
|
|
|
|
dtrace: error on enabled probe ID 6 (...): invalid address
|
|
|
|
this is normal behaviour.
|
|
.SH AUTHOR
|
|
Brendan Gregg
|
|
[Sydney, Australia]
|
|
.SH SEE ALSO
|
|
dtrace(1M), truss(1)
|
|
|