opensnoop(1m) USER COMMANDS opensnoop(1m)

opensnoop - snoop file opens as they occur. Uses DTrace.

opensnoop [-a|-A|-ceFghstvxZ] [-f pathname] [-n name] [-p PID]

opensnoop tracks file opens. As a process issues a file open, details such as UID, PID and pathname are printed out.

The returned file descriptor is printed; a value of -1 indicates an error. This can be useful when troubleshooting, to determine whether applications are attempting to open files that do not exist.

Since this uses DTrace, only users with root privileges can run this command.

-a              print all data
-A              dump all data, space delimited
-c              print current working directory of process
-e              print errno value
-F              print the flags passed to open
-g              print full command arguments
-s              print start time, us
-t              print user stack trace
-v              print start time, string
-x              only print failed opens
-Z              print zonename
-f pathname     file pathname to snoop
-n name         process name to snoop
-p PID          process ID to snoop

# opensnoop
# opensnoop -v
# opensnoop -e
# opensnoop -f /etc/passwd

Zone name
User ID
Process ID
Parent Process ID
File Descriptor (-1 is error)
Flags passed to open
errno value (see /usr/include/sys/errno.h)
current working directory of process
pathname for file open
command name for the process
argument listing for the process
timestamp for the open event, us
timestamp for the open event, string

See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with verbose descriptions explaining the output.

opensnoop will run forever until Ctrl-C is hit.

Occasionally the pathname for the file open cannot be read, and the following error will be seen:

dtrace: error on enabled probe ID 6 (...): invalid address

This is normal behaviour.
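
The troubleshooting use described above (finding opens that fail) can be scripted. The following is an added example, not part of opensnoop or the DTraceToolkit: it summarises failed opens from captured `opensnoop -e` output and skips the "invalid address" error lines. It assumes the output begins with a header row containing the column names COMM, FD and PATH (plus ERR when -e is used) with PATH as the last column; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not part of opensnoop or the DTraceToolkit.
# Assumption: a header row names the columns COMM, FD and PATH (ERR with -e),
# and PATH is the last column.

failed_opens() {
    awk '
    NF == 0 { next }
    /^dtrace: error on enabled probe/ { next }  # pathname could not be read
    !hdr {                                      # first remaining line is the header
        for (i = 1; i <= NF; i++) col[$i] = i
        if (!("COMM" in col) || !("FD" in col) || !("PATH" in col)) {
            print "failed_opens: header lacks COMM/FD/PATH" > "/dev/stderr"
            exit 2
        }
        hdr = 1; next
    }
    $col["FD"] == -1 {                          # -1 marks a failed open
        path = $col["PATH"]
        # rejoin pathnames that contain spaces
        for (i = col["PATH"] + 1; i <= NF; i++) path = path " " $i
        err = ("ERR" in col) ? $col["ERR"] : "?"
        count[$col["COMM"] "\t" err "\t" path]++
    }
    END { for (k in count) print count[k] "\t" k }
    ' "$@" | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

# Constructed sample of captured output (not from a real system).
sample_log() {
    cat <<'EOF'
  UID    PID COMM          FD ERR PATH
    0    253 nscd           5   0 /etc/passwd
  100   4120 httpd         -1   2 /var/www/missing.html
dtrace: error on enabled probe ID 6 (...): invalid address
  100   4120 httpd         -1   2 /var/www/missing.html
  100   4133 backup        -1  13 /etc/shadow
  100   4140 editor        -1   2 /home/u/My Notes.txt
EOF
}

# Output columns: count, command, errno, pathname (tab separated).
sample_log | failed_opens
```

Repeated failures with the same errno from one command stand out at the top of the summary; look the errno values up in /usr/include/sys/errno.h.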

Brendan Gregg [Sydney, Australia]

dtrace(1M), truss(1)

January 12, 2006 version 1.60