rwsnoop(1m) USER COMMANDS rwsnoop(1m)

rwsnoop - snoop read/write events. Uses DTrace.

rwsnoop [-jPtvZ] [-n name] [-p PID]

rwsnoop measures reads and writes at the application level, by matching the syscalls read, write, pread and pwrite.

Since this uses DTrace, only users with root privileges can run this command.

-j         print project ID
-P         print parent process ID
-t         print timestamp, us
-v         print time, string
-Z         print zone ID
-n name    process name to track
-p PID     PID to track

# rwsnoop
# rwsnoop -
# rwsnoop -n bash

timestamp, us
time, string
zone ID
project ID
user ID
process ID
parent process ID
command name for the process
direction, Read or Write
total bytes during sample
filename, if file based. Reads and writes that are not file based, for example with sockets, will print "<unknown>" as the filename.
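
The following is an added example, not part of rwsnoop or the DTraceToolkit: a small Python parser that summarises captured rwsnoop output, totals the non-file-based ("<unknown>") traffic per command, and flags access to watched files by unexpected commands. The sample lines are constructed, and the column layout, the watch list and the allow list are assumptions.

```python
from collections import defaultdict

# Constructed sample. Column layout (UID PID CMD D BYTES FILE) is an assumption
# based on the field order listed above, with no optional columns enabled.
SAMPLE = """\
  UID    PID CMD          D   BYTES FILE
    0   2924 sh           R     128 /etc/profile
  100  20334 sshd         R      52 <unknown>
  100  20334 sshd         W      52 <unknown>
    0  20611 cat          R     657 /etc/shadow
    0  20612 backup       R    8192 /export/home/my notes.txt
    0  20613 passwd       R     657 /etc/shadow
"""

WATCHED = ("/etc/shadow", "/etc/security/")   # hypothetical watch list
EXPECTED = {"passwd", "login", "sshd"}        # hypothetical allow list


def parse(text):
    """Yield one dict per event line, skipping the header and short lines."""
    for line in text.splitlines():
        parts = line.split(None, 5)  # FILE is last and may contain spaces
        if len(parts) < 6 or parts[0] == "UID":
            continue
        uid, pid, cmd, direction, nbytes, path = parts
        yield {"uid": int(uid), "pid": int(pid), "cmd": cmd,
               "dir": direction, "bytes": int(nbytes), "file": path}


def summarize(text, watched=WATCHED, expected=EXPECTED):
    """Return (bytes per (cmd, dir), non-file bytes per cmd, watched-file hits)."""
    totals, nonfile, hits = defaultdict(int), defaultdict(int), []
    for ev in parse(text):
        totals[(ev["cmd"], ev["dir"])] += ev["bytes"]
        if ev["file"] == "<unknown>":      # not file based, e.g. a socket
            nonfile[ev["cmd"]] += ev["bytes"]
        elif ev["file"].startswith(watched) and ev["cmd"] not in expected:
            hits.append((ev["uid"], ev["pid"], ev["cmd"], ev["dir"], ev["file"]))
    return dict(totals), dict(nonfile), hits


if __name__ == "__main__":
    totals, nonfile, hits = summarize(SAMPLE)
    for hit in hits:
        print("watched file accessed:", hit)
    print("non-file bytes per command:", nonfile)
```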

See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with verbose descriptions explaining the output.

rwsnoop will run forever until Ctrl-C is hit.

Brendan Gregg [Sydney, Australia]

rwtop(1M), dtrace(1M)

July 24, 2005 version 0.70