opensnoop
Bob Rudis (via Jens Alfke):
Leopard ships with something called DTrace that gives developers and administrators the ability to take a peek at what all running code is doing in a flexible and dynamic way. Giving DTrace the coverage it deserves is beyond a simple blog post, but there are some smaller utilities – like opensnoop – that take advantage of the power of DTrace, but on a more targeted scale which are worthy of a minor exposition. The main purpose of the opensnoop utility is to provide a report of file opens as they occur.
Here’s the man page. This seems like a good alternative to fs_usage for certain use cases.
Update (2022-02-08): LOLgrep:
It’s insane how useful opensnoop -t -f "/Some/Path/ThatYouWannaObserveWhoIsOpening/It" is
3 Comments
You can find a bunch of other preinstalled dtrace scripts by looking for snoop:
> apropos snoop
creatbyproc.d(1m) - snoop creat()s by process name. Uses DTrace
execsnoop(1m) - snoop new process execution. Uses DTrace
filebyproc.d(1m) - snoop opens by process name. Uses DTrace
iosnoop(1m) - snoop I/O events as they occur. Uses DTrace
kill.d(1m) - snoop process signals as they occur. Uses DTrace
newproc.d(1m) - snoop new processes. Uses DTrace
opensnoop(1m) - snoop file opens as they occur. Uses DTrace
rwsnoop(1m) - snoop read/write events. Uses DTrace
setuids.d(1m) - snoop setuid calls as they occur. Uses DTrace
And after another thought, you can get even more scripts by looking for DTrace:
> apropos DTrace
…
lots of DTrace scripts.
…