Monday, June 24, 2013

opensnoop

Bob Rudis (via Jens Alfke):

Leopard ships with something called DTrace that gives developers and administrators the ability to take a peek at what all running code is doing in a flexible and dynamic way. Giving DTrace the coverage it deserves is beyond a simple blog post, but there are some smaller utilities – like opensnoop – that take advantage of the power of DTrace, but on a more targeted scale which are worthy of a minor exposition. The main purpose of the opensnoop utility is to provide a report of file opens as they occur.

Here’s the man page. This seems like a good alternative to fs_usage for certain use cases.

Update (2022-02-08): LOLgrep:

It’s insane how useful opensnoop -t -f "/Some/Path/ThatYouWannaObserveWhoIsOpening/It" is

3 Comments RSS · Twitter

You can find a bunch of other preinstalled dtrace scripts by looking for snoop >

> apropos snoop
creatbyproc.d(1m) - snoop creat()s by process name. Uses DTrace
execsnoop(1m) - snoop new process execution. Uses DTrace
filebyproc.d(1m) - snoop opens by process name. Uses DTrace
iosnoop(1m) - snoop I/O events as they occur. Uses DTrace
kill.d(1m) - snoop process signals as they occur. Uses DTrace
newproc.d(1m) - snoop new processes. Uses DTrace
opensnoop(1m) - snoop file opens as they occur. Uses DTrace
rwsnoop(1m) - snoop read/write events. Uses DTrace
setuids.d(1m) - snoop setuid calls as they occur. Uses DTrace

Jean-Daniel

And after an other though, you can get even more scripts by looking for DTrace

> apropos DTrace

lots of DTrace scripts.

Leave a Comment