| @@ -1,139 +1,120 @@ | | | @@ -1,139 +1,120 @@ |
1 | .TH opensnoop 1m "$Date: 2015/09/30 22:01:09 $" "USER COMMANDS" | | 1 | .\" $NetBSD: opensnoop.1m,v 1.2 2020/06/24 18:06:01 sevan Exp $ |
2 | .SH NAME | | 2 | .Dd June 24, 2020 |
3 | opensnoop \- snoop file opens as they occur. Uses DTrace. | | 3 | .Dt OPENSNOOP 1 |
4 | .SH SYNOPSIS | | 4 | .Os |
5 | .B opensnoop | | 5 | .Sh NAME |
6 | [\-a|\-A|\-ceghsvxZ] [\-f pathname] [\-n name] [\-p PID] | | 6 | .Nm opensnoop |
7 | .SH DESCRIPTION | | 7 | .Nd snoop file opens as they occur. Uses DTrace |
8 | opensnoop tracks file opens. As a process issues a file open, details | | 8 | .Sh SYNOPSIS |
9 | such as UID, PID and pathname are printed out. | | 9 | .Nm |
10 | | | 10 | .Op Fl a | Fl A | Fl ceghsvxZ |
11 | The returned file descriptor is printed, | | 11 | .Op Fl f Ar pathname |
12 | a value of -1 indicates an error. This can be useful | | 12 | .Op Fl n Ar name |
13 | for troubleshooting to determine if appliacions are attempting to | | 13 | .Op Fl p Ar PID |
14 | open files that do not exist. | | 14 | .Sh DESCRIPTION |
15 | | | 15 | .Nm |
| | | 16 | tracks file opens. |
| | | 17 | As a process issues a file open, details such as UID, PID and pathname are |
| | | 18 | printed out. |
| | | 19 | The returned file descriptor is printed, a value of -1 indicates an error. |
| | | 20 | This can be useful for troubleshooting to determine if appliacions are |
| | | 21 | attempting to open files that do not exist. |
16 | Since this uses DTrace, only the root user or users with the | | 22 | Since this uses DTrace, only the root user or users with the |
17 | dtrace_kernel privilege can run this command. | | 23 | dtrace_kernel privilege can run this command. |
18 | .SH OS | | 24 | .Bl -tag -width Ds |
19 | Solaris | | 25 | .It Fl a |
20 | .SH STABILITY | | | |
21 | stable - needs the syscall provider. | | | |
22 | .SH OPTIONS | | | |
23 | .TP | | | |
24 | \-a | | | |
25 | print all data | | 26 | print all data |
26 | .TP | | 27 | .It Fl A |
27 | \-A | | | |
28 | dump all data, space delimited | | 28 | dump all data, space delimited |
29 | .TP | | 29 | .It Fl c |
30 | \-c | | | |
31 | print current working directory of process | | 30 | print current working directory of process |
32 | .TP | | 31 | .It Fl e |
33 | \-e | | | |
34 | print errno value | | 32 | print errno value |
35 | .TP | | 33 | .It Fl g |
36 | \-g | | | |
37 | print full command arguments | | 34 | print full command arguments |
38 | .TP | | 35 | .It Fl s |
39 | \-s | | | |
40 | print start time, us | | 36 | print start time, us |
41 | .TP | | 37 | .It Fl v |
42 | \-v | | | |
43 | print start time, string | | 38 | print start time, string |
44 | .TP | | 39 | .It Fl x |
45 | \-x | | | |
46 | only print failed opens | | 40 | only print failed opens |
47 | .TP | | 41 | .It Fl Z |
48 | \-Z | | | |
49 | print zonename | | 42 | print zonename |
50 | .TP | | 43 | .It Fl f Ar pathname |
51 | \-f pathname | | | |
52 | file pathname to snoop | | 44 | file pathname to snoop |
53 | .TP | | 45 | .It Fl n Ar name |
54 | \-n name | | | |
55 | process name to snoop | | 46 | process name to snoop |
56 | .TP | | 47 | .It Fl p Ar PID |
57 | \-p PID | | | |
58 | process ID to snoop | | 48 | process ID to snoop |
59 | .PP | | 49 | .El |
60 | .SH EXAMPLES | | 50 | .Pp |
61 | .TP | | 51 | Description of fields |
62 | Default output, print file opens by process as they occur, | | 52 | .Bl -column |
63 | # | | 53 | .It ZONE |
64 | .B opensnoop | | | |
65 | .PP | | | |
66 | .TP | | | |
67 | Print human readable timestamps, | | | |
68 | # | | | |
69 | .B opensnoop | | | |
70 | \-v | | | |
71 | .PP | | | |
72 | .TP | | | |
73 | See error codes, | | | |
74 | # | | | |
75 | .B opensnoop | | | |
76 | \-e | | | |
77 | .PP | | | |
78 | .TP | | | |
79 | Snoop this file only, | | | |
80 | # | | | |
81 | .B opensnoop | | | |
82 | \-f /etc/passwd | | | |
83 | .PP | | | |
84 | .SH FIELDS | | | |
85 | .TP | | | |
86 | ZONE | | | |
87 | Zone name | | 54 | Zone name |
88 | .TP | | 55 | .It UID |
89 | UID | | | |
90 | User ID | | 56 | User ID |
91 | .TP | | 57 | .It PID |
92 | PID | | | |
93 | Process ID | | 58 | Process ID |
94 | .TP | | 59 | .It PPID |
95 | PPID | | | |
96 | Parent Process ID | | 60 | Parent Process ID |
97 | .TP | | 61 | .It FD |
98 | FD | | | |
99 | File Descriptor (-1 is error) | | 62 | File Descriptor (-1 is error) |
100 | .TP | | 63 | .It ERR |
101 | ERR | | 64 | errno value (see |
102 | errno value (see /usr/include/sys/errno.h) | | 65 | .Pa /usr/include/sys/errno.h |
103 | .TP | | 66 | ) |
104 | CWD | | 67 | .It CWD |
105 | current working directory of process | | 68 | current working directory of process |
106 | .TP | | 69 | .It PATH |
107 | PATH | | | |
108 | pathname for file open | | 70 | pathname for file open |
109 | .TP | | 71 | .It COMM |
110 | COMM | | | |
111 | command name for the process | | 72 | command name for the process |
112 | .TP | | 73 | .It ARGS |
113 | ARGS | | | |
114 | argument listing for the process | | 74 | argument listing for the process |
115 | .TP | | 75 | .It TIME |
116 | TIME | | | |
117 | timestamp for the open event, us | | 76 | timestamp for the open event, us |
118 | .TP | | 77 | .It STRTIME |
119 | STRTIME | | | |
120 | timestamp for the open event, string | | 78 | timestamp for the open event, string |
121 | .SH DOCUMENTATION | | 79 | .El |
122 | See the DTraceToolkit for further documentation under the | | 80 | .Sh EXAMPLES |
123 | Docs directory. The DTraceToolkit docs may include full worked | | 81 | Default output, print file opens by process as they occur, |
124 | examples with verbose descriptions explaining the output. | | 82 | .Bd -literal -offset indent |
125 | .SH EXIT | | 83 | .Ic opensnoop |
126 | opensnoop will run forever until Ctrl\-C is hit. | | 84 | .Ed |
127 | .SH BUGS | | 85 | .Pp |
128 | occasionally the pathname for the file open cannot be read | | 86 | Print human readable timestamps, |
129 | and the following error will be seen, | | 87 | .Bd -literal -offset indent |
130 | | | 88 | .Ic opensnoop -v |
| | | 89 | .Ed |
| | | 90 | .Pp |
| | | 91 | See error codes, |
| | | 92 | .Bd -literal -offset indent |
| | | 93 | .Ic opensnoop -e |
| | | 94 | .Ed |
| | | 95 | .Pp |
| | | 96 | Snoop this file only, |
| | | 97 | .Bd -literal -offset indent |
| | | 98 | .Ic opensnoop -f /etc/passwd |
| | | 99 | .Ed |
| | | 100 | .Sh STABILITY |
| | | 101 | stable - needs the syscall provider. |
| | | 102 | .Sh DOCUMENTATION |
| | | 103 | See the DTraceToolkit for further documentation under the Docs directory. |
| | | 104 | The DTraceToolkit docs may include full worked examples with verbose |
| | | 105 | descriptions explaining the output. |
| | | 106 | .Sh EXIT |
| | | 107 | opensnoop will run forever until Ctrl\-C is hit. |
| | | 108 | .Sh SEE ALSO |
| | | 109 | .Xr dtrace 1 |
| | | 110 | .Sh AUTHORS |
| | | 111 | .An Brendan Gregg |
| | | 112 | [Sydney, Australia] |
| | | 113 | .Sh BUGS |
| | | 114 | Occasionally the pathname for the file open cannot be read and the following |
| | | 115 | error will be seen, |
| | | 116 | .Bd -literal -offset indent |
131 | dtrace: error on enabled probe ID 6 (...): invalid address | | 117 | dtrace: error on enabled probe ID 6 (...): invalid address |
132 | | | 118 | .Ed |
| | | 119 | .Pp |
133 | this is normal behaviour. | | 120 | this is normal behaviour. |
134 | .SH AUTHOR | | | |
135 | Brendan Gregg | | | |
136 | [Sydney, Australia] | | | |
137 | .SH SEE ALSO | | | |
138 | dtrace(1M), truss(1) | | | |
139 | | | | |