oracular (8) opensnoop-perf.8.gz

Provided by: perf-tools-unstable_1.0.1~20200130+git49b8cdf-1ubuntu1_all bug

NAME

       opensnoop - trace open() syscalls with file details. Uses Linux ftrace.

SYNOPSIS

       opensnoop [-htx] [-d secs] [-p pid] [-L tid] [-n name] [filename]

DESCRIPTION

       This traces open() syscalls, showing the file name (pathname) and returned file descriptor
       number (or -1, for error).

       This implementation is designed to work on  older  kernel  versions,  and  without  kernel
       debuginfo.  It  works by dynamic tracing of the return value of getname() as a string, and
       associating it with the following open() syscall return.  This approach is kernel  version
       specific,  and may not work on your version.  It is a workaround, and proof of concept for
       ftrace, until more kernel tracing functionality is available.

       Since this uses ftrace, only the root user can use this tool.

REQUIREMENTS

       FTRACE and KPROBE CONFIG, the syscalls:sys_exit_open tracepoint, and the getname()  kernel
       function.  You  may  already have these enabled and available on recent Linux kernels. And
       awk.

OPTIONS

       -d secs
              Set the duration of tracing, in seconds. Trace output will be buffered and  printed
              at the end. This also reduces overheads by buffering in-kernel, instead of printing
              events as they occur.

              The     ftrace     buffer     has     a      fixed      size      per-CPU      (see
              /sys/kernel/debug/tracing/buffer_size_kb).  If  you  think  events are missing, try
              increasing that size.

       -h     Print usage message.

       -n name
              Only show processes  matching  this  process  name.  Partial  strings  and  regular
              expressions are allowed. This is post-filtered using awk.

       -p PID Only trace this process ID. This is filtered in-kernel.

       -L TID Only trace this thread ID. This is filtered in-kernel.

       -t     Include timestamps, in seconds.

       -x     Only print failed open()s.

       filename
              Only   show  open()s  which  match  this  filename.  Partial  strings  and  regular
              expressions are allowed. This is post-filtered using awk.

EXAMPLES

       Trace all open() syscalls with details:
              # opensnoop

       Only trace open()s for PID 81:
              # opensnoop -p 81

       Trace failed open() syscalls:
              # opensnoop -x

       Trace open() syscalls for filenames containing "conf":
              # opensnoop conf

       Trace open() syscalls for filenames ending in "log":
              # opensnoop 'log$'

FIELDS

       TIMEs  Time of open() completion, in units of seconds.

       COMM   Process name (if known).

       PID    Process ID.

       FD     File descriptor. If this is a successful open, the file descriptor number is shown.
              If this is unsuccessful, -1 is shown. Numbers beginning with 0x are hexadecimal.

       FILE   Filename (pathname) used by the open() syscall.

OVERHEAD

       This  reads  and  open()  syscalls and getname() kernel functions as they occur.  For high
       rates of opens (> 500/s), the overhead may begin to be measurable.  Test yourself. You can
       use the -d mode to buffer output, reducing overheads.

SOURCE

       This is from the perf-tools collection.

              https://github.com/brendangregg/perf-tools

       Also  look  under the examples directory for a text file containing example usage, output,
       and commentary for this tool.

OS

       Linux

STABILITY

       Unstable - in development.

AUTHOR

       Brendan Gregg

SEE ALSO

       execsnoop(8), strace(1)