opensnoop_example.txt [plain text]
The following are examples of opensnoop. File open events are traced
along with some process details.
This first example is of the default output. The commands "cat", "cal",
"ls" and "uname" were run. The returned file descriptor (or -1 for error) are
shown, along with the filenames.
# ./opensnoop
UID PID COMM FD PATH
100 3504 cat -1 /var/ld/ld.config
100 3504 cat 3 /usr/lib/libc.so.1
100 3504 cat 3 /etc/passwd
100 3505 cal -1 /var/ld/ld.config
100 3505 cal 3 /usr/lib/libc.so.1
100 3505 cal 3 /usr/share/lib/zoneinfo/Australia/NSW
100 3506 ls -1 /var/ld/ld.config
100 3506 ls 3 /usr/lib/libc.so.1
100 3507 uname -1 /var/ld/ld.config
100 3507 uname 3 /usr/lib/libc.so.1
[...]
Full command arguments can be fetched using -g,
# ./opensnoop -g
UID PID PATH FD ARGS
100 3528 /var/ld/ld.config -1 cat /etc/passwd
100 3528 /usr/lib/libc.so.1 3 cat /etc/passwd
100 3528 /etc/passwd 3 cat /etc/passwd
100 3529 /var/ld/ld.config -1 cal
100 3529 /usr/lib/libc.so.1 3 cal
100 3529 /usr/share/lib/zoneinfo/Australia/NSW 3 cal
100 3530 /var/ld/ld.config -1 ls -l
100 3530 /usr/lib/libc.so.1 3 ls -l
100 3530 /var/run/name_service_door 3 ls -l
100 3530 /usr/share/lib/zoneinfo/Australia/NSW 4 ls -l
100 3531 /var/ld/ld.config -1 uname -a
100 3531 /usr/lib/libc.so.1 3 uname -a
[...]
The verbose option prints human readable timestamps,
# ./opensnoop -v
STRTIME UID PID COMM FD PATH
2005 Jan 22 01:22:50 0 23212 df -1 /var/ld/ld.config
2005 Jan 22 01:22:50 0 23212 df 3 /lib/libcmd.so.1
2005 Jan 22 01:22:50 0 23212 df 3 /lib/libc.so.1
2005 Jan 22 01:22:50 0 23212 df 3 /platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1
2005 Jan 22 01:22:50 0 23212 df 3 /etc/mnttab
2005 Jan 22 01:22:50 0 23211 dtrace 4 /usr/share/lib/zoneinfo/Australia/NSW
2005 Jan 22 01:22:51 0 23213 uname -1 /var/ld/ld.config
2005 Jan 22 01:22:51 0 23213 uname 3 /lib/libc.so.1
2005 Jan 22 01:22:51 0 23213 uname 3 /platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1
[...]
Particular files can be monitored using -f. For example,
# ./opensnoop -vgf /etc/passwd
STRTIME UID PID PATH FD ARGS
2005 Jan 22 01:28:50 0 23242 /etc/passwd 3 cat /etc/passwd
2005 Jan 22 01:28:54 0 23243 /etc/passwd 4 vi /etc/passwd
2005 Jan 22 01:29:06 0 23244 /etc/passwd 3 passwd brendan
[...]
This example is of opensnoop running on a quiet system. We can see as
various daemons are opening files,
# ./opensnoop
UID PID COMM FD PATH
0 253 nscd 5 /etc/user_attr
0 253 nscd 5 /etc/hosts
0 419 mibiisa 2 /dev/kstat
0 419 mibiisa 2 /dev/rtls
0 419 mibiisa 2 /dev/kstat
0 419 mibiisa 2 /dev/kstat
0 419 mibiisa 2 /dev/rtls
0 419 mibiisa 2 /dev/kstat
0 253 nscd 5 /etc/user_attr
0 419 mibiisa 2 /dev/kstat
0 419 mibiisa 2 /dev/rtls
0 419 mibiisa 2 /dev/kstat
0 174 in.routed 8 /dev/kstat
0 174 in.routed 8 /dev/kstat
0 174 in.routed 6 /dev/ip
0 419 mibiisa 2 /dev/kstat
0 419 mibiisa 2 /dev/rtls
0 419 mibiisa 2 /dev/kstat
0 293 utmpd 4 /var/adm/utmpx
0 293 utmpd 5 /var/adm/utmpx
0 293 utmpd 6 /proc/442/psinfo
0 293 utmpd 6 /proc/567/psinfo
0 293 utmpd 6 /proc/567/psinfo
0 293 utmpd 6 /proc/567/psinfo
0 293 utmpd 6 /proc/567/psinfo
0 293 utmpd 6 /proc/567/psinfo
0 293 utmpd 6 /proc/567/psinfo
0 293 utmpd 6 /proc/567/psinfo
0 293 utmpd 6 /proc/567/psinfo
0 293 utmpd 6 /proc/3013/psinfo
0 419 mibiisa 2 /dev/kstat
0 419 mibiisa 2 /dev/rtls
0 419 mibiisa 2 /dev/kstat
[...]