The following are examples of opensnoop. File open events are traced along with some process details. This first example is of the default output. The commands "cat", "cal", "ls" and "uname" were run. The returned file descriptor (or -1 for error) are shown, along with the filenames. # ./opensnoop UID PID COMM FD PATH 100 3504 cat -1 /var/ld/ld.config 100 3504 cat 3 /usr/lib/libc.so.1 100 3504 cat 3 /etc/passwd 100 3505 cal -1 /var/ld/ld.config 100 3505 cal 3 /usr/lib/libc.so.1 100 3505 cal 3 /usr/share/lib/zoneinfo/Australia/NSW 100 3506 ls -1 /var/ld/ld.config 100 3506 ls 3 /usr/lib/libc.so.1 100 3507 uname -1 /var/ld/ld.config 100 3507 uname 3 /usr/lib/libc.so.1 [...] Full command arguments can be fetched using -g, # ./opensnoop -g UID PID PATH FD ARGS 100 3528 /var/ld/ld.config -1 cat /etc/passwd 100 3528 /usr/lib/libc.so.1 3 cat /etc/passwd 100 3528 /etc/passwd 3 cat /etc/passwd 100 3529 /var/ld/ld.config -1 cal 100 3529 /usr/lib/libc.so.1 3 cal 100 3529 /usr/share/lib/zoneinfo/Australia/NSW 3 cal 100 3530 /var/ld/ld.config -1 ls -l 100 3530 /usr/lib/libc.so.1 3 ls -l 100 3530 /var/run/name_service_door 3 ls -l 100 3530 /usr/share/lib/zoneinfo/Australia/NSW 4 ls -l 100 3531 /var/ld/ld.config -1 uname -a 100 3531 /usr/lib/libc.so.1 3 uname -a [...] The verbose option prints human readable timestamps, # ./opensnoop -v STRTIME UID PID COMM FD PATH 2005 Jan 22 01:22:50 0 23212 df -1 /var/ld/ld.config 2005 Jan 22 01:22:50 0 23212 df 3 /lib/libcmd.so.1 2005 Jan 22 01:22:50 0 23212 df 3 /lib/libc.so.1 2005 Jan 22 01:22:50 0 23212 df 3 /platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1 2005 Jan 22 01:22:50 0 23212 df 3 /etc/mnttab 2005 Jan 22 01:22:50 0 23211 dtrace 4 /usr/share/lib/zoneinfo/Australia/NSW 2005 Jan 22 01:22:51 0 23213 uname -1 /var/ld/ld.config 2005 Jan 22 01:22:51 0 23213 uname 3 /lib/libc.so.1 2005 Jan 22 01:22:51 0 23213 uname 3 /platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1 [...] Particular files can be monitored using -f. For example, # ./opensnoop -vgf /etc/passwd STRTIME UID PID PATH FD ARGS 2005 Jan 22 01:28:50 0 23242 /etc/passwd 3 cat /etc/passwd 2005 Jan 22 01:28:54 0 23243 /etc/passwd 4 vi /etc/passwd 2005 Jan 22 01:29:06 0 23244 /etc/passwd 3 passwd brendan [...] This example is of opensnoop running on a quiet system. We can see as various daemons are opening files, # ./opensnoop UID PID COMM FD PATH 0 253 nscd 5 /etc/user_attr 0 253 nscd 5 /etc/hosts 0 419 mibiisa 2 /dev/kstat 0 419 mibiisa 2 /dev/rtls 0 419 mibiisa 2 /dev/kstat 0 419 mibiisa 2 /dev/kstat 0 419 mibiisa 2 /dev/rtls 0 419 mibiisa 2 /dev/kstat 0 253 nscd 5 /etc/user_attr 0 419 mibiisa 2 /dev/kstat 0 419 mibiisa 2 /dev/rtls 0 419 mibiisa 2 /dev/kstat 0 174 in.routed 8 /dev/kstat 0 174 in.routed 8 /dev/kstat 0 174 in.routed 6 /dev/ip 0 419 mibiisa 2 /dev/kstat 0 419 mibiisa 2 /dev/rtls 0 419 mibiisa 2 /dev/kstat 0 293 utmpd 4 /var/adm/utmpx 0 293 utmpd 5 /var/adm/utmpx 0 293 utmpd 6 /proc/442/psinfo 0 293 utmpd 6 /proc/567/psinfo 0 293 utmpd 6 /proc/567/psinfo 0 293 utmpd 6 /proc/567/psinfo 0 293 utmpd 6 /proc/567/psinfo 0 293 utmpd 6 /proc/567/psinfo 0 293 utmpd 6 /proc/567/psinfo 0 293 utmpd 6 /proc/567/psinfo 0 293 utmpd 6 /proc/567/psinfo 0 293 utmpd 6 /proc/3013/psinfo 0 419 mibiisa 2 /dev/kstat 0 419 mibiisa 2 /dev/rtls 0 419 mibiisa 2 /dev/kstat [...]