rwsnoop_example.txt [plain text]
The following is a demonstration of the rwsnoop program,
Here we run it for about a second,
# rwsnoop
UID PID CMD D BYTES FILE
100 20334 sshd R 52 <unknown>
100 20334 sshd W 1 /devices/pseudo/clone@0:ptm
0 20320 bash W 1 /devices/pseudo/pts@0:12
100 20334 sshd R 2 /devices/pseudo/clone@0:ptm
100 20334 sshd W 52 <unknown>
0 2848 ls W 58 /devices/pseudo/pts@0:12
0 2848 ls W 68 /devices/pseudo/pts@0:12
0 2848 ls W 57 /devices/pseudo/pts@0:12
0 2848 ls W 67 /devices/pseudo/pts@0:12
0 2848 ls W 48 /devices/pseudo/pts@0:12
0 2848 ls W 49 /devices/pseudo/pts@0:12
0 2848 ls W 33 /devices/pseudo/pts@0:12
0 2848 ls W 41 /devices/pseudo/pts@0:12
100 20334 sshd R 429 /devices/pseudo/clone@0:ptm
100 20334 sshd W 468 <unknown>
^C
The output scrolls rather fast. Above, we can see an ls command was run,
and we can see as ls writes each line. The "<unknown>" read/writes are
socket activity, which have no corresponding filename.
For a summary style output, use the rwtop program.
If a particular program is of interest, the "-n" option can be used
to match on process name. Here we match on "bash" during a login where
the user uses the bash shell as their default,
# rwsnoop -n bash
UID PID CMD D BYTES FILE
100 2854 bash R 757 /etc/nsswitch.conf
100 2854 bash R 0 /etc/nsswitch.conf
100 2854 bash R 668 /etc/passwd
100 2854 bash R 980 /etc/profile
100 2854 bash W 15 /devices/pseudo/pts@0:14
100 2854 bash R 10 /export/home/brendan/.bash_profile
100 2854 bash R 867 /export/home/brendan/.bashrc
100 2854 bash R 980 /etc/profile
100 2854 bash W 15 /devices/pseudo/pts@0:14
100 2854 bash R 8951 /export/home/brendan/.bash_history
100 2854 bash R 8951 /export/home/brendan/.bash_history
100 2854 bash R 1652 /usr/share/lib/terminfo/d/dtterm
100 2854 bash W 41 /devices/pseudo/pts@0:14
100 2854 bash R 1 /devices/pseudo/pts@0:14
100 2854 bash W 1 /devices/pseudo/pts@0:14
100 2854 bash W 41 /devices/pseudo/pts@0:14
100 2854 bash R 1 /devices/pseudo/pts@0:14
100 2854 bash W 7 /devices/pseudo/pts@0:14
In the above, various bash related files such as ".bash_profile" and
".bash_history" can be seen. The ".bashrc" is also read, as it was sourced
from the .bash_profile.
Extra options with rwsnoop allow us to print zone ID, project ID, timestamps,
etc. Here we use "-v" to see the time printed, and match on "ps" processes,
# rwsnoop -vn ps
TIMESTR UID PID CMD D BYTES FILE
2005 Jul 24 04:23:45 0 2804 ps R 168 /proc/2804/auxv
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/2804/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 1495 /etc/ttysrch
2005 Jul 24 04:23:45 0 2804 ps W 28 /devices/pseudo/pts.
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/0/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/1/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/2/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/3/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/218/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/7/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/9/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/360/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/91/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/112/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/307/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/226/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/242/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/228/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/243/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/234/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/119/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/143/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/361/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/20314/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/116/psinfo
[...]