The following are examples of opensnoop. File open events are traced
along with some process details.

This first example is of the default output. The commands "cat", "cal",
"ls" and "uname" were run. The returned file descriptor (or -1 for error) is
shown, along with the filenames.

100 3504 cat -1 /var/ld/ld.config
100 3504 cat 3 /usr/lib/libc.so.1
100 3504 cat 3 /etc/passwd
100 3505 cal -1 /var/ld/ld.config
100 3505 cal 3 /usr/lib/libc.so.1
100 3505 cal 3 /usr/share/lib/zoneinfo/Australia/NSW
100 3506 ls -1 /var/ld/ld.config
100 3506 ls 3 /usr/lib/libc.so.1
100 3507 uname -1 /var/ld/ld.config
100 3507 uname 3 /usr/lib/libc.so.1

Full command arguments can be fetched using -g,

100 3528 /var/ld/ld.config -1 cat /etc/passwd
100 3528 /usr/lib/libc.so.1 3 cat /etc/passwd
100 3528 /etc/passwd 3 cat /etc/passwd
100 3529 /var/ld/ld.config -1 cal
100 3529 /usr/lib/libc.so.1 3 cal
100 3529 /usr/share/lib/zoneinfo/Australia/NSW 3 cal
100 3530 /var/ld/ld.config -1 ls -l
100 3530 /usr/lib/libc.so.1 3 ls -l
100 3530 /var/run/name_service_door 3 ls -l
100 3530 /usr/share/lib/zoneinfo/Australia/NSW 4 ls -l
100 3531 /var/ld/ld.config -1 uname -a
100 3531 /usr/lib/libc.so.1 3 uname -a

The verbose option prints human readable timestamps,

STRTIME UID PID COMM FD PATH
2005 Jan 22 01:22:50 0 23212 df -1 /var/ld/ld.config
2005 Jan 22 01:22:50 0 23212 df 3 /lib/libcmd.so.1
2005 Jan 22 01:22:50 0 23212 df 3 /lib/libc.so.1
2005 Jan 22 01:22:50 0 23212 df 3 /platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1
2005 Jan 22 01:22:50 0 23212 df 3 /etc/mnttab
2005 Jan 22 01:22:50 0 23211 dtrace 4 /usr/share/lib/zoneinfo/Australia/NSW
2005 Jan 22 01:22:51 0 23213 uname -1 /var/ld/ld.config
2005 Jan 22 01:22:51 0 23213 uname 3 /lib/libc.so.1
2005 Jan 22 01:22:51 0 23213 uname 3 /platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1

Particular files can be monitored using -f. For example,

# ./opensnoop -vgf /etc/passwd
STRTIME UID PID PATH FD ARGS
2005 Jan 22 01:28:50 0 23242 /etc/passwd 3 cat /etc/passwd
2005 Jan 22 01:28:54 0 23243 /etc/passwd 4 vi /etc/passwd
2005 Jan 22 01:29:06 0 23244 /etc/passwd 3 passwd brendan

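Captured output in the layouts shown above can be post-processed to list failed opens and the processes that opened a watched file. The following Python is an added example, not part of the original file or of the DTraceToolkit; the names Open, parse_opensnoop and review are hypothetical, and it assumes paths contain no whitespace and only the column layouts shown on this page.

```python
import collections
Open = collections.namedtuple("Open", "time uid pid who fd path")

# Sample rows copied from the -v and -vgf output shown on this page.
SAMPLE_V = """\
STRTIME UID PID COMM FD PATH
2005 Jan 22 01:22:50 0 23212 df -1 /var/ld/ld.config
2005 Jan 22 01:22:50 0 23212 df 3 /etc/mnttab
"""
SAMPLE_VGF = """\
STRTIME UID PID PATH FD ARGS
2005 Jan 22 01:28:50 0 23242 /etc/passwd 3 cat /etc/passwd
2005 Jan 22 01:28:54 0 23243 /etc/passwd 4 vi /etc/passwd
2005 Jan 22 01:29:06 0 23244 /etc/passwd 3 passwd brendan
"""

def parse_opensnoop(text):
    """Parse captured output; the header row selects the layout (assumes no spaces in PATH)."""
    verbose = with_args = False                     # no header: UID PID COMM FD PATH
    events = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] in ("STRTIME", "UID"):            # header row
            verbose, with_args = tok[0] == "STRTIME", "ARGS" in tok
            continue
        when, tok = (" ".join(tok[:4]), tok[4:]) if verbose else (None, tok)
        try:
            uid, pid = int(tok[0]), int(tok[1])
            if with_args:                           # PATH FD ARGS...
                path, fd, who = tok[2], int(tok[3]), " ".join(tok[4:])
            else:                                   # COMM FD PATH
                who, fd, path = tok[2], int(tok[3]), tok[4]
        except (ValueError, IndexError):
            continue                                # skip malformed rows
        events.append(Open(when, uid, pid, who, fd, path))
    return events

def review(events, watched=("/etc/passwd",)):
    """Count failed opens (FD -1) per path and list who opened watched paths."""
    failed = collections.Counter()
    openers = collections.defaultdict(list)
    for e in events:
        if e.fd == -1:
            failed[e.path] += 1
        if e.path in watched:
            openers[e.path].append((e.time, e.uid, e.pid, e.who))
    return failed, openers
```
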
This example is of opensnoop running on a quiet system. We can see
various daemons opening files,

0 253 nscd 5 /etc/user_attr
0 253 nscd 5 /etc/hosts
0 419 mibiisa 2 /dev/kstat
0 419 mibiisa 2 /dev/rtls
0 419 mibiisa 2 /dev/kstat
0 419 mibiisa 2 /dev/kstat
0 419 mibiisa 2 /dev/rtls
0 419 mibiisa 2 /dev/kstat
0 253 nscd 5 /etc/user_attr
0 419 mibiisa 2 /dev/kstat
0 419 mibiisa 2 /dev/rtls
0 419 mibiisa 2 /dev/kstat
0 174 in.routed 8 /dev/kstat
0 174 in.routed 8 /dev/kstat
0 174 in.routed 6 /dev/ip
0 419 mibiisa 2 /dev/kstat
0 419 mibiisa 2 /dev/rtls
0 419 mibiisa 2 /dev/kstat
0 293 utmpd 4 /var/adm/utmpx
0 293 utmpd 5 /var/adm/utmpx
0 293 utmpd 6 /proc/442/psinfo
0 293 utmpd 6 /proc/567/psinfo
0 293 utmpd 6 /proc/567/psinfo
0 293 utmpd 6 /proc/567/psinfo
0 293 utmpd 6 /proc/567/psinfo
0 293 utmpd 6 /proc/567/psinfo
0 293 utmpd 6 /proc/567/psinfo
0 293 utmpd 6 /proc/567/psinfo
0 293 utmpd 6 /proc/567/psinfo
0 293 utmpd 6 /proc/3013/psinfo
0 419 mibiisa 2 /dev/kstat
0 419 mibiisa 2 /dev/rtls
0 419 mibiisa 2 /dev/kstat