The following is a demonstration of the rwsnoop program,

Here we run it for about a second,

  UID    PID CMD          D   BYTES FILE
  100  20334 sshd         R      52 <unknown>
  100  20334 sshd         W       1 /devices/pseudo/clone@0:ptm
    0  20320 bash         W       1 /devices/pseudo/pts@0:12
  100  20334 sshd         R       2 /devices/pseudo/clone@0:ptm
  100  20334 sshd         W      52 <unknown>
    0   2848 ls           W      58 /devices/pseudo/pts@0:12
    0   2848 ls           W      68 /devices/pseudo/pts@0:12
    0   2848 ls           W      57 /devices/pseudo/pts@0:12
    0   2848 ls           W      67 /devices/pseudo/pts@0:12
    0   2848 ls           W      48 /devices/pseudo/pts@0:12
    0   2848 ls           W      49 /devices/pseudo/pts@0:12
    0   2848 ls           W      33 /devices/pseudo/pts@0:12
    0   2848 ls           W      41 /devices/pseudo/pts@0:12
  100  20334 sshd         R     429 /devices/pseudo/clone@0:ptm
  100  20334 sshd         W     468 <unknown>

The output scrolls rather fast. Above, we can see that an ls command was run,
and we can see each line as ls writes it. The "<unknown>" reads/writes are
socket activity, which has no corresponding filename.

For a summary style output, use the rwtop program.

If a particular program is of interest, the "-n" option can be used
to match on process name. Here we match on "bash" during a login where
the user uses the bash shell as their default,

  UID    PID CMD          D   BYTES FILE
  100   2854 bash         R     757 /etc/nsswitch.conf
  100   2854 bash         R       0 /etc/nsswitch.conf
  100   2854 bash         R     668 /etc/passwd
  100   2854 bash         R     980 /etc/profile
  100   2854 bash         W      15 /devices/pseudo/pts@0:14
  100   2854 bash         R      10 /export/home/brendan/.bash_profile
  100   2854 bash         R     867 /export/home/brendan/.bashrc
  100   2854 bash         R     980 /etc/profile
  100   2854 bash         W      15 /devices/pseudo/pts@0:14
  100   2854 bash         R    8951 /export/home/brendan/.bash_history
  100   2854 bash         R    8951 /export/home/brendan/.bash_history
  100   2854 bash         R    1652 /usr/share/lib/terminfo/d/dtterm
  100   2854 bash         W      41 /devices/pseudo/pts@0:14
  100   2854 bash         R       1 /devices/pseudo/pts@0:14
  100   2854 bash         W       1 /devices/pseudo/pts@0:14
  100   2854 bash         W      41 /devices/pseudo/pts@0:14
  100   2854 bash         R       1 /devices/pseudo/pts@0:14
  100   2854 bash         W       7 /devices/pseudo/pts@0:14

In the above, various bash related files such as ".bash_profile" and
".bash_history" can be seen. The ".bashrc" is also read, as it was sourced
from the .bash_profile.

Extra options with rwsnoop allow us to print zone ID, project ID, timestamps,
etc. Here we use "-v" to see the time printed, and match on "ps" processes,

TIMESTR                UID    PID CMD          D   BYTES FILE
2005 Jul 24 04:23:45     0   2804 ps           R     168 /proc/2804/auxv
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/2804/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R    1495 /etc/ttysrch
2005 Jul 24 04:23:45     0   2804 ps           W      28 /devices/pseudo/pts.
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/0/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/1/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/2/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/3/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/218/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/7/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/9/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/360/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/91/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/112/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/307/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/226/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/242/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/228/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/243/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/234/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/119/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/143/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/361/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/20314/psinfo
2005 Jul 24 04:23:45     0   2804 ps           R     336 /proc/116/psinfo
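
The following Python is an added example, not part of the original page or of the DTraceToolkit. It parses saved rwsnoop output in both the default and "-v" layouts shown above and totals bytes per process and direction, similar in spirit to a summary view. The names parse, summarise and SAMPLE are chosen here, and it assumes TIMESTR always spans four whitespace-separated tokens as in the "-v" listing.

```python
from collections import defaultdict

# Constructed input in the shape of the listings above; the last row is built with FILE missing.
SAMPLE = """\
UID PID CMD D BYTES FILE
100 20334 sshd R 52 <unknown>
0 2848 ls W 58 /devices/pseudo/pts@0:12
0 2848 ls W 68 /devices/pseudo/pts@0:12
100 20334 sshd W 468 <unknown>
TIMESTR UID PID CMD D BYTES FILE
2005 Jul 24 04:23:45 0 2804 ps R 168 /proc/2804/auxv
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/2804/psinfo
2005 Jul 24 04:23:45 0 2804 ps W 28
"""

def parse(text):
    """Yield a dict per data row, using the most recent header to name the columns."""
    cols = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[-1] == "FILE" and "PID" in tok:   # header row
            cols = tok
            continue
        # Assumption: TIMESTR spans 4 tokens ("2005 Jul 24 04:23:45").
        # FILE is last and takes the rest of the line, so paths with spaces survive.
        extra = 3 if "TIMESTR" in cols else 0
        fields = line.split(None, len(cols) - 1 + extra)
        if not cols or len(fields) < len(cols) + extra:
            continue                                     # blank, headerless or truncated row
        row, i = {}, 0
        for c in cols:
            width = 4 if c == "TIMESTR" else 1
            row[c] = " ".join(fields[i:i + width])
            i += width
        if row["D"] in ("R", "W") and row["BYTES"].isdigit():
            yield row

def summarise(rows):
    """Total bytes per (PID, CMD, direction), split into file and socket I/O."""
    totals = defaultdict(lambda: {"file": 0, "socket": 0})
    for r in rows:
        # Per the text above, "<unknown>" rows are socket activity with no filename.
        kind = "socket" if r["FILE"] == "<unknown>" else "file"
        totals[(int(r["PID"]), r["CMD"], r["D"])][kind] += int(r["BYTES"])
    return dict(totals)

if __name__ == "__main__":
    for (pid, cmd, d), t in sorted(summarise(parse(SAMPLE)).items()):
        print(f"{pid:>6} {cmd:<8} {d} file={t['file']:<6} socket={t['socket']}")
```

Because columns are named from the header row, extra single-token columns printed by other options are carried through into each row unchanged.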