1 .TH opensnoop 1m "$Date:: 2007-08-05 #$" "USER COMMANDS"
3 opensnoop \- snoop file opens as they occur. Uses DTrace.
6 [\-a|\-A|\-ceghsvxZ] [\-f pathname] [\-n name] [\-p PID]
8 opensnoop tracks file opens. As a process issues a file open, details
9 such as UID, PID and pathname are printed out.
11 The returned file descriptor is printed,
12 a value of -1 indicates an error. This can be useful
13 for troubleshooting to determine if appliacions are attempting to
14 open files that do not exist.
16 Since this uses DTrace, only the root user or users with the
17 dtrace_kernel privilege can run this command.
21 stable - needs the syscall provider.
28 dump all data, space delimited
31 print current working directory of process
37 print full command arguments
43 print start time, string
46 only print failed opens
52 file pathname to snoop
62 Default output, print file opens by process as they occur,
67 Print human readable timestamps,
99 File Descriptor (-1 is error)
102 errno value (see /usr/include/sys/errno.h)
105 current working directory of process
108 pathname for file open
111 command name for the process
114 argument listing for the process
117 timestamp for the open event, us
120 timestamp for the open event, string
122 See the DTraceToolkit for further documentation under the
123 Docs directory. The DTraceToolkit docs may include full worked
124 examples with verbose descriptions explaining the output.
126 opensnoop will run forever until Ctrl\-C is hit.
128 occasionally the pathname for the file open cannot be read
129 and the following error will be seen,
131 dtrace: error on enabled probe ID 6 (...): invalid address
133 this is normal behaviour.