.TH opensnoop 1m "Jan 12, 2006" "version 1.60" "USER COMMANDS" .SH NAME opensnoop \- snoop file opens as they occur. Uses DTrace. .SH SYNOPSIS .B opensnoop [\-a|\-A|\-ceghsvxZ] [\-f pathname] [\-n name] [\-p PID] .SH DESCRIPTION opensnoop tracks file opens. As a process issues a file open, details such as UID, PID and pathname are printed out. The returned file descriptor is printed, a value of -1 indicates an error. This can be useful for troubleshooting to determine if appliacions are attempting to open files that do not exist. Since this uses DTrace, only users with root privileges can run this command. .SH OPTIONS .TP \-a print all data .TP \-A dump all data, space delimited .TP \-c print current working directory of process .TP \-e print errno value .TP \-g print full command arguments .TP \-s print start time, us .TP \-v print start time, string .TP \-x only print failed opens .TP \-Z print zonename .TP \-f pathname file pathname to snoop .TP \-n name process name to snoop .TP \-p PID process ID to snoop .PP .SH EXAMPLES .TP Default output, print file opens by process as they occur, # .B opensnoop .PP .TP Print human readable timestamps, # .B opensnoop \-v .PP .TP See error codes, # .B opensnoop \-e .PP .TP Snoop this file only, # .B opensnoop \-f /etc/passwd .PP .SH FIELDS .TP ZONE Zone name .TP UID User ID .TP PID Process ID .TP PPID Parent Process ID .TP FD File Descriptor (-1 is error) .TP ERR errno value (see /usr/include/sys/errno.h) .TP CWD current working directory of process .TP PATH pathname for file open .TP COMM command name for the process .TP ARGS argument listing for the process .TP TIME timestamp for the open event, us .TP STRTIME timestamp for the open event, string .SH DOCUMENTATION See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with verbose descriptions explaining the output. .SH EXIT opensnoop will run forever until Ctrl\-C is hit. .SH BUGS occasionally the pathname for the file open cannot be read and the following error will be seen, dtrace: error on enabled probe ID 6 (...): invalid address this is normal behaviour. .SH AUTHOR Brendan Gregg [Sydney, Australia] .SH SEE ALSO dtrace(1M), truss(1)