opensnoop(8)                System Manager's Manual               opensnoop(8)

NAME

       opensnoop - Trace open() syscalls. Uses Linux eBPF/bcc.

SYNOPSIS

       opensnoop.py [-h] [-T] [-U] [-x] [-p PID] [-t TID] [-u UID]
                    [-d DURATION] [-n NAME] [-e] [-f FLAG_FILTER]

DESCRIPTION

       opensnoop  traces  the  open()  syscall,  showing  which  processes are
       attempting to open which files. This can be useful for determining  the
       location  of  config and log files, or for troubleshooting applications
       that are failing, especially on startup.

       This works by tracing the  kernel  sys_open()  function  using  dynamic
       tracing, and will need updating to match any changes to this function.

       This  makes  use  of a Linux 4.5 feature (bpf_perf_event_output()); for
       kernels older than 4.5, see the version under tools/old, which uses  an
       older mechanism.

       Since this uses BPF, only the root user can use this tool.

REQUIREMENTS

       CONFIG_BPF and bcc.

OPTIONS

       -h     Print usage message.

       -T     Include a timestamp column.

       -U     Show UID.

       -x     Only print failed opens.

       -p PID Trace this process ID only (filtered in-kernel).

       -t TID Trace this thread ID only (filtered in-kernel).

       -u UID Trace this UID only (filtered in-kernel).

       -d DURATION
              Total duration of trace in seconds.

       -n NAME
              Only print processes whose name partially matches NAME.

       -e     Show extended fields.

       -f FLAG_FILTER
              Filter on open() flags, e.g., O_WRONLY.

EXAMPLES

       Trace all open() syscalls:
              # opensnoop

       Trace all open() syscalls, for 10 seconds only:
              # opensnoop -d 10

       Trace all open() syscalls, and include timestamps:
              # opensnoop -T

       Show UID:
              # opensnoop -U

       Trace only open() syscalls that failed:
              # opensnoop -x

       Trace PID 181 only:
              # opensnoop -p 181

       Trace UID 1000 only:
              # opensnoop -u 1000

       Trace all open() syscalls from processes whose name partially
       matches 'ed':
              # opensnoop -n ed

       Show extended fields:
              # opensnoop -e

       Only print calls for writing:
              # opensnoop -f O_WRONLY -f O_RDWR

FIELDS

       TIME(s)
              Time of the call, in seconds.

       UID    User ID

       PID    Process ID

       TID    Thread ID

       COMM   Process name

       FD     File descriptor (if success), or -1 (if failed)

       ERR    Error number (see the system's errno.h)

       FLAGS  Flags passed to open(2), in octal

       PATH   Open path
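
       Added example (not part of bcc or of this manual page): a Python
       post-processor for saved opensnoop output that decodes the octal FLAGS
       and numeric ERR fields listed above, then reports permission-denied
       opens and writable opens under a watched directory. The sample lines
       are constructed; the column layout (as with -T -U -e), the watched
       prefix, and all function names are assumptions.

```python
import errno

# Linux asm-generic open(2) flag bits (octal); some architectures use other values.
OPEN_FLAGS = {0o1: "O_WRONLY", 0o2: "O_RDWR", 0o100: "O_CREAT", 0o200: "O_EXCL",
              0o1000: "O_TRUNC", 0o2000: "O_APPEND", 0o2000000: "O_CLOEXEC"}

# Constructed sample, not captured from a real system. Column layout is assumed.
SAMPLE = """\
TIME(s)       UID   PID    COMM               FD ERR FLAGS    PATH
0.000000000   0     1201   sshd                4   0 02000000 /etc/ssh/sshd_config
0.412337000   1000  1744   cat                -1  13 00000000 /etc/shadow
0.977120000   1000  1750   python3            -1   2 00000000 /home/app/My Config.ini
1.305008000   33    1802   sh                  5   0 00001101 /etc/cron.d/job
"""

def decode_flags(octal_text):
    """Turn the octal FLAGS column into symbolic names."""
    value = int(octal_text, 8)
    names = [name for bit, name in OPEN_FLAGS.items() if value & bit]
    # O_RDONLY is 0, so it is the access mode when neither write bit is set.
    if not value & 0o3:
        names.insert(0, "O_RDONLY")
    return names

def parse(text):
    """Yield one dict per event, keyed by the header's column names."""
    lines = text.strip().splitlines()
    cols = lines[0].split()
    for line in lines[1:]:
        # PATH is last and may contain spaces, so cap the number of splits.
        row = dict(zip(cols, line.split(None, len(cols) - 1)))
        row["FLAG_NAMES"] = decode_flags(row["FLAGS"])
        err = int(row["ERR"])
        row["ERRNO"] = errno.errorcode.get(err, str(err)) if err else None
        yield row

def review(text, watched=("/etc/",)):
    """Return (denied, writes): permission failures and writable opens under watched dirs."""
    denied, writes = [], []
    for ev in parse(text):
        if not ev["PATH"].startswith(watched):
            continue
        if ev["FD"] == "-1" and ev["ERRNO"] in ("EACCES", "EPERM"):
            denied.append((ev["UID"], ev["COMM"], ev["PATH"]))
        elif ev["FD"] != "-1" and {"O_WRONLY", "O_RDWR"} & set(ev["FLAG_NAMES"]):
            writes.append((ev["UID"], ev["COMM"], ev["PATH"], ev["FLAG_NAMES"]))
    return denied, writes
```

       Because the parser keys on the header line, it follows whichever
       columns the chosen options print; review() needs FD, ERR, FLAGS and
       PATH to be present.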

OVERHEAD

       This traces the kernel open function and prints output for each  event.
       As  the  rate  of  this is generally expected to be low (< 1000/s), the
       overhead is also expected to be negligible. If you have an  application
       that calls open() at a high rate, then test and understand the overhead
       before use.

SOURCE

       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a  companion  _examples.txt  file
       containing example usage, output, and commentary for this tool.

OS

       Linux

STABILITY

       Unstable - in development.

AUTHOR

       Brendan Gregg

SEE ALSO

       funccount(1)

USER COMMANDS                     2015-08-18                      opensnoop(8)