opensnoop(8)                System Manager's Manual               opensnoop(8)

NAME

       opensnoop - Trace open() syscalls. Uses Linux eBPF/bcc.

SYNOPSIS

       opensnoop.py [-h] [-T] [-U] [-x] [-p PID] [-t TID] [-u UID]
                    [-d DURATION] [-n NAME] [-e] [-f FLAG_FILTER]
                    [--cgroupmap MAPPATH] [--mntnsmap MAPPATH]

DESCRIPTION

       opensnoop traces the open() syscall, showing which processes are
       attempting to open which files. This can be useful for determining the
       location of config and log files, or for troubleshooting applications
       that are failing, especially on startup.

       This works by tracing the kernel sys_open() function using dynamic
       tracing, and will need updating to match any changes to this function.

       This makes use of a Linux 4.4 feature (bpf_perf_event_output()); for
       kernels older than 4.4, see the version under tools/old, which uses an
       older mechanism.

       Since this uses BPF, only the root user can use this tool.

REQUIREMENTS

       CONFIG_BPF and bcc.

OPTIONS

       -h     Print usage message.

       -T     Include a timestamp column.

       -U     Show UID.

       -x     Only print failed opens.

       -p PID Trace this process ID only (filtered in-kernel).

       -t TID Trace this thread ID only (filtered in-kernel).

       -u UID Trace this UID only (filtered in-kernel).

       -d DURATION
              Total duration of trace in seconds.

       -n NAME
              Only print processes whose name partially matches NAME.

       -e     Show extended fields.

       -f FLAG
              Filter on open() flags, e.g., O_WRONLY.

       --cgroupmap MAPPATH
              Trace cgroups in this BPF map only (filtered in-kernel).

       --mntnsmap MAPPATH
              Trace mount namespaces in this BPF map only (filtered in-kernel).

EXAMPLES

       Trace all open() syscalls:
              # opensnoop

       Trace all open() syscalls, for 10 seconds only:
              # opensnoop -d 10

       Trace all open() syscalls, and include timestamps:
              # opensnoop -T

       Show UID:
              # opensnoop -U

       Trace only open() syscalls that failed:
              # opensnoop -x

       Trace PID 181 only:
              # opensnoop -p 181

       Trace UID 1000 only:
              # opensnoop -u 1000

       Trace all open() syscalls from processes whose name partially
       matches 'ed':
              # opensnoop -n ed

       Show extended fields:
              # opensnoop -e

       Only print calls for writing:
              # opensnoop -f O_WRONLY -f O_RDWR

       Trace a set of cgroups only (see special_filtering.md from bcc sources
       for more details):
              # opensnoop --cgroupmap /sys/fs/bpf/test01

FIELDS

       TIME(s)
              Time of the call, in seconds.

       UID    User ID

       PID    Process ID

       TID    Thread ID

       COMM   Process name

       FD     File descriptor (if success), or -1 (if failed)

       ERR    Error number (see the system's errno.h)

       FLAGS  Flags passed to open(2), in octal

       PATH   Open path
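
       The fields above can be post-processed for triage. The following is an
       added example, not part of bcc or of this man page: it parses a
       constructed sample of opensnoop -U -e output, decodes the octal FLAGS
       and the ERR number, and reports write opens that were refused. The
       column order, the sample rows and the x86-64 flag values are assumptions.

```python
import errno
import re

# open(2) flag bits as on Linux x86-64 (assumed; some differ on other arches).
O_FLAGS = {0o100: "O_CREAT", 0o200: "O_EXCL", 0o1000: "O_TRUNC",
           0o2000: "O_APPEND", 0o4000: "O_NONBLOCK", 0o200000: "O_DIRECTORY",
           0o400000: "O_NOFOLLOW", 0o2000000: "O_CLOEXEC"}
ACCESS = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}

# Constructed sample of `opensnoop -U -e` output. The column order
# UID PID COMM FD ERR FLAGS PATH is an assumption, not taken from the page.
SAMPLE = """\
UID   PID    COMM       FD ERR FLAGS    PATH
0     1201   sshd        5   0 02000000 /etc/ssh/sshd_config
1000  4312   python3    -1  13 00000002 /etc/shadow
1000  4312   python3    -1   2 00000000 /home/dev/.config/app.ini
1000  4400   backup.sh   3   0 00001101 /var/tmp/out file.tar
"""

# COMM is assumed to contain no whitespace; PATH takes the rest of the line.
ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(-?\d+)\s+(\d+)\s+([0-7]+)\s+(.*)$")

def decode_flags(octal_text):
    """Turn the octal FLAGS column into a list of O_* names, access mode first."""
    value = int(octal_text, 8)
    names = [ACCESS.get(value & 0o3, "O_ACCMODE?")]
    return names + [n for bit, n in sorted(O_FLAGS.items()) if value & bit]

def parse(text):
    """Parse data rows into dicts; the header and blank lines do not match ROW."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            uid, pid, comm, fd, err, flags, path = m.groups()
            events.append({
                "uid": int(uid), "pid": int(pid), "comm": comm, "fd": int(fd),
                "err": errno.errorcode.get(int(err), err) if int(err) else None,
                "flags": decode_flags(flags), "path": path})
    return events

def denied_writes(events):
    """Failed opens that requested write access and got EACCES or EPERM."""
    return [e for e in events if e["fd"] < 0 and e["err"] in ("EACCES", "EPERM")
            and e["flags"][0] in ("O_WRONLY", "O_RDWR")]

if __name__ == "__main__":
    for e in denied_writes(parse(SAMPLE)):
        print(e["uid"], e["comm"], e["err"], "|".join(e["flags"]), e["path"])
```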

OVERHEAD

       This traces the kernel open function and prints output for each event.
       As the rate of this is generally expected to be low (< 1000/s), the
       overhead is also expected to be negligible. If you have an application
       that is calling a high rate of open()s, then test and understand
       overhead before use.

SOURCE

       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.

OS

       Linux

STABILITY

       Unstable - in development.

AUTHOR

       Brendan Gregg

SEE ALSO

       execsnoop(8), funccount(1)

USER COMMANDS                     2020-02-20                      opensnoop(8)