1opensnoop(8) System Manager's Manual opensnoop(8)
2
6 opensnoop - Trace open() syscalls. Uses Linux eBPF/bcc.
7
9 opensnoop [-h] [-T] [-U] [-x] [-p PID] [-t TID] [-u UID]
10 [-d DURATION] [-n NAME] [-e] [-f FLAG_FILTER] [-F]
11 [--cgroupmap MAPPATH] [--mntnsmap MAPPATH]
12
14 opensnoop traces the open() syscall, showing which processes are at‐
15 tempting to open which files. This can be useful for determining the
16 location of config and log files, or for troubleshooting applications
17 that are failing, specially on startup.
18 This works by tracing the kernel sys_open() function using dynamic
20 tracing, and will need updating to match any changes to this function.
21 This makes use of a Linux 4.4 feature (bpf_perf_event_output()); for
23 kernels older than 4.4, see the version under tools/old, which uses an
24 older mechanism.
25 Since this uses BPF, only the root user can use this tool.
27
29 CONFIG_BPF and bcc.
30
32 -h Print usage message.
33 -T Include a timestamp column.
35 -U Show UID.
37 -x Only print failed opens.
39 -p PID Trace this process ID only (filtered in-kernel).
41 -t TID Trace this thread ID only (filtered in-kernel).
43 -u UID Trace this UID only (filtered in-kernel).
45 -d DURATION
47 Total duration of trace in seconds.
48 -n name
50 Only print processes where its name partially matches 'name'
51 -e Show extended fields.
53 -f FLAG
55 Filter on open() flags, e.g., O_WRONLY.
56 -F Show full path for an open file with relative path.
58 --cgroupmap MAPPATH
60 Trace cgroups in this BPF map only (filtered in-kernel).
61 --mntnsmap MAPPATH
63 Trace mount namespaces in this BPF map only (filtered in-ker‐
64 nel).
65
67 Trace all open() syscalls:
68 # opensnoop
69 Trace all open() syscalls, for 10 seconds only:
71 # opensnoop -d 10
72 Trace all open() syscalls, and include timestamps:
74 # opensnoop -T
75 Show UID:
77 # opensnoop -U
78 Trace only open() syscalls that failed:
80 # opensnoop -x
81 Trace PID 181 only:
83 # opensnoop -p 181
84 Trace UID 1000 only:
86 # opensnoop -u 1000
87 Trace all open() syscalls from processes where its name partially
89 matches 'ed':
90 # opensnoop -n ed
91 Show extended fields:
93 # opensnoop -e
94 Only print calls for writing:
96 # opensnoop -f O_WRONLY -f O_RDWR
97 Trace a set of cgroups only (see special_filtering.md from bcc sources
99 for more details):
100 # opensnoop --cgroupmap /sys/fs/bpf/test01
101
103 TIME(s)
104 Time of the call, in seconds.
105 UID User ID
107 PID Process ID
109 TID Thread ID
111 COMM Process name
113 FD File descriptor (if success), or -1 (if failed)
115 ERR Error number (see the system's errno.h)
117 FLAGS Flags passed to open(2), in octal
119 PATH Open path
121
123 This traces the kernel open function and prints output for each event.
124 As the rate of this is generally expected to be low (< 1000/s), the
125 overhead is also expected to be negligible. If you have an application
126 that is calling a high rate of open()s, then test and understand over‐
127 head before use.
128
130 This is from bcc.
131 https://github.com/iovisor/bcc
133 Also look in the bcc distribution for a companion _examples.txt file
135 containing example usage, output, and commentary for this tool.
136
138 Linux
139
141 Unstable - in development.
142
144 Brendan Gregg, Rocky Xing
145
147 execsnoop(8), funccount(1)
148USER COMMANDS 2020-02-20 opensnoop(8)