1opensnoop(8)                System Manager's Manual               opensnoop(8)
2
3
4

NAME

6       opensnoop - Trace open() syscalls. Uses Linux eBPF/bcc.
7

SYNOPSIS

9       opensnoop [-h] [-T] [-x] [-p PID] [-t TID] [-d DURATION] [-n name]
10

DESCRIPTION

12       opensnoop  traces  the  open()  syscall,  showing  which  processes are
13       attempting to open which files. This can be useful for determining  the
14       location  of  config and log files, or for troubleshooting applications
15       that are failing, specially on startup.
16
17       This works by tracing the  kernel  sys_open()  function  using  dynamic
18       tracing, and will need updating to match any changes to this function.
19
20       This  makes  use  of a Linux 4.5 feature (bpf_perf_event_output()); for
21       kernels older than 4.5, see the version under tools/old, which uses  an
22       older mechanism.
23
24       Since this uses BPF, only the root user can use this tool.
25

REQUIREMENTS

27       CONFIG_BPF and bcc.
28

OPTIONS

30       -h     Print usage message.
31
32       -T     Include a timestamp column.
33
34       -x     Only print failed opens.
35
36       -p PID Trace this process ID only (filtered in-kernel).
37
38       -t TID Trace this thread ID only (filtered in-kernel).
39
40       -d DURATION
41              Total duration of trace in seconds.
42
43       -n name
44              Only print processes where its name partially matches 'name'
45

EXAMPLES

47       Trace all open() syscalls:
48              # opensnoop
49
50       Trace all open() syscalls, for 10 seconds only:
51              # opensnoop -d 10
52
53       Trace all open() syscalls, and include timestamps:
54              # opensnoop -T
55
56       Trace only open() syscalls that failed:
57              # opensnoop -x
58
59       Trace PID 181 only:
60              # opensnoop -p 181
61
62       Trace  all  open()  syscalls  from  processes  where its name partially
63       matches 'ed':
64              # opensnoop -n ed
65

FIELDS

67       TIME(s)
68              Time of the call, in seconds.
69
70       PID    Process ID
71
72       TID    Thread ID
73
74       COMM   Process name
75
76       FD     File descriptor (if success), or -1 (if failed)
77
78       ERR    Error number (see the system's errno.h)
79
80       PATH   Open path
81

OVERHEAD

83       This traces the kernel open function and prints output for each  event.
84       As  the  rate  of  this is generally expected to be low (< 1000/s), the
85       overhead is also expected to be negligible. If you have an  application
86       that  is calling a high rate of open()s, then test and understand over‐
87       head before use.
88

SOURCE

90       This is from bcc.
91
92              https://github.com/iovisor/bcc
93
94       Also look in the bcc distribution for a  companion  _examples.txt  file
95       containing example usage, output, and commentary for this tool.
96

OS

98       Linux
99

STABILITY

101       Unstable - in development.
102

AUTHOR

104       Brendan Gregg
105

SEE ALSO

107       funccount(1)
108
109
110
111USER COMMANDS                     2015-08-18                      opensnoop(8)
Impressum