opensnoop(8)                System Manager's Manual               opensnoop(8)

NAME

       opensnoop - Trace open() syscalls. Uses Linux eBPF/bcc.

SYNOPSIS

       opensnoop [-h] [-T] [-U] [-x] [-p PID] [-t TID] [-u UID] [-d DURATION]
                 [-n name] [-e] [-f FLAG]

DESCRIPTION

       opensnoop traces the open() syscall, showing which processes are
       attempting to open which files. This can be useful for determining the
       location of config and log files, or for troubleshooting applications
       that are failing, especially on startup.

       This works by tracing the kernel sys_open() function using dynamic
       tracing, and will need updating to match any changes to this function.

       This makes use of a Linux 4.5 feature (bpf_perf_event_output()); for
       kernels older than 4.5, see the version under tools/old, which uses an
       older mechanism.

       Since this uses BPF, only the root user can use this tool.

REQUIREMENTS

       CONFIG_BPF and bcc.

OPTIONS

       -h     Print usage message.

       -T     Include a timestamp column.

       -U     Show UID.

       -x     Only print failed opens.

       -p PID Trace this process ID only (filtered in-kernel).

       -t TID Trace this thread ID only (filtered in-kernel).

       -u UID Trace this UID only (filtered in-kernel).

       -d DURATION
              Total duration of trace in seconds.

       -n name
              Only print processes whose name partially matches 'name'.

       -e     Show extended fields.

       -f FLAG
              Filter on open() flags, e.g., O_WRONLY.

EXAMPLES

       Trace all open() syscalls:
              # opensnoop

       Trace all open() syscalls, for 10 seconds only:
              # opensnoop -d 10

       Trace all open() syscalls, and include timestamps:
              # opensnoop -T

       Show UID:
              # opensnoop -U

       Trace only open() syscalls that failed:
              # opensnoop -x

       Trace PID 181 only:
              # opensnoop -p 181

       Trace UID 1000 only:
              # opensnoop -u 1000

       Trace all open() syscalls from processes whose name partially
       matches 'ed':
              # opensnoop -n ed

       Show extended fields:
              # opensnoop -e

       Only print calls for writing:
              # opensnoop -f O_WRONLY -f O_RDWR

FIELDS

       TIME(s)
              Time of the call, in seconds.

       UID    User ID

       PID    Process ID

       TID    Thread ID

       COMM   Process name

       FD     File descriptor (if success), or -1 (if failed)

       ERR    Error number (see the system's errno.h)

       FLAGS  Flags passed to open(2), in octal

       PATH   Open path
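
       Added example (not part of this man page or the bcc distribution): a
       parser for saved opensnoop output that reports permission-denied opens
       by non-root users and counts failures per errno. The sample rows are
       constructed, and the column order shown assumes the -T -U -x options;
       the parser itself takes column names from the header row.

```python
import errno
from collections import Counter

# Constructed sample of `opensnoop -T -U -x` output (not captured from a real host).
SAMPLE = """\
TIME(s)       UID   PID    COMM               FD ERR PATH
0.000000000   1000  2211   cat                -1  13 /etc/shadow
0.412338000   1000  2214   backup.sh          -1   2 /home/dev/.backuprc
1.003911000   33    1840   php-fpm            -1  13 /root/.ssh/id_rsa
1.500020000   0     901    sshd               -1   2 /etc/ssh/ssh_host_dsa_key
2.250100000   1000  2230   vim                -1   2 /home/dev/My Notes.txt
"""

# errno values that mean the kernel refused the open on permission grounds.
DENIED = {errno.EACCES, errno.EPERM}

def parse(text):
    """Yield one dict per event, using the header row to name the columns."""
    lines = [l for l in text.splitlines() if l.strip()]
    cols = lines[0].split()
    for line in lines[1:]:
        # PATH is the last column and may contain spaces, so cap the split.
        # Caveat: a COMM containing spaces would shift the columns.
        parts = line.split(None, len(cols) - 1)
        if len(parts) == len(cols):
            yield dict(zip(cols, parts))

def denied_opens(events):
    """Return (uid, comm, path) for permission-denied opens by non-root UIDs.
    Without a UID column (-U not used) every event counts as non-root."""
    hits = []
    for ev in events:
        uid = int(ev.get("UID", -1))
        if int(ev["FD"]) < 0 and int(ev["ERR"]) in DENIED and uid != 0:
            hits.append((uid, ev["COMM"], ev["PATH"]))
    return hits

def errno_summary(events):
    """Count failed opens per symbolic errno name (e.g. ENOENT, EACCES)."""
    return Counter(errno.errorcode.get(int(ev["ERR"]), ev["ERR"])
                   for ev in events if int(ev["FD"]) < 0)

if __name__ == "__main__":
    events = list(parse(SAMPLE))
    for uid, comm, path in denied_opens(events):
        print(f"denied uid={uid} comm={comm} path={path}")
    print(dict(errno_summary(events)))
```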

OVERHEAD

       This traces the kernel open function and prints output for each event.
       As the rate of this is generally expected to be low (< 1000/s), the
       overhead is also expected to be negligible. If you have an application
       that is calling a high rate of open()s, then test and understand
       overhead before use.

SOURCE

       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.

OS

       Linux

STABILITY

       Unstable - in development.

AUTHOR

       Brendan Gregg

SEE ALSO

       funccount(1)

USER COMMANDS                     2015-08-18                      opensnoop(8)