opensnoop(8)                System Manager's Manual               opensnoop(8)

NAME
       opensnoop - Trace open() syscalls. Uses Linux eBPF/bcc.

SYNOPSIS
       opensnoop.py [-h] [-T] [-U] [-x] [-p PID] [-t TID] [-u UID]
                    [-d DURATION] [-n NAME] [-e] [-f FLAG_FILTER]
                    [--cgroupmap MAPPATH] [--mntnsmap MAPPATH]

DESCRIPTION
       opensnoop traces the open() syscall, showing which processes are
       attempting to open which files. This can be useful for determining the
       location of config and log files, or for troubleshooting applications
       that are failing, especially on startup.

       This works by tracing the kernel sys_open() function using dynamic
       tracing, and will need updating to match any changes to this function.

       This makes use of a Linux 4.4 feature (bpf_perf_event_output()); for
       kernels older than 4.4, see the version under tools/old, which uses an
       older mechanism.

       Since this uses BPF, only the root user can use this tool.

REQUIREMENTS
       CONFIG_BPF and bcc.

OPTIONS
       -h     Print usage message.

       -T     Include a timestamp column.

       -U     Show UID.

       -x     Only print failed opens.

       -p PID Trace this process ID only (filtered in-kernel).

       -t TID Trace this thread ID only (filtered in-kernel).

       -u UID Trace this UID only (filtered in-kernel).

       -d DURATION
              Total duration of trace in seconds.

       -n name
              Only print processes whose name partially matches 'name'.

       -e     Show extended fields.

       -f FLAG
              Filter on open() flags, e.g., O_WRONLY.

       --cgroupmap MAPPATH
              Trace cgroups in this BPF map only (filtered in-kernel).

       --mntnsmap MAPPATH
              Trace mount namespaces in this BPF map only (filtered
              in-kernel).

EXAMPLES
       Trace all open() syscalls:
              # opensnoop

       Trace all open() syscalls, for 10 seconds only:
              # opensnoop -d 10

       Trace all open() syscalls, and include timestamps:
              # opensnoop -T

       Show UID:
              # opensnoop -U

       Trace only open() syscalls that failed:
              # opensnoop -x

       Trace PID 181 only:
              # opensnoop -p 181

       Trace UID 1000 only:
              # opensnoop -u 1000

       Trace all open() syscalls from processes whose name partially
       matches 'ed':
              # opensnoop -n ed

       Show extended fields:
              # opensnoop -e

       Only print calls for writing:
              # opensnoop -f O_WRONLY -f O_RDWR

       Trace a set of cgroups only (see special_filtering.md from bcc sources
       for more details):
              # opensnoop --cgroupmap /sys/fs/bpf/test01

FIELDS
       TIME(s)
              Time of the call, in seconds.

       UID    User ID

       PID    Process ID

       TID    Thread ID

       COMM   Process name

       FD     File descriptor (if success), or -1 (if failed)

       ERR    Error number (see the system's errno.h)

       FLAGS  Flags passed to open(2), in octal

       PATH   Open path

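The ERR and FLAGS fields decoded and used for triage, as an added example that is not part of bcc or of this manual page. It assumes the column order PID COMM FD ERR FLAGS PATH for `opensnoop -e` output and x86/x86-64 flag values; the watch list and the sample lines are constructed.

```python
import errno
import re

# Assumed Linux x86/x86-64 open(2) flag bits, in octal (other arches differ).
FLAG_BITS = {0o100: "O_CREAT", 0o200: "O_EXCL", 0o1000: "O_TRUNC",
             0o2000: "O_APPEND", 0o4000: "O_NONBLOCK", 0o200000: "O_DIRECTORY",
             0o400000: "O_NOFOLLOW", 0o2000000: "O_CLOEXEC"}
ACCESS = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
WRITE_INTENT = 0o1 | 0o2 | 0o100 | 0o1000  # O_WRONLY, O_RDWR, O_CREAT, O_TRUNC
WATCHED = ("/etc/", "/root/.ssh/")         # hypothetical watch list

# Assumed columns: PID COMM FD ERR FLAGS PATH. COMM may contain spaces, so it
# is matched lazily up to the three numeric columns that follow it.
LINE = re.compile(r"^(\d+)\s+(.+?)\s+(-?\d+)\s+(\d+)\s+([0-7]+)\s+(.*)$")

def decode_flags(octal_text):
    """Turn the octal FLAGS column into symbolic names."""
    value = int(octal_text, 8)
    names = [ACCESS.get(value & 0o3, "O_ACCMODE(3)")]
    return names + [name for bit, name in FLAG_BITS.items() if value & bit]

def parse(line):
    """Parse one event line; return None for the header or unrelated text."""
    m = LINE.match(line.strip())
    if not m:
        return None
    pid, comm, fd, err, flags, path = m.groups()
    return {"pid": int(pid), "comm": comm, "fd": int(fd), "path": path,
            "err": errno.errorcode.get(int(err), err) if int(err) else None,
            "raw_flags": int(flags, 8), "flags": decode_flags(flags)}

def findings(lines):
    """Report denied opens and write-intent opens under watched prefixes."""
    out = []
    for ev in filter(None, map(parse, lines)):
        if not ev["path"].startswith(WATCHED):
            continue
        if ev["err"] in ("EACCES", "EPERM"):
            out.append((ev["pid"], ev["comm"], ev["path"], "denied"))
        elif ev["raw_flags"] & WRITE_INTENT:
            out.append((ev["pid"], ev["comm"], ev["path"], "write-open"))
    return out

# Constructed sample lines, not captured from a real system.
SAMPLE = """\
PID    COMM               FD ERR FLAGS    PATH
812    sshd                5   0 02000000 /etc/ssh/sshd_config
2291   backup.sh          -1  13 00000000 /etc/shadow
2305   vi                  4   0 00001102 /etc/sudoers.tmp
2344   tmux: server       -1   2 02004000 /etc/tmux.conf
""".splitlines()
```
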
OVERHEAD
       This traces the kernel open function and prints output for each event.
       As the rate of this is generally expected to be low (< 1000/s), the
       overhead is also expected to be negligible. If you have an application
       that is calling a high rate of open()s, then test and understand
       overhead before use.

SOURCE
       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.

OS
       Linux

STABILITY
       Unstable - in development.

AUTHOR
       Brendan Gregg

SEE ALSO
       execsnoop(8), funccount(1)

USER COMMANDS                      2020-02-20                     opensnoop(8)