1opensnoop(8) System Manager's Manual opensnoop(8)
2
6 opensnoop - Trace open() syscalls. Uses Linux eBPF/bcc.
7
9 opensnoop.py [-h] [-T] [-U] [-x] [-p PID] [-t TID] [-u UID]
10 [-d DURATION] [-n NAME] [-e] [-f FLAG_FILTER]
11 [--cgroupmap MAPPATH] [--mntnsmap MAPPATH]
12
14 opensnoop traces the open() syscall, showing which processes are
15 attempting to open which files. This can be useful for determining the
16 location of config and log files, or for troubleshooting applications
17 that are failing, specially on startup.
18 This works by tracing the kernel sys_open() function using dynamic
20 tracing, and will need updating to match any changes to this function.
21 This makes use of a Linux 4.4 feature (bpf_perf_event_output()); for
23 kernels older than 4.4, see the version under tools/old, which uses an
24 older mechanism.
25 Since this uses BPF, only the root user can use this tool.
27
29 CONFIG_BPF and bcc.
30
32 -h Print usage message.
33 -T Include a timestamp column.
35 -U Show UID.
37 -x Only print failed opens.
39 -p PID Trace this process ID only (filtered in-kernel).
41 -t TID Trace this thread ID only (filtered in-kernel).
43 -u UID Trace this UID only (filtered in-kernel).
45 -d DURATION
47 Total duration of trace in seconds.
48 -n name
50 Only print processes where its name partially matches 'name'
51 -e Show extended fields.
53 -f FLAG
55 Filter on open() flags, e.g., O_WRONLY.
56 --cgroupmap MAPPATH
58 Trace cgroups in this BPF map only (filtered in-kernel).
59 --mntnsmap MAPPATH
61 Trace mount namespaces in this BPF map only (filtered in-ker‐
62 nel).
63
65 Trace all open() syscalls:
66 # opensnoop
67 Trace all open() syscalls, for 10 seconds only:
69 # opensnoop -d 10
70 Trace all open() syscalls, and include timestamps:
72 # opensnoop -T
73 Show UID:
75 # opensnoop -U
76 Trace only open() syscalls that failed:
78 # opensnoop -x
79 Trace PID 181 only:
81 # opensnoop -p 181
82 Trace UID 1000 only:
84 # opensnoop -u 1000
85 Trace all open() syscalls from processes where its name partially
87 matches 'ed':
88 # opensnoop -n ed
89 Show extended fields:
91 # opensnoop -e
92 Only print calls for writing:
94 # opensnoop -f O_WRONLY -f O_RDWR
95 Trace a set of cgroups only (see special_filtering.md from bcc sources
97 for more details):
98 # opensnoop --cgroupmap /sys/fs/bpf/test01
99
101 TIME(s)
102 Time of the call, in seconds.
103 UID User ID
105 PID Process ID
107 TID Thread ID
109 COMM Process name
111 FD File descriptor (if success), or -1 (if failed)
113 ERR Error number (see the system's errno.h)
115 FLAGS Flags passed to open(2), in octal
117 PATH Open path
119
121 This traces the kernel open function and prints output for each event.
122 As the rate of this is generally expected to be low (< 1000/s), the
123 overhead is also expected to be negligible. If you have an application
124 that is calling a high rate of open()s, then test and understand over‐
125 head before use.
126
128 This is from bcc.
129 https://github.com/iovisor/bcc
131 Also look in the bcc distribution for a companion _examples.txt file
133 containing example usage, output, and commentary for this tool.
134
136 Linux
137
139 Unstable - in development.
140
142 Brendan Gregg
143
145 execsnoop(8), funccount(1)
146USER COMMANDS 2020-02-20 opensnoop(8)