Demonstrations of opensnoop, the Linux eBPF/bcc version.


opensnoop traces the open() syscall system-wide, and prints various details.
Because the tracing happens in the kernel, it also catches opens by short-lived
processes that have exited before anyone could look at them in /proc.
Example output:

# ./opensnoop
PID    COMM      FD ERR PATH
17326  <...>      7   0 /sys/kernel/debug/tracing/trace_pipe
1576   snmpd      9   0 /proc/net/dev
1576   snmpd     11   0 /proc/net/if_inet6
1576   snmpd     11   0 /proc/sys/net/ipv4/neigh/eth0/retrans_time_ms
1576   snmpd     11   0 /proc/sys/net/ipv6/neigh/eth0/retrans_time_ms
1576   snmpd     11   0 /proc/sys/net/ipv6/conf/eth0/forwarding
1576   snmpd     11   0 /proc/sys/net/ipv6/neigh/eth0/base_reachable_time_ms
1576   snmpd     11   0 /proc/sys/net/ipv4/neigh/lo/retrans_time_ms
1576   snmpd     11   0 /proc/sys/net/ipv6/neigh/lo/retrans_time_ms
1576   snmpd     11   0 /proc/sys/net/ipv6/conf/lo/forwarding
1576   snmpd     11   0 /proc/sys/net/ipv6/neigh/lo/base_reachable_time_ms
1576   snmpd      9   0 /proc/diskstats
1576   snmpd      9   0 /proc/stat
1576   snmpd      9   0 /proc/vmstat
1956   supervise  9   0 supervise/status.new
1956   supervise  9   0 supervise/status.new
17358  run        3   0 /etc/ld.so.cache
17358  run        3   0 /lib/x86_64-linux-gnu/libtinfo.so.5
17358  run        3   0 /lib/x86_64-linux-gnu/libdl.so.2
17358  run        3   0 /lib/x86_64-linux-gnu/libc.so.6
17358  run       -1   6 /dev/tty
17358  run        3   0 /proc/meminfo
17358  run        3   0 /etc/nsswitch.conf
17358  run        3   0 /etc/ld.so.cache
17358  run        3   0 /lib/x86_64-linux-gnu/libnss_compat.so.2
17358  run        3   0 /lib/x86_64-linux-gnu/libnsl.so.1
17358  run        3   0 /etc/ld.so.cache
17358  run        3   0 /lib/x86_64-linux-gnu/libnss_nis.so.2
17358  run        3   0 /lib/x86_64-linux-gnu/libnss_files.so.2
17358  run        3   0 /etc/passwd
17358  run        3   0 ./run
^C

While tracing, the snmpd process opened various /proc files (reading metrics),
and a "run" process opened a series of shared libraries and config files. That
sequence (ld.so.cache, libc and friends, then nsswitch.conf, the NSS modules
and /etc/passwd) is the dynamic linker and NSS initializing, i.e. a process
that had just started. The first line is opensnoop itself opening trace_pipe,
the interface it reads events from; "<...>" is what ftrace prints when it has
no name recorded for that PID.

opensnoop can be useful for discovering configuration and log files, if used
during application startup.


The -p option can be used to filter on a PID, which is filtered in-kernel. Here
I've used it with -T to print timestamps:

# ./opensnoop -Tp 1956
TIME(s)       PID    COMM               FD ERR PATH
0.000000000   1956   supervise           9   0 supervise/status.new
0.000289999   1956   supervise           9   0 supervise/status.new
1.023068000   1956   supervise           9   0 supervise/status.new
1.023381997   1956   supervise           9   0 supervise/status.new
2.046030000   1956   supervise           9   0 supervise/status.new
2.046363000   1956   supervise           9   0 supervise/status.new
3.068203997   1956   supervise           9   0 supervise/status.new
3.068544999   1956   supervise           9   0 supervise/status.new

This shows the supervise process opening status.new twice every second: a pair
of opens about 0.3 ms apart, repeated at roughly one second intervals. TIME(s)
is relative to the first event printed, which is why the first line reads
0.000000000.


The -x option only prints failed opens:

# ./opensnoop -x
PID    COMM      FD ERR PATH
18372  run       -1   6 /dev/tty
18373  run       -1   6 /dev/tty
18373  multilog  -1  13 lock
18372  multilog  -1  13 lock
18384  df        -1   2 /usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo
18384  df        -1   2 /usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo
18384  df        -1   2 /usr/share/locale/en_US/LC_MESSAGES/coreutils.mo
18384  df        -1   2 /usr/share/locale/en.UTF-8/LC_MESSAGES/coreutils.mo
18384  df        -1   2 /usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo
18384  df        -1   2 /usr/share/locale/en/LC_MESSAGES/coreutils.mo
18385  run       -1   6 /dev/tty
18386  run       -1   6 /dev/tty

This caught a df command failing to open a coreutils.mo message catalog and
walking down a chain of fallback locale directories before giving up. Failed
opens like these are harmless in themselves, but they map out the search paths
a program probes before it finds (or fails to find) a file; a writable
directory early in such a chain is exactly what a file-planting attack needs,
so -x is a cheap way to audit them.

The ERR column is the system error number (errno). Error number 2 is ENOENT:
no such file or directory. 6 is ENXIO, which is what open() on /dev/tty
returns when the process has no controlling terminal, and 13 is EACCES:
permission denied.

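Both uses above, discovering the files a starting application opens and
reviewing failed opens by errno, come down to post-processing opensnoop's
output. The script below is an added example and is not part of bcc or
opensnoop: it parses the column layout shown on this page (with or without
the -T column), maps ERR to errno names with Python's errno module, and
summarizes successful opens per process and failures per (process, errno).
The sample input is constructed from lines on this page; the function and
file names are the example's own.

```python
"""Summarize opensnoop output offline (added example; not part of bcc).

Feed it the text opensnoop prints, with or without -T, and it reports which
files each process opened successfully (the config/log discovery use case)
and which opens failed, grouped by errno name (the -x use case).
"""
import errno
import sys
from collections import defaultdict

# Constructed sample in opensnoop's column layout: a few successful opens
# plus failures taken from the -x run shown on this page.
SAMPLE = """\
PID    COMM      FD ERR PATH
17358  run        3   0 /etc/ld.so.cache
17358  run        3   0 /lib/x86_64-linux-gnu/libc.so.6
17358  run       -1   6 /dev/tty
17358  run        3   0 /etc/passwd
18373  multilog  -1  13 lock
18384  df        -1   2 /usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo
18384  df        -1   2 /usr/share/locale/en/LC_MESSAGES/coreutils.mo
2679   sed       -1   2
"""


def parse(text):
    """Yield one dict per event line.

    Detects the optional TIME(s) column (from -T) from the header, and
    tolerates an empty PATH (as on the sed lines in this document) and a
    trailing ^C.
    """
    lines = text.splitlines()
    if not lines:
        return
    has_time = lines[0].split()[0].startswith("TIME")
    nfixed = 5 if has_time else 4          # columns before PATH
    for line in lines[1:]:
        if not line.strip() or line.startswith("^C"):
            continue
        parts = line.split(None, nfixed)   # PATH keeps any embedded spaces
        if len(parts) < nfixed:
            continue                       # truncated or foreign line
        fields = parts[:nfixed]
        path = parts[nfixed] if len(parts) > nfixed else ""
        ev = {}
        if has_time:
            ev["time"] = float(fields.pop(0))
        ev["pid"], ev["comm"] = int(fields[0]), fields[1]
        ev["fd"], ev["err"] = int(fields[2]), int(fields[3])
        ev["path"] = path
        yield ev


def errname(code):
    """Map an ERR value to its errno symbol, e.g. 2 -> 'ENOENT'."""
    return errno.errorcode.get(code, "E%d" % code)


def opened_files(events):
    """comm -> sorted distinct paths opened successfully (FD >= 0)."""
    out = defaultdict(set)
    for ev in events:
        if ev["fd"] >= 0:
            out[ev["comm"]].add(ev["path"])
    return {comm: sorted(paths) for comm, paths in out.items()}


def failed_opens(events):
    """(comm, errno name) -> paths whose open() failed, in trace order."""
    out = defaultdict(list)
    for ev in events:
        if ev["fd"] < 0:
            out[(ev["comm"], errname(ev["err"]))].append(ev["path"])
    return dict(out)


def summarize(text):
    """Return (opened_files, failed_opens) for one opensnoop capture."""
    events = list(parse(text))
    return opened_files(events), failed_opens(events)


if __name__ == "__main__":
    # Usage: ./opensnoop -x > opens.txt; python3 summarize_opens.py < opens.txt
    # With no piped input, the embedded sample is summarized instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    ok, failed = summarize(text)
    for comm, paths in sorted(ok.items()):
        print("%-10s opened %d distinct file(s)" % (comm, len(paths)))
    for (comm, name), paths in sorted(failed.items()):
        print("%-10s %-7s %s" % (comm, name,
                                 ", ".join(p or "<no path>" for p in paths)))
```

Grouping failures by (comm, errno) is what makes a probe sequence such as
df's locale walk stand out from isolated ENOENTs, and keeping the empty-PATH
case means a line like the sed one above is counted rather than dropped.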

A maximum tracing duration can be set with the -d option. For example, to trace
for 2 seconds:

# ./opensnoop -d 2
PID    COMM               FD ERR PATH
2191   indicator-multi    11   0 /sys/block
2191   indicator-multi    11   0 /sys/block
2191   indicator-multi    11   0 /sys/block
2191   indicator-multi    11   0 /sys/block
2191   indicator-multi    11   0 /sys/block

Note that COMM is the kernel's task name, which is limited to 15 characters, so
longer names appear truncated ("indicator-multi" here).


The -n option can be used to filter on process name using partial matches:

# ./opensnoop -n ed

PID    COMM               FD ERR PATH
2679   sed                 3   0 /etc/ld.so.cache
2679   sed                 3   0 /lib/x86_64-linux-gnu/libselinux.so.1
2679   sed                 3   0 /lib/x86_64-linux-gnu/libc.so.6
2679   sed                 3   0 /lib/x86_64-linux-gnu/libpcre.so.3
2679   sed                 3   0 /lib/x86_64-linux-gnu/libdl.so.2
2679   sed                 3   0 /lib/x86_64-linux-gnu/libpthread.so.0
2679   sed                 3   0 /proc/filesystems
2679   sed                 3   0 /usr/lib/locale/locale-archive
2679   sed                -1   2
2679   sed                 3   0 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
2679   sed                 3   0 /dev/null
2680   sed                 3   0 /etc/ld.so.cache
2680   sed                 3   0 /lib/x86_64-linux-gnu/libselinux.so.1
2680   sed                 3   0 /lib/x86_64-linux-gnu/libc.so.6
2680   sed                 3   0 /lib/x86_64-linux-gnu/libpcre.so.3
2680   sed                 3   0 /lib/x86_64-linux-gnu/libdl.so.2
2680   sed                 3   0 /lib/x86_64-linux-gnu/libpthread.so.0
2680   sed                 3   0 /proc/filesystems
2680   sed                 3   0 /usr/lib/locale/locale-archive
2680   sed                -1   2
^C

This caught the 'sed' command because it partially matches 'ed' that's passed
to the '-n' option. Two caveats: the match is against the kernel task name,
which is truncated to 15 characters, so a substring beyond that point of a
long name never matches; and a process can set its own task name (for example
via prctl(PR_SET_NAME)), so a name filter is a convenience for tracing, not a
way to pin down an untrusted process. Use -p for that.


USAGE message:

# ./opensnoop -h
usage: opensnoop [-h] [-T] [-x] [-p PID] [-t TID] [-d DURATION] [-n NAME]

Trace open() syscalls

optional arguments:
  -h, --help            show this help message and exit
  -T, --timestamp       include timestamp on output
  -x, --failed          only show failed opens
  -p PID, --pid PID     trace this PID only
  -t TID, --tid TID     trace this TID only
  -d DURATION, --duration DURATION
                        total duration of trace in seconds
  -n NAME, --name NAME  only print process names containing this name

examples:
    ./opensnoop           # trace all open() syscalls
    ./opensnoop -T        # include timestamps
    ./opensnoop -x        # only show failed opens
    ./opensnoop -p 181    # only trace PID 181
    ./opensnoop -t 123    # only trace TID 123
    ./opensnoop -d 10     # trace for 10 seconds only
    ./opensnoop -n main   # only print process names containing "main"

160