1The following are examples of opensnoop. File open events are traced 2along with some process details. 3 4 5This first example is of the default output. The commands "cat", "cal", 6"ls" and "uname" were run. The returned file descriptor (or -1 for error) are 7shown, along with the filenames. 8 9 # ./opensnoop 10 UID PID COMM FD PATH 11 100 3504 cat -1 /var/ld/ld.config 12 100 3504 cat 3 /usr/lib/libc.so.1 13 100 3504 cat 3 /etc/passwd 14 100 3505 cal -1 /var/ld/ld.config 15 100 3505 cal 3 /usr/lib/libc.so.1 16 100 3505 cal 3 /usr/share/lib/zoneinfo/Australia/NSW 17 100 3506 ls -1 /var/ld/ld.config 18 100 3506 ls 3 /usr/lib/libc.so.1 19 100 3507 uname -1 /var/ld/ld.config 20 100 3507 uname 3 /usr/lib/libc.so.1 21 [...] 22 23 24Full command arguments can be fetched using -g, 25 26 # ./opensnoop -g 27 UID PID PATH FD ARGS 28 100 3528 /var/ld/ld.config -1 cat /etc/passwd 29 100 3528 /usr/lib/libc.so.1 3 cat /etc/passwd 30 100 3528 /etc/passwd 3 cat /etc/passwd 31 100 3529 /var/ld/ld.config -1 cal 32 100 3529 /usr/lib/libc.so.1 3 cal 33 100 3529 /usr/share/lib/zoneinfo/Australia/NSW 3 cal 34 100 3530 /var/ld/ld.config -1 ls -l 35 100 3530 /usr/lib/libc.so.1 3 ls -l 36 100 3530 /var/run/name_service_door 3 ls -l 37 100 3530 /usr/share/lib/zoneinfo/Australia/NSW 4 ls -l 38 100 3531 /var/ld/ld.config -1 uname -a 39 100 3531 /usr/lib/libc.so.1 3 uname -a 40 [...] 41 42 43 44The verbose option prints human readable timestamps, 45 46 # ./opensnoop -v 47 STRTIME UID PID COMM FD PATH 48 2005 Jan 22 01:22:50 0 23212 df -1 /var/ld/ld.config 49 2005 Jan 22 01:22:50 0 23212 df 3 /lib/libcmd.so.1 50 2005 Jan 22 01:22:50 0 23212 df 3 /lib/libc.so.1 51 2005 Jan 22 01:22:50 0 23212 df 3 /platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1 52 2005 Jan 22 01:22:50 0 23212 df 3 /etc/mnttab 53 2005 Jan 22 01:22:50 0 23211 dtrace 4 /usr/share/lib/zoneinfo/Australia/NSW 54 2005 Jan 22 01:22:51 0 23213 uname -1 /var/ld/ld.config 55 2005 Jan 22 01:22:51 0 23213 uname 3 /lib/libc.so.1 56 2005 Jan 22 01:22:51 0 23213 uname 3 /platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1 57 [...] 58 59 60 61Particular files can be monitored using -f. For example, 62 63 # ./opensnoop -vgf /etc/passwd 64 STRTIME UID PID PATH FD ARGS 65 2005 Jan 22 01:28:50 0 23242 /etc/passwd 3 cat /etc/passwd 66 2005 Jan 22 01:28:54 0 23243 /etc/passwd 4 vi /etc/passwd 67 2005 Jan 22 01:29:06 0 23244 /etc/passwd 3 passwd brendan 68 [...] 69 70 71 72This example is of opensnoop running on a quiet system. We can see as 73various daemons are opening files, 74 75 # ./opensnoop 76 UID PID COMM FD PATH 77 0 253 nscd 5 /etc/user_attr 78 0 253 nscd 5 /etc/hosts 79 0 419 mibiisa 2 /dev/kstat 80 0 419 mibiisa 2 /dev/rtls 81 0 419 mibiisa 2 /dev/kstat 82 0 419 mibiisa 2 /dev/kstat 83 0 419 mibiisa 2 /dev/rtls 84 0 419 mibiisa 2 /dev/kstat 85 0 253 nscd 5 /etc/user_attr 86 0 419 mibiisa 2 /dev/kstat 87 0 419 mibiisa 2 /dev/rtls 88 0 419 mibiisa 2 /dev/kstat 89 0 174 in.routed 8 /dev/kstat 90 0 174 in.routed 8 /dev/kstat 91 0 174 in.routed 6 /dev/ip 92 0 419 mibiisa 2 /dev/kstat 93 0 419 mibiisa 2 /dev/rtls 94 0 419 mibiisa 2 /dev/kstat 95 0 293 utmpd 4 /var/adm/utmpx 96 0 293 utmpd 5 /var/adm/utmpx 97 0 293 utmpd 6 /proc/442/psinfo 98 0 293 utmpd 6 /proc/567/psinfo 99 0 293 utmpd 6 /proc/567/psinfo 100 0 293 utmpd 6 /proc/567/psinfo 101 0 293 utmpd 6 /proc/567/psinfo 102 0 293 utmpd 6 /proc/567/psinfo 103 0 293 utmpd 6 /proc/567/psinfo 104 0 293 utmpd 6 /proc/567/psinfo 105 0 293 utmpd 6 /proc/567/psinfo 106 0 293 utmpd 6 /proc/3013/psinfo 107 0 419 mibiisa 2 /dev/kstat 108 0 419 mibiisa 2 /dev/rtls 109 0 419 mibiisa 2 /dev/kstat 110 [...] 111