opensnoop traces the open() syscall, showing which processes are attempting to open which files. This can be useful for determining the location of config and log files, or for troubleshooting applications that are failing, specially on startup.
This works by tracing the open() syscall tracepoint.
Since this uses BPF, only the root user can use this tool.
CONFIG_BPF and bcc.
- Trace all open() syscalls:
PID Process ID
File descriptor (if success), or -1 (if failed)
Error number (see the system's errno.h)
This traces the open tracepoint and prints output for each event. As the rate of this is generally expected to be low (< 1000/s), the overhead is also expected to be negligible. If you have an application that is calling a high rate of open()s, then test and understand overhead before use.
This is from bpftrace.
Also look in the bpftrace distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.
This is a bpftrace version of the bcc tool of the same name. The bcc tool may provide more options and customizations.
Unstable - in development.
bashreadline(8), bcc-bashreadline(8), bcc-killsnoop(8), biosnoop(8), execsnoop(8), killsnoop(8), statsnoop(8).