| .TH opensnoop 8 "2020-02-20" "USER COMMANDS" |
| .SH NAME |
| opensnoop \- Trace open() syscalls. Uses Linux eBPF/bcc. |
| .SH SYNOPSIS |
| .B opensnoop [\-h] [\-T] [\-U] [\-x] [\-p PID] [\-t TID] [\-u UID] |
| [\-d DURATION] [\-n NAME] [\-e] [\-f FLAG_FILTER] [\-F] |
| [--cgroupmap MAPPATH] [--mntnsmap MAPPATH] |
| .SH DESCRIPTION |
| opensnoop traces the open() syscall, showing which processes are attempting |
| to open which files. This can be useful for determining the location of config |
| and log files, or for troubleshooting applications that are failing, specially |
| on startup. |
| |
| This works by tracing the kernel sys_open() function using dynamic tracing, and |
| will need updating to match any changes to this function. |
| |
| This makes use of a Linux 4.4 feature (bpf_perf_event_output()); |
| for kernels older than 4.4, see the version under tools/old, |
| which uses an older mechanism. |
| |
| Since this uses BPF, only the root user can use this tool. |
| .SH REQUIREMENTS |
| CONFIG_BPF and bcc. |
| .SH OPTIONS |
| .TP |
| \-h |
| Print usage message. |
| .TP |
| \-T |
| Include a timestamp column. |
| .TP |
| \-U |
| Show UID. |
| .TP |
| \-x |
| Only print failed opens. |
| .TP |
| \-p PID |
| Trace this process ID only (filtered in-kernel). |
| .TP |
| \-t TID |
| Trace this thread ID only (filtered in-kernel). |
| .TP |
| \-u UID |
| Trace this UID only (filtered in-kernel). |
| .TP |
| \-d DURATION |
| Total duration of trace in seconds. |
| .TP |
| \-n name |
| Only print processes where its name partially matches 'name' |
| .TP |
| \-e |
| Show extended fields. |
| .TP |
| \-f FLAG |
| Filter on open() flags, e.g., O_WRONLY. |
| .TP |
| \-F |
| Show full path for an open file with relative path. |
| .TP |
| \--cgroupmap MAPPATH |
| Trace cgroups in this BPF map only (filtered in-kernel). |
| .TP |
| \--mntnsmap MAPPATH |
| Trace mount namespaces in this BPF map only (filtered in-kernel). |
| .SH EXAMPLES |
| .TP |
| Trace all open() syscalls: |
| # |
| .B opensnoop |
| .TP |
| Trace all open() syscalls, for 10 seconds only: |
| # |
| .B opensnoop -d 10 |
| .TP |
| Trace all open() syscalls, and include timestamps: |
| # |
| .B opensnoop \-T |
| .TP |
| Show UID: |
| # |
| .B opensnoop \-U |
| .TP |
| Trace only open() syscalls that failed: |
| # |
| .B opensnoop \-x |
| .TP |
| Trace PID 181 only: |
| # |
| .B opensnoop \-p 181 |
| .TP |
| Trace UID 1000 only: |
| # |
| .B opensnoop \-u 1000 |
| .TP |
| Trace all open() syscalls from processes where its name partially matches 'ed': |
| # |
| .B opensnoop \-n ed |
| .TP |
| Show extended fields: |
| # |
| .B opensnoop \-e |
| .TP |
| Only print calls for writing: |
| # |
| .B opensnoop \-f O_WRONLY \-f O_RDWR |
| .TP |
| Trace a set of cgroups only (see special_filtering.md from bcc sources for more details): |
| # |
| .B opensnoop \-\-cgroupmap /sys/fs/bpf/test01 |
| .SH FIELDS |
| .TP |
| TIME(s) |
| Time of the call, in seconds. |
| .TP |
| UID |
| User ID |
| .TP |
| PID |
| Process ID |
| .TP |
| TID |
| Thread ID |
| .TP |
| COMM |
| Process name |
| .TP |
| FD |
| File descriptor (if success), or -1 (if failed) |
| .TP |
| ERR |
| Error number (see the system's errno.h) |
| .TP |
| FLAGS |
| Flags passed to open(2), in octal |
| .TP |
| PATH |
| Open path |
| .SH OVERHEAD |
| This traces the kernel open function and prints output for each event. As the |
| rate of this is generally expected to be low (< 1000/s), the overhead is also |
| expected to be negligible. If you have an application that is calling a high |
| rate of open()s, then test and understand overhead before use. |
| .SH SOURCE |
| This is from bcc. |
| .IP |
| https://github.com/iovisor/bcc |
| .PP |
| Also look in the bcc distribution for a companion _examples.txt file containing |
| example usage, output, and commentary for this tool. |
| .SH OS |
| Linux |
| .SH STABILITY |
| Unstable - in development. |
| .SH AUTHOR |
| Brendan Gregg, Rocky Xing |
| .SH SEE ALSO |
| execsnoop(8), funccount(1) |
