Provided by: perf-tools-unstable_1.0.1~20200130+git49b8cdf-1ubuntu1_all

NAME

       opensnoop - trace open() syscalls with file details. Uses Linux ftrace.

SYNOPSIS

       opensnoop [-htx] [-d secs] [-p pid] [-L tid] [-n name] [filename]

DESCRIPTION

       This traces open() syscalls, showing the file name (pathname) and returned file descriptor number (or -1,
       for error).

       This  implementation is designed to work on older kernel versions, and without kernel debuginfo. It works
       by dynamic tracing of the return value of getname() as a string, and associating it  with  the  following
       open()  syscall  return.  This approach is kernel version specific, and may not work on your version.  It
       is a workaround, and proof of concept for ftrace, until more kernel tracing functionality is available.

       Since this uses ftrace, only the root user can use this tool.
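
       The pairing described above, as an added example (not code from perf-tools): awk keeps the latest
       getname() string per task and emits it on that task's next open() return. The event-line layout and
       the "<unknown>" marker are assumptions, and the sample trace is constructed.

```shell
#!/bin/sh
# Constructed sample in ftrace's text layout (assumed): task-PID, CPU, flags,
# timestamp, event. Two tasks interleave; sshd-902 also calls getname() from
# a non-open syscall first, and has one open() return with no captured name.
sample_trace() {
cat <<'EOF'
# tracer: nop
 cat-811   [000] d... 100.000100: getnameprobe: (do_sys_open+0xc3/0x220 <- getname) arg1="/etc/hosts"
 sshd-902  [001] d... 100.000150: getnameprobe: (user_path_at+0x4e/0xb0 <- getname) arg1="/var/empty"
 sshd-902  [001] d... 100.000200: getnameprobe: (do_sys_open+0xc3/0x220 <- getname) arg1="/etc/shadow"
 cat-811   [000] .... 100.000250: sys_open -> 0x3
 sshd-902  [001] .... 100.000300: sys_open -> 0xfffffffffffffffe
 sshd-902  [001] .... 100.000350: sys_open -> 0x4
EOF
}

# Reads trace lines on stdin, prints "COMM PID FD FILE" per open() return.
correlate_opens() {
    awk '
    /^#/ { next }                        # skip ftrace header comments
    {
        task = $1                        # "comm-PID"; comm may contain dashes
        pid = task;  sub(/.*-/, "", pid)
        comm = task; sub(/-[0-9]+$/, "", comm)
    }
    $5 == "getnameprobe:" {
        # Keep only the newest pathname per task: getname() also runs for
        # other path syscalls, so an older string is stale by open() return.
        name = $0
        sub(/^.*arg1="/, "", name); sub(/"$/, "", name)
        last[pid] = name
        next
    }
    $5 == "sys_open" && $6 == "->" {
        file = (pid in last) ? last[pid] : "<unknown>"
        delete last[pid]                 # one name is consumed per return
        fd = $7
        if (fd ~ /^0xfffff/) fd = -1     # negative errno is reported as -1
        printf "%s %s %s %s\n", comm, pid, fd, file
    }'
}

sample_trace | correlate_opens
```

       Task names containing spaces would shift the field positions, so this sketch assumes they do not.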

REQUIREMENTS

       The FTRACE and KPROBE kernel CONFIG options, the syscalls:sys_exit_open tracepoint, the getname()
       kernel function, and awk. You may already have these enabled and available on recent Linux kernels.

OPTIONS

       -d secs
              Set  the  duration  of  tracing, in seconds. Trace output will be buffered and printed at the end.
              This also reduces overheads by buffering in-kernel, instead of printing events as they occur.

              The ftrace buffer has a fixed size per-CPU (see /sys/kernel/debug/tracing/buffer_size_kb). If  you
              think events are missing, try increasing that size.

       -h     Print usage message.

       -n name
              Only  show  processes  matching  this  process  name.  Partial strings and regular expressions are
              allowed. This is post-filtered using awk.

       -p PID Only trace this process ID. This is filtered in-kernel.

       -L TID Only trace this thread ID. This is filtered in-kernel.

       -t     Include timestamps, in seconds.

       -x     Only print failed open()s.

       filename
              Only show open()s which match this filename. Partial strings and regular expressions are  allowed.
              This is post-filtered using awk.

EXAMPLES

       Trace all open() syscalls with details:
              # opensnoop

       Only trace open()s for PID 81:
              # opensnoop -p 81

       Trace failed open() syscalls:
              # opensnoop -x

       Trace open() syscalls for filenames containing "conf":
              # opensnoop conf

       Trace open() syscalls for filenames ending in "log":
              # opensnoop 'log$'

FIELDS

       TIMEs  Time of open() completion, in units of seconds.

       COMM   Process name (if known).

       PID    Process ID.

       FD     File  descriptor.  If  this  is a successful open, the file descriptor number is shown. If this is
              unsuccessful, -1 is shown. Numbers beginning with 0x are hexadecimal.

       FILE   Filename (pathname) used by the open() syscall.

OVERHEAD

       This reads open() syscalls and getname() kernel function calls as they occur. For high rates of opens
       (> 500/s), the overhead may begin to be measurable. Test it yourself. You can use the -d mode to
       buffer output, reducing overheads.

SOURCE

       This is from the perf-tools collection.

              https://github.com/brendangregg/perf-tools

       Also look under the examples directory for a text file containing example usage, output,  and  commentary
       for this tool.

OS

       Linux

STABILITY

       Unstable - in development.

AUTHOR

       Brendan Gregg

SEE ALSO

       execsnoop(8), strace(1)

USER COMMANDS                                      2014-07-20                                       opensnoop(8)