Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
B
bcc
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
bcc
Commits
765dfe26
Commit
765dfe26
authored
Sep 10, 2016
by
KarimAllah Ahmed
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
opensnoop: Introduce process name filtering
Signed-off-by:
KarimAllah Ahmed
<
karim.allah.ahmed@gmail.com
>
parent
a17d1e8e
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
46 additions
and
2 deletions
+46
-2
man/man8/opensnoop.8
man/man8/opensnoop.8
+9
-2
tools/opensnoop.py
tools/opensnoop.py
+6
-0
tools/opensnoop_example.txt
tools/opensnoop_example.txt
+31
-0
No files found.
man/man8/opensnoop.8
View file @
765dfe26
...
@@ -2,11 +2,11 @@
...
@@ -2,11 +2,11 @@
.SH NAME
.SH NAME
opensnoop \- Trace open() syscalls. Uses Linux eBPF/bcc.
opensnoop \- Trace open() syscalls. Uses Linux eBPF/bcc.
.SH SYNOPSIS
.SH SYNOPSIS
.B opensnoop [\-h] [\-t] [\-x] [\-p PID]
.B opensnoop [\-h] [\-t] [\-x] [\-p PID]
[\-n name]
.SH DESCRIPTION
.SH DESCRIPTION
opensnoop traces the open() syscall, showing which processes are attempting
opensnoop traces the open() syscall, showing which processes are attempting
to open which files. This can be useful for determining the location of config
to open which files. This can be useful for determining the location of config
and log files, or for troubleshooting applications that are failing,
e
specially
and log files, or for troubleshooting applications that are failing, specially
on startup.
on startup.
This works by tracing the kernel sys_open() function using dynamic tracing, and
This works by tracing the kernel sys_open() function using dynamic tracing, and
...
@@ -32,6 +32,9 @@ Only print failed opens.
...
@@ -32,6 +32,9 @@ Only print failed opens.
.TP
.TP
\-p PID
\-p PID
Trace this process ID only (filtered in-kernel).
Trace this process ID only (filtered in-kernel).
.TP
\-n name
Only print processes where its name partially matches 'name'
.SH EXAMPLES
.SH EXAMPLES
.TP
.TP
Trace all open() syscalls:
Trace all open() syscalls:
...
@@ -49,6 +52,10 @@ Trace only open() syscalls that failed:
...
@@ -49,6 +52,10 @@ Trace only open() syscalls that failed:
Trace PID 181 only:
Trace PID 181 only:
#
#
.B opensnoop \-p 181
.B opensnoop \-p 181
.TP
Trace all open() syscalls from processes where its name partially matches 'ed':
#
.B opensnoop \-n ed
.SH FIELDS
.SH FIELDS
.TP
.TP
TIME(s)
TIME(s)
...
...
tools/opensnoop.py
View file @
765dfe26
...
@@ -23,6 +23,7 @@ examples = """examples:
...
@@ -23,6 +23,7 @@ examples = """examples:
./opensnoop -t # include timestamps
./opensnoop -t # include timestamps
./opensnoop -x # only show failed opens
./opensnoop -x # only show failed opens
./opensnoop -p 181 # only trace PID 181
./opensnoop -p 181 # only trace PID 181
./opensnoop -n main # only print process names containing "main"
"""
"""
parser
=
argparse
.
ArgumentParser
(
parser
=
argparse
.
ArgumentParser
(
description
=
"Trace open() syscalls"
,
description
=
"Trace open() syscalls"
,
...
@@ -34,6 +35,8 @@ parser.add_argument("-x", "--failed", action="store_true",
...
@@ -34,6 +35,8 @@ parser.add_argument("-x", "--failed", action="store_true",
help
=
"only show failed opens"
)
help
=
"only show failed opens"
)
parser
.
add_argument
(
"-p"
,
"--pid"
,
parser
.
add_argument
(
"-p"
,
"--pid"
,
help
=
"trace this PID only"
)
help
=
"trace this PID only"
)
parser
.
add_argument
(
"-n"
,
"--name"
,
help
=
"only print process names containing this name"
)
args
=
parser
.
parse_args
()
args
=
parser
.
parse_args
()
debug
=
0
debug
=
0
...
@@ -155,6 +158,9 @@ def print_event(cpu, data, size):
...
@@ -155,6 +158,9 @@ def print_event(cpu, data, size):
if
args
.
failed
and
(
event
.
ret
>=
0
):
if
args
.
failed
and
(
event
.
ret
>=
0
):
return
return
if
args
.
name
and
args
.
name
not
in
event
.
comm
:
return
if
args
.
timestamp
:
if
args
.
timestamp
:
delta
=
event
.
ts
-
initial_ts
delta
=
event
.
ts
-
initial_ts
print
(
"%-14.9f"
%
(
float
(
delta
)
/
1000000
),
end
=
""
)
print
(
"%-14.9f"
%
(
float
(
delta
)
/
1000000
),
end
=
""
)
...
...
tools/opensnoop_example.txt
View file @
765dfe26
...
@@ -89,6 +89,37 @@ The ERR column is the system error number. Error number 2 is ENOENT: no such
...
@@ -89,6 +89,37 @@ The ERR column is the system error number. Error number 2 is ENOENT: no such
file or directory.
file or directory.
The -n option can be used to filter on process name using partial matches:
# ./opensnoop -n ed
PID COMM FD ERR PATH
2679 sed 3 0 /etc/ld.so.cache
2679 sed 3 0 /lib/x86_64-linux-gnu/libselinux.so.1
2679 sed 3 0 /lib/x86_64-linux-gnu/libc.so.6
2679 sed 3 0 /lib/x86_64-linux-gnu/libpcre.so.3
2679 sed 3 0 /lib/x86_64-linux-gnu/libdl.so.2
2679 sed 3 0 /lib/x86_64-linux-gnu/libpthread.so.0
2679 sed 3 0 /proc/filesystems
2679 sed 3 0 /usr/lib/locale/locale-archive
2679 sed -1 2
2679 sed 3 0 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
2679 sed 3 0 /dev/null
2680 sed 3 0 /etc/ld.so.cache
2680 sed 3 0 /lib/x86_64-linux-gnu/libselinux.so.1
2680 sed 3 0 /lib/x86_64-linux-gnu/libc.so.6
2680 sed 3 0 /lib/x86_64-linux-gnu/libpcre.so.3
2680 sed 3 0 /lib/x86_64-linux-gnu/libdl.so.2
2680 sed 3 0 /lib/x86_64-linux-gnu/libpthread.so.0
2680 sed 3 0 /proc/filesystems
2680 sed 3 0 /usr/lib/locale/locale-archive
2680 sed -1 2
^C
This caught the 'sed' command because it partially matches 'ed' that's passed
to the '-n' option.
USAGE message:
USAGE message:
# ./opensnoop -h
# ./opensnoop -h
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment