Demonstrations of opensnoop, the Linux eBPF/bcc version.


opensnoop traces the open() syscall system-wide, and prints various details.
Example output:

# ./opensnoop
PID    COMM               FD ERR PATH
17326  <...>               7   0 /sys/kernel/debug/tracing/trace_pipe
1576   snmpd               9   0 /proc/net/dev
1576   snmpd              11   0 /proc/net/if_inet6
1576   snmpd              11   0 /proc/sys/net/ipv4/neigh/eth0/retrans_time_ms
1576   snmpd              11   0 /proc/sys/net/ipv6/neigh/eth0/retrans_time_ms
1576   snmpd              11   0 /proc/sys/net/ipv6/conf/eth0/forwarding
1576   snmpd              11   0 /proc/sys/net/ipv6/neigh/eth0/base_reachable_time_ms
1576   snmpd              11   0 /proc/sys/net/ipv4/neigh/lo/retrans_time_ms
1576   snmpd              11   0 /proc/sys/net/ipv6/neigh/lo/retrans_time_ms
1576   snmpd              11   0 /proc/sys/net/ipv6/conf/lo/forwarding
1576   snmpd              11   0 /proc/sys/net/ipv6/neigh/lo/base_reachable_time_ms
1576   snmpd               9   0 /proc/diskstats
1576   snmpd               9   0 /proc/stat
1576   snmpd               9   0 /proc/vmstat
1956   supervise           9   0 supervise/status.new
1956   supervise           9   0 supervise/status.new
17358  run                 3   0 /etc/ld.so.cache
17358  run                 3   0 /lib/x86_64-linux-gnu/libtinfo.so.5
17358  run                 3   0 /lib/x86_64-linux-gnu/libdl.so.2
17358  run                 3   0 /lib/x86_64-linux-gnu/libc.so.6
17358  run                -1   6 /dev/tty
17358  run                 3   0 /proc/meminfo
17358  run                 3   0 /etc/nsswitch.conf
17358  run                 3   0 /etc/ld.so.cache
17358  run                 3   0 /lib/x86_64-linux-gnu/libnss_compat.so.2
17358  run                 3   0 /lib/x86_64-linux-gnu/libnsl.so.1
17358  run                 3   0 /etc/ld.so.cache
17358  run                 3   0 /lib/x86_64-linux-gnu/libnss_nis.so.2
17358  run                 3   0 /lib/x86_64-linux-gnu/libnss_files.so.2
17358  run                 3   0 /etc/passwd
17358  run                 3   0 ./run
^C

While tracing, the snmpd process opened various /proc files (reading metrics),
and a "run" process read various libraries and config files (it looks like it
was starting up: a new process).

opensnoop can be useful for discovering configuration and log files, if used
during application startup.


The -p option can be used to filter on a PID, which is filtered in-kernel. Here
I've used it with -T to print timestamps:

# ./opensnoop -Tp 1956
TIME(s)        PID    COMM               FD ERR PATH
0.000000000    1956   supervise           9   0 supervise/status.new
0.000289999    1956   supervise           9   0 supervise/status.new
1.023068000    1956   supervise           9   0 supervise/status.new
1.023381997    1956   supervise           9   0 supervise/status.new
2.046030000    1956   supervise           9   0 supervise/status.new
2.046363000    1956   supervise           9   0 supervise/status.new
3.068203997    1956   supervise           9   0 supervise/status.new
3.068544999    1956   supervise           9   0 supervise/status.new

This shows the supervise process is opening the status.new file twice every
second.


The -x option only prints failed opens:

# ./opensnoop -x
PID    COMM               FD ERR PATH
18372  run                -1   6 /dev/tty
18373  run                -1   6 /dev/tty
18373  multilog           -1  13 lock
18372  multilog           -1  13 lock
18384  df                 -1   2 /usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo
18384  df                 -1   2 /usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo
18384  df                 -1   2 /usr/share/locale/en_US/LC_MESSAGES/coreutils.mo
18384  df                 -1   2 /usr/share/locale/en.UTF-8/LC_MESSAGES/coreutils.mo
18384  df                 -1   2 /usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo
18384  df                 -1   2 /usr/share/locale/en/LC_MESSAGES/coreutils.mo
18385  run                -1   6 /dev/tty
18386  run                -1   6 /dev/tty

This caught a df command failing to open a coreutils.mo file, and trying from
different directories.

The ERR column is the system error number (errno). Error number 2 is ENOENT: no
such file or directory.
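As an added example (not part of opensnoop or this file), here is a small parser for the output format shown above. It decodes the ERR column into errno names with Python's errno module and flags a process that tries the same file name in several directories, as df does here with coreutils.mo. It assumes the default column layout, optionally preceded by the -T time column; the sample rows are constructed from the output above.

```python
import errno
import re
from collections import Counter, defaultdict
from typing import NamedTuple, Optional
# Constructed sample rows, copied from the -x demonstration output above.
SAMPLE = """\
PID    COMM               FD ERR PATH
18372  run                -1   6 /dev/tty
18373  multilog           -1  13 lock
18384  df                 -1   2 /usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo
18384  df                 -1   2 /usr/share/locale/en/LC_MESSAGES/coreutils.mo
1576   snmpd               9   0 /proc/net/dev
2679   sed                -1   2
"""

class OpenEvent(NamedTuple):
    time: Optional[float]  # seconds since trace start; None unless -T was used
    pid: int
    comm: str
    fd: int                # -1 when the open failed
    err: int               # errno, as printed in the ERR column
    path: str              # may be empty, as in the sed row above

# One data row. TIME(s) is optional; COMM is read as a single token, which
# matches opensnoop's fixed-width COMM column for process names without spaces.
_ROW = re.compile(r"^\s*(?:(?P<time>\d+\.\d+)\s+)?(?P<pid>\d+)\s+(?P<comm>\S+)"
                  r"\s+(?P<fd>-?\d+)\s+(?P<err>\d+)\s*(?P<path>.*)$")

def parse_opensnoop(text):  # header, blank, "^C" and echoed command lines are skipped
    events = []
    for m in filter(None, map(_ROW.match, text.splitlines())):
        t = m.group("time")
        events.append(OpenEvent(float(t) if t else None, int(m.group("pid")),
                                m.group("comm"), int(m.group("fd")),
                                int(m.group("err")), m.group("path").strip()))
    return events

def errname(err):  # symbolic errno for the ERR column: 2 -> ENOENT, 13 -> EACCES
    return errno.errorcode.get(err, "E%d" % err)

def failures_by_comm(events):  # (comm, errno name) -> count: a quick -x triage
    return Counter((e.comm, errname(e.err)) for e in events if e.fd < 0)

def search_probes(events):
    """One PID trying the same file name in several directories (df above)."""
    probes = defaultdict(list)
    for e in events:
        if e.fd < 0 and e.path:
            probes[(e.pid, e.path.rsplit("/", 1)[-1])].append(e.path)
    return {k: v for k, v in probes.items() if len(v) > 1}
```

A run of search_probes() separates a library walking its search path (many ENOENT results for one name) from a single unexpected failure worth investigating.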


A maximum tracing duration can be set with the -d option. For example, to trace
for 2 seconds:

# ./opensnoop -d 2
PID    COMM               FD ERR PATH
2191   indicator-multi    11   0 /sys/block
2191   indicator-multi    11   0 /sys/block
2191   indicator-multi    11   0 /sys/block
2191   indicator-multi    11   0 /sys/block
2191   indicator-multi    11   0 /sys/block


The -n option can be used to filter on process name using partial matches:

# ./opensnoop -n ed

PID    COMM               FD ERR PATH
2679   sed                 3   0 /etc/ld.so.cache
2679   sed                 3   0 /lib/x86_64-linux-gnu/libselinux.so.1
2679   sed                 3   0 /lib/x86_64-linux-gnu/libc.so.6
2679   sed                 3   0 /lib/x86_64-linux-gnu/libpcre.so.3
2679   sed                 3   0 /lib/x86_64-linux-gnu/libdl.so.2
2679   sed                 3   0 /lib/x86_64-linux-gnu/libpthread.so.0
2679   sed                 3   0 /proc/filesystems
2679   sed                 3   0 /usr/lib/locale/locale-archive
2679   sed                -1   2
2679   sed                 3   0 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
2679   sed                 3   0 /dev/null
2680   sed                 3   0 /etc/ld.so.cache
2680   sed                 3   0 /lib/x86_64-linux-gnu/libselinux.so.1
2680   sed                 3   0 /lib/x86_64-linux-gnu/libc.so.6
2680   sed                 3   0 /lib/x86_64-linux-gnu/libpcre.so.3
2680   sed                 3   0 /lib/x86_64-linux-gnu/libdl.so.2
2680   sed                 3   0 /lib/x86_64-linux-gnu/libpthread.so.0
2680   sed                 3   0 /proc/filesystems
2680   sed                 3   0 /usr/lib/locale/locale-archive
2680   sed                -1   2
^C

This caught the 'sed' command because it partially matches the 'ed' that's
passed to the '-n' option.


USAGE message:

# ./opensnoop -h
usage: opensnoop [-h] [-T] [-x] [-p PID] [-t TID] [-d DURATION] [-n NAME]

Trace open() syscalls

optional arguments:
  -h, --help            show this help message and exit
  -T, --timestamp       include timestamp on output
  -x, --failed          only show failed opens
  -p PID, --pid PID     trace this PID only
  -t TID, --tid TID     trace this TID only
  -d DURATION, --duration DURATION
                        total duration of trace in seconds
  -n NAME, --name NAME  only print process names containing this name

examples:
    ./opensnoop           # trace all open() syscalls
    ./opensnoop -T        # include timestamps
    ./opensnoop -x        # only show failed opens
    ./opensnoop -p 181    # only trace PID 181
    ./opensnoop -t 123    # only trace TID 123
    ./opensnoop -d 10     # trace for 10 seconds only
    ./opensnoop -n main   # only print process names containing "main"