opensnoop - Trace open() syscalls. Uses Linux eBPF/bcc.
opensnoop [-h] [-T] [-x] [-p PID] [-t TID] [-n name]
opensnoop traces the open() syscall, showing which processes are attempting to
open which files. This can be useful for determining the location of config
and log files, or for troubleshooting applications that are failing, specially
This works by tracing the kernel sys_open() function using dynamic tracing, and
will need updating to match any changes to this function.
This makes use of a Linux 4.5 feature (bpf_perf_event_output()); for kernels
older than 4.5, see the version under tools/old, which uses an older
Since this uses BPF, only the root user can use this tool.
CONFIG_BPF and bcc.
- Print usage message.
- Include a timestamp column.
- Only print failed opens.
- -p PID
- Trace this process ID only (filtered in-kernel).
- -t TID
- Trace this thread ID only (filtered in-kernel).
- -n name
- Only print processes where its name partially matches
- Trace all open() syscalls:
- # opensnoop
- Trace all open() syscalls, and include timestamps:
- # opensnoop -T
- Trace only open() syscalls that failed:
- # opensnoop -x
- Trace PID 181 only:
- # opensnoop -p 181
- Trace all open() syscalls from processes where its name
partially matches 'ed':
- # opensnoop -n ed
- Time of the call, in seconds.
- Process ID
- Thread ID
- Process name
- File descriptor (if success), or -1 (if failed)
- Error number (see the system's errno.h)
- Open path
This traces the kernel open function and prints output for each event. As the
rate of this is generally expected to be low (< 1000/s), the overhead is
also expected to be negligible. If you have an application that is calling a
high rate of open()s, then test and understand overhead before use.
This is from bcc.
Also look in the bcc distribution for a companion _examples.txt file containing
example usage, output, and commentary for this tool.
Unstable - in development.