How to trace file access with dtrace on solaris
Brendan Gregg has a number of good dtrace
one liners on his site. Among them, this one liner to watch files opened by process:
dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0)); }'
Expanding that, you can watch a particular file being opened by adding a predicate:
dtrace -n 'syscall::open*:entry /copyinstr(arg0)=="/etc/passwd"/ { printf("%s %s",execname,copyinstr(arg0)); }'
Yielding the following output:
CPU ID FUNCTION:NAME
2 12622 open64:entry cat /etc/passwd
ls
is slightly different, in that ls file
doesn't open file
. It uses stat
instead (specifically, lstat64
) so the probe would be syscall::*stat*:entry
.
Note that dtrace
implementations vary. The commands above were run on illumos. YMMV.