How to trace file access with DTrace on Solaris

Brendan Gregg has a number of good DTrace one-liners on his site. Among them is this one-liner, which shows the files opened by each process:

dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0)); }'

Expanding on that, you can watch for a particular file being opened by adding a predicate:

dtrace -n 'syscall::open*:entry /copyinstr(arg0)=="/etc/passwd"/ { printf("%s %s",execname,copyinstr(arg0)); }'

Yielding the following output:

CPU     ID                    FUNCTION:NAME
  2  12622                     open64:entry cat /etc/passwd

ls is slightly different, in that running ls on a file doesn't open the file. It uses stat instead (specifically, lstat64), so the probe would be syscall::*stat*:entry.


Note that dtrace implementations vary. The commands above were run on illumos. YMMV.
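
A script form of the two probes above, as an added example rather than code from the original page or from Brendan Gregg's site: it watches one path across both the open and stat families, and reads the path from arg1 for the *at variants, whose first argument is a directory descriptor rather than a path. The file name watchfile.d is hypothetical, and the probe names listed are assumptions about what the local kernel provides, so it is run with -Z to tolerate any that are missing.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example, not from the original page.
 * Usage (watchfile.d is a hypothetical name):
 *   dtrace -Z -s watchfile.d /etc/passwd
 * -Z lets dtrace start even if some probes named below do not exist
 * on this kernel; which syscalls exist varies by release.
 *
 * The predicate compares the path string exactly as the process passed
 * it, so a relative path ("passwd" from inside /etc) will not match.
 */
#pragma D option quiet

/* Calls whose first argument is the path. */
syscall::open:entry,
syscall::open64:entry,
syscall::stat:entry,
syscall::stat64:entry,
syscall::lstat:entry,
syscall::lstat64:entry
/copyinstr(arg0) == $$1/
{
	printf("%Y %-10s %-16s pid=%d uid=%d %s\n",
	    walltimestamp, probefunc, execname, pid, uid, copyinstr(arg0));
}

/* The *at variants take a directory descriptor first; the path is arg1. */
syscall::openat:entry,
syscall::openat64:entry,
syscall::fstatat:entry,
syscall::fstatat64:entry
/copyinstr(arg1) == $$1/
{
	printf("%Y %-10s %-16s pid=%d uid=%d %s\n",
	    walltimestamp, probefunc, execname, pid, uid, copyinstr(arg1));
}
```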