from Hacker News

Show HN: Watch what files any Linux process accesses

by spieglt on 6/8/20, 10:38 PM with 37 comments

  • by hnlmorg on 6/9/20, 7:27 AM

    Not taking anything away from the worth of this tool but if you do happen to find yourself needing to quickly inspect which files a process has open you can do so using the /proc file system:

        ls -l /proc/$PID/fd/
    
    Additionally you can also use the /proc file system to display where the cursor is in those files by outputting the contents of

        /proc/$PID/fdinfo/$FD
    
    which is handy if you have a long running process but forgot to pipe it into `pv` (or any other long running ingest that lacks a progress UI)

    (Both tricks are Linux only)
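
Added example, not part of hnlmorg's comment or of the tool under discussion: a small shell helper that combines the two /proc paths mentioned above to list a process's descriptors with their offsets and to estimate progress through a regular file. The function names are made up for this example, and it assumes Linux with `awk`, `readlink` and `stat -c` available.

```shell
#!/bin/sh
# Added example (constructed helper names). Linux only: reads /proc/PID/fd and
# /proc/PID/fdinfo. Inspecting another user's process generally requires root.

# fd_pos PID FD: print the descriptor's current byte offset ("pos:" field).
fd_pos() {
    awk '$1 == "pos:" { print $2 }' "/proc/$1/fdinfo/$2"
}

# fd_progress PID FD: print integer percent of a regular file already consumed.
# Fails for pipes, sockets, ttys and empty files, which have no useful size.
fd_progress() {
    # -L follows the /proc link to the open file itself, so this still works
    # when the file has been unlinked and the link text ends in " (deleted)".
    [ -f "/proc/$1/fd/$2" ] || return 1
    size=$(stat -L -c %s "/proc/$1/fd/$2") || return 1
    [ "$size" -gt 0 ] || return 1
    pos=$(fd_pos "$1" "$2") || return 1
    echo $(( pos * 100 / size ))
}

# list_fds PID: one line per descriptor: FD <tab> offset <tab> link target.
list_fds() {
    for link in "/proc/$1/fd"/*; do
        # Descriptors can close between the glob and the read; skip those.
        [ -L "$link" ] || continue
        fd=${link##*/}
        printf '%s\t%s\t%s\n' "$fd" "$(fd_pos "$1" "$fd" 2>/dev/null)" \
            "$(readlink "$link")"
    done
}

# Stand-alone use: ./fdpeek.sh PID
if [ "$#" -gt 0 ]; then
    list_fds "$1"
fi
```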

  • by bostonsre on 6/9/20, 7:32 AM

    biotop and biolatency surface similar info. They come with a ton of other ridiculously awesome tools in BCC tools. They are a set of Python wrapper scripts that run eBPF programs. Using eBPF generally has a really low impact on performance when compared with other tools that do similar work.

    https://github.com/iovisor/bcc

  • by ravinder_sbu on 6/9/20, 7:45 AM

    How is this different from using something like,

    `strace -e trace=file`

    I see that you are using ptrace to monitor a process. That is also used by strace. Is there something else your application does that strace does not (In relation to files)?

  • by Doctor_Fegg on 6/9/20, 11:04 AM

    For macOS, fs_usage does the same job. I find it invaluable to find out what process is churning the disk (usually mds...).

  • by MCOfficer on 6/9/20, 9:39 AM

    Just a heads up (read: shameless plug), there's an AUR package:

    https://aur.archlinux.org/packages/whatfiles-git/

  • by atrudeau on 6/9/20, 1:04 PM

    For doing the opposite - what processes access a given file - I like to use Audit (https://wiki.archlinux.org/index.php/Audit_framework#Audit_f...).

  • by em500 on 6/9/20, 10:49 AM

    This looks very similar to fatrace, which is already in the standard Ubuntu and Fedora repos.

    Edit: fatrace is system-wide, whereas the current tool monitors a specific process.

    http://manpages.ubuntu.com/manpages/trusty/man1/fatrace.1.ht...

    https://piware.de/2012/02/fatrace-report-system-wide-file-ac...

  • by unhammer on 6/9/20, 8:36 AM

    Lots more such tools at https://jvns.ca/debugging-zine.pdf (opensnoop-bpfcc and strace would be the most like this one)

  • by Erwin on 6/9/20, 5:37 PM

    BTW, if you are using strace for this, check out the -y option recently added to strace. It will print the filename next to each file descriptor like this:

         read(3</proc/filesystems>, "", 1024)    = 0
    
    Another interesting new strace option is -k, which does a stack dump after each syscall. This can be useful to find out what part of the application, like some obscure lib, does weird system calls in your app.

  • by st0le on 6/9/20, 2:01 AM

    IMO ProcMon on Windows is its equivalent. Not Process Explorer.

  • by dkdk8283 on 6/9/20, 6:22 AM

    Any reason why this is better than audit? I read the README but I'm still not clear.

  • by amelius on 6/9/20, 1:19 PM

    Can it be invoked recursively?

    Because strace on Linux still fails with:

        strace: ptrace(PTRACE_TRACEME, ...): Operation not permitted
    
    in those cases :(