Mr.X

Demonstrations of opensnoop, the Linux eBPF/bcc version.


opensnoop traces the open() syscall system-wide, and prints various details.
Example output:

# ./opensnoop
PID    COMM      FD ERR PATH
17326  <...>      7   0 /sys/kernel/debug/tracing/trace_pipe
1576   snmpd      9   0 /proc/net/dev
1576   snmpd     11   0 /proc/net/if_inet6
1576   snmpd     11   0 /proc/sys/net/ipv4/neigh/eth0/retrans_time_ms
1576   snmpd     11   0 /proc/sys/net/ipv6/neigh/eth0/retrans_time_ms
1576   snmpd     11   0 /proc/sys/net/ipv6/conf/eth0/forwarding
1576   snmpd     11   0 /proc/sys/net/ipv6/neigh/eth0/base_reachable_time_ms
1576   snmpd     11   0 /proc/sys/net/ipv4/neigh/lo/retrans_time_ms
1576   snmpd     11   0 /proc/sys/net/ipv6/neigh/lo/retrans_time_ms
1576   snmpd     11   0 /proc/sys/net/ipv6/conf/lo/forwarding
1576   snmpd     11   0 /proc/sys/net/ipv6/neigh/lo/base_reachable_time_ms
1576   snmpd      9   0 /proc/diskstats
1576   snmpd      9   0 /proc/stat
1576   snmpd      9   0 /proc/vmstat
1956   supervise  9   0 supervise/status.new
1956   supervise  9   0 supervise/status.new
17358  run        3   0 /etc/ld.so.cache
17358  run        3   0 /lib/x86_64-linux-gnu/libtinfo.so.5
17358  run        3   0 /lib/x86_64-linux-gnu/libdl.so.2
17358  run        3   0 /lib/x86_64-linux-gnu/libc.so.6
17358  run       -1   6 /dev/tty
17358  run        3   0 /proc/meminfo
17358  run        3   0 /etc/nsswitch.conf
17358  run        3   0 /etc/ld.so.cache
17358  run        3   0 /lib/x86_64-linux-gnu/libnss_compat.so.2
17358  run        3   0 /lib/x86_64-linux-gnu/libnsl.so.1
17358  run        3   0 /etc/ld.so.cache
17358  run        3   0 /lib/x86_64-linux-gnu/libnss_nis.so.2
17358  run        3   0 /lib/x86_64-linux-gnu/libnss_files.so.2
17358  run        3   0 /etc/passwd
17358  run        3   0 ./run
^C

While tracing, the snmpd process opened various /proc files (reading metrics),
and a "run" process read various libraries and config files (looks like it
was starting up: a new process).

opensnoop can be useful for discovering configuration and log files, if used
during application startup.


The -p option can be used to filter on a PID, which is filtered in-kernel. Here
I've used it with -T to print timestamps:

 ./opensnoop -Tp 1956
TIME(s)       PID    COMM               FD ERR PATH
0.000000000   1956   supervise           9   0 supervise/status.new
0.000289999   1956   supervise           9   0 supervise/status.new
1.023068000   1956   supervise           9   0 supervise/status.new
1.023381997   1956   supervise           9   0 supervise/status.new
2.046030000   1956   supervise           9   0 supervise/status.new
2.046363000   1956   supervise           9   0 supervise/status.new
3.068203997   1956   supervise           9   0 supervise/status.new
3.068544999   1956   supervise           9   0 supervise/status.new

This shows the supervise process is opening the status.new file twice every
second.


The -U option include UID on output:

# ./opensnoop -U
UID   PID    COMM               FD ERR PATH
0     27063  vminfo              5   0 /var/run/utmp
103   628    dbus-daemon        -1   2 /usr/local/share/dbus-1/system-services
103   628    dbus-daemon        18   0 /usr/share/dbus-1/system-services
103   628    dbus-daemon        -1   2 /lib/dbus-1/system-services


The -u option filtering UID:

# ./opensnoop -Uu 1000
UID   PID    COMM               FD ERR PATH
1000  30240  ls                  3   0 /etc/ld.so.cache
1000  30240  ls                  3   0 /lib/x86_64-linux-gnu/libselinux.so.1
1000  30240  ls                  3   0 /lib/x86_64-linux-gnu/libc.so.6
1000  30240  ls                  3   0 /lib/x86_64-linux-gnu/libpcre.so.3
1000  30240  ls                  3   0 /lib/x86_64-linux-gnu/libdl.so.2
1000  30240  ls                  3   0 /lib/x86_64-linux-gnu/libpthread.so.0

The -x option only prints failed opens:

# ./opensnoop -x
PID    COMM      FD ERR PATH
18372  run       -1   6 /dev/tty
18373  run       -1   6 /dev/tty
18373  multilog  -1  13 lock
18372  multilog  -1  13 lock
18384  df        -1   2 /usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo
18384  df        -1   2 /usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo
18384  df        -1   2 /usr/share/locale/en_US/LC_MESSAGES/coreutils.mo
18384  df        -1   2 /usr/share/locale/en.UTF-8/LC_MESSAGES/coreutils.mo
18384  df        -1   2 /usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo
18384  df        -1   2 /usr/share/locale/en/LC_MESSAGES/coreutils.mo
18385  run       -1   6 /dev/tty
18386  run       -1   6 /dev/tty

This caught a df command failing to open a coreutils.mo file, and trying from
different directories.

The ERR column is the system error number. Error number 2 is ENOENT: no such
file or directory.


A maximum tracing duration can be set with the -d option. For example, to trace
for 2 seconds:

# ./opensnoop -d 2
PID    COMM               FD ERR PATH
2191   indicator-multi    11   0 /sys/block
2191   indicator-multi    11   0 /sys/block
2191   indicator-multi    11   0 /sys/block
2191   indicator-multi    11   0 /sys/block
2191   indicator-multi    11   0 /sys/block


The -n option can be used to filter on process name using partial matches:

# ./opensnoop -n ed

PID    COMM               FD ERR PATH
2679   sed                 3   0 /etc/ld.so.cache
2679   sed                 3   0 /lib/x86_64-linux-gnu/libselinux.so.1
2679   sed                 3   0 /lib/x86_64-linux-gnu/libc.so.6
2679   sed                 3   0 /lib/x86_64-linux-gnu/libpcre.so.3
2679   sed                 3   0 /lib/x86_64-linux-gnu/libdl.so.2
2679   sed                 3   0 /lib/x86_64-linux-gnu/libpthread.so.0
2679   sed                 3   0 /proc/filesystems
2679   sed                 3   0 /usr/lib/locale/locale-archive
2679   sed                -1   2
2679   sed                 3   0 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
2679   sed                 3   0 /dev/null
2680   sed                 3   0 /etc/ld.so.cache
2680   sed                 3   0 /lib/x86_64-linux-gnu/libselinux.so.1
2680   sed                 3   0 /lib/x86_64-linux-gnu/libc.so.6
2680   sed                 3   0 /lib/x86_64-linux-gnu/libpcre.so.3
2680   sed                 3   0 /lib/x86_64-linux-gnu/libdl.so.2
2680   sed                 3   0 /lib/x86_64-linux-gnu/libpthread.so.0
2680   sed                 3   0 /proc/filesystems
2680   sed                 3   0 /usr/lib/locale/locale-archive
2680   sed                -1   2
^C

This caught the 'sed' command because it partially matches 'ed' that's passed
to the '-n' option.


The -e option prints out extra columns; for example, the following output
contains the flags passed to open(2), in octal:

# ./opensnoop -e
PID    COMM               FD ERR FLAGS    PATH
28512  sshd               10   0 00101101 /proc/self/oom_score_adj
28512  sshd                3   0 02100000 /etc/ld.so.cache
28512  sshd                3   0 02100000 /lib/x86_64-linux-gnu/libwrap.so.0
28512  sshd                3   0 02100000 /lib/x86_64-linux-gnu/libaudit.so.1
28512  sshd                3   0 02100000 /lib/x86_64-linux-gnu/libpam.so.0
28512  sshd                3   0 02100000 /lib/x86_64-linux-gnu/libselinux.so.1
28512  sshd                3   0 02100000 /lib/x86_64-linux-gnu/libsystemd.so.0
28512  sshd                3   0 02100000 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2
28512  sshd                3   0 02100000 /lib/x86_64-linux-gnu/libutil.so.1


The -f option filters based on flags to the open(2) call, for example:

# ./opensnoop -e -f O_WRONLY -f O_RDWR
PID    COMM               FD ERR FLAGS    PATH
28084  clear_console       3   0 00100002 /dev/tty
28084  clear_console      -1  13 00100002 /dev/tty0
28084  clear_console      -1  13 00100001 /dev/tty0
28084  clear_console      -1  13 00100002 /dev/console
28084  clear_console      -1  13 00100001 /dev/console
28051  sshd                8   0 02100002 /var/run/utmp
28051  sshd                7   0 00100001 /var/log/wtmp


The --cgroupmap option filters based on a cgroup set. It is meant to be used
with an externally created map.

# ./opensnoop --cgroupmap /sys/fs/bpf/test01

For more details, see docs/special_filtering.md


USAGE message:

# ./opensnoop -h
usage: opensnoop.py [-h] [-T] [-U] [-x] [-p PID] [-t TID]
                    [--cgroupmap CGROUPMAP] [--mntnsmap MNTNSMAP] [-u UID]
                    [-d DURATION] [-n NAME] [-e] [-f FLAG_FILTER] [-F]
                    [-b BUFFER_PAGES]

Trace open() syscalls

optional arguments:
  -h, --help            show this help message and exit
  -T, --timestamp       include timestamp on output
  -U, --print-uid       print UID column
  -x, --failed          only show failed opens
  -p PID, --pid PID     trace this PID only
  -t TID, --tid TID     trace this TID only
  --cgroupmap CGROUPMAP
                        trace cgroups in this BPF map only
  --mntnsmap MNTNSMAP   trace mount namespaces in this BPF map only
  -u UID, --uid UID     trace this UID only
  -d DURATION, --duration DURATION
                        total duration of trace in seconds
  -n NAME, --name NAME  only print process names containing this name
  -e, --extended_fields
                        show extended fields
  -f FLAG_FILTER, --flag_filter FLAG_FILTER
                        filter on flags argument (e.g., O_WRONLY)
  -F, --full-path       show full path for an open file with relative path
  -b BUFFER_PAGES, --buffer-pages BUFFER_PAGES
                        size of the perf ring buffer (must be a power of two
                        number of pages and defaults to 64)

examples:
    ./opensnoop                        # trace all open() syscalls
    ./opensnoop -T                     # include timestamps
    ./opensnoop -U                     # include UID
    ./opensnoop -x                     # only show failed opens
    ./opensnoop -p 181                 # only trace PID 181
    ./opensnoop -t 123                 # only trace TID 123
    ./opensnoop -u 1000                # only trace UID 1000
    ./opensnoop -d 10                  # trace for 10 seconds only
    ./opensnoop -n main                # only print process names containing "main"
    ./opensnoop -e                     # show extended fields
    ./opensnoop -f O_WRONLY -f O_RDWR  # only print calls for writing
    ./opensnoop -F                     # show full path for an open file with relative path
    ./opensnoop --cgroupmap mappath    # only trace cgroups in this BPF map
    ./opensnoop --mntnsmap mappath     # only trace mount namespaces in the map

Name	Type	Size	Permission
lib	Folder		0755
argdist_example.txt	File	22.49 KB	0644
bashreadline_example.txt	File	882 B	0644
bindsnoop_example.txt	File	4.42 KB	0644
biolatency_example.txt	File	23.46 KB	0644
biolatpcts_example.txt	File	2.97 KB	0644
biopattern_example.txt	File	1.37 KB	0644
biosnoop_example.txt	File	3.47 KB	0644
biotop_example.txt	File	9.11 KB	0644
bitesize_example.txt	File	4.98 KB	0644
bpflist_example.txt	File	2.13 KB	0644
btrfsdist_example.txt	File	9.32 KB	0644
btrfsslower_example.txt	File	6.65 KB	0644
cachestat_example.txt	File	3.92 KB	0644
cachetop_example.txt	File	3.83 KB	0644
capable_example.txt	File	6.5 KB	0644
cobjnew_example.txt	File	2.97 KB	0644
compactsnoop_example.txt	File	9.92 KB	0644
cpudist_example.txt	File	16.48 KB	0644
cpuunclaimed_example.txt	File	15.2 KB	0644
criticalstat_example.txt	File	4.81 KB	0644
cthreads_example.txt	File	2.08 KB	0644
dbslower_example.txt	File	3.89 KB	0644
dbstat_example.txt	File	6.5 KB	0644
dcsnoop_example.txt	File	4.27 KB	0644
dcstat_example.txt	File	3.26 KB	0644
deadlock_example.txt	File	16.25 KB	0644
dirtop_example.txt	File	4.98 KB	0644
drsnoop_example.txt	File	5 KB	0644
execsnoop_example.txt	File	6.64 KB	0644
exitsnoop_example.txt	File	6.22 KB	0644
ext4dist_example.txt	File	8.78 KB	0644
ext4slower_example.txt	File	11.07 KB	0644
filegone_example.txt	File	743 B	0644
filelife_example.txt	File	2.04 KB	0644
fileslower_example.txt	File	5.58 KB	0644
filetop_example.txt	File	6.8 KB	0644
funccount_example.txt	File	13.29 KB	0644
funcinterval_example.txt	File	15.28 KB	0644
funclatency_example.txt	File	20.98 KB	0644
funcslower_example.txt	File	6.63 KB	0644
gethostlatency_example.txt	File	1.29 KB	0644
hardirqs_example.txt	File	37.05 KB	0644
inject_example.txt	File	6.67 KB	0644
javacalls_example.txt	File	3.91 KB	0644
javaflow_example.txt	File	5.88 KB	0644
javagc_example.txt	File	3.78 KB	0644
javaobjnew_example.txt	File	2.97 KB	0644
javastat_example.txt	File	2.98 KB	0644
javathreads_example.txt	File	2.08 KB	0644
killsnoop_example.txt	File	1.31 KB	0644
klockstat_example.txt	File	8.34 KB	0644
kvmexit_example.txt	File	11.63 KB	0644
llcstat_example.txt	File	3.24 KB	0644
mdflush_example.txt	File	1.74 KB	0644
memleak_example.txt	File	10.02 KB	0644
mountsnoop_example.txt	File	1.45 KB	0644
mysqld_qslower_example.txt	File	2.3 KB	0644
netqtop_example.txt	File	12.2 KB	0644
nfsdist_example.txt	File	8.31 KB	0644
nfsslower_example.txt	File	7.68 KB	0644
nodegc_example.txt	File	3.78 KB	0644
nodestat_example.txt	File	2.98 KB	0644
offcputime_example.txt	File	19.2 KB	0644
offwaketime_example.txt	File	37.36 KB	0644
oomkill_example.txt	File	1.88 KB	0644
opensnoop_example.txt	File	10.33 KB	0644
perlcalls_example.txt	File	3.91 KB	0644
perlflow_example.txt	File	5.88 KB	0644
perlstat_example.txt	File	2.98 KB	0644
phpcalls_example.txt	File	3.91 KB	0644
phpflow_example.txt	File	5.88 KB	0644
phpstat_example.txt	File	2.98 KB	0644
pidpersec_example.txt	File	677 B	0644
ppchcalls_example.txt	File	6.93 KB	0644
profile_example.txt	File	31.08 KB	0644
pythoncalls_example.txt	File	3.91 KB	0644
pythonflow_example.txt	File	5.88 KB	0644
pythongc_example.txt	File	3.78 KB	0644
pythonstat_example.txt	File	2.98 KB	0644
rdmaucma_example.txt	File	1.94 KB	0644
readahead_example.txt	File	3.17 KB	0644
reset-trace_example.txt	File	9.15 KB	0644
rubycalls_example.txt	File	3.91 KB	0644
rubyflow_example.txt	File	5.88 KB	0644
rubygc_example.txt	File	3.78 KB	0644
rubyobjnew_example.txt	File	2.97 KB	0644
rubystat_example.txt	File	2.98 KB	0644
runqlat_example.txt	File	31.3 KB	0644
runqlen_example.txt	File	11.85 KB	0644
runqslower_example.txt	File	2.13 KB	0644
shmsnoop_example.txt	File	2.73 KB	0644
slabratetop_example.txt	File	5.22 KB	0644
sofdsnoop_example.txt	File	3.14 KB	0644
softirqs_example.txt	File	11.02 KB	0644
solisten_example.txt	File	2.3 KB	0644
sslsniff_example.txt	File	6.74 KB	0644
stackcount_example.txt	File	21.45 KB	0644
statsnoop_example.txt	File	3.02 KB	0644
swapin.txt	File	2.57 KB	0644
swapin_example.txt	File	1.39 KB	0644
syncsnoop_example.txt	File	387 B	0644
syscount_example.txt	File	6.27 KB	0644
tclcalls_example.txt	File	3.91 KB	0644
tclflow_example.txt	File	5.88 KB	0644
tclobjnew_example.txt	File	2.97 KB	0644
tclstat_example.txt	File	2.98 KB	0644
tcpaccept_example.txt	File	2.76 KB	0644
tcpcong_example.txt	File	33.31 KB	0644
tcpconnect_example.txt	File	6.27 KB	0644
tcpconnlat_example.txt	File	2.55 KB	0644
tcpdrop_example.txt	File	1.95 KB	0644
tcplife_example.txt	File	6.83 KB	0644
tcpretrans_example.txt	File	3.85 KB	0644
tcprtt_example.txt	File	9.83 KB	0644
tcpstates_example.txt	File	2.84 KB	0644
tcpsubnet_example.txt	File	5.37 KB	0644
tcpsynbl_example.txt	File	1.15 KB	0644
tcptop_example.txt	File	5.75 KB	0644
tcptracer_example.txt	File	1.98 KB	0644
threadsnoop_example.txt	File	1.07 KB	0644
tplist_example.txt	File	4.4 KB	0644
trace_example.txt	File	21.62 KB	0644
ttysnoop_example.txt	File	3.24 KB	0644
vfscount_example.txt	File	2.17 KB	0644
vfsstat_example.txt	File	1.66 KB	0644
virtiostat_example.txt	File	2.62 KB	0644
wakeuptime_example.txt	File	33.25 KB	0644
xfsdist_example.txt	File	6.77 KB	0644
xfsslower_example.txt	File	6.91 KB	0644
zfsdist_example.txt	File	9.52 KB	0644
zfsslower_example.txt	File	7.37 KB	0644

Upload:

Command:

Filemanager

Server Info

System Info

User Info