The following are examples of opensnoop. File open events are traced

along with some process details.

This first example is of the default output. The commands "cat", "cal",

"ls" and "uname" were run. The returned file descriptor (or -1 for error) are

shown, along with the filenames.

# ./opensnoop

UID PID COMM FD PATH

100 3504 cat -1 /var/ld/ld.config

100 3504 cat 3 /usr/lib/libc.so.1

100 3504 cat 3 /etc/passwd

100 3505 cal -1 /var/ld/ld.config

100 3505 cal 3 /usr/lib/libc.so.1

100 3505 cal 3 /usr/share/lib/zoneinfo/Australia/NSW

100 3506 ls -1 /var/ld/ld.config

100 3506 ls 3 /usr/lib/libc.so.1

100 3507 uname -1 /var/ld/ld.config

100 3507 uname 3 /usr/lib/libc.so.1

[...]

Full command arguments can be fetched using -g,

# ./opensnoop -g

UID PID PATH FD ARGS

100 3528 /var/ld/ld.config -1 cat /etc/passwd

100 3528 /usr/lib/libc.so.1 3 cat /etc/passwd

100 3528 /etc/passwd 3 cat /etc/passwd

100 3529 /var/ld/ld.config -1 cal

100 3529 /usr/lib/libc.so.1 3 cal

100 3529 /usr/share/lib/zoneinfo/Australia/NSW 3 cal

100 3530 /var/ld/ld.config -1 ls -l

100 3530 /usr/lib/libc.so.1 3 ls -l

100 3530 /var/run/name_service_door 3 ls -l

100 3530 /usr/share/lib/zoneinfo/Australia/NSW 4 ls -l

100 3531 /var/ld/ld.config -1 uname -a

100 3531 /usr/lib/libc.so.1 3 uname -a

[...]

The verbose option prints human readable timestamps,

# ./opensnoop -v

STRTIME UID PID COMM FD PATH

2005 Jan 22 01:22:50 0 23212 df -1 /var/ld/ld.config

2005 Jan 22 01:22:50 0 23212 df 3 /lib/libcmd.so.1

2005 Jan 22 01:22:50 0 23212 df 3 /lib/libc.so.1

2005 Jan 22 01:22:50 0 23212 df 3 /platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1

2005 Jan 22 01:22:50 0 23212 df 3 /etc/mnttab

2005 Jan 22 01:22:50 0 23211 dtrace 4 /usr/share/lib/zoneinfo/Australia/NSW

2005 Jan 22 01:22:51 0 23213 uname -1 /var/ld/ld.config

2005 Jan 22 01:22:51 0 23213 uname 3 /lib/libc.so.1

2005 Jan 22 01:22:51 0 23213 uname 3 /platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1

[...]

Particular files can be monitored using -f. For example,

# ./opensnoop -vgf /etc/passwd

STRTIME UID PID PATH FD ARGS

2005 Jan 22 01:28:50 0 23242 /etc/passwd 3 cat /etc/passwd

2005 Jan 22 01:28:54 0 23243 /etc/passwd 4 vi /etc/passwd

2005 Jan 22 01:29:06 0 23244 /etc/passwd 3 passwd brendan

[...]

This example is of opensnoop running on a quiet system. We can see as

various daemons are opening files,

# ./opensnoop

UID PID COMM FD PATH

0 253 nscd 5 /etc/user_attr

0 253 nscd 5 /etc/hosts

0 419 mibiisa 2 /dev/kstat

0 419 mibiisa 2 /dev/rtls

0 419 mibiisa 2 /dev/kstat

0 419 mibiisa 2 /dev/kstat

0 419 mibiisa 2 /dev/rtls

0 419 mibiisa 2 /dev/kstat

0 253 nscd 5 /etc/user_attr

0 419 mibiisa 2 /dev/kstat

0 419 mibiisa 2 /dev/rtls

0 419 mibiisa 2 /dev/kstat

0 174 in.routed 8 /dev/kstat

0 174 in.routed 8 /dev/kstat

0 174 in.routed 6 /dev/ip

0 419 mibiisa 2 /dev/kstat

0 419 mibiisa 2 /dev/rtls

0 419 mibiisa 2 /dev/kstat

0 293 utmpd 4 /var/adm/utmpx

0 293 utmpd 5 /var/adm/utmpx

0 293 utmpd 6 /proc/442/psinfo

0 293 utmpd 6 /proc/567/psinfo

0 293 utmpd 6 /proc/567/psinfo

0 293 utmpd 6 /proc/567/psinfo

0 293 utmpd 6 /proc/567/psinfo

0 293 utmpd 6 /proc/567/psinfo

0 293 utmpd 6 /proc/567/psinfo

0 293 utmpd 6 /proc/567/psinfo

0 293 utmpd 6 /proc/567/psinfo

0 293 utmpd 6 /proc/3013/psinfo

0 419 mibiisa 2 /dev/kstat

0 419 mibiisa 2 /dev/rtls

0 419 mibiisa 2 /dev/kstat

[...]