rwsnoop - snoop read/write events. Uses DTrace. rwsnoop [-jPtvZ] [-n name] [-p PID] This is measuring reads and writes at the application level. This matches the syscalls read, write, pread and pwrite. Since this uses DTrace, only the root user or users with the dtrace_kernel privilege can run this command. Solaris stable - needs the syscall provider.

-j print project ID

-P print parent process ID

-t print timestamp, us

-v print time, string

-Z print zone ID

-n name process name to track

-p PID PID to track

Default output, # rwsnoop

Print zone ID, # rwsnoop -\Z

Monitor processes named "bash", # rwsnoop -n bash

TIME timestamp, us

TIMESTR time, string

ZONE zone ID

PROJ project ID

UID user ID

PID process ID

PPID parent process ID

CMD command name for the process

D direction, Read or Write

BYTES total bytes during sample

FILE filename, if file based. Reads and writes that are not file based, for example with sockets, will print "<unknown>" as the filename.

See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with verbose descriptions explaining the output. rwsnoop will run forever until Ctrl-C is hit. Brendan Gregg [Sydney, Australia] rwtop(1M), dtrace(1M)