statsnoop - snoop file stats as they occur. Uses DTrace. statsnoop [-a|-A|-ceghsvxZ] [-f pathname] [-n name] [-p PID] statsnoop traces the stat variety of syscalls. As a process issues a file stat, details such as UID, PID and pathname are printed out. The returned file descriptor is printed, a value of -1 indicates an error. This can be useful for troubleshooting to determine if appliacions are attempting to stat files that do not exist. Since this uses DTrace, only the root user or users with the dtrace_kernel privilege can run this command. Solaris stable - needs the syscall provider.

-a print all data

-A dump all data, space delimited

-c print current working directory of process

-e print errno value

-g print full command arguments

-s print start time, us

-v print start time, string

-x only print failed stats

-Z print zonename

-f pathname file pathname to snoop

-n name process name to snoop

-p PID process ID to snoop

Default output, print file stats by process as they occur, # statsnoop

Print human readable timestamps, # statsnoop -v

See error codes, # statsnoop -e

Snoop this file only, # statsnoop -f /etc/passwd

ZONE Zone name

UID User ID

PID Process ID

PPID Parent Process ID

FD File Descriptor (-1 is error)

ERR errno value (see /usr/include/sys/errno.h)

CWD current working directory of process

PATH pathname for file stat

COMM command name for the process

ARGS argument listing for the process

TIME timestamp for the stat event, us

STRTIME timestamp for the stat event, string

See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with verbose descriptions explaining the output. statsnoop will run forever until Ctrl-C is hit. occasionally the pathname for the file stat cannot be read and the following error will be seen, dtrace: error on enabled probe ID 6 (...): invalid address this is normal behaviour. Brendan Gregg [Sydney, Australia] dtrace(1M), truss(1)