37 comments

[ 2.7 ms ] story [ 77.6 ms ] thread
IMO ProcMon on Windows is its equivalent. Not Process Explorer.
There was news 2 years ago that MS was porting the sysinternals tool to linux. Did that ever happen?

https://mspoweruser.com/microsoft-working-on-sysinternals-fo...

Ah, the system internal tools is one thing I really miss after switching to Linux on all my pcs. This port would be so awesome
Azure Insights provides similar kind of information.

Maybe that is where the porting effort went.

Could well be. If I recall correctly the motivation behind the porting was to give their engineers a unified set of tooling for troubleshooting windows and Linux (on Azure). I just assumed that the porting efforts would result in a similar set of tools to use locally on the box.
Any reason why this is better than audit? I read README but i’m still not clear.
Auditd is system wide (as would be inotify or fanotify based solutions).

This traces file events of a single process. Strace can be coaxed into something similar.

Not taking anything away from the worth of this tool but if you do happen to find yourself needing to quickly inspect which files a process has open you can do so using the /proc file system:

    ls -l /proc/$PID/fd/
Additionally you can also use the /proc file system to display where the cursor is in those files by outputting the contents of

    /proc/$PID/fdinfo/$FD
which is handy if you have a long running process but forgot to pipe it into `pv` (or any other long running ingest that lacks a progress UI)

(Both tricks are Linux only)

Similarly, and perhaps obviously to some, you can use that to check how many files that process has open in total:

ls -al /proc/$PID/fd/ | wc -l

Useful for actually knowing what that specific process has open and is respecting your Max Open Files settings.

I'm looking at you Influx.

On Mac, there's also lsof. (Also on Linux? I always assumed it was just a standard Unix tool, but maybe not?)

    lsof -c [process name]
    lsof -p [pid]
It is available for Linux however it's not always part of the base install of every distribution (but a worthwhile install none-the-less).

Not taking anything away from lsof as I do use it myself but I do also think there is also merit in learning the /proc file system too because it helps illuminate some of the not-so-hidden magic behind Linux. Even if you then still find lsof or similar become your preferred utility.

The main drawback of this is that the program may access a file too quickly for a polling strategy to notice.
biotop and biolatency surface similar info. they come with a ton of other ridiculously awesome tools in BCC tools. they are a set of python wrapper scripts that run eBPF programs. using eBPF generally has a really low impact on performance when compared with other tools that do similar work.

https://github.com/iovisor/bcc

How is this different from using something like,

`strace -e trace=file`

I see that you are using ptrace to monitor a process. That is also used by strace. Is there something else your application does that strace does not (In relation to files)?

From the README:

> Isn't this just a reimplementation of strace -fe trace=creat,open,openat,unlink,unlinkat ./program?

> Yes. Though it aims to be simpler and more user friendly.

Just a heads up (read: shameless plug), there's an AUR package:

https://aur.archlinux.org/packages/whatfiles-git/

This is one of the reasons I love Arch so much :) Thank you!
Wow, thank you very much! I've thought about trying to get a few of my projects into distribution repos but was somewhat intimidated by the process.
You're welcome - but please check out #1/#2 so i can remove that ugly patch ;)
Oh cool, was that you also? I will after work today.
nope, someone else. I just stumbled over it and it's currently part of the package. Thanks for your effort ^^
For macOS, fs_usage does the same job. I find it invaluable to find out what process is churning the disk (usually mds...).
Can it be invoked recursively?

Because strace on Linux still fails with:

    strace: ptrace(PTRACE_TRACEME, ...): Operation not permitted
in those cases :(
I have strace'd whatfiles, in fact that was a very useful way to debug a couple things, so maybe? I have not been able to attach to the same process with both whatfiles and strace, however.
BTW, if you are using strace for this, check out the -y option recently added to strace. It will print the filename next to each file descriptor like this:

     read(3</proc/filesystems>, "", 1024)    = 0
Another interesting new strace option is -k which does a stack dump after each syscall. this can be useful to find out what part of the application, like some obscure lib, does weird system calls in your app.