I'm attempting to debug an application on Ubuntu - I need to listen to file open attempts (even for files that don't exist).
Process Monitor (formerly known as FileMon) is available on Windows - what's on Ubuntu's utility belt?
Thanks!
Ashley
Asked
Active
Viewed 9,715 times
9 Answers
9
It depends on what you want:
In the large, you want to look at inotify to see all file accesses that any process makes.
In the small, strace will let you watch the syscalls a particular process makes. Strace is pretty awesome. You can trace a process's calls to 'open' by doing
strace -f -eopen $cmd, for instance. The man page has full details on syntax, of course.
pjz
- 10,695
1
strace in front of an starting application is good to watch what the app is doing.
lsof is nice to see which files an already running app is using.
BTW:
lsof -ni:22 shows which process is using Port 22.
ThorstenS
- 3,170
1
Here is an example of using strace to track file changes:
strace -f -e trace=file -p7546 -o /tmp/outputfile
-f ensures that events from child processes are captured.
-e trace=file says that we should capture file-related syscalls (e.g. stat, open, futex etc.)
-p is the process ID (retrieved from ps -aux or other means)
-o specified the outputfile (there may be a lot of data and you could instead use grep as a filter.
waitinforatrain
- 113
0
This is old, but i think its a good idea to update it for today reality.
For debug just one process and their children, strace is still be best way. It can show easily all file acess, even on missing files.
For generic system debug, audit feature in the kernel can do that and is the recommended way. It doesnt need any patch on recent kernels, just the audit packaged installed
here is a simple gui for using it:
This replicates the windows filemon, monitoring the file acess for all places, process, etc
also check the this post
0
This is what worked well for me (Linux Mint 19.1):
sudo lsof 2>&1 | grep programnamehere
Not sure why 2>&1 was needed, but it didn't filter unless I used it.
Andrew
- 143