How to trace file access with DTrace on Solaris


I would like to find out how I can trace (show) file access on Solaris.
I already found the DTrace toolkit in the hope that voptrace would fit the bill. I ran it with voptrace -t /my/path, but if I ls or cat files under that path it produces no output. Am I looking at the wrong tool? Can someone suggest another one to find a solution?

UPDATE
@bahamat

Okay, it was giving error messages like this:

dtrace: error on enabled probe ID 3 (ID 126: syscall::openat:entry): invalid address (0xffd19652) in predicate at DIF offset 28

After redirecting stderr it seems it actually gives quite close to what I want.

Best Answer

Brendan Gregg has a number of good dtrace one-liners on his site. Among them, this one-liner to watch files opened by process:

dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0)); }'

Expanding that, you can watch a particular file being opened by adding a predicate:

dtrace -n 'syscall::open*:entry /copyinstr(arg0)=="/etc/passwd"/ { printf("%s %s",execname,copyinstr(arg0)); }'

Yielding the following output:

CPU     ID                    FUNCTION:NAME
  2  12622                     open64:entry cat /etc/passwd

ls is slightly different, in that ls file doesn't open file. It uses stat instead (specifically, lstat64) so the probe would be syscall::*stat*:entry.


Note that dtrace implementations vary. The commands above were run on illumos. YMMV.
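As an added example (not part of the answer above and not from the DTrace Toolkit), the two one-liners can be combined into one D script that logs every open and stat of a path under a given prefix, which is the kind of record wanted when auditing access to a directory. It assumes the Solaris/illumos syscall argument layout described in its header comment, that the index() subroutine is available in your dtrace build, and a hypothetical script name pathwatch.d.

```dtrace
#!/usr/sbin/dtrace -Zqs
/*
 * Added example, not from the original answer.
 * Usage (hypothetical file name): ./pathwatch.d /my/path
 * Assumed Solaris/illumos syscall argument layout:
 *   open, open64, stat, stat64, lstat, lstat64:  arg0 = path
 *   openat, openat64, fstatat, fstatat64:        arg1 = path (arg0 is a dir fd)
 * -Z lets the script load when some of these probes do not exist.
 */

syscall::open:entry, syscall::open64:entry,
syscall::stat:entry, syscall::stat64:entry,
syscall::lstat:entry, syscall::lstat64:entry
{
	self->path = arg0;
}

syscall::openat:entry, syscall::openat64:entry,
syscall::fstatat:entry, syscall::fstatat64:entry
{
	self->path = arg1;
}

/*
 * Read the path at return rather than entry: by then the kernel has
 * touched the user page, so copyinstr() is less likely to fault.
 * $$1 is the first script argument as a string; index() == 0 means
 * the path starts with that prefix.
 */
syscall::open*:return, syscall::*stat*:return
/self->path && index(copyinstr(self->path), $$1) == 0/
{
	printf("%Y %-12s pid=%-6d %-10s %s errno=%d\n", walltimestamp,
	    execname, pid, probefunc, copyinstr(self->path), errno);
}

/* Always clear the saved pointer so it cannot leak into a later syscall. */
syscall::open*:return, syscall::*stat*:return
{
	self->path = 0;
}
```

The match is on the path string exactly as the process passed it, so accesses made through a relative path or a symlink outside the prefix are not reported.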
