14

I'm attempting to debug an application on Ubuntu - I need to listen to file open attempts (even for files that don't exist).

Process Monitor (formerly known as FileMon) is available on Windows - what's on Ubuntu's utility belt?

Thanks!

Ashley

waitinforatrain
  • 113
  • 6
chickeninabiscuit
  • 1,094
  • 6
  • 17
  • 33

9 Answers9

8

You're looking for strace. Have a look here: https://wiki.ubuntu.com/Strace

Evan Anderson
  • 141,071
  • 19
  • 191
  • 328
  • 2
    As I understand it, running filemon allows the user to see all file accesses. strace on the other hand, requires you to specify which app to open first. This requires you to know beforehand, the app which is accessing those files. What if you do not know which app is accessing those files that you're interested in looking at? – chuacw Oct 19 '12 at 08:18
8

It depends on what you want:

  • In the large, you want to look at inotify to see all file accesses that any process makes.

  • In the small, strace will let you watch the syscalls a particular process makes. Strace is pretty awesome. You can trace a process's calls to 'open' by doing strace -f -eopen $cmd, for instance. The man page has full details on syntax, of course.

pjz
  • 10,497
  • 1
  • 31
  • 40
  • Thanks pjz. To be very specific - i'm having some trouble getting started with Ogre3d on Ubuntu. My test application seems to be looking for some .cfg files during start-up. I want to listen to all attempts to open files so i can ensure the correct files are available and have the correct permissions. – chickeninabiscuit Jul 07 '09 at 03:59
  • strace -e open ./app – Justin Jan 23 '10 at 00:32
2

strace in front of an starting application is good to watch what the app is doing.
lsof is nice to see which files an already running app is using.

BTW:
lsof -ni:22 shows which process is using Port 22.

ThorstenS
  • 3,084
  • 18
  • 21
2

SGI has a tool that you might want to try: http://oss.sgi.com/projects/fam/

user10103
  • 31
  • 1
1

Here is an example of using strace to track file changes:

strace -f -e trace=file -p7546 -o /tmp/outputfile

-f ensures that events from child processes are captured.
-e trace=file says that we should capture file-related syscalls (e.g. stat, open, futex etc.)
-p is the process ID (retrieved from ps -aux or other means) -o specified the outputfile (there may be a lot of data and you could instead use grep as a filter.

waitinforatrain
  • 113
  • 6
1

Try sysdig. For example:

sysdig -A -c echo_fds

Singlet
  • 111
  • 2
0

This calls for help by Mortadelo. http://gitorious.org/mortadelo

0

This is old, but i think its a good idea to update it for today reality.

For debug just one process and their children, strace is still be best way. It can show easily all file acess, even on missing files.

For generic system debug, audit feature in the kernel can do that and is the recommended way. It doesnt need any patch on recent kernels, just the audit packaged installed

here is a simple gui for using it:

audit-gui

This replicates the windows filemon, monitoring the file acess for all places, process, etc

also check the this post

Community
  • 1
higuita
  • 1,093
  • 9
  • 13
0

This is what worked well for me (Linux Mint 19.1):

sudo lsof 2>&1 | grep programnamehere

Not sure why 2>&1 was needed, but it didn't filter unless I used it.

Andrew
  • 143
  • 5