Continuously monitor files opened/accessed by a process

26

11

lsof -p 12345 will list all the files opened by the process whose PID is 12345, but only for a particular instant in time.

How can we continuously monitor a process from start to end (until the process is terminated) to list/show every single file accessed by the process during its whole lifetime?

MA1

Posted 2011-10-20T13:50:22.987

Reputation: 1 049

How do I monitor opened files of a process in realtime? – phuclv – 2017-05-22T03:36:42.063

Answers

32

Try with strace -p 12345; it should do what you are trying to achieve.

The output can be filtered to only display opened files (Dan D.'s comment):

strace -e open -p 12345

Note: you can also trace quickly running processes with strace -e open <command>.

Jens Erat

Posted 2011-10-20T13:50:22.987

Reputation: 14 141

When I kill the strace command, it also kills the thing it is tracing. Why is this happening (cygwin)? – CMCDragonkai – 2015-05-01T05:52:41.120

Sounds like a bug. Be aware that the cygwin-strace is probably not the Linux-strace, as strace is a Linux-specific tool. Cygwin builds a Unix-compatibility layer, and does not try to be Linux. With cygwin, you're probably better off using the original Windows tools. – Jens Erat – 2015-05-01T08:36:04.597

The output is not friendly and has too many extra things. – MA1 – 2011-10-21T07:39:19.770

You can fix that by piping - strace -p {pid} 2>&1 | grep -i "Open" | tee files_opened.log. The key is grep, which lets you filter the output for the system call you want (e.g. open()). – None – 2012-03-08T10:26:32.790

@Ninefingers Actually strace can do that better than grep with the -e option: strace -e open – Dan D. – 2012-03-08T10:48:39.890

@DanD oh yeah, ofc :) – None – 2012-03-08T10:51:15.020
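The filtering discussed in this answer and its comments, as an added example that is not part of the original thread: a shell function that reduces strace output to one line per distinct file, with the access mode and whether the open succeeded. It assumes x86-64 Linux, where modern glibc issues openat rather than open, so both are traced; strace writes to stderr, so capture it with 2>&1 or -o. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Input: stderr of
#   strace -f -e trace=open,openat -p PID      (PID is a placeholder)
# Output: one "result<TAB>access<TAB>path" line per distinct combination,
# where result is "ok" or the errno name and access is r, w or rw.
summarize_opens() {
    awk '
    {
        line = $0; prefix = ""
        if (match(line, /^\[pid +[0-9]+\] /)) {          # per-process prefix from -f
            prefix = substr(line, 1, RLENGTH)
            line = substr(line, RLENGTH + 1)
        }
        if (line ~ /^<\.\.\. (open|openat) resumed>/) {   # second half of a split call
            if (!(prefix in pending)) next
            head = pending[prefix]; delete pending[prefix]; rest = line
        } else if (line ~ /^(open|openat)\(/ && match(line, /"([^"\\]|\\.)*"/)) {
            path = substr(line, RSTART + 1, RLENGTH - 2)  # first quoted argument
            rest = substr(line, RSTART + RLENGTH)         # flags and return value
            access = "r"
            if (rest ~ /O_RDWR/) access = "rw"
            else if (rest ~ /O_WRONLY/) access = "w"
            head = access "\t" path
            if (rest ~ /<unfinished \.\.\.>$/) { pending[prefix] = head; next }
        } else next                                       # signals, exit notices, ...

        if (rest ~ /\) = [0-9]+$/) result = "ok"
        else if (match(rest, /\) = -1 [A-Z0-9]+/)) result = substr(rest, RSTART + 7, RLENGTH - 7)
        else next
        key = result "\t" head
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Constructed sample input, written in strace output format (not a real capture).
sample_trace() {
    cat <<'EOF'
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid 12346] openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
[pid 12346] openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
[pid 12347] openat(AT_FDCWD, "/tmp/my file.txt", O_RDWR|O_CREAT, 0600 <unfinished ...>
open("/var/log/app.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 5
[pid 12347] <... openat resumed>) = 6
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
+++ exited with 0 +++
EOF
}

sample_trace | summarize_opens
```

Against a live process, the input would come from strace -f -e trace=open,openat -p PID 2>&1 | summarize_opens, with PID as a placeholder; failed opens such as the EACCES line are kept because denied attempts are often the interesting part of an audit.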

6

The new utility fatrace will do this: https://launchpad.net/fatrace/

sudo fatrace | grep '(6514)'

Don't use the -p option, it means the opposite of what it means in lsof or other utilities.

Bryce

Posted 2011-10-20T13:50:22.987

Reputation: 2 038

3

This will loop re-running your command and clearing the screen each time:

watch "lsof -p 12345"

WARNING: this will miss quick file accesses and is only suitable to see long standing files

jcalfee314

Posted 2011-10-20T13:50:22.987

Reputation: 593

This is somewhat clumsy compared to the other answer using strace. – David Foerster – 2013-12-05T17:32:46.507

That's an inaccurate solution - a process may use files in between executions of lsof – Dor – 2014-01-31T08:47:50.510

@Dor you can set the timing of lsof to sub 1 second and increase its precision. While it's clumsy compared to others, you are wrong in that it's an inaccurate solution. – Jordon Bedwell – 2014-02-18T02:31:44.527

If you're looking at a long file operation (like a database backup) this may be a good simple alternative. – jcalfee314 – 2014-02-18T14:21:11.437