opensnoop - snoop file opens as they occur. Uses DTrace.

sudo opensnoop [-a|-A|-ceghsvxZ] [-f pathname] [-n name] [-p PID]

Tracks file opens. As a process issues a file open, details such as UID, PID and pathname are output.

The returned file descriptor is ed, a value of -1 indicates an error. Useful for troubleshooting to determine if appliacions are attempting to open files that do not exist.

Since this uses DTrace, only users with root privileges can run this command.

-a all data
-A space delimited
-c current working directory of process
-e errno value
-g full command arguments
-s start time, us
-v start time, string
-x only failed opens
-Z zonename
-f pathname
-n name process
-p PID

EXAMPLES

Default output, file opens by process as they occur,
opensnoop
sudo opensnoop  2>~/0
  UID    PID COMM          FD PATH                 
  503  79104 sleep          3 /dev/dtracehelper    
  503  79106 bash           3 /tmp/dfdf_1          
  503  79108 bash           3 .                    
  503  79107 df             3 /dev/dtracehelper    
  503  79105 bash           3 /Volumes/DATA/dgerman/.bin/df 
  503  79105 bash           3 /Volumes/DATA/dgerman/.bin/df 
    0     13 taskgated      3 /usr/local/bin       
    0     13 taskgated      3 /usr/local/bin/gnused 
  503  79108 grep           3 /dev/dtracehelper    
  503  79106 gnused         3 /dev/dtracehelper    
  503  79110 awk            3 /dev/dtracehelper    
  503  79106 gnused         3 /usr/lib/charset.alias 
    0     13 taskgated      3 /usr/local/bin       
    0     13 taskgated      3 /usr/local/bin/gnused 
  503  79109 gnused         3 /dev/dtracehelper    
  503  79111 gnused         3 /dev/dtracehelper    
  503  79109 gnused         3 /usr/lib/charset.alias 
    0     13 taskgated      3 /usr/local/bin       
    0     13 taskgated      3 /usr/local/bin/gnused 
  503  79111 gnused         3 /usr/lib/charset.alias 
  503  79112 cmp            3 /dev/dtracehelper    
  503  79112 cmp            3 /tmp/dfdf_0          
  503  79112 cmp            4 /tmp/dfdf_1          
  503  79113 bash           3 /Volumes/DATA/dgerman/.bin/df 
  503  79113 bash           3 /Volumes/DATA/dgerman/.bin/df 
    0     13 taskgated      3 /usr/local/bin       
    0     13 taskgated      3 /usr/local/bin/gnused 
  503  79114 gnused         3 /dev/dtracehelper    
  503  79115 df             3 /dev/dtracehelper    
  503  79116 bash           3 .                    
human readable timestamps
opensnoop -v
sudo opensnoop -v  2>~/0
STRTIME                UID    PID COMM          FD PATH                 
2012 Oct 25 14:06:45   503  79547 bash           3 /Volumes/DATA/dgerman/.bin/df 
2012 Oct 25 14:06:45   503  79547 bash           3 /Volumes/DATA/dgerman/.bin/df 
2012 Oct 25 14:06:45     0  79546 dtrace         6 /etc/localtime       
2012 Oct 25 14:06:45   503  79548 bash           3 /tmp/dfdf_1          
2012 Oct 25 14:06:45   503  79550 bash           3 .                    
2012 Oct 25 14:06:45     0     13 taskgated      3 /usr/local/bin       
2012 Oct 25 14:06:45     0     13 taskgated      3 /usr/local/bin/gnused 
2012 Oct 25 14:06:45   503  79548 gnused         3 /dev/dtracehelper    
2012 Oct 25 14:06:45   503  79550 grep           3 /dev/dtracehelper    
2012 Oct 25 14:06:45     0     13 taskgated      3 /usr/local/bin       
2012 Oct 25 14:06:45     0     13 taskgated      3 /usr/local/bin/gnused 
2012 Oct 25 14:06:45   503  79551 gnused         3 /dev/dtracehelper    
2012 Oct 25 14:06:45   503  79549 df             3 /dev/dtracehelper    
2012 Oct 25 14:06:46   503  79552 awk            3 /dev/dtracehelper    
2012 Oct 25 14:06:46   503  79551 gnused         3 /usr/lib/charset.alias 
2012 Oct 25 14:06:46   503  79548 gnused         3 /usr/lib/charset.alias 
2012 Oct 25 14:06:46     0     13 taskgated      3 /usr/local/bin       
2012 Oct 25 14:06:46     0     13 taskgated      3 /usr/local/bin/gnused 
2012 Oct 25 14:06:46   503  79553 gnused         3 /dev/dtracehelper    
See error codes,
opensnoop -e
Snoop this file only,
opensnoop -f /etc/passwd

sudo opensnoop -a   2>~/0
TIME           STRTIME                UID    PID  FD ERR PATH                 ARGS
5038828775     2012 Oct 25 14:04:11   503  78453   3   0 /Volumes/DATA/dgerman/.bin/df bash\0
5038829571     2012 Oct 25 14:04:11   503  78453   3   0 /Volumes/DATA/dgerman/.bin/df bash\0
5038860955     2012 Oct 25 14:04:11     0  78452   6   0 /etc/localtime       dtrace\0
5038862153     2012 Oct 25 14:04:11     0     13   3   0 /usr/local/bin       taskgated\0
5038862472     2012 Oct 25 14:04:11     0     13   3   0 /usr/local/bin/gnused taskgated\0
5038861599     2012 Oct 25 14:04:11   503  78454   3   0 /tmp/dfdf_1          bash\0
5038863895     2012 Oct 25 14:04:11   503  78454   3   0 /dev/dtracehelper    gnused\0
5038906064     2012 Oct 25 14:04:11   503  78456   3   0 .                    bash\0
5038908175     2012 Oct 25 14:04:11   503  78454   3   0 /usr/lib/charset.alias gnused\0
5038920012     2012 Oct 25 14:04:11   503  78456   3   0 /dev/dtracehelper    grep\0
5038902431     2012 Oct 25 14:04:11   503  78455   3   0 /dev/dtracehelper    df\0
5039022507     2012 Oct 25 14:04:12   503  78457   3   0 /dev/dtracehelper    gnused\0
5039038891     2012 Oct 25 14:04:12   503  78458   3   0 /dev/dtracehelper    awk\0
5039020949     2012 Oct 25 14:04:12     0     13   3   0 /usr/local/bin       taskgated\0
5039021208     2012 Oct 25 14:04:12     0     13   3   0 /usr/local/bin/gnused taskgated\0
5039097260     2012 Oct 25 14:04:12   503  78459   3   0 /dev/dtracehelper    gnused\0
5039098293     2012 Oct 25 14:04:12   503  78457   3   0 /usr/lib/charset.alias gnused\0
5039096199     2012 Oct 25 14:04:12     0     13   3   0 /usr/local/bin       taskgated\0
5039096449     2012 Oct 25 14:04:12     0     13   3   0 /usr/local/bin/gnused taskgated\0
5039169530     2012 Oct 25 14:04:12   503  78459   3   0 /usr/lib/charset.alias gnused\0
5039357050     2012 Oct 25 14:04:12   503    346  15   0 /Users/dgerman/Library/Saved Application State/com.apple.Terminal.savedState/window_2.data Terminal\0
5039332224     2012 Oct 25 14:04:12   503    346  15   0 /Users/dgerman/Library/Saved Application State/com.apple.Terminal.savedState/window_1.data Terminal\0
5039353954     2012 Oct 25 14:04:12   503  78460   3   0 /dev/dtracehelper    cmp\0
5039395875     2012 Oct 25 14:04:12   503  78460   3   0 /tmp/dfdf_0          cmp\0
5039395922     2012 Oct 25 14:04:12   503  78460   4   0 /tmp/dfdf_1          cmp\0
FIELDS
FD File Descriptor (-1 is error)
ERR errno value (see /usr/include/sys/errno.h)
COMM command name for the process
TIME timestamp for the open event, us
STRTIME timestamp for the open event, string
See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with verbose descriptions explaining the output.

Exit

^C to quit

Bugs

occasionally the pathname for the file open cannot be read and the following error will be written to stderr,
dtrace: error on enabled probe ID 6 (...): invalid address
this is normal behaviour. See Also: dtrace, truss