Snoop file opens as they occur (Dtrace).
Syntax
opensnoop [-a|-A|-ceghsvxZ] [-f pathname] [-n name] [-p PID]
opensnoop will run forever until Ctrl-C is hit
Key
-a print all data
-A dump all data, space delimited
-c print current working directory of process
-e print errno value
-g print full command arguments
-s print start time, us
-v print start time, string
-x only print failed opens
-Z print zonename
-f pathname A file to snoop
-n name A process name to snoop
-p PID A process ID to snoop
opensnoop tracks file opens. As a process issues a file open, details such as UID, PID and pathname are printed out.
The returned file descriptor is printed, a value of -1 indicates an error. This can be useful for troubleshooting to determine if applications are attempting to open files that do not exist.
Since this uses DTrace, only the root user or users with the dtrace_kernel privilege can run this command.
Occasionally the pathname for the file open cannot be read and the following error will be seen:
dtrace: error on enabled probe ID 6 (...): invalid address this is normal behaviour.
Fields displayed:
ZONE Zone name
UID User ID
PID Process ID
PPID Parent Process ID
FD File Descriptor (-1 is error)
ERR errno value (see /usr/include/sys/errno.h)
CWD current working directory of process
PATH pathname for file open
COMM command name for the process
ARGS argument listing for the process
TIME timestamp for the open event, us
STRTIME
timestamp for the open event, string
Print all file opens (by process) as they occur, default:
$ sudo opensnoop
See errors only:
$ sudo opensnoop -e
Snoop the passwd file only:
$ sudo opensnoop -f /etc/passwd
Snoop the preview application only:
$ sudo opensnoop -n Preview
“Clothes make the man. Naked people have little or no influence on society” ~ Mark Twain
See the DTraceToolkit for further documentation.
apropos dtrace - list other trace scripts in macOS.
lsof - List open files.
open - Open a file/folder/URL/Application.
ps - Process status.
dtrace(1M), truss(1)