G'Day Folks,
The following program prints syscall read and writes, with other useful info,
# rwsnoop
  UID    PID CMD          D   BYTES FILE
    0   2924 sh           R     128 /etc/profile
    0   2924 sh           R     128 /etc/profile
    0   2924 sh           R     128 /etc/profile
    0   2924 sh           R      84 /etc/profile
    0   2925 quota        R     757 /etc/nsswitch.conf
    0   2925 quota        R       0 /etc/nsswitch.conf
    0   2925 quota        R     668 /etc/passwd
    0   2926 cat          R      55 /etc/motd
    0   2926 cat          W      55 /devices/pseudo/pts@0:12
  100  20334 sshd         R      56 /devices/pseudo/clone@0:ptm
  100  20334 sshd         W     100 <unknown>
    0   2926 cat          R       0 /etc/motd
    0   2927 mail         R     757 /etc/nsswitch.conf
    0   2927 mail         R       0 /etc/nsswitch.conf
    0   2927 mail         R     275 /etc/group
    0   2927 mail         R     668 /etc/passwd
    0   2924 sh           R       0 /etc/profile
[...]
For a while I've had a similar iosnoop program - which only prints
activity that makes it to disk. rwsnoop prints at the application level
not the disk level, and as such is far more verbose!
I didn't write this (somewhat obvious) program sooner as I expected going
from an integer file descriptor to a pathname would be considerable
effort. It turned out to be much easier than I was expecting as there is
now a cached (vnode_t)->v_path. Thank you!!! :-)
...
There is a companion called rwtop, which prints much more of a summary,
# rwtop
2005 Jul 24 05:00:13, load: 1.01, app_r: 38 Kb, app_w: 8 Kb
  UID    PID   PPID CMD          D   BYTES
    0    245      1 utmpd        R       4
    0  20320  20347 bash         R      21
  100  20317  20314 sshd         R      26
  100  20317  20314 sshd         W      68
    0   2934  20320 ps           W     140
    0  20320  20347 bash         W     216
    0      7      1 svc.startd   R     672
    0   2935  20320 df           W    1225
    0   2936  20320 ls           W    1466
    0   2936  20320 ls           R    2485
  100  20334  20331 sshd         R    4241
  100  20334  20331 sshd         W    5717
    0   2934  20320 ps           R   31567
...
Both are freeware @ http://www.brendangregg.com/dtrace.html, and will be
added to the DTraceToolkit.
cheers,
Brendan Gregg
[Sydney, Australia]
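
The descriptor-to-pathname step mentioned in the post, as an added example that is not the rwsnoop source and not code from the original message. It assumes a DTrace build that ships the fds[] array from io.d, whose fi_pathname member is taken from the vnode's cached v_path and reads "<unknown>" when no path is cached.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example: per-call read/write tracing with the file name
 * resolved from the file descriptor.
 * Assumption: fds[] (fileinfo_t) is available on this system.
 */
#pragma D option quiet

dtrace:::BEGIN
{
	printf("%5s %6s %-12s %1s %7s %s\n",
	    "UID", "PID", "CMD", "D", "BYTES", "FILE");
}

syscall::read:entry,
syscall::write:entry
{
	/* fd 0 is a valid descriptor, so keep a separate in-call flag */
	self->in = 1;
	self->fd = arg0;
}

/* On return, arg0 is the byte count; skip failed calls (-1). */
syscall::read:return,
syscall::write:return
/self->in && (int)arg0 >= 0/
{
	printf("%5d %6d %-12s %1s %7d %s\n",
	    uid, pid, execname,
	    probefunc == "read" ? "R" : "W",
	    (int)arg0,
	    fds[self->fd].fi_pathname);
}

/* Always release the thread-local variables, including after errors. */
syscall::read:return,
syscall::write:return
{
	self->in = 0;
	self->fd = 0;
}
```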