2

I need to watch a program which modifies some files. I don't know which files the process is modifying_. So I'm looking for a tool that basically outputs a PID, and lista the files being accessed/modified, and what's being done to them (both read and write).

The closest thing I've found so far is iotop, which is definitely on the right track.

iotop -o -b -qqq

That gets me the process and the read/write, but it doesn't indicate the file being accessed. Alternately, I think I could try something like

inotifywatch -r /

but that just runs out of allowed inotify watches.

What is the magic tool I'm looking for?

Improve this question

2 Answers 2

Reset to default
4

You could go all the way and use strace on the program. Yes, it tracks ALL system calls (which includes file io & access and other stuff), so you will get quite a messy printout, but it is immediate and doesn't skip anything (it intercepts calls and reports them). You can do the same with library calls (ltrace).

Improve this answer
1
  • Yup. It's ugly as hell, but the information I needed was there. Thanks! Commented Mar 7, 2014 at 19:45
3

You already have your answer, but I asked a similar question before, and we came to the conclusion that fatrace is the ideal solution. It should produce much easier-to-read output than a full strace.

Documentation is on the man page. Basically, you should be able to use the -p option to restrict your view to a particular process.

Improve this answer
1
  • Amazing. fatrace is literally exactly what I needed, plus it saved me from writing an ugly, janky shell script with strace and grep. Thanks a lot! Commented Mar 7, 2014 at 21:14

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.