Question

If I run some command-line application in Linux, how to tell which files were accessed (read and/or written) by that process? I imagine I would need to place some hooks in the file-system driver and recompile the kernel, or something like that? Is there an easier way?

Solution

strace is a command that will display each system call the application makes.

From the man page:

In the simplest case strace runs the specified command until it exits. It intercepts and records the system calls which are called by a process and the signals which are received by a process. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the -o option.

For instance, each open(), read() and write() operation will show the arguments and the return code.
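As an added example (not part of the original answer), the following Python code turns a trace saved with the -o option into a per-file summary of what the process opened for reading, opened for writing, or failed to open. The function name `files_accessed` and the sample log are constructed for illustration; the classification is based on the open flags, not on the later read() and write() calls.

```python
import re
from collections import defaultdict

# Constructed sample in the format written by: strace -f -o trace.log <command>
SAMPLE_LOG = r'''
1234  openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
1234  read(3, "root:x:0:0:"..., 4096) = 11
1234  openat(AT_FDCWD, "/tmp/out.txt", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
1234  openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
1235  open("/var/log/app.log", O_RDWR|O_APPEND) = 3
1235  creat("/tmp/new", 0644) = 3
1235  +++ exited with 0 +++
1234  --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1235} ---
'''

# Optional PID column (present with -f), syscall name, arguments, return value, errno name.
CALL = re.compile(r'^(?:\d+\s+)?(open|openat|creat)\((.*)\)\s+=\s+(-?\d+)(?:\s+([A-Z0-9]+))?')
# The first double-quoted argument is the path; strace escapes embedded quotes as \".
PATH = re.compile(r'"((?:[^"\\]|\\.)*)"')

def files_accessed(log):
    """Map each path to the set of ways it was opened: read, write, failed:<errno>."""
    result = defaultdict(set)
    for line in log.splitlines():
        m = CALL.match(line.strip())
        if not m:
            continue  # other syscalls, signals, exit notices, split (unfinished/resumed) calls
        call, args, ret, errno = m.groups()
        p = PATH.search(args)
        if not p:
            continue
        path = p.group(1)
        if int(ret) < 0:
            # A failed open still shows what the process tried to reach.
            result[path].add("failed:" + (errno or "unknown"))
            continue
        flags = args[p.end():]
        if call == "creat" or "O_WRONLY" in flags:
            result[path].add("write")  # creat() implies O_WRONLY|O_CREAT|O_TRUNC
        elif "O_RDWR" in flags:
            result[path].update(("read", "write"))
        else:
            result[path].add("read")
    return dict(result)

if __name__ == "__main__":
    for path, modes in sorted(files_accessed(SAMPLE_LOG).items()):
        print(f"{path}: {', '.join(sorted(modes))}")
```

Paths are reported as strace printed them, so relative paths stay relative to the traced process's working directory.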

OTHER TIPS

You can get a list of file accesses by your application with the lsof command in Linux. Here is a list of examples.

In addition to the other answers mentioning lsof, strace (maybe ltrace could be useful too!) and fs_usage, for process 1234 you could use the directory /proc/1234/; in particular, the opened file descriptors are available from /proc/1234/fd/, and from inside your program you could use /proc/self/fd/. See proc(5).

Perhaps inotify(7) or ptrace(2) is relevant too.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow