
Show HN: Watch what files any Linux process accesses - spieglt
https://github.com/spieglt/whatfiles
======
hnlmorg
Not taking anything away from the worth of this tool but if you do happen to
find yourself needing to quickly inspect which files a process has open you
can do so using the /proc file system:

    ls -l /proc/$PID/fd/

Additionally you can also use the /proc file system to display where the
cursor is in those files by outputting the contents of

    /proc/$PID/fdinfo/$FD

which is handy if you have a long running process but forgot to pipe it into
`pv` (or any other long running ingest that lacks a progress UI)

(Both tricks are Linux only)
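
The two /proc lookups described above, combined into one script; this is an added example, not code from the thread or from whatfiles. It lists each regular file a process has open with its current offset and percent complete. The function names and the `PROC_ROOT` override are assumptions of this sketch.

```sh
#!/bin/sh
# Added example (not from the thread): per-descriptor progress from /proc.
# PROC_ROOT is an assumption of this sketch; it defaults to /proc and exists
# only so the functions can be pointed at a constructed directory tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the current offset in bytes (the "pos:" field) from one fdinfo file.
fd_pos() {
    awk '$1 == "pos:" { print $2; exit }' "$1"
}

# For each regular file PID has open, print:
#   fd <TAB> offset <TAB> size <TAB> percent <TAB> path
# The body runs in a subshell, so its variables stay local.
fd_progress() (
    pid=$1
    for link in "$PROC_ROOT/$pid/fd"/*; do
        [ -L "$link" ] || continue              # unmatched glob or vanished fd
        fd=${link##*/}
        target=$(readlink "$link") || continue
        [ -f "$target" ] || continue            # skip pipes, sockets, ttys, deleted files
        pos=$(fd_pos "$PROC_ROOT/$pid/fdinfo/$fd") || continue
        [ -n "$pos" ] || continue
        size=$(( $(wc -c < "$target") ))        # size in bytes, whitespace-normalised
        if [ "$size" -gt 0 ]; then pct=$(( pos * 100 / size )); else pct=0; fi
        printf '%s\t%s\t%s\t%s%%\t%s\n' "$fd" "$pos" "$size" "$pct" "$target"
    done
)

# Usage: sh fdprogress.sh PID
if [ "$#" -gt 0 ]; then
    fd_progress "$1"
fi
```

Descriptors of a process owned by another user are only readable as root, so run it as the process owner or with sudo.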

~~~
simcop2387
Pv supports this directly with -d pid,
[http://manpages.ubuntu.com/manpages/bionic/man1/pv.1.html](http://manpages.ubuntu.com/manpages/bionic/man1/pv.1.html)

~~~
hnlmorg
I learn something new every day. Thank you

~~~
simcop2387
Yea it's really nice for making a progress bar for things like cp, mv, etc.

------
bostonsre
biotop and biolatency surface similar info. They come with a ton of other
ridiculously awesome tools in BCC tools. They are a set of Python wrapper
scripts that run eBPF programs. Using eBPF generally has a really low impact
on performance when compared with other tools that do similar work.

[https://github.com/iovisor/bcc](https://github.com/iovisor/bcc)

~~~
danieldk
bcc also has opensnoop, which is really nice for seeing which files are being
opened:

[https://github.com/iovisor/bcc/blob/master/tools/opensnoop_e...](https://github.com/iovisor/bcc/blob/master/tools/opensnoop_example.txt)

------
ravinder_sbu
How is this different from using something like,

`strace -e trace=file`

I see that you are using ptrace to monitor a process. That is also used by
strace. Is there something else your application does that strace does not (in
relation to files)?

~~~
capableweb
From the README:

> Isn't this just a reimplementation of strace -fe
> trace=creat,open,openat,unlink,unlinkat ./program?

> Yes. Though it aims to be simpler and more user friendly.

------
Doctor_Fegg
For macOS, fs_usage does the same job. I find it invaluable to find out what
process is churning the disk (usually mds...).

------
MCOfficer
Just a heads up ( _read: shameless plug_ ), there's an AUR package:

[https://aur.archlinux.org/packages/whatfiles-git/](https://aur.archlinux.org/packages/whatfiles-git/)

~~~
spieglt
Wow, thank you very much! I've thought about trying to get a few of my
projects into distribution repos but was somewhat intimidated by the process.

~~~
MCOfficer
You're welcome - but please check out #1/#2 so I can remove that ugly patch ;)

~~~
spieglt
Oh cool, was that you also? I will after work today.

~~~
MCOfficer
Nope, someone else. I just stumbled over it and it's currently part of the
package. Thanks for your effort ^^

~~~
spieglt
Patch merged.

------
atrudeau
For doing the opposite - what processes access a given file - I like to use
Audit
([https://wiki.archlinux.org/index.php/Audit_framework#Audit_f...](https://wiki.archlinux.org/index.php/Audit_framework#Audit_files_and_directories_access)).

------
em500
This looks very similar to _fatrace_, which is already in the standard Ubuntu
and Fedora repos.

_edit: fatrace is system-wide, whereas the current tool monitors a specific
process_

[http://manpages.ubuntu.com/manpages/trusty/man1/fatrace.1.ht...](http://manpages.ubuntu.com/manpages/trusty/man1/fatrace.1.html)

[https://piware.de/2012/02/fatrace-report-system-wide-file-ac...](https://piware.de/2012/02/fatrace-report-system-wide-file-access-events/)

------
unhammer
Lots more such tools at
[https://jvns.ca/debugging-zine.pdf](https://jvns.ca/debugging-zine.pdf)
(opensnoop-bpfcc and strace would be the most like this one)

------
Erwin
BTW, if you are using strace for this, check out the -y option recently added
to strace. It will print the filename next to each file descriptor like this:

    read(3</proc/filesystems>, "", 1024)    = 0

Another interesting new strace option is -k, which does a stack dump after each
syscall. This can be useful to find out what part of the application, like
some obscure lib, does weird system calls in your app.

------
st0le
IMO ProcMon on Windows is its equivalent. Not Process Explorer.

~~~
ToFab123
There was news 2 years ago that MS was porting the sysinternals tool to linux.
Did that ever happen?

[https://mspoweruser.com/microsoft-working-on-sysinternals-fo...](https://mspoweruser.com/microsoft-working-on-sysinternals-for-linux/)

~~~
pjmlp
Azure Insights provides similar kind of information.

Maybe that is where the porting effort went.

~~~
ToFab123
Could well be. If I recall correctly the motivation behind the porting was to
give their engineers a unified set of tooling for troubleshooting Windows and
Linux (on Azure). I just assumed that the porting efforts would result in a
similar set of tools to use locally on the box.

------
dkdk8283
Any reason why this is better than audit? I read the README but I'm still not
clear.

~~~
tyingq
Auditd is system wide (as would be inotify or fanotify based solutions).

This traces file events of a single process. Strace can be coaxed into
something similar.

------
amelius
Can it be invoked recursively?

Because strace on Linux still fails with:

    strace: ptrace(PTRACE_TRACEME, ...): Operation not permitted

in those cases :(

~~~
spieglt
I have strace'd whatfiles, in fact that was a very useful way to debug a
couple things, so maybe? I have not been able to attach to the same process
with both whatfiles and strace, however.

