From: David Roundy
Date: Sun, 1 Mar 2015 10:24:20 -0800
Subject: using ktrace to track files modified
To: freebsd-questions@freebsd.org

Hi all,

I was wondering if it is possible to use ktrace to reliably track the files modified by a given command. I don't see how it can be used to do this, but that may be because I do not understand the output of kdump. In particular, I don't see how to interpret the arguments to the "at" versions of syscalls, openat, renameat, etc., which require me to know the meaning of the given directory file descriptors. I suppose one could maybe achieve this by tracking when those directories were opened, but this sounds fragile.

Can anyone tell me if there is a good solution to using ktrace/kdump to monitor the file system usage of a command?

David
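
The approach the message mentions, tracking when directories were opened so that later dirfd arguments can be resolved, is sketched below as an added example that is not part of the original post. The kdump lines are constructed and their exact formatting is an assumption; `modified_files` and its `cwd` parameter are hypothetical names.

```python
import posixpath
import re

# Constructed sample modeled on kdump's CALL/NAMI/RET records (assumption:
# argument formatting varies between FreeBSD releases).
SAMPLE = """\
 701 sh CALL open(0x8006,0x100000<O_RDONLY|O_DIRECTORY>)
 701 sh NAMI "/tmp/work"
 701 sh RET open 3
 701 sh CALL openat(0x3,0x8007,0x601<O_WRONLY|O_CREAT|O_TRUNC>,0x1a4)
 701 sh NAMI "out.txt"
 701 sh RET openat 4
 701 sh CALL renameat(0x3,0x8009,AT_FDCWD,0x800a)
 701 sh NAMI "out.txt"
 701 sh NAMI "final.txt"
 701 sh RET renameat 0
"""
REC = re.compile(r"^\s*(\d+)\s+\S+\s+(CALL|NAMI|RET)\s+(.*)$")
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND")

def modified_files(text, cwd="/"):
    fds, pending, modified = {}, {}, []  # fds: (pid, fd) -> path it was opened on
    def resolve(pid, dirfd, path):
        base = cwd if dirfd == "AT_FDCWD" else fds.get(
            (pid, int(dirfd, 16)), "<unknown fd %s>" % dirfd)
        return posixpath.normpath(posixpath.join(base, path))  # absolute path wins
    for m in filter(None, map(REC.match, text.splitlines())):
        pid, kind, rest = m.groups()
        if kind == "CALL":
            name, _, args = rest.partition("(")
            pending[pid] = (name, args.rstrip(")").split(","), [])
        elif kind == "NAMI" and pid in pending:
            pending[pid][2].append(rest.strip('"'))
        elif kind == "RET" and pid in pending:
            name, args, names = pending.pop(pid)
            ret = rest.split()[1].split("/")[0]
            if ret == "-1":
                continue  # failed call: no descriptor, nothing modified
            if name in ("open", "openat") and names:
                dirfd = args[0] if name == "openat" else "AT_FDCWD"
                path = resolve(pid, dirfd, names[0])
                fds[(pid, int(ret))] = path
                if any(flag in ",".join(args) for flag in WRITE_FLAGS):
                    modified.append(path)
            elif name == "renameat" and len(names) == 2:
                modified += [resolve(pid, d, n) for d, n in zip(args[0::2], names)]
            elif name == "close":
                fds.pop((pid, int(args[0], 16)), None)  # descriptor may be reused
    return list(dict.fromkeys(modified))  # de-duplicate, keep order
```

Descriptors obtained through dup, fork inheritance or fchdir are not followed here, so a dirfd that was never seen being opened is reported as `<unknown fd …>` rather than guessed.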