From owner-freebsd-stable@FreeBSD.ORG  Sat Jun 10 20:06:48 2006
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
X-Original-To: stable@freebsd.org
Delivered-To: freebsd-stable@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F3FD316A4A0
	for <stable@freebsd.org>; Sat, 10 Jun 2006 20:06:47 +0000 (UTC)
	(envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 65EE14426F
	for <stable@freebsd.org>; Sat, 10 Jun 2006 17:25:02 +0000 (GMT)
	(envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [209.31.154.41])
	by cyrus.watson.org (Postfix) with ESMTP id 727CC46C91;
	Sat, 10 Jun 2006 13:25:01 -0400 (EDT)
Date: Sat, 10 Jun 2006 18:25:01 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
X-X-Sender: robert@fledge.watson.org
To: Ulrich Spoerlein <uspoerlein@gmail.com>
In-Reply-To: <20060609190735.GB1037@roadrunner.q.local>
Message-ID: <20060610182415.M80521@fledge.watson.org>
References: <d3ea75b30606061339u55efbecemab0d3d0eb9adb636@mail.gmail.com>
	<20060607184236.P53690@fledge.watson.org>
	<20060609190735.GB1037@roadrunner.q.local>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: stable@freebsd.org
Subject: Re: How can I know which files a proccess is accessing?
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Jun 2006 20:06:48 -0000


On Fri, 9 Jun 2006, Ulrich Spoerlein wrote:

> Robert Watson wrote:
>> A lot of people have answered and told you about lsof, which is a great 
>> tool, and can give you a momentary snapshot of the files a process has 
>> open. You might also be interested in getting a log of accesses, which you 
>> can do using ktrace(1).  This tracks system calls and you can see what 
>> paths are being accessed at time of open.  As of 7.x (and hopefully 6.2 
>> once the MFC happens) you'll also be able to use audit(4) to track access 
>> of files by processes.
>
> Sadly, ktrace(1) seems to be rather useless in RELENG_6 right now. Every 
> medium sized app will result in an "out of ktrace objects" error. I remember 
> that some improvements to ktrace(1) went into -CURRENT. Time for an MFC?

I fixed this in 7-CURRENT, I'll have to investigate how straight forward an 
MFC might be.  It does change the kernel thread data structure, so I'll need 
to be a bit cautious.

Robert N M Watson