2

I need to watch a program which modifies some files. I don't know which files the process is modifying. So I'm looking for a tool that basically outputs a PID, and lists the files being accessed/modified, and what's being done to them (both read and write).

The closest thing I've found so far is iotop, which is definitely on the right track.

iotop -o -b -qqq

That gets me the process and the read/write, but it doesn't indicate the file being accessed. Alternately, I think I could try something like

inotifywatch -r /

but that just runs out of allowed inotify watches.

What is the magic tool I'm looking for?

X Tian

2 Answers

4

You could go all the way and use strace on the program. Yes, it tracks ALL system calls (which includes file io & access and other stuff), so you will get quite a messy printout, but it is immediate and doesn't skip anything (it intercepts calls and reports them). You can do the same with library calls (ltrace).

orion
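One way to tame the "messy printout" mentioned in the answer above is to post-process the trace. The script below is an added example, not part of the original answer: it assumes the trace was written with `strace -f -o trace.log -p PID` (so every line starts with the PID), uses a constructed sample instead of a real log, and reduces it to successful per-PID read/write/delete events. The function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in the line format of `strace -f -o trace.log`;
# not captured from a real system.
SAMPLE = """\
4021 openat(AT_FDCWD, "/etc/app.conf", O_RDONLY|O_CLOEXEC) = 3
4021 openat(AT_FDCWD, "/var/lib/app/state.db", O_RDWR|O_CREAT, 0644) = 4
4021 openat(AT_FDCWD, "/etc/missing.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
4022 openat(AT_FDCWD, "/var/log/app.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 3
4022 unlink("/tmp/app.lock") = 0
4021 openat(AT_FDCWD, "/tmp/scratch", O_WRONLY|O_CREAT|O_TRUNC, 0600 <unfinished ...>
4021 <... openat resumed>) = 5
"""

CALL = re.compile(r'^(\d+)\s+(open|openat|creat|unlink|unlinkat)\((?:\w+, )?'
                  r'"((?:[^"\\]|\\.)*)"(?:, ([A-Z_|]+))?.*\)\s+=\s+(-?\d+)')
UNFINISHED = re.compile(r'^(\d+)\s+(.*) <unfinished \.\.\.>$')
RESUMED = re.compile(r'^(\d+)\s+<\.\.\. \w+ resumed>\s*(.*)$')

def classify(call, flags):
    """Map a syscall and its open flags to read / write / delete."""
    if call.startswith("unlink"):
        return "delete"
    # O_RDWR is reported as "write": the file was opened writable.
    if call == "creat" or (flags and {"O_WRONLY", "O_RDWR"} & set(flags.split("|"))):
        return "write"
    return "read"

def file_activity(text):
    """Return {pid: [(action, path), ...]} for successful calls only."""
    pending, result = {}, defaultdict(list)
    for line in text.splitlines():
        if m := UNFINISHED.match(line):
            pending[m[1]] = m[2]      # call interrupted by another traced task
            continue
        if (m := RESUMED.match(line)) and m[1] in pending:
            line = f"{m[1]} {pending.pop(m[1])}{m[2]}"  # stitch both halves
        m = CALL.match(line)
        if m and int(m[5]) >= 0:      # skip failed calls such as ENOENT
            result[int(m[1])].append((classify(m[2], m[4]), m[3]))
    return dict(result)

if __name__ == "__main__":
    for pid, events in file_activity(SAMPLE).items():
        for action, path in events:
            print(pid, action, path)
```

Only the open and unlink families are parsed here; renames, truncations and writes through already-open descriptors would need their own patterns.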
3

You already have your answer, but I asked a similar question before, and we came to the conclusion that fatrace is the ideal solution. It should produce much easier-to-read output than a full strace.

Documentation is on the man page. Basically, you should be able to use the -p option to restrict your view to a particular process.

Bratchley
  • Amazing. fatrace is literally exactly what I needed, plus it saved me from writing an ugly, janky shell script with strace and grep. Thanks a lot! – Tony Boyles Mar 07 '14 at 21:14