Is there a way to make lsof work continuously to monitor every file that is being opened in real time?
I don't know the name of the process. I want lsof to work continuously for a period of time until I see the the list contains what I want.
Monitoring files continuously with lsof
fileslsof
Related Solutions
Running it with
strace -e trace=open,close,read,write,connect,accept your-command-here
would probably be sufficient.
You'll need to use the -o option to put strace's output somewhere other than the console, if the process can print to stderr. If your process forks, you'll also need -f or -ff.
Oh, and you might want -t as well, so you can see when the calls happened.
Note, you may need to tweak the function call list depending on what your process does - I needed to add getdents for example, to get better sample using ls:
$ strace -t -e trace=open,close,read,getdents,write,connect,accept ls >/dev/null
...
09:34:48 open("/etc/ld.so.cache", O_RDONLY) = 3
09:34:48 close(3) = 0
09:34:48 open("/lib64/libselinux.so.1", O_RDONLY) = 3
09:34:48 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@V\0\0\0\0\0\0"..., 832) = 832
09:34:48 close(3) = 0
...
09:34:48 open("/proc/filesystems", O_RDONLY) = 3
09:34:48 read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 1024) = 366
09:34:48 read(3, "", 1024) = 0
09:34:48 close(3) = 0
09:34:48 open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
09:34:48 close(3) = 0
09:34:48 open(".", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
09:34:48 getdents(3, /* 5 entries */, 32768) = 144
09:34:48 getdents(3, /* 0 entries */, 32768) = 0
09:34:48 close(3) = 0
09:34:48 write(1, "file-A\nfile-B\nfile-C\n", 21) = 21
09:34:48 close(1) = 0
09:34:48 close(2) = 0
lsof has a "post-processable" output format with the -F option (see the OUTPUT FOR OTHER PROGRAMS section in the manual).
lsof -nPMp "$pid" -Fn | sed '
\|^n/|!d
s/ type=STREAM$//; t end
s/ type=DGRAM$//; t end
s/ type=SEQPACKET$//
: end
s|^n||'
Will list open files that resolve to a path on the file system.
-nPMdisables some of the processing thatlsofdoes by default and which we don't care for here like resolving IP adresses, port or rpc names.-p "$pid", specify the process whose open files to list-Fn: by field output. Ask for the name part.| sedpost process withsedto select only the part we're interested in:\|^n/|!d: skip anything that doesn't start withn/s/ type=...$/;t end: remove those strings at the end of the line and jump to theendlabel if successful.: end: theendlabel.s|^n||: remove the leadingncharacter thatlsofinserts to identify the field being output.
However note that non-printable characters in file names are encoded (like \n for newline, ^[ for ESC...) in an ambiguous way (as in ^[ could mean either ^[ and ESC).
Also, for deleted files, on Linux at least, you'll still get a file path but with (deleted) appended. Again, no way to discriminate between a deleted file and a file whose name ends in (deleted). Looking at the link count will not necessarily help as the deleted file could be linked elsewhere.
See also the removing of type=* which we do for Unix domain sockets that may have actually occurred in the file name.
What that means is that though it will work in most cases, you can't post-process that output reliably in the general case.
Not to mention that lsof itself may fail to parse the information returned by the kernel correctly, or that the kernel may fail to provide that information in a reliably parseable format
Best Answer
I believe since you do not know the file name/process id, you could specify user name option as below.
If you know the directory name under which the application is being run and do not want to specify the user name,you could use the command like,
References
View Network Activity of any application or user in real time