Running it with
strace -e trace=open,close,read,write,connect,accept your-command-here
would probably be sufficient.
You'll need to use the -o
option to put strace's output somewhere other than the console, if the process can print to stderr. If your process forks, you'll also need -f
or -ff
.
Oh, and you might want -t
as well, so you can see when the calls happened.
Note, you may need to tweak the function call list depending on what your process does - I needed to add getdents
for example, to get better sample using ls
:
$ strace -t -e trace=open,close,read,getdents,write,connect,accept ls >/dev/null
...
09:34:48 open("/etc/ld.so.cache", O_RDONLY) = 3
09:34:48 close(3) = 0
09:34:48 open("/lib64/libselinux.so.1", O_RDONLY) = 3
09:34:48 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@V\0\0\0\0\0\0"..., 832) = 832
09:34:48 close(3) = 0
...
09:34:48 open("/proc/filesystems", O_RDONLY) = 3
09:34:48 read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 1024) = 366
09:34:48 read(3, "", 1024) = 0
09:34:48 close(3) = 0
09:34:48 open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
09:34:48 close(3) = 0
09:34:48 open(".", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
09:34:48 getdents(3, /* 5 entries */, 32768) = 144
09:34:48 getdents(3, /* 0 entries */, 32768) = 0
09:34:48 close(3) = 0
09:34:48 write(1, "file-A\nfile-B\nfile-C\n", 21) = 21
09:34:48 close(1) = 0
09:34:48 close(2) = 0
lsof
has a "post-processable" output format with the -F
option (see the OUTPUT FOR OTHER PROGRAMS section in the manual).
lsof -nPMp "$pid" -Fn | sed '
\|^n/|!d
s/ type=STREAM$//; t end
s/ type=DGRAM$//; t end
s/ type=SEQPACKET$//
: end
s|^n||'
Will list open files that resolve to a path on the file system.
-nPM
disables some of the processing that lsof
does by default and which we don't care for here like resolving IP adresses, port or rpc names.
-p "$pid"
, specify the process whose open files to list
-Fn
: by field output. Ask for the name part.
| sed
post process with sed
to select only the part we're interested in:
\|^n/|!d
: skip anything that doesn't start with n/
s/ type=...$/;t end
: remove those strings at the end of the line and jump to the end
label if successful.
: end
: the end
label.
s|^n||
: remove the leading n
character that lsof
inserts to identify the field being output.
However note that non-printable characters in file names are encoded (like \n
for newline, ^[
for ESC...) in an ambiguous way (as in ^[
could mean either ^[
and ESC).
Also, for deleted files, on Linux at least, you'll still get a file path but with (deleted)
appended. Again, no way to discriminate between a deleted file and a file whose name ends in (deleted)
. Looking at the link count will not necessarily help as the deleted file could be linked elsewhere.
See also the removing of type=*
which we do for Unix domain sockets that may have actually occurred in the file name.
What that means is that though it will work in most cases, you can't post-process that output reliably in the general case.
Not to mention that lsof
itself may fail to parse the information returned by the kernel correctly, or that the kernel may fail to provide that information in a reliably parseable format
Best Answer
I believe since you do not know the file name/process id, you could specify user name option as below.
If you know the directory name under which the application is being run and do not want to specify the user name,you could use the command like,
References
View Network Activity of any application or user in real time