Finding all files a process is opening in GNU/Linux
Sometimes while debugging, we need to find all the files a process opens for reading, to get a hint about the program's design and workflow. Unless you want to follow the lengthy route of reading the program's source code, you can leverage the powerful system call tracer strace to get the job done fairly easily.
The strace binary comes with the strace package:
% dpkg -S "$(command -v strace)"
strace: /usr/bin/strace
The above snippet is from my dpkg-based system, although the same should be true for rpm-based systems.
The strace binary is mostly used for tracing system calls and signals. As we're planning to get the files opened by a process, we're looking for the open(2) call specifically.
Let's assume the program we want to check is named foobar and we need to pass the --name spamegg argument to it, i.e. from the shell we would run it as:
foobar --name spamegg
Now, to trace the syscalls made by the program, we run it as an argument to strace, with the necessary arguments, e.g.:
strace foobar --name spamegg
As the above would trace all system calls foobar is making, not just open(), let's narrow down the traced calls to just open():
strace -e trace=open foobar --name spamegg
The -e option lets us apply filtering; here we're tracing only the open call. -e open is shorthand for -e trace=open, so we can also write:
strace -e open foobar --name spamegg
Now we'll get all the files opened by foobar.
If we want to track all the child processes as well, we need to pass the -f option:
strace -f -e open foobar --name spamegg
strace -fe open foobar --name spamegg
You can also trace multiple calls by separating them with commas, e.g.:
strace -fe open,write foobar --name spamegg
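An added example (not from the original post) that post-processes the output of the -f traces above into the list of files actually opened and the ones that failed. It goes slightly beyond the post: on current glibc the open() library call is issued as the openat(2) syscall, so it assumes the trace was captured with strace -f -e trace=open,openat; the sample trace, its paths and the parse_opens helper are constructed for illustration.

```python
import re

# Constructed sample of `strace -f -e trace=open,openat` output (not from a real run).
SAMPLE = '''\
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/etc/foobar.conf", O_RDONLY) = 4
openat(AT_FDCWD, "/home/u/.foobarrc", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  4242] openat(AT_FDCWD, "/var/lib/foobar/spamegg.db", O_RDWR|O_CREAT, 0600 <unfinished ...>
[pid  4243] open("/tmp/foobar.lock", O_WRONLY|O_CREAT, 0644) = 5
[pid  4242] <... openat resumed>) = 6
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4243, si_status=0} ---
+++ exited with 0 +++
'''

PID = r'(?:\[pid\s+(?P<pid>\d+)\]\s+)?'          # prefix added by -f for child processes
CALL = re.compile(PID + r'(?P<name>open|openat)\((?:[^,"]+,\s*)?"(?P<path>(?:[^"\\]|\\.)*)"'
                  r'(?P<rest>.*)$')
RESUMED = re.compile(PID + r'<\.\.\. (?:open|openat) resumed>(?P<rest>.*)$')
RESULT = re.compile(r'\)\s+=\s+(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z0-9]+))?')


def parse_opens(trace):
    """Return (opened, failed): paths opened successfully, and {path: errno} for failures."""
    opened, failed, pending = [], {}, {}
    for line in trace.splitlines():
        m = CALL.match(line)
        if m:
            pid, path, rest = m['pid'], m['path'], m['rest']
            if '<unfinished ...>' in rest:
                pending[pid] = path          # result arrives on a later "resumed" line
                continue
        else:
            m = RESUMED.match(line)
            if not m or m['pid'] not in pending:
                continue                     # signal, exit marker or unrelated line
            path, rest = pending.pop(m['pid']), m['rest']
        r = RESULT.search(rest)
        if r is None:
            continue
        if int(r['ret']) >= 0:               # a file descriptor was returned
            if path not in opened:
                opened.append(path)
        else:
            failed[path] = r['errno']        # e.g. ENOENT for a missing config file
    return opened, failed


if __name__ == '__main__':
    print(parse_opens(SAMPLE))
```

The failed map is often as informative as the opened list, since it shows which optional configuration or data files the program probes for.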
strace is a powerful tool when it comes to debugging; the above is just the tip of the iceberg.
As always, check out man strace to get more ideas.