NAME

filemon — track interesting system calls

SYNOPSIS

#include <filemon.h>

DESCRIPTION

filemon provides a means for tracking the successful system calls performed by a process. It is used by make(1) to track the activities of build scripts, for the purpose of automatically learning dependencies.

The data captured by filemon for the script

n=`wc -l /etc/motd`; echo "int motd_lines = $n;" > foo.h.new 
cmp -s foo.h foo.h.new 2> /dev/null || mv foo.h.new foo.h

looks like:

# filemon version 4 
# Target pid 24291 
V 4 
E 29676 /bin/sh 
R 29676 /etc/ld.so.conf 
R 29676 /lib/libedit.so.2 
R 29676 /lib/libtermcap.so.0 
R 29676 /lib/libc.so.12 
F 29676 4899 
E 4899 /usr/bin/wc 
R 4899 /etc/ld.so.conf 
R 4899 /usr/lib/libc.so.12 
R 4899 /etc/motd 
X 4899 0 
W 29676 foo.h.new 
X 29676 0 
# Bye bye 
E 3250 /bin/sh 
R 3250 /etc/ld.so.conf 
R 3250 /lib/libedit.so.2 
R 3250 /lib/libtermcap.so.0 
R 3250 /lib/libc.so.12 
W 26673 /dev/null 
E 26673 /usr/bin/cmp 
R 26673 /etc/ld.so.conf 
R 26673 /usr/lib/libc.so.12 
X 26673 2 
E 576 /bin/mv 
R 576 /etc/ld.so.conf 
R 576 /lib/libc.so.12 
M 576 'foo.h.new' 'foo.h' 
X 576 0 
X 3250 0 
# Bye bye

Most records follow the format:

type pid data

where type is one of the list below, and unless otherwise specified, data is a pathname.

C

chdir(2).

D

unlink(2).

E

exec(3).

F

fork(2), vfork(2); data is the process id of the child.

L

link(2), symlink(2); data is two pathnames.

M

rename(2); data is two pathnames.

R

open(2) for read or read-write.

W

open(2) for writing or read-write.

X

exit(3); data is the exit status.

V

indicates the version of filemon.

FILES

/dev/filemon

EXAMPLES

The following example demonstrates the basic usage of filemon:

#include <filemon.h> 
 
pid_d pid; 
int fd, tfd; 
int status; 
 
filemon_fd = open("/dev/filemon", O_RDWR); 
temp_fd = mkstemp("/tmp/filemon.XXXXXXX"); 
/* give filemon the temp file to use */ 
ioctl(filemon_fd, FILEMON_SET_FD, &temp_fd); 
/* children do not need these once they exec */ 
fcntl(filemon_fd, F_SETFD, 1); 
fcntl(temp_fd, F_SETFD, 1); 
 
pid = fork(); 
switch(pid) { 
 case -1: 
     err(1, "cannot fork"); 
     break; 
 case 0: 
     pid = getpid(); 
     /* tell filemon to monitor this process */ 
     ioctl(filemon_fd, FILEMON_SET_PID, &pid); 
     execvp(...); 
     _exit(1); 
     break; 
 default: 
     status = wait(); 
     close(filemon_fd); 
     lseek(temp_fd, SEEK_SET, 0); 
     /* read the captured syscalls from temp_fd */ 
     close(temp_fd); 
     break; 
}

The output of filemon is intended to be simple to parse. It is possible to achieve almost equivalent results with dtrace(1) though on many systems this requires elevated privileges. Also, ktrace(1) can capture similar data, but records failed system calls as well as successful, and is thus more complex to post-process.

HISTORY

filemon was contributed by Juniper Networks.