The following is a demonstration of the rwsnoop program.


Here we run it for about a second,

   # rwsnoop
     UID    PID CMD          D   BYTES FILE
     100  20334 sshd         R      52 <unknown>
     100  20334 sshd         W       1 /devices/pseudo/clone@0:ptm
       0  20320 bash         W       1 /devices/pseudo/pts@0:12
     100  20334 sshd         R       2 /devices/pseudo/clone@0:ptm
     100  20334 sshd         W      52 <unknown>
       0   2848 ls           W      58 /devices/pseudo/pts@0:12
       0   2848 ls           W      68 /devices/pseudo/pts@0:12
       0   2848 ls           W      57 /devices/pseudo/pts@0:12
       0   2848 ls           W      67 /devices/pseudo/pts@0:12
       0   2848 ls           W      48 /devices/pseudo/pts@0:12
       0   2848 ls           W      49 /devices/pseudo/pts@0:12
       0   2848 ls           W      33 /devices/pseudo/pts@0:12
       0   2848 ls           W      41 /devices/pseudo/pts@0:12
     100  20334 sshd         R     429 /devices/pseudo/clone@0:ptm
     100  20334 sshd         W     468 <unknown>
   ^C

The output scrolls rather fast. Above, we can see that an ls command was run,
and we can watch ls write each line of its output to the pseudo-terminal.
The "<unknown>" reads and writes are socket activity, which has no
corresponding filename (here, sshd relaying the session over the network).


For a summary style output, use the rwtop program.


If a particular program is of interest, the "-n" option can be used
to match on process name. Here we match on "bash" during a login where
the user has the bash shell as their default,

   # rwsnoop -n bash
     UID    PID CMD          D   BYTES FILE
     100   2854 bash         R     757 /etc/nsswitch.conf
     100   2854 bash         R       0 /etc/nsswitch.conf
     100   2854 bash         R     668 /etc/passwd
     100   2854 bash         R     980 /etc/profile
     100   2854 bash         W      15 /devices/pseudo/pts@0:14
     100   2854 bash         R      10 /export/home/brendan/.bash_profile
     100   2854 bash         R     867 /export/home/brendan/.bashrc
     100   2854 bash         R     980 /etc/profile
     100   2854 bash         W      15 /devices/pseudo/pts@0:14
     100   2854 bash         R    8951 /export/home/brendan/.bash_history
     100   2854 bash         R    8951 /export/home/brendan/.bash_history
     100   2854 bash         R    1652 /usr/share/lib/terminfo/d/dtterm
     100   2854 bash         W      41 /devices/pseudo/pts@0:14
     100   2854 bash         R       1 /devices/pseudo/pts@0:14
     100   2854 bash         W       1 /devices/pseudo/pts@0:14
     100   2854 bash         W      41 /devices/pseudo/pts@0:14
     100   2854 bash         R       1 /devices/pseudo/pts@0:14
     100   2854 bash         W       7 /devices/pseudo/pts@0:14

In the above, various bash related files such as ".bash_profile" and
".bash_history" can be seen. The ".bashrc" is also read, as it was sourced
from the .bash_profile. A zero-byte read, as on the second /etc/nsswitch.conf
line, is simply the read that reached end of file. This kind of trace is a
quick way to confirm exactly which startup and credential files a login
touches, and in what order.


Extra options with rwsnoop allow us to print zone ID, project ID, timestamps,
etc. Here we use "-v" to see the time printed, and match on "ps" processes,

   # rwsnoop -vn ps
   TIMESTR                  UID    PID CMD          D   BYTES FILE
   2005 Jul 24 04:23:45       0   2804 ps           R     168 /proc/2804/auxv
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/2804/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R    1495 /etc/ttysrch
   2005 Jul 24 04:23:45       0   2804 ps           W      28 /devices/pseudo/pts.
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/0/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/1/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/2/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/3/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/218/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/7/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/9/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/360/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/91/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/112/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/307/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/226/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/242/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/228/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/243/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/234/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/119/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/143/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/361/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/20314/psinfo
   2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/116/psinfo
   [...]

Here ps can be seen walking /proc and reading the 336-byte psinfo file of
every process, which is how it builds its listing.
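As an added example (this is not code from the DTraceToolkit or from the rwsnoop script itself), the Python below parses a captured rwsnoop trace in the two layouts shown above, with and without "-v", and reduces it to the per-process, per-file byte totals that rwtop reports live, keeping the "<unknown>" socket entries apart from real files and offering a "-n"-style filter. The sample captures inside it are constructed from the output on this page; it assumes the header line is present in the capture and that filenames contain no whitespace.

```python
"""Parse and summarise captured rwsnoop output.

Added example for this page; not part of the DTraceToolkit or rwsnoop.
Assumes the column layout shown on the page (UID PID CMD D BYTES FILE,
preceded by TIMESTR when -v was used), that the header line is present,
and that filenames contain no whitespace.
"""
from collections import defaultdict

# Constructed sample captures, modelled on the output shown on this page.
SAMPLE_PLAIN = """\
  UID    PID CMD          D   BYTES FILE
  100  20334 sshd         R      52 <unknown>
  100  20334 sshd         W       1 /devices/pseudo/clone@0:ptm
    0   2848 ls           W      58 /devices/pseudo/pts@0:12
    0   2848 ls           W      68 /devices/pseudo/pts@0:12
  100  20334 sshd         W     468 <unknown>
^C
"""

SAMPLE_VERBOSE = """\
TIMESTR                  UID    PID CMD          D   BYTES FILE
2005 Jul 24 04:23:45       0   2804 ps           R     168 /proc/2804/auxv
2005 Jul 24 04:23:45       0   2804 ps           R     336 /proc/2804/psinfo
2005 Jul 24 04:23:45       0   2804 ps           W      28 /devices/pseudo/pts@0:12
"""

TIMESTR_TOKENS = 4  # "2005 Jul 24 04:23:45" splits into four tokens


def parse_rwsnoop(text):
    """Return one dict per event line; the header tells us whether -v was used."""
    events = []
    verbose = False
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "^C":
            continue
        if fields[0] == "TIMESTR":
            verbose = True
            continue
        if fields[0] == "UID":
            verbose = False
            continue
        timestr = None
        if verbose:
            timestr = " ".join(fields[:TIMESTR_TOKENS])
            fields = fields[TIMESTR_TOKENS:]
        if len(fields) != 6:
            continue  # not an event line (e.g. a stray "[...]" marker)
        uid, pid, cmd, direction, nbytes, fname = fields
        if direction not in ("R", "W") or not nbytes.isdigit():
            continue
        events.append({
            "time": timestr, "uid": int(uid), "pid": int(pid), "cmd": cmd,
            "dir": direction, "bytes": int(nbytes), "file": fname,
            # rwsnoop prints <unknown> for socket I/O, which has no pathname
            "socket": fname == "<unknown>",
        })
    return events


def match_cmd(events, name):
    """The equivalent of rwsnoop -n: keep only events from processes named `name`."""
    return [ev for ev in events if ev["cmd"] == name]


def summarise(events):
    """Total bytes per (pid, cmd, direction, file): the view rwtop gives live."""
    totals = defaultdict(int)
    for ev in events:
        totals[(ev["pid"], ev["cmd"], ev["dir"], ev["file"])] += ev["bytes"]
    return dict(totals)


def socket_bytes(events):
    """Bytes moved through <unknown> (socket) entries, split by direction."""
    totals = {"R": 0, "W": 0}
    for ev in events:
        if ev["socket"]:
            totals[ev["dir"]] += ev["bytes"]
    return totals


def readers_of(events, prefix):
    """Map (pid, cmd) to the set of files read under `prefix`, e.g. "/proc/"."""
    seen = {}
    for ev in events:
        if ev["dir"] == "R" and ev["file"].startswith(prefix):
            seen.setdefault((ev["pid"], ev["cmd"]), set()).add(ev["file"])
    return seen


if __name__ == "__main__":
    plain = parse_rwsnoop(SAMPLE_PLAIN)
    for (pid, cmd, d, fname), total in sorted(summarise(plain).items()):
        print(f"{pid:6d} {cmd:<12s} {d} {total:7d} {fname}")
    print("socket bytes:", socket_bytes(plain))
    for (pid, cmd), files in readers_of(parse_rwsnoop(SAMPLE_VERBOSE), "/proc/").items():
        print(f"{cmd}[{pid}] read {len(files)} files under /proc/")
```

Feed it a saved trace (`rwsnoop > trace.txt`, then `parse_rwsnoop(open("trace.txt").read())`) to get rwtop-style totals after the fact, or to pull out every process that read a path of interest from a trace too fast to read as it scrolls.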