1Demonstrations of statsnoop, the Linux eBPF/bcc version.
2
3
4statsnoop traces the different stat() syscalls system-wide, and prints various
5details. Example output:
6
7# ./statsnoop
8PID    COMM               FD ERR PATH
931126  bash                0   0 .
1031126  bash               -1   2 /usr/local/sbin/iconfig
1131126  bash               -1   2 /usr/local/bin/iconfig
1231126  bash               -1   2 /usr/sbin/iconfig
1331126  bash               -1   2 /usr/bin/iconfig
1431126  bash               -1   2 /sbin/iconfig
1531126  bash               -1   2 /bin/iconfig
1631126  bash               -1   2 /usr/games/iconfig
1731126  bash               -1   2 /usr/local/games/iconfig
1831126  bash               -1   2 /apps/python/bin/iconfig
1931126  bash               -1   2 /mnt/src/llvm/build/bin/iconfig
208902   command-not-fou    -1   2 /usr/bin/Modules/Setup
218902   command-not-fou    -1   2 /usr/bin/lib/python3.4/os.py
228902   command-not-fou    -1   2 /usr/bin/lib/python3.4/os.pyc
238902   command-not-fou     0   0 /usr/lib/python3.4/os.py
248902   command-not-fou    -1   2 /usr/bin/pybuilddir.txt
258902   command-not-fou    -1   2 /usr/bin/lib/python3.4/lib-dynload
268902   command-not-fou     0   0 /usr/lib/python3.4/lib-dynload
278902   command-not-fou     0   0 /apps/python/lib/python2.7/site-packages
288902   command-not-fou     0   0 /apps/python/lib/python2.7/site-packages
298902   command-not-fou     0   0 /apps/python/lib/python2.7/site-packages
308902   command-not-fou     0   0 /usr/lib/python3.4/
318902   command-not-fou     0   0 /usr/lib/python3.4/
32[...]
33
34This output has caught me mistyping a command in another shell, "iconfig"
35instead of "ifconfig". The first several lines show the bash shell searching
36the $PATH, and failing to find it (ERR == 2 is file not found). Then, a
37"command-not-found" program executes (the name is truncated to 16 characters
38in the COMM field), which begins the process of searching for and suggesting
39a package. ie, this:
40
41# iconfig
42No command 'iconfig' found, did you mean:
43 Command 'vconfig' from package 'vlan' (main)
44 Command 'fconfig' from package 'redboot-tools' (universe)
45 Command 'mconfig' from package 'mono-devel' (main)
46 Command 'iwconfig' from package 'wireless-tools' (main)
47 Command 'zconfig' from package 'python-zconfig' (universe)
48 Command 'ifconfig' from package 'net-tools' (main)
49iconfig: command not found
50
51statsnoop can be used for general debugging, to see what file information has
52been requested, and whether those files exist. It can be used as a companion
53to opensnoop, which shows what files were actually opened.
54
55
56USAGE message:
57
58# ./statsnoop -h
59usage: statsnoop [-h] [-t] [-x] [-p PID]
60
61Trace stat() syscalls
62
63optional arguments:
64  -h, --help         show this help message and exit
65  -t, --timestamp    include timestamp on output
66  -x, --failed       only show failed stats
67  -p PID, --pid PID  trace this PID only
68
69examples:
70    ./statsnoop           # trace all stat() syscalls
71    ./statsnoop -t        # include timestamps
72    ./statsnoop -x        # only show failed stats
73    ./statsnoop -p 181    # only trace PID 181
74