Monitor How and When a Process Accesses Files with opensnoop

Oct 6, 2010 - Leave a Comment

Terminal in OS X You can watch what a process is doing with your filesystem by using the opensnoop command. To try this out, launch the Terminal and then follow along to learn how to watch by applications, file usage, process ID, and more.


There are two ways to specify which application to watch, you can use either the process name which is obviously easier, or use the processes numerical id:

sudo opensnoop -n applicationName
To track Safari, we’d use:

sudo opensnoop -n Safari

Or you can use the process ID:
sudo opensnoop -p PID

The PID is the process ID, you can get this by using the ps command with grep to grab a processes id:
ps aux|grep iTunes

Then use the resulting PID with opensnoop:
sudo opensnoop -p 4621

Likewise, you can monitor what processes are accessing a specific file with the same command:

sudo opensnoop -f filename

For example, watch what is accessing /etc/hosts
sudo opensnoop -f /etc/hosts

The opensnoop command is much more powerful than this, but these are two powerful yet easy ways to use the command. We actually covered this before with tracking an applications usage in Mac OS X but we got another question on the matter so here we are.

OpenSnoop is similar to lsof, which we have covered before when checking for spyware on your Mac and when viewing all open internet connections on your Mac.

.

Related articles:

Posted by: David Mendez in Command Line, Mac OS

Leave a Reply

 

Shop on Amazon.com and help support OSXDaily!

Subscribe to OSXDaily

Subscribe to RSS Subscribe to Twitter Feed Follow on Facebook Subscribe to eMail Updates

Tips & Tricks

News

iPhone / iPad

Mac

Troubleshooting

Shop on Amazon to help support this site