fsnoop/README.md

# fsnoop

fsnoop snoops on your files

ran on its own with no arguments, fsnoop will report all file modification
events in the current directory.

here's a sample session run from `/tmp/snoop`.  Lines that start with `#` were
run in a separate shell:

```
# ls
open /tmp/snoop
close /tmp/snoop
close-nowrite /tmp/snoop

# touch test
create /tmp/snoop/test
open /tmp/snoop/test
attrib /tmp/snoop/test
close /tmp/snoop/test
close-write /tmp/snoop/test

# echo hi > test
modify /tmp/snoop/test
open /tmp/snoop/test
modify /tmp/snoop/test
close /tmp/snoop/test
close-write /tmp/snoop/test

# echo append >> test
open /tmp/snoop/test
modify /tmp/snoop/test
close /tmp/snoop/test
close-write /tmp/snoop/test

# mv test test.1
moved-from /tmp/snoop/test
move /tmp/snoop/test -> /tmp/snoop/test.1
moved-to /tmp/snoop/test.1

# gzip test.1
open /tmp/snoop/test.1
create /tmp/snoop/test.1.gz
open /tmp/snoop/test.1.gz
access /tmp/snoop/test.1
modify /tmp/snoop/test.1.gz
close /tmp/snoop/test.1
close-nowrite /tmp/snoop/test.1
attrib /tmp/snoop/test.1.gz
attrib /tmp/snoop/test.1.gz
attrib /tmp/snoop/test.1.gz
close /tmp/snoop/test.1.gz
close-write /tmp/snoop/test.1.gz
delete /tmp/snoop/test.1

# rm test.1.gz
delete /tmp/snoop/test.1.gz
```

of course, this is not as accurate as actually reading a program or stracing
it, but if the ordering of the file modification events is all you care about,
then fsnoop acts as a useful filter.

this thing only works on linux.

basically i reinvented a poorman's version of
[inotifywait](https://github.com/rvoicilas/inotify-tools).
readme 10 years ago			`# fsnoop`

			`fsnoop snoops on your files`

readme 10 years ago			`ran on its own with no arguments, fsnoop will report all file modification`
			`events in the current directory.`
readme 10 years ago
			here's a sample session run from `/tmp/snoop`. Lines that start with `#` were
			`run in a separate shell:`

			```
			`# ls`
			`open /tmp/snoop`
			`close /tmp/snoop`
			`close-nowrite /tmp/snoop`

			`# touch test`
			`create /tmp/snoop/test`
			`open /tmp/snoop/test`
			`attrib /tmp/snoop/test`
			`close /tmp/snoop/test`
			`close-write /tmp/snoop/test`

			`# echo hi > test`
			`modify /tmp/snoop/test`
			`open /tmp/snoop/test`
			`modify /tmp/snoop/test`
			`close /tmp/snoop/test`
			`close-write /tmp/snoop/test`

			`# echo append >> test`
			`open /tmp/snoop/test`
			`modify /tmp/snoop/test`
			`close /tmp/snoop/test`
			`close-write /tmp/snoop/test`

			`# mv test test.1`
			`moved-from /tmp/snoop/test`
			`move /tmp/snoop/test -> /tmp/snoop/test.1`
			`moved-to /tmp/snoop/test.1`

			`# gzip test.1`
			`open /tmp/snoop/test.1`
			`create /tmp/snoop/test.1.gz`
			`open /tmp/snoop/test.1.gz`
			`access /tmp/snoop/test.1`
			`modify /tmp/snoop/test.1.gz`
			`close /tmp/snoop/test.1`
			`close-nowrite /tmp/snoop/test.1`
			`attrib /tmp/snoop/test.1.gz`
			`attrib /tmp/snoop/test.1.gz`
			`attrib /tmp/snoop/test.1.gz`
			`close /tmp/snoop/test.1.gz`
			`close-write /tmp/snoop/test.1.gz`
			`delete /tmp/snoop/test.1`

			`# rm test.1.gz`
			`delete /tmp/snoop/test.1.gz`
			```

			`of course, this is not as accurate as actually reading a program or stracing`
			`it, but if the ordering of the file modification events is all you care about,`
			`then fsnoop acts as a useful filter.`

			`this thing only works on linux.`

			`basically i reinvented a poorman's version of`
			`[inotifywait](https://github.com/rvoicilas/inotify-tools).`