fsnoop

fsnoop snoops on your files

run on its own with no arguments, fsnoop will report all file modification events in the current directory.

here's a sample session run from /tmp/snoop. Lines that start with # were run in a separate shell:

# ls
open /tmp/snoop
close /tmp/snoop
close-nowrite /tmp/snoop

# touch test
create /tmp/snoop/test
open /tmp/snoop/test
attrib /tmp/snoop/test
close /tmp/snoop/test
close-write /tmp/snoop/test

# echo hi > test
modify /tmp/snoop/test
open /tmp/snoop/test
modify /tmp/snoop/test
close /tmp/snoop/test
close-write /tmp/snoop/test

# echo append >> test
open /tmp/snoop/test
modify /tmp/snoop/test
close /tmp/snoop/test
close-write /tmp/snoop/test

# mv test test.1
moved-from /tmp/snoop/test
move /tmp/snoop/test -> /tmp/snoop/test.1
moved-to /tmp/snoop/test.1

# gzip test.1
open /tmp/snoop/test.1
create /tmp/snoop/test.1.gz
open /tmp/snoop/test.1.gz
access /tmp/snoop/test.1
modify /tmp/snoop/test.1.gz
close /tmp/snoop/test.1
close-nowrite /tmp/snoop/test.1
attrib /tmp/snoop/test.1.gz
attrib /tmp/snoop/test.1.gz
attrib /tmp/snoop/test.1.gz
close /tmp/snoop/test.1.gz
close-write /tmp/snoop/test.1.gz
delete /tmp/snoop/test.1

# rm test.1.gz
delete /tmp/snoop/test.1.gz

of course, this is not as accurate as actually reading a program or stracing it, but if the ordering of the file modification events is all you care about, then fsnoop acts as a useful filter.
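an added example (not part of fsnoop): a small python parser for the output format shown in the sample session. it reduces a capture to a per-file event order and lists which files were written, deleted, or both created and deleted during the capture. the function names are hypothetical, the input is the mv, gzip and rm steps copied from the session above, and paths are assumed not to contain " -> ".

```python
# Constructed input: the mv, gzip and rm steps copied from the sample session.
SAMPLE = """\
# mv test test.1
moved-from /tmp/snoop/test
move /tmp/snoop/test -> /tmp/snoop/test.1
moved-to /tmp/snoop/test.1
# gzip test.1
open /tmp/snoop/test.1
create /tmp/snoop/test.1.gz
open /tmp/snoop/test.1.gz
access /tmp/snoop/test.1
modify /tmp/snoop/test.1.gz
close /tmp/snoop/test.1
close-nowrite /tmp/snoop/test.1
attrib /tmp/snoop/test.1.gz
attrib /tmp/snoop/test.1.gz
attrib /tmp/snoop/test.1.gz
close /tmp/snoop/test.1.gz
close-write /tmp/snoop/test.1.gz
delete /tmp/snoop/test.1
# rm test.1.gz
delete /tmp/snoop/test.1.gz
"""

def parse(line):
    """Split a line into (event, path, dest). Assumes no path contains ' -> '."""
    event, _, rest = line.strip().partition(" ")
    src, sep, dst = rest.partition(" -> ")
    return (event, src, dst) if event == "move" and sep else (event, rest, None)

def timeline(text):
    """Map each path to its ordered events, collapsing consecutive repeats."""
    seen = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and the '#' command lines of the session
        event, path, dest = parse(line)
        label = f"move->{dest}" if dest else event
        events = seen.setdefault(path, [])
        if not events or events[-1] != label:
            events.append(label)
    return seen

def summarize(text):
    """List paths that were written, deleted, or both created and deleted."""
    tl = timeline(text)
    pick = lambda *need: [p for p, ev in tl.items() if all(n in ev for n in need)]
    return {"written": pick("close-write"), "deleted": pick("delete"),
            "transient": pick("create", "delete")}
```

on the sample, `summarize(SAMPLE)` shows that test.1 was only read before it was deleted, while test.1.gz was created, written and then removed.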

this thing only works on linux.

basically i reinvented a poor man's version of inotifywait.