4.2.5. Monitoring Reads and Writes to a File
This section describes how to monitor reads from and writes to a file in real time.
inodewatch.stp
#! /usr/bin/env stap
probe vfs.write, vfs.read
{
# dev and ino are defined by vfs.write and vfs.read
if (dev == MKDEV($1,$2) # major/minor device
&& ino == $3)
printf ("%s(%d) %s 0x%x/%u\n",
execname(), pid(), probefunc(), dev, ino)
}
inodewatch.stp takes the following information about the file as arguments on the command line:
- The file's major device number.
- The file's minor device number.
- The file's
inodenumber.
To get this information, use
stat -c '%D %i' filename, where filename is an absolute path.
For instance: if you wish to monitor
/etc/crontab, run stat -c '%D %i' /etc/crontab first. This gives the following output:
805 1078319
805 is the base-16 (hexadecimal) device number. The lower two digits are the minor device number and the upper digits are the major number. 1078319 is the inode number. To start monitoring /etc/crontab, run stap inodewatch.stp 0x8 0x05 1078319 (The 0x prefixes indicate base-16 values).
The output of this command contains the name and ID of any process performing a read/write, the function it is performing (that is
vfs_read or vfs_write), the device number (in hex format), and the inode number. Example 4.9, “inodewatch.stp Sample Output” contains the output of stap inodewatch.stp 0x8 0x05 1078319 (when cat /etc/crontab is executed while the script is running) :
Example 4.9. inodewatch.stp Sample Output
cat(16437) vfs_read 0x800005/1078319 cat(16437) vfs_read 0x800005/1078319
