The following is a demonstration of the rwsnoop program,
Here we run it for about a second,
# rwsnoop
UID PID CMD D BYTES FILE
100 20334 sshd R 52 <unknown>
100 20334 sshd W 1 /devices/pseudo/clone@0:ptm
0 20320 bash W 1 /devices/pseudo/pts@0:12
100 20334 sshd R 2 /devices/pseudo/clone@0:ptm
100 20334 sshd W 52 <unknown>
0 2848 ls W 58 /devices/pseudo/pts@0:12
0 2848 ls W 68 /devices/pseudo/pts@0:12
0 2848 ls W 57 /devices/pseudo/pts@0:12
0 2848 ls W 67 /devices/pseudo/pts@0:12
0 2848 ls W 48 /devices/pseudo/pts@0:12
0 2848 ls W 49 /devices/pseudo/pts@0:12
0 2848 ls W 33 /devices/pseudo/pts@0:12
0 2848 ls W 41 /devices/pseudo/pts@0:12
100 20334 sshd R 429 /devices/pseudo/clone@0:ptm
100 20334 sshd W 468 <unknown>
^C
The output scrolls rather fast. Above, we can see an ls command was run,
and we can see as ls writes each line. The "<unknown>" read/writes are
socket activity, which have no corresponding filename.
For a summary style output, use the rwtop program.
If a particular program is of interest, the "-n" option can be used
to match on process name. Here we match on "bash" during a login where
the user uses the bash shell as their default,
# rwsnoop -n bash
UID PID CMD D BYTES FILE
100 2854 bash R 757 /etc/nsswitch.conf
100 2854 bash R 0 /etc/nsswitch.conf
100 2854 bash R 668 /etc/passwd
100 2854 bash R 980 /etc/profile
100 2854 bash W 15 /devices/pseudo/pts@0:14
100 2854 bash R 10 /export/home/brendan/.bash_profile
100 2854 bash R 867 /export/home/brendan/.bashrc
100 2854 bash R 980 /etc/profile
100 2854 bash W 15 /devices/pseudo/pts@0:14
100 2854 bash R 8951 /export/home/brendan/.bash_history
100 2854 bash R 8951 /export/home/brendan/.bash_history
100 2854 bash R 1652 /usr/share/lib/terminfo/d/dtterm
100 2854 bash W 41 /devices/pseudo/pts@0:14
100 2854 bash R 1 /devices/pseudo/pts@0:14
100 2854 bash W 1 /devices/pseudo/pts@0:14
100 2854 bash W 41 /devices/pseudo/pts@0:14
100 2854 bash R 1 /devices/pseudo/pts@0:14
100 2854 bash W 7 /devices/pseudo/pts@0:14
In the above, various bash related files such as ".bash_profile" and
".bash_history" can be seen. The ".bashrc" is also read, as it was sourced
from the .bash_profile.
Extra options with rwsnoop allow us to print zone ID, project ID, timestamps,
etc. Here we use "-v" to see the time printed, and match on "ps" processes,
# rwsnoop -vn ps
TIMESTR UID PID CMD D BYTES FILE
2005 Jul 24 04:23:45 0 2804 ps R 168 /proc/2804/auxv
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/2804/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 1495 /etc/ttysrch
2005 Jul 24 04:23:45 0 2804 ps W 28 /devices/pseudo/pts.
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/0/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/1/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/2/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/3/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/218/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/7/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/9/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/360/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/91/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/112/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/307/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/226/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/242/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/228/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/243/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/234/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/119/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/143/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/361/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/20314/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/116/psinfo
[...]
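The text above notes that rwsnoop output scrolls quickly and points to rwtop for a summary view. As an added example (not part of the DTraceToolkit, and not a reimplementation of the rwsnoop D script), the following Python post-processes captured rwsnoop text into rwtop-style per-process totals and lists the files a given command touched. It assumes the column layout shown above (UID PID CMD D BYTES FILE, prefixed by a four-token TIMESTR when "-v" is used) and that CMD contains no whitespace; the sample inputs are lines copied from the output shown on this page.

```python
"""Summarize rwsnoop output (plain or -v) the way rwtop would.

Added example, not DTraceToolkit code. It parses the text rwsnoop prints;
it assumes whitespace-separated columns in the order UID PID CMD D BYTES FILE,
with a leading "YYYY Mon DD HH:MM:SS" timestamp (four tokens) under -v.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied from the rwsnoop output shown on this page.
SAMPLE_PLAIN = """# rwsnoop
UID PID CMD D BYTES FILE
100 20334 sshd R 52 <unknown>
100 20334 sshd W 1 /devices/pseudo/clone@0:ptm
0 20320 bash W 1 /devices/pseudo/pts@0:12
100 20334 sshd R 2 /devices/pseudo/clone@0:ptm
100 20334 sshd W 52 <unknown>
0 2848 ls W 58 /devices/pseudo/pts@0:12
0 2848 ls W 68 /devices/pseudo/pts@0:12
0 2848 ls W 57 /devices/pseudo/pts@0:12
0 2848 ls W 67 /devices/pseudo/pts@0:12
0 2848 ls W 48 /devices/pseudo/pts@0:12
0 2848 ls W 49 /devices/pseudo/pts@0:12
0 2848 ls W 33 /devices/pseudo/pts@0:12
0 2848 ls W 41 /devices/pseudo/pts@0:12
100 20334 sshd R 429 /devices/pseudo/clone@0:ptm
100 20334 sshd W 468 <unknown>
^C
"""

# Sample -v input (timestamped), also copied from the page; the last FILE
# value is truncated exactly as rwsnoop printed it.
SAMPLE_VERBOSE = """# rwsnoop -vn ps
TIMESTR UID PID CMD D BYTES FILE
2005 Jul 24 04:23:45 0 2804 ps R 168 /proc/2804/auxv
2005 Jul 24 04:23:45 0 2804 ps R 336 /proc/2804/psinfo
2005 Jul 24 04:23:45 0 2804 ps R 1495 /etc/ttysrch
2005 Jul 24 04:23:45 0 2804 ps W 28 /devices/pseudo/pts.
[...]
"""


@dataclass(frozen=True)
class RwEvent:
    timestr: Optional[str]   # None unless rwsnoop was run with -v
    uid: int
    pid: int
    cmd: str
    direction: str           # "R" (read) or "W" (write)
    nbytes: int
    path: str                # "<unknown>" for socket I/O; may be truncated


def parse_rwsnoop(text: str) -> List[RwEvent]:
    """Turn rwsnoop text into events, skipping the command echo, headers,
    the ^C marker and the "[...]" elision the page uses."""
    events: List[RwEvent] = []
    verbose = False
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("#", "^C", "[...]"):
            continue
        if tokens[0] == "TIMESTR":      # header of -v output
            verbose = True
            continue
        if tokens[0] == "UID":          # header of plain output
            continue
        timestr = None
        if verbose:
            timestr = " ".join(tokens[:4])
            tokens = tokens[4:]
        if len(tokens) < 6:
            continue                    # malformed or cut-off line
        uid, pid, cmd, direction, nbytes = tokens[:5]
        path = " ".join(tokens[5:])     # tolerate spaces in the path
        events.append(RwEvent(timestr, int(uid), int(pid), cmd,
                              direction, int(nbytes), path))
    return events


def summarize(events: List[RwEvent]) -> Dict[Tuple[int, int, str], Dict[str, int]]:
    """rwtop-style totals: bytes read and written per (uid, pid, cmd)."""
    totals: Dict[Tuple[int, int, str], Dict[str, int]] = defaultdict(
        lambda: {"R": 0, "W": 0})
    for ev in events:
        totals[(ev.uid, ev.pid, ev.cmd)][ev.direction] += ev.nbytes
    return dict(totals)


def files_touched(events: List[RwEvent], cmd: str) -> List[str]:
    """Distinct paths a command read or wrote, ignoring socket I/O."""
    return sorted({ev.path for ev in events
                   if ev.cmd == cmd and ev.path != "<unknown>"})


if __name__ == "__main__":
    for key, tot in summarize(parse_rwsnoop(SAMPLE_PLAIN)).items():
        print(key, tot)
    print(files_touched(parse_rwsnoop(SAMPLE_VERBOSE), "ps"))
```

Run it against a saved capture (`rwsnoop > capture.txt`, then feed the file to `parse_rwsnoop`) to get the per-process byte totals without watching the live scroll; the "<unknown>" filter in `files_touched` drops the socket entries the text above explains.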