opensnoop-bpfcc is a BPF-based monitoring tool that traces file open system calls in real time. It's part of the BCC (BPF Compiler Collection) toolkit and provides detailed visibility into which processes are opening files on your system.
I find it easier to use than strace; it gives simple output.
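The following command monitors all file opens by processes containing "go" in their name, discards stderr, and saves a copy of the output to a file named monitor:
sudo opensnoop-bpfcc -n go 2> /dev/null | tee monitor
Sample output of running go env in another terminal (columns: PID, COMM, FD, ERR, PATH; an FD of -1 means the open failed with the errno shown in ERR):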
2907925 go 3 0 /home/fred/.config/go/env
2907925 go 3 0 /usr/local/go/go.env
2907925 go -1 2 /home/fred/.config/go/telemetry/mode
2907925 go -1 2 /home/fred/.config/go/telemetry/mode
2907925 go 3 0 /home/fred/.config/go/telemetry/local/weekends
2907925 go 3 0 /home/fred/.config/go/telemetry/local/weekends
2907925 go -1 30 /home/fred/.config/go/telemetry/local/[email protected]
2907925 go -1 2 /home/fred/.config/go/telemetry/mode
2907925 go -1 2 /home/fred/.config/go/telemetry/mode
Common use cases:
- Finding the location of config files and caches for various CLI tools
- Debugging application file access
- Security monitoring for suspicious file opens
- Performance analysis of I/O-heavy applications
- Troubleshooting permission issues
The tool requires root privileges due to its BPF kernel access requirements.
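For the security-monitoring and permission-troubleshooting use cases, the saved output can be post-processed. The script below is an added example, not part of opensnoop or BCC: it parses the PID/COMM/FD/ERR/PATH columns, counts failed opens per process and errno, and lists opens of watched paths. The sample lines, the `WATCHED` list and the function names are constructed for illustration.

```python
import errno
from collections import Counter

# Constructed sample in opensnoop's default column layout (not real output).
SAMPLE = """\
PID    COMM               FD ERR PATH
4101   go                  3   0 /home/alice/.config/go/env
4101   go                 -1   2 /home/alice/.config/go/telemetry/mode
4102   backup.sh          -1  13 /etc/shadow
4103   cat                 3   0 /home/alice/.ssh/id_ed25519
4103   cat                 3   0 /tmp/my notes.txt
"""

# Assumed watch list; adjust to the paths that matter on your hosts.
WATCHED = ("/etc/shadow", "/etc/sudoers", "/.ssh/")

def parse(text):
    """Yield one dict per event line; the header and malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split(None, 4)  # PATH is last and may contain spaces
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        pid, comm, fd, err, path = parts
        try:
            yield {"pid": int(pid), "comm": comm, "fd": int(fd),
                   "err": int(err), "path": path}
        except ValueError:
            continue  # e.g. a COMM containing spaces shifts the columns

def failed_opens(events):
    """Count failed opens (FD < 0) per (process name, errno name)."""
    counts = Counter()
    for e in events:
        if e["fd"] < 0:
            counts[(e["comm"], errno.errorcode.get(e["err"], str(e["err"])))] += 1
    return counts

def watched_opens(events, watched=WATCHED):
    """Return events that touch a watched path, successful or not."""
    return [e for e in events if any(w in e["path"] for w in watched)]

if __name__ == "__main__":
    events = list(parse(SAMPLE))
    for (comm, name), n in failed_opens(events).items():
        print(f"{n:3d} failed  {comm:<12} {name}")
    for e in watched_opens(events):
        print(f"watched: pid={e['pid']} comm={e['comm']} err={e['err']} {e['path']}")
```

To run it on a real capture, replace `SAMPLE` with the contents of the monitor file written by tee.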