-
Notifications
You must be signed in to change notification settings - Fork 12
/
fatrace.8
122 lines (91 loc) · 3.12 KB
/
fatrace.8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
.TH fatrace 8 "August 20, 2020" "Martin Pitt"
.SH NAME
fatrace \- report system wide file access events
.SH SYNOPSIS
.B fatrace
[
.I OPTIONS
]
.SH DESCRIPTION
.B fatrace
reports file access events from all running processes.
It does not report file access by fatrace itself, to avoid logging events
caused by writing the output into a file. It also ignores events on virtual and
kernel file systems such as sysfs, proc, and devtmpfs.
Its main purpose is to find processes which keep waking up the disk
unnecessarily and thus prevent some power saving.
By default, events are reported to stdout. This will cause some loops if you
run this tool in e. g. gnome-terminal, as this causes a disk access for every
output line. To avoid this, redirect the output into a file.
.SH OUTPUT FORMAT
A typical event looks like
.RS 4
rsyslogd(875): W /var/log/auth.log
.br
compiz(1971): O device 8:2 inode 658203
.RE
The line has the following fields:
.IP \(bu 2
Process name. This is read from /proc/pid/comm, and might be abbreviated for
long process names.
.IP \(bu 2
Process ID
.IP \(bu 2
Event type: \fBO\fRpen, \fBR\fRead, \fBW\fRrite, \fBC\fRlose. Events on
directories are \fB+\fR (create), \fBD\fRelete, \fB<\fR (moved from),
or \fB>\fR (moved to).
Combinations are possible, such as \fBCW\fR for closing a written file, or <>
for renaming a file within the same directory.
Directory events can only be detected on Linux 5.1 or higher.
.IP \(bu 2
Affected file. In some cases the path and name cannot be determined, e. g.
because it is a temporary file which is already deleted. In that case, it
prints the devices' major and minor number and the inode number. To examine
such a process in more detail, you should consider using
.BR strace (1).
.RE
If you specify the
.B \-\-timestamp
option, the first field will be the current time.
.SH OPTIONS
.TP
.B \-c\fR, \fB\-\-current-mount
Only record events on partition/mount of current directory. Without this
option, all (real) partitions/mount points are being watched.
.TP
.B \-o \fIFILE\fR, \fB\-\-output=\fIFILE
Write events to given file instead of standard output.
.TP
.B \-s \fISECONDS\fR, \fB\-\-seconds=\fISECONDS
Stop after the given number of seconds.
.TP
.B \-t\fR, \fB\-\-timestamp
Add timestamp to events. When this option is given once, the format will be a
human readable hour:minute:second.microsecond; when given twice, the timestamp
is printed as seconds/microseconds since the epoch.
.TP
.B \-u\fR, \fB\-\-user
Add process user information to events, formatted as "[uid:gid]".
.TP
.B \-p \fIPID\fR, \fB\-\-ignore\-pid=\fIPID
Ignore events for this process ID. Can be specified multiple times.
.TP
.B \-f \fITYPES\fR, \fB\-\-filter=\fITYPES
Show only the given event types.
.B TYPES
is a list of
.BR C ", " R ", " O ", " W ", " D ", " + ", or " <
with the above meanings. < and > both mean "move" and will always enable both
directions.
E. g. use
.B \--filter=OC
to only show open and close events.
.TP
.B \-C \fICOMMAND\fR, \fB\-\-command=\fICOMMAND
Show only events for this command.
.TP
.B \-h \fR, \fB\-\-help
Print help and exit.
.SH AUTHOR
.B fatrace
is developed by Martin Pitt <[email protected]>.