Watching a file system

Matthew Dillon dillon at
Tue Jun 26 13:50:31 PDT 2007

:Matthew Dillon <dillon at> writes:
:>     You can monitor system calls made by programs with ktrace.
:Ok, but what if I want to watch access to a particular file system
:(e.g. a mounted cdrom) by *all* system processes? :)
:Dave Hayes - Consultant - Altadena CA, USA - dave at 
:>>> The opinions expressed above are entirely my own <<<

    ktrace can be told to attach to a process and all its descendants.
    Attach to pid 1 with that option and BANG, every single process in
    the system will be ktraced.

    You'll get a massive amount of data and performance will be terrible,

    Another option... export the CD via NFS and access it via NFS, and
    use tcpdump to monitor access.  You won't get the cache hits, but you
    will get a good idea as to what is being accessed.  It won't be pretty

    If you just want a summary of what files were accessed you can use
    ncptrace from /usr/src/test/debug/ncptrace.c.  Read the header on
    how to compile it.  You would then be able to 'ncptrace /mnt' (or 
    wherever you mounted the CD) to dump the namecache for that mount
    point.  You can clear the cache by unmounting and remounting the CD.

					Matthew Dillon 
					<dillon at>
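An added example, not part of the original post: one way to cut the "massive amount of data" from a system-wide ktrace down to accesses under one mount point is to keep only the name-lookup (NAMI) records from the kdump output. The line layout `<pid> <command> NAMI "<path>"`, the function name summarize_nami and the sample trace are assumptions made for this sketch.

```python
import re
from collections import Counter, defaultdict

# Assumed kdump line layout:  <pid> <command> NAMI  "<path>"
NAMI_RE = re.compile(r'^\s*(\d+)\s+(\S.*?)\s+NAMI\s+"(.*)"\s*$')


def summarize_nami(lines, mount_point):
    """Map each looked-up path at or below mount_point to a Counter of
    (pid, command) -> number of lookups."""
    root = mount_point.rstrip("/") or "/"
    prefix = root if root == "/" else root + "/"
    hits = defaultdict(Counter)
    for line in lines:
        m = NAMI_RE.match(line)
        if not m:
            continue  # CALL, RET, GIO ... records are ignored
        pid, comm, path = int(m.group(1)), m.group(2), m.group(3)
        # NAMI holds the path as the process passed it to the syscall.
        # Relative lookups cannot be tied to a mount without the cwd,
        # so only absolute paths are matched here.
        # The "/" boundary keeps /mnt/cdrom2 from matching /mnt/cdrom.
        if path == root or path.startswith(prefix):
            hits[path][(pid, comm)] += 1
    return hits


# Constructed sample trace, not taken from a real system.
SAMPLE = """\
   812 ls       CALL  open(0x8049f20,0,0)
   812 ls       NAMI  "/mnt/cdrom/README"
   812 ls       RET   open 3
   901 cat      NAMI  "/mnt/cdrom/README"
   901 cat      NAMI  "/mnt/cdrom/README"
   950 sh       NAMI  "/mnt/cdrom2/other"
   950 sh       NAMI  "docs/notes.txt"
   950 sh       NAMI  "/etc/passwd"
   950 sh       NAMI  "/mnt/cdrom"
"""

if __name__ == "__main__":
    for path, who in sorted(summarize_nami(SAMPLE.splitlines(), "/mnt/cdrom").items()):
        for (pid, comm), n in sorted(who.items()):
            print(f"{path}\t{comm}[{pid}]\t{n}")
```

Unlike the ncptrace namecache dump, this view shows which process performed each lookup, but it misses any access made through a relative path.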
