Monitoring FS operations

Kevin Strong kstrong at criminalinfo.net
Tue May 23 19:47:48 UTC 2006 

Jon Burgess wrote:
> On Tue, 2006-05-23 at 13:48 -0400, Kevin Strong wrote:
> 
>>Jérôme Petazzoni wrote:
>>
>>>>Without going into the specific reasons why I need to do so, is anyone
>>>>aware of a method (or tool) of watching real-time, human-readable (or
>>>>system call print) of ext3 filesystem operations on a mounted, active
>>>>filesystem?
>>>
>>>
>>>Look for the lm-profiler tool in the "laptop-mode" tools. It does
>>>(almost) that :
>>>
>>>modprobe(18534): dirtied inode 457921 (irda-utils) on sda2
>>>modprobe(18534): dirtied inode 457920 (bluez) on sda2
>>>modprobe(18534): dirtied inode 49330 (display_class) on sda2
>>>
>>>That may or may not be what you want, however !
>>>
>>>regards
>>
>>Thanks.  That's a good start.  Not what I was after but I'll see what it 
>>gives me on my box.  I'm looking for something like "Filemon" from 
>>sysinternals.com (for Windows) - something that shows every operation 
>>sent to the FS driver.
> 
> 
> systemtap http://sourceware.org/systemtap/ could be used to monitor and
> report information from a selection of syscalls or ext3 specific APIs
> inside the kernel.
> 
> Internally the kernel references the files by device+inode, not path
> name. To find a path to this inode you could monitor open() calls, but
> there may be multiple file paths which link to the same inode (e.g. hard
> links). It seems filemon has to do something similar on Windows to
> convert file handles back to file names, 
> 
> - How It Works
> ...
>   "When FileMon sees an open, create or close call, it updates an
> internal hash table that serves as the mapping between internal file
> handles and file path names. Whenever it sees calls that are handle
> based, it looks up the handle in the hash table to obtain the full name
> for display. If a handle-based access references a file opened before
> FileMon started, FileMon will fail to find the mapping in its hash table
> and will simply present the handle's value instead."
> 
> 	Jon
> 
> 
> 
> _______________________________________________
> Ext3-users mailing list
> Ext3-users at redhat.com
> https://www.redhat.com/mailman/listinfo/ext3-users

THAT is what I'm looking for.  I'm assuming that there isn't anything 
that's more production-ready than that.

Thank you!

Kevin Strong
Criminal Information Network

More information about the Ext3-users mailing list