opensnoop: -d option for duration

man/man8/opensnoop.8

@@ -2,7 +2,7 @@
 .SH NAME
 opensnoop \- Trace open() syscalls. Uses Linux eBPF/bcc.
 .SH SYNOPSIS
-.B opensnoop [\-h] [\-T] [\-x] [\-p PID] [\-t TID] [\-n name]
+.B opensnoop [\-h] [\-T] [\-x] [\-p PID] [\-t TID] [\-d DURATION] [\-n name]
 .SH DESCRIPTION
 opensnoop traces the open() syscall, showing which processes are attempting
 to open which files. This can be useful for determining the location of config
@@ -36,6 +36,9 @@ Trace this process ID only (filtered in-kernel).
 \-t TID
 Trace this thread ID only (filtered in-kernel).
 .TP
+\-d DURATION
+Total duration of trace in seconds.
+.TP
 \-n name
 Only print processes where its name partially matches 'name'
 .SH EXAMPLES
@@ -44,6 +47,10 @@ Trace all open() syscalls:
 #
 .B opensnoop
 .TP
+Trace all open() syscalls, for 10 seconds only:
+#
+.B opensnoop -d 10
+.TP
 Trace all open() syscalls, and include timestamps:
 #
 .B opensnoop \-T

tools/opensnoop.py

@@ -4,7 +4,7 @@
 # opensnoop Trace open() syscalls.
 # For Linux, uses BCC, eBPF. Embedded C.
 #
-# USAGE: opensnoop [-h] [-T] [-x] [-p PID] [-t TID] [-n NAME]
+# USAGE: opensnoop [-h] [-T] [-x] [-p PID] [-d DURATION] [-t TID] [-n NAME]
 #
 # Copyright (c) 2015 Brendan Gregg.
 # Licensed under the Apache License, Version 2.0 (the "License")
@@ -17,6 +17,7 @@
 from bcc import BPF
 import argparse
 import ctypes as ct
+from datetime import datetime, timedelta
 
 # arguments
 examples = """examples:
@@ -25,6 +26,7 @@
  ./opensnoop -x # only show failed opens
  ./opensnoop -p 181 # only trace PID 181
  ./opensnoop -t 123 # only trace TID 123
+ ./opensnoop -d 10 # trace for 10 seconds only
  ./opensnoop -n main # only print process names containing "main"
 """
 parser = argparse.ArgumentParser(
@@ -39,10 +41,14 @@
  help="trace this PID only")
 parser.add_argument("-t", "--tid",
  help="trace this TID only")
+parser.add_argument("-d", "--duration",
+ help="total duration of trace in seconds")
 parser.add_argument("-n", "--name",
  help="only print process names containing this name")
 args = parser.parse_args()
 debug = 0
+if args.duration:
+ args.duration = timedelta(seconds=int(args.duration))
 
 # define BPF program
 bpf_text = """
@@ -179,5 +185,6 @@ def print_event(cpu, data, size):
 
 # loop with callback to print_event
 b["events"].open_perf_buffer(print_event, page_cnt=64)
-while 1:
+start_time = datetime.now()
+while not args.duration or datetime.now() - start_time < args.duration:
  b.kprobe_poll()

tools/opensnoop_example.txt

@@ -89,6 +89,18 @@ The ERR column is the system error number. Error number 2 is ENOENT: no such
 file or directory.
 
 
+A maximum tracing duration can be set with the -d option. For example, to trace
+for 2 seconds:
+
+# ./opensnoop -d 2
+PID COMM FD ERR PATH
+2191 indicator-multi 11 0 /sys/block
+2191 indicator-multi 11 0 /sys/block
+2191 indicator-multi 11 0 /sys/block
+2191 indicator-multi 11 0 /sys/block
+2191 indicator-multi 11 0 /sys/block
+
+
 The -n option can be used to filter on process name using partial matches:
 
 # ./opensnoop -n ed
@@ -123,7 +135,7 @@ to the '-n' option.
 USAGE message:
 
 # ./opensnoop -h
-usage: opensnoop [-h] [-T] [-x] [-p PID] [-t TID] [-n NAME]
+usage: opensnoop [-h] [-T] [-x] [-p PID] [-t TID] [-d DURATION] [-n NAME]
 
 Trace open() syscalls
 
@@ -133,6 +145,8 @@ optional arguments:
  -x, --failed only show failed opens
  -p PID, --pid PID trace this PID only
  -t TID, --tid TID trace this TID only
+ -d DURATION, --duration DURATION
+ total duration of trace in seconds
  -n NAME, --name NAME only print process names containing this name
 
 examples:
@@ -141,4 +155,5 @@ examples:
  ./opensnoop -x # only show failed opens
  ./opensnoop -p 181 # only trace PID 181
  ./opensnoop -t 123 # only trace TID 123
+ ./opensnoop -d 10 # trace for 10 seconds only
  ./opensnoop -n main # only print process names containing "main"