<html>
  <head>
    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Hi all,</p>
    <p>using ftrace events to trace the sys_open*() system calls seems
      to be a rather quick way to determine which files were used when
      running a program. E.g., recording the the start and the end of
      any open* system call while running ls /:</p>
    <blockquote>
      <p># trace-cmd record --stderr  -e syscalls:sys_enter_open* -e
        syscalls:sys_exit_open* -c -F ls / 2>/dev/null</p>
    </blockquote>
    <p>Printing the recorded trace yields::<br>
    </p>
    <blockquote>
      <p># trace-cmd report<br>
        bin    dev    home        initrd.img.old  lib32  lost+found 
        mnt  proc  run    snap  sys  usr    vmlinuz<br>
        etc    initrd.img  lib            lib64  media       opt  root 
        sbin    srv   tmp  var    vmlinuz.old<br>
        version = 6<br>
        CPU 0 is empty<br>
        CPU 1 is empty<br>
        CPU 3 is empty<br>
        CPU 4 is empty<br>
        CPU 5 is empty<br>
        CPU 6 is empty<br>
        CPU 7 is empty<br>
        cpus=8<br>
                      ls-8307  [002] 15379.397993: sys_enter_open:      
        filename: 0x7f471c8e9271, flags: 0x00080000, mode: 0x00000001<br>
                      ls-8307  [002] 15379.398000: sys_exit_open:       
        0x3<br>
                      ls-8307  [002] 15379.398012: sys_enter_open:      
        filename: 0x7f471caf0d60, flags: 0x00080000, mode:
        0x7f471caf0168<br>
                      ls-8307  [002] 15379.398013: sys_exit_open:       
        0x3<br>
                      ls-8307  [002] 15379.398043: sys_enter_open:      
        filename: 0x7f471cad14c8, flags: 0x00080000, mode:
        0x7f471caf0168<br>
                      ls-8307  [002] 15379.398045: sys_exit_open:       
        0x3<br>
                      ls-8307  [002] 15379.398070: sys_enter_open:      
        filename: 0x7f471cad19a8, flags: 0x00080000, mode:
        0x7f471cad1000<br>
                      ls-8307  [002] 15379.398071: sys_exit_open:       
        0x3<br>
                      ls-8307  [002] 15379.398092: sys_enter_open:      
        filename: 0x7f471cad1e98, flags: 0x00080000, mode:
        0x7f471cad1000<br>
                      ls-8307  [002] 15379.398094: sys_exit_open:       
        0x3<br>
                      ls-8307  [002] 15379.398113: sys_enter_open:      
        filename: 0x7f471cad0548, flags: 0x00080000, mode:
        0x7f471cad19d0<br>
                      ls-8307  [002] 15379.398115: sys_exit_open:       
        0x3<br>
                      ls-8307  [002] 15379.398326: sys_enter_open:      
        filename: 0x7f471c6bfc15, flags: 0x00000000, mode: 0x000001b6<br>
                      ls-8307  [002] 15379.398331: sys_exit_open:       
        0x3<br>
                      ls-8307  [002] 15379.398375: sys_enter_open:      
        filename: 0x7f471c470760, flags: 0x00080000, mode: 0x00000000<br>
                      ls-8307  [002] 15379.398380: sys_exit_open:       
        0x3<br>
                      ls-8307  [002] 15379.398428: sys_enter_open:      
        filename: 0x01c97cc0, flags: 0x00090800, mode: 0x00000000<br>
                      ls-8307  [002] 15379.398430: sys_exit_open:       
        0x3<br>
      </p>
    </blockquote>
    <p>Unfortunately, although ftrace prints the filename's address for
      each file being opened, I could not seen any way to obtain the
      filenames themselves.</p>
    <p>Any ideas on how to get hold of the filenames would be great,
      thanks.</p>
    <p>Cheers,</p>
    <p>Chris</p>
  </body>
</html>