I have a confession to make: I have not always been a Mac person. For the period of time between the retirement of System 9 and Panther (yes, it took Apple showing a real commitment to Unix for me to give them a shot again), I abandoned our fine operating system for greener pastures, well, green screen at least. Work drove me into Windows (as it has for about 90% of the workers out there) but my real outlet was anything Linux, BSD or Solaris-related. There was nary a distro that did not cross my hard drive (virtual or otherwise) and I was very happy programming, scripting and living life on the command line, with an occasional, lingering trip into X11 when necessary.
OS X changed all that, since Apple managed to make Unix look very good while keeping all of the real power that lies beneath the GUI.Now, one may be able to argue the aesthetics of Leopard (hey, Panic should be happy, it took Leopard to finally drive me into purchasing CandyBar), but none can dispute the gems that await those who dare to invoke the Terminal, and I’ll be taking the opportunity over some of the coming posts to dwell on the nuggets that bear a deeper look. For those that are not as comfortable with the more textual side of their systems, I’ll be making these trips as painless as possible (you may not need to delve into the Utilities folder to find the Terminal icon at all).
The first stop is a little utility called
opensnoop. Leopard ships with something called DTrace that gives developers and administrators the ability to take a peek at what all running code is doing in a flexible and dynamic way. Giving DTrace the coverage it deserves is beyond a simple blog post, but there are some smaller utilities – like
opensnoop – that take advantage of the power of DTrace, but on a more targeted scale which are worthy of a minor exposition.The main purpose of the
opensnoop utility is to provide a report of file opens as they occur. Curious as to what really happens when Safari opens a web page? Want to see what files are accessed from that latest program you downloaded? You can find the answers with
If you can get to a terminal prompt, the simplest way to see what this utility does is to just type:
Non-Terminal folks can just run the
OpenSnoop.app application from the OpenSnoop App Archive (354KB ZIP file). (Either way, you’ll be asked to enter your password since
opensnoop requires higher-level privileges to run.)
Output will look something like the following, though your listing contents should be very different:
UID PID COMM FD PATH 501 286 SystemUIServer 17 /System/Library/CoreServices/Menu Extras/Spaces.menu/Contents/Resources/SpacesBackground.pdf 501 218 Finder 11 /.vol/234881026/571978 501 286 SystemUIServer 17 /System/Library/CoreServices/Menu Extras/Spaces.menu/Contents/Resources/SpacesBackground.pdf 501 286 SystemUIServer 17 /System/Library/CoreServices/Menu Extras/Spaces.menu/Contents/Resources/SpacesBackground.pdf 0 110 WindowServer 4 /var/log/windowserver.log 0 110 WindowServer 4 /var/log/windowserver.log 501 286 SystemUIServer 17 /System/Library/CoreServices/Menu Extras/Spaces.menu/Contents/Resources/SpacesBackground.pdf
For each line:
UIDis the numerical ID of the owner of program that has the file opened.
PIDis the process ID of the program that has the file open
COMMis the actual name of the process (this is something we care about)
FDis the numerical file descriptor (ID) of the file being accessed
PATHis the full OS X path to the file being accessed (this is also something we care about)
The sample output is what occurred when I switched to/from Spaces 1 & 3. Just that simple case shows how interesting
opensnoop can be since we see that the
WindowServer were both invoked when I worked just a little bit with Spaces and that
SpacesBackground.pdf was loaded from one of the Spaces app bundles.
While this is useful in-and-of itself, we can use
opensnoop for more targeted and detailed inspection. The following command:
sudo opensnoop -avgn Safari
(Non-Terminal users can run the
SnoopSafari.app from the archive)
Produces the following output when I tell it to go to
TIME STRTIME UID PID FD ERR PATH ARGS 8071248908 2008 Jan 10 21:33:13 501 1153 17 0 /Users/bob/Library/Caches/com.apple.Safari/Cache.db-journal Safari 8071249029 2008 Jan 10 21:33:13 501 1153 18 0 /Users/bob/Library/Caches/com.apple.Safari Safari 8071249636 2008 Jan 10 21:33:13 501 1153 24 0 /var/tmp/etilqs_rjFUOz2TEh7AaoG Safari 8075981916 2008 Jan 10 21:33:18 501 1153 18 0 /Users/bob/Library/Caches/Metadata/Safari/History/.tracked filenames.plist Safari 8075982865 2008 Jan 10 21:33:18 501 1153 18 0 /Users/bob/Library/Caches/Metadata/Safari/History/http:%2F%2Fgoogle.com%2F.webhistory Safari 8075983663 2008 Jan 10 21:33:18 501 1153 18 0 /Users/bob/Library/Caches/Metadata/Safari/History/http:%2F%2Fwww.google.com%2F.webhistory Safari 8075984521 2008 Jan 10 21:33:18 501 1153 18 0 /Users/bob/Library/Caches/Metadata/Safari/History/.tracked filenames.plist Safari 8075980917 2008 Jan 10 21:33:18 501 1153 18 0 /.vol/234881026/713654 Safari 8077969298 2008 Jan 10 21:33:19 501 1153 18 0 /Users/bob/Library/Safari/.dat0481.441 Safari 8077966383 2008 Jan 10 21:33:19 501 1153 18 0 /Users/bob/Library/Safari/.dat0481.440 Safari 8080982146 2008 Jan 10 21:33:23 501 1153 18 0 /Users/bob/Library/Safari/lock/.dat0481.442 Safari 8080983115 2008 Jan 10 21:33:23 501 1153 18 0 /Users/bob/Library/Safari/lock/details.plist Safari 8081191826 2008 Jan 10 21:33:23 501 1153 18 0 /Users/bob/Library/Safari/lock/details.plist Safari 8081192743 2008 Jan 10 21:33:23 501 1153 18 0 /Users/bob/Library/Safari/lock Safari 8081193635 2008 Jan 10 21:33:23 501 1153 18 0 /Users/bob/Library/Safari/.de0481.443 Safari
The extra fields are the Unix-coded time, the translated timestamp, the error code (if any) and the file being accessed. This is a more verbose listing, but we will not see any file data from application other than Safari. You can substitute “Adium” or “Finder”, etc for “Safari” on the command line and I’ve included
SnoopFirefox.app within the archive.
Hopefully, you are beginning to see the power of this small utility.While there are many options for you to explore within
opensnoop, one of the more interesting ones is the “
-x” flag, which only displays the failed opens (I’ve included
SnoopFailed.app in the archive as well). It’s always good to peek at what applications are looking for but cannot find, especially if you are having trouble with your system or a particular application.I’m working on a more generic GUI front-end to
opensnoop and will let you know when I have something worth sharing.
These apps were all built with the extremely useful Platypus tool (which is in my developer folder once again post-Leopard install). If there’s a particular “snoop” app you’d like me to whip up, drop a note in the comments and I’ll do my best to crank’em out (I’ll post the other apps either on my .Mac iDisk or my personal site).