
Hidden Gems In Leopard: OpenSnoop

I have a confession to make: I have not always been a Mac person. For the period of time between the retirement of System 9 and Panther (yes, it took Apple showing a real commitment to Unix for me to give them a shot again), I abandoned our fine operating system for greener pastures, well, green screen at least. Work drove me into Windows (as it has for about 90% of the workers out there) but my real outlet was anything Linux, BSD or Solaris-related. There was nary a distro that did not cross my hard drive (virtual or otherwise) and I was very happy programming, scripting and living life on the command line, with an occasional, lingering trip into X11 when necessary.

OS X changed all that, since Apple managed to make Unix look very good while keeping all of the real power that lies beneath the GUI. Now, one may be able to argue the aesthetics of Leopard (hey, Panic should be happy, it took Leopard to finally drive me into purchasing CandyBar), but none can dispute the gems that await those who dare to invoke the Terminal, and I’ll be taking the opportunity over some of the coming posts to dwell on the nuggets that bear a deeper look. For those that are not as comfortable with the more textual side of their systems, I’ll be making these trips as painless as possible (you may not need to delve into the Utilities folder to find the Terminal icon at all).

The first stop is a little utility called opensnoop. Leopard ships with something called DTrace that gives developers and administrators the ability to take a peek at what all running code is doing in a flexible and dynamic way. Giving DTrace the coverage it deserves is beyond a simple blog post, but there are some smaller utilities – like opensnoop – that take advantage of the power of DTrace on a more targeted scale, and those are worthy of a minor exposition. The main purpose of the opensnoop utility is to provide a report of file opens as they occur. Curious as to what really happens when Safari opens a web page? Want to see what files are accessed by that latest program you downloaded? You can find the answers with opensnoop.

If you can get to a terminal prompt, the simplest way to see what this utility does is to just type:

sudo opensnoop 

Non-Terminal folks can just run the OpenSnoop.app application from the OpenSnoop App Archive (354KB ZIP file). (Either way, you’ll be asked to enter your password since opensnoop requires higher-level privileges to run.)

Output will look something like the following, though your listing contents should be very different:

UID    PID COMM            FD PATH 
501    286 SystemUIServer  17 /System/Library/CoreServices/Menu Extras/Spaces.menu/Contents/Resources/SpacesBackground.pdf
501    218 Finder          11 /.vol/234881026/571978
501    286 SystemUIServer  17 /System/Library/CoreServices/Menu Extras/Spaces.menu/Contents/Resources/SpacesBackground.pdf
501    286 SystemUIServer  17 /System/Library/CoreServices/Menu Extras/Spaces.menu/Contents/Resources/SpacesBackground.pdf
0      110 WindowServer     4 /var/log/windowserver.log 
0      110 WindowServer     4 /var/log/windowserver.log 
501    286 SystemUIServer  17 /System/Library/CoreServices/Menu Extras/Spaces.menu/Contents/Resources/SpacesBackground.pdf

For each line:

  • UID is the numerical ID of the owner of the program that has the file open.
  • PID is the process ID of the program that has the file open.
  • COMM is the actual name of the process (this is something we care about).
  • FD is the numerical file descriptor (ID) of the file being accessed.
  • PATH is the full OS X path to the file being accessed (this is also something we care about).

The sample output is what occurred when I switched to/from Spaces 1 & 3. Just that simple case shows how interesting opensnoop can be since we see that the SystemUIServer and WindowServer were both invoked when I worked just a little bit with Spaces and that SpacesBackground.pdf was loaded from one of the Spaces app bundles.

While this is useful in-and-of itself, we can use opensnoop for more targeted and detailed inspection. The following command:

sudo opensnoop -avgn Safari

(Non-Terminal users can run the SnoopSafari.app from the archive)

Produces the following output when I tell it to go to google.com:

TIME           STRTIME                UID    PID  FD ERR PATH                 ARGS
8071248908     2008 Jan 10 21:33:13   501   1153  17   0 /Users/bob/Library/Caches/com.apple.Safari/Cache.db-journal Safari
8071249029     2008 Jan 10 21:33:13   501   1153  18   0 /Users/bob/Library/Caches/com.apple.Safari Safari
8071249636     2008 Jan 10 21:33:13   501   1153  24   0 /var/tmp/etilqs_rjFUOz2TEh7AaoG Safari
8075981916     2008 Jan 10 21:33:18   501   1153  18   0 /Users/bob/Library/Caches/Metadata/Safari/History/.tracked filenames.plist Safari
8075982865     2008 Jan 10 21:33:18   501   1153  18   0 /Users/bob/Library/Caches/Metadata/Safari/History/http:%2F%2Fgoogle.com%2F.webhistory Safari
8075983663     2008 Jan 10 21:33:18   501   1153  18   0 /Users/bob/Library/Caches/Metadata/Safari/History/http:%2F%2Fwww.google.com%2F.webhistory Safari
8075984521     2008 Jan 10 21:33:18   501   1153  18   0 /Users/bob/Library/Caches/Metadata/Safari/History/.tracked filenames.plist Safari
8075980917     2008 Jan 10 21:33:18   501   1153  18   0 /.vol/234881026/713654 Safari
8077969298     2008 Jan 10 21:33:19   501   1153  18   0 /Users/bob/Library/Safari/.dat0481.441 Safari
8077966383     2008 Jan 10 21:33:19   501   1153  18   0 /Users/bob/Library/Safari/.dat0481.440 Safari
8080982146     2008 Jan 10 21:33:23   501   1153  18   0 /Users/bob/Library/Safari/lock/.dat0481.442 Safari
8080983115     2008 Jan 10 21:33:23   501   1153  18   0 /Users/bob/Library/Safari/lock/details.plist Safari
8081191826     2008 Jan 10 21:33:23   501   1153  18   0 /Users/bob/Library/Safari/lock/details.plist Safari
8081192743     2008 Jan 10 21:33:23   501   1153  18   0 /Users/bob/Library/Safari/lock Safari
8081193635     2008 Jan 10 21:33:23   501   1153  18   0 /Users/bob/Library/Safari/.de0481.443 Safari

The extra fields are the Unix-coded time, the translated timestamp, the error code (if any) and the file being accessed. This is a more verbose listing, but we will not see any file data from applications other than Safari. You can substitute “Adium” or “Finder”, etc. for “Safari” on the command line, and I’ve included SnoopAdium.app, SnoopFinder.app and SnoopFirefox.app within the archive.

Hopefully, you are beginning to see the power of this small utility. While there are many options for you to explore within opensnoop, one of the more interesting ones is the “-x” flag, which only displays the failed opens (I’ve included SnoopFailed.app in the archive as well). It’s always good to peek at what applications are looking for but cannot find, especially if you are having trouble with your system or a particular application. I’m working on a more generic GUI front-end to opensnoop and will let you know when I have something worth sharing.
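As an added example (not from the post, and not part of opensnoop itself), here is a small Python parser for the two output layouts shown above that copes with paths containing spaces, groups distinct paths by process and pulls out the failed opens that the “-x” flag would report. The sample lines are constructed, and COMM and ARGS are assumed to be single tokens, as they are in the listings above.

```python
import re
from collections import defaultdict

# Constructed samples (not from the post) in the two layouts shown above; one
# failed open (FD -1, ERR 2 = ENOENT) is included to exercise what -x reports.
SAMPLE_DEFAULT = """\
UID    PID COMM            FD PATH
501    286 SystemUIServer  17 /System/Library/CoreServices/Menu Extras/Spaces.menu/Contents/Resources/SpacesBackground.pdf
0      110 WindowServer     4 /var/log/windowserver.log
"""
SAMPLE_VERBOSE = """\
TIME           STRTIME                UID    PID  FD ERR PATH                 ARGS
8071248908     2008 Jan 10 21:33:13   501   1153  17   0 /Users/bob/Library/Caches/com.apple.Safari/Cache.db-journal Safari
8075981916     2008 Jan 10 21:33:18   501   1153  18   0 /Users/bob/Library/Caches/Metadata/Safari/History/.tracked filenames.plist Safari
8075990000     2008 Jan 10 21:33:18   501   1153  -1   2 /Users/bob/Library/Safari/Missing.plist Safari
"""
# PATH may contain spaces, so the numeric columns are consumed first and PATH
# is matched lazily.  COMM/ARGS are assumed to be single tokens (true above).
DEFAULT_RE = re.compile(r"^(?P<uid>\d+)\s+(?P<pid>\d+)\s+(?P<comm>\S+)\s+(?P<fd>-?\d+)\s+(?P<path>.+?)\s*$")
VERBOSE_RE = re.compile(
    r"^(?P<time>\d+)\s+(?P<strtime>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<uid>\d+)\s+(?P<pid>\d+)\s+(?P<fd>-?\d+)\s+(?P<err>\d+)\s+"
    r"(?P<path>.+?)\s+(?P<comm>\S+)\s*$")

def parse_opensnoop(text):
    """One dict per data line; header lines and unparsable lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("UID", "TIME")):
            continue
        m = VERBOSE_RE.match(line) or DEFAULT_RE.match(line)
        if m:
            rec = m.groupdict()
            for key in ("uid", "pid", "fd"):
                rec[key] = int(rec[key])
            rec["err"] = int(rec.get("err") or 0)  # default layout has no ERR
            records.append(rec)
    return records

def failed_opens(records):
    """Opens that returned an error (what -x shows), as (comm, path, errno)."""
    return [(r["comm"], r["path"], r["err"]) for r in records if r["err"]]

def paths_by_process(records):
    """Map each process name to the sorted set of distinct paths it touched."""
    seen = defaultdict(set)
    for r in records:
        seen[r["comm"]].add(r["path"])
    return {comm: sorted(paths) for comm, paths in seen.items()}
```

Pipe real output in with `sudo opensnoop -avgn Safari | python3 -c '...'` and the same functions apply; a path that legitimately ends in a space-separated token would still need the ARGS assumption revisited.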

These apps were all built with the extremely useful Platypus tool (which is in my developer folder once again after the Leopard install). If there’s a particular “snoop” app you’d like me to whip up, drop a note in the comments and I’ll do my best to crank ’em out (I’ll post the other apps either on my .Mac iDisk or my personal site).