Not taking anything away from the worth of this tool but if you do happen to find yourself needing to quickly inspect which files a process has open you can do so using the /proc file system:<p><pre><code> ls -l /proc/$PID/fd/
</code></pre>
Additionally you can also use the /proc file system to display where the cursor is in those files by outputting the contents of<p><pre><code> /proc/$PID/fdinfo/$FD
</code></pre>
which is handy if you have a long running process but forgot to pipe it into `pv` (or any other long running ingest that lacks a progress UI)<p>(Both tricks are Linux only)
biotop and biolatency surface similar info. they come with a ton of other ridiculously awesome tools in BCC tools. they are a set of python wrapper scripts that run eBPF programs. using eBPF generally has a really low impact on performance when compared with other tools that do similar work.<p><a href="https://github.com/iovisor/bcc" rel="nofollow">https://github.com/iovisor/bcc</a>
How is this different from using something like,<p>`strace -e trace=file`<p>I see that you are using ptrace to monitor a process. That is also used by strace. Is there something else your application does that strace does not (In relation to files)?
Just a heads up (<i>read: shameless plug</i>), there's an AUR package:<p><a href="https://aur.archlinux.org/packages/whatfiles-git/" rel="nofollow">https://aur.archlinux.org/packages/whatfiles-git/</a>
For doing the opposite - what processes access a given file - I like to use Audit (<a href="https://wiki.archlinux.org/index.php/Audit_framework#Audit_files_and_directories_access" rel="nofollow">https://wiki.archlinux.org/index.php/Audit_framework#Audit_f...</a>).
This looks very similar to <i>fatrace</i>, which is already in the standard ubuntu and fedora repos.<p><i>edit: fatrace is system-wide, whereas the current tools monitors a specific process</i><p><a href="http://manpages.ubuntu.com/manpages/trusty/man1/fatrace.1.html" rel="nofollow">http://manpages.ubuntu.com/manpages/trusty/man1/fatrace.1.ht...</a><p><a href="https://piware.de/2012/02/fatrace-report-system-wide-file-access-events/" rel="nofollow">https://piware.de/2012/02/fatrace-report-system-wide-file-ac...</a>
Lots more such tools at <a href="https://jvns.ca/debugging-zine.pdf" rel="nofollow">https://jvns.ca/debugging-zine.pdf</a> (opensnoop-bpfcc and strace would be the most like this one)
BTW, if you are using strace for this, check out the -y option recently added to strace. It will print the filename next to each file descriptor like this:<p><pre><code> read(3</proc/filesystems>, "", 1024) = 0
</code></pre>
Another interesting new strace option is -k which does a stack dump after each syscall. this can be useful to find out what part of the application, like some obscure lib, does weird system calls in your app.
Can it be invoked recursively?<p>Because strace on Linux still fails with:<p><pre><code> strace: ptrace(PTRACE_TRACEME, ...): Operation not permitted
</code></pre>
in those cases :(