February 07, 2012
fatrace - report system wide file access events
fatrace [ OPTIONS ]
fatrace reports file access events from all running processes.
It does not report file access by fatrace itself, to avoid logging events caused by writing the output into a file. It also ignores events on virtual and kernel file systems such as sysfs, proc, and devtmpfs.
Its main purpose is to find processes which keep waking up the disk unnecessarily and thus prevent some power saving.
By default, events are reported to stdout. This will cause some loops if you run this tool in e.g. gnome-terminal, as this causes a disk access for every output line. To avoid this, redirect the output into a file.
A typical event looks like
The line has the following fields:
o  Process name. This is read from /proc/pid/comm, and might be abbreviated for long process names.
o  Event type: Open, Read, Write, Close. Events on directories are + (create), Delete, < (moved from), or > (moved to). Combinations are possible, such as CW for closing a written file, or <> for renaming a file within the same directory. Directory events can only be detected on Linux 5.1 or higher.
o  Affected file. In some cases the path and name cannot be determined, e.g. because it is a temporary file which is already deleted. In that case, it prints the device's major and minor numbers and the inode number. To examine such a process in more detail, you should consider using strace(1).
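
An added example (not part of the fatrace documentation): a parser for fatrace output that decodes the event letters listed above, including combinations and the case where only device and inode numbers are printed, and counts writes per process. The `comm(pid): TYPES target` line layout, the `device M:m inode N` wording, and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Event letters as listed in the field description above.
EVENT_NAMES = {"O": "open", "R": "read", "W": "write", "C": "close",
               "+": "create", "D": "delete", "<": "moved_from", ">": "moved_to"}

# Assumed layout: "[timestamp ]comm(pid): TYPES target".
# comm is at most 15 characters and is set by the process itself, so treat
# it as untrusted and key any correlation on the pid.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d+(?::\d+:\d+)?\.\d+)\s+)?"
    r"(?P<comm>.{1,15}?)\((?P<pid>\d+)\):\s+"
    r"(?P<types>[ORWCD+<>]+)\s+(?P<target>.+)$")
# Assumed wording when the path could not be determined.
DEVICE_RE = re.compile(r"^device (\d+):(\d+) inode (\d+)$")

def parse_line(line):
    """Return a dict for one event line, or None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    dev = DEVICE_RE.match(m["target"])
    return {
        "ts": m["ts"], "comm": m["comm"], "pid": int(m["pid"]),
        "events": [EVENT_NAMES[c] for c in m["types"]],
        "path": None if dev else m["target"],
        "device": tuple(map(int, dev.groups())) if dev else None,
    }

def writers(lines):
    """Count events that include a write, per (pid, comm), busiest first."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and "write" in ev["events"]:
            counts[(ev["pid"], ev["comm"])] += 1
    return counts.most_common()

# Constructed sample lines, not captured from a real system.
SAMPLE = """\
rsyslogd(967): W /var/log/auth.log
12:01:07.004211 Web Content(4312): CW /home/u/.cache/x (1).tmp
compiz(1971): O device 8:2 inode 658203
mv(5120): <> /srv/data
rsyslogd(967): W /var/log/syslog
not a fatrace line
""".splitlines()

if __name__ == "__main__":
    print(writers(SAMPLE))
```
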
    Only record events on partition/mount of current directory. Without this option, all (real) partitions/mount points are being watched.
-o FILE, --output=FILE
    Write events to given file instead of standard output.
-s SECONDS, --seconds=SECONDS
    Stop after the given number of seconds.
    Add timestamp to events. When this option is given once, the format will be a human readable hour:minute:second.microsecond; when given twice, the timestamp is printed as seconds/microseconds since the epoch.
-p PID, --ignore-pid=PID
    Ignore events for this process ID. Can be specified multiple times.
-f TYPES, --filter=TYPES
    Show only the given event types. TYPES is a list of C, R, O, W, D, +, or < with the above meanings. < and > both mean "move" and will always enable both directions. E.g. use --filter=OC to only show open and close events.
-C COMMAND, --command=COMMAND
    Show only events for this command.
-h, --help
    Print help and exit.
fatrace is developed by Martin Pitt <martin.pitt>.