Re: How to Identify a "Phantom" Write Operation
Re: How to Identify a "Phantom" Write Operation
- Subject: Re: How to Identify a "Phantom" Write Operation
- From: Todd Heberlein <email@hidden>
- Date: Tue, 04 Sep 2012 16:42:27 -0700
On Sep 4, 2012, at 3:17 PM, douglas welton <email@hidden> wrote:
> My question: Is there another way to check for writes to the user-selected source file?
You can use Apple's BSM audit trails. It will show all attempted reads and writes and gobs of other things by your process.
I have some information about it here:
http://www.netsq.com/Tools/AuditViewer/Docs/index.php?section=Overview
BSM is a little tough to get going, but it has a wealth of information. I have tools available, but to solve just this one problem, I would recommend you use Apple's built-in command-line tools auditreduce and praudit.
For example, after you set up BSM to record everything,
1) run your program,
2) identify the process ID for your program (e.g., using the ps command),
3) quit your program
4) close out the audit trail file (e.g., "audit -n" command)
5) use auditreduce to slice the audit records for just your process and praudit to print them.
E.g., suppose the audit trail file for your experiment is
/var/audit/20120711142107.20120712023641
and your process ID for your program was 7534. Then you can get all the audit records for your program with
$ sudo auditreduce -j 7534 /var/audit/20120711142107.20120712023641 | praudit > proc.7534.txt
Then just open of proc.7534.txt to look at each audit record. You'll probably want to search for the string for file names of interest.
Todd
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden