[CentOS] Finding wich files a writen to

Thu May 5 01:01:20 UTC 2011
Marian Marinov <mm at yuhu.biz>

On Wednesday 04 May 2011 21:01:03 Jorge Fábregas wrote:
> On 05/04/2011 12:17 PM, Nicolas Ross wrote:
> > iotop can points me to wich process, but that doesn't points me to what
> > files are the culprits...
> A rough way would be to change to the top-level directory where you
> suspect the files are being written and perform:
> find . -type f -mmin -1     (that would search for all files modified
> within the last minute)
> A more elegant way would be:
> lsof -p PID  (where PID is the process ID...of the process iotop showed
> you)

Just out of curiosity I decided to write a simple script which checks all the 
files from all pids on the system.

Here is what I got:

The idea is to read all the /proc/PID/fdinfo/ files and check the difference in 
the pos lines (the position in the file descriptor). This is both write and 
read position depending on how the application has opened the file.
So in the end it lists all pids and the respective FDs which have changes:

hackman at gamelon:~$ sudo ./read_fds.pl 4
Pid: 14229 Position change:         22 blocks FD:   4(/home/hackman/f2.tst)
Pid: 14229 Position change:         12 blocks FD:   3(/home/hackman/f1.tst)

The argument to the script is the sleep between the two checks. 
I have tested the script on a few production servers... It works as a charm :)

Thank you for the good question... now I have one good tool in my arsenal :)

Best regards,
Marian Marinov
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.centos.org/pipermail/centos/attachments/20110505/fb98491c/attachment-0005.sig>