filegone-bpfcc(8)

Trace why file gone (deleted or renamed). Uses Linux eBPF/bcc.

Section 8 bpfcc-tools bookworm source

Description

filegone

NAME

filegone - Trace why file gone (deleted or renamed). Uses Linux eBPF/bcc.

SYNOPSIS

filegone [-h] [-p PID]

DESCRIPTION

This traces why file gone/vanished, providing information on who deleted or renamed the file.

This works by tracing the kernel vfs_unlink() , vfs_rmdir() , vfs_rename functions.

Since this uses BPF, only the root user can use this tool.

REQUIREMENTS

CONFIG_BPF and bcc.

OPTIONS

-h

Print usage message.

-p PID

Trace this process ID only (filtered in-kernel).

EXAMPLES

Trace all file gone events

# filegone

Trace file gone events caused by PID 181:

# filegone -p 181

FIELDS

TIME

Time of the event.

PID

Process ID that renamed/deleted the file.

COMM

Process name for the PID.

ACTION

action on file: ’DELETE’ or ’RENAME’

FILE

Filename.

OVERHEAD

This traces the kernel VFS file rename and delete functions and prints output for each event. As the rate of this is generally expected to be low (< 1000/s), the overhead is also expected to be negligible. This is from bcc.

https://github.com/iovisor/bcc

Also look in the bcc distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.

OS

Linux

STABILITY

Unstable - in development.

AUTHOR

Curu Wong

SEE ALSO

filelife(8)

See Also

  • filelife(8)