fatrace
Trace file system activity
TLDR
Print file access events in all mounted filesystems to stdout
Print file access events on the mount of the current directory, with timestamps, to stdout
SYNOPSIS
fatrace [options] [command]
PARAMETERS
-c
Show close events.
-r
Show read events.
-w
Show write events.
-d
Show directory events.
-f file
Write output to file instead of standard output.
-t
Show timestamps.
-p pid
Trace only process with specified pid.
-P
Trace all processes (system-wide).
-q
Be quiet; suppress per-event messages.
-V
Show version.
-h
Show help message.
[command]
Execute command and trace its file activity. If no command is provided, fatrace traces system-wide.
DESCRIPTION
fatrace is a Linux utility that monitors and reports real-time file system access events. It intercepts system calls related to file operations, providing insights into which processes are opening, reading, writing, and closing files. This makes it a valuable tool for debugging performance issues, understanding application behavior, and identifying potential bottlenecks.
fatrace operates by tracing system calls, presenting a dynamic log of file access patterns, showing process IDs (PIDs), timestamps, and the files involved. Its lightweight nature minimizes the impact on system performance, making it suitable for both development and production environments. It can be used to monitor all processes or target specific processes by PID. The output can be filtered using external tools such as grep to focus on files of interest.
It helps in understanding I/O patterns and identifying the cause of delays related to file I/O.
CAVEATS
fatrace requires root privileges to trace system-wide activity. It may also generate a significant amount of output, potentially impacting performance if not used judiciously. Be aware that the output can be verbose, and filtering might be necessary for practical analysis.
Events are captured via system calls, so fatrace only shows accesses made that way.
INTERPRETING OUTPUT
The output of fatrace typically includes the PID, timestamp, type of operation (e.g., open, read, write, close), and the file path. Understanding these fields allows you to correlate file access events with specific processes and their behavior.
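The fields above can be turned into a per-process report of who touched watched files. This is an added example, not code from this page or the fatrace project. It assumes each event line has the form `[timestamp ]command(pid): TYPES /path` with single-letter event codes (O open, R read, W write, C close); the watch list, allowlist and sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed layout: "[timestamp ]comm(pid): TYPES /path" (O=open R=read W=write C=close).
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d[\d:.]*)\s+)?(?P<comm>.+?)\((?P<pid>\d+)\):\s+"
    r"(?P<types>[A-Z+<>]+)\s+(?P<path>/.*)$"
)
WATCHED = ("/etc/shadow", "/etc/sudoers.d", "/root/.ssh")  # constructed watch list
# Constructed allowlist. A process can rename itself, so treat comm as a hint only.
ALLOWED_COMMS = {"sshd"}

# Constructed sample lines, not captured from a real system.
SAMPLE = """\
10:42:01.120394 sshd(812): O /etc/shadow
10:42:01.120871 sshd(812): RC /etc/shadow
10:42:03.554120 python3(4411): O /etc/shadow
10:42:03.554602 python3(4411): R /etc/shadow
10:42:03.601233 python3(4411): CW /root/.ssh/authorized_keys
10:42:04.000101 rsyslogd(640): W /var/log/auth.log
cat(4500): RO /etc/sudoers.d/ops
-- constructed malformed line --
""".splitlines()

def parse_line(line):
    """Return a dict for one event line, or None if the line is not an event."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": m["ts"], "comm": m["comm"], "pid": int(m["pid"]),
            "types": set(m["types"]), "path": m["path"]}

def is_watched(path, watched=WATCHED):
    """Match a watched file exactly or anything below a watched directory."""
    return any(path == w or path.startswith(w.rstrip("/") + "/") for w in watched)

def sensitive_access(lines, watched=WATCHED, allow=ALLOWED_COMMS):
    """Return ({(comm, pid): {path: event types}}, count of unparsed lines)."""
    hits, skipped = defaultdict(lambda: defaultdict(set)), 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            skipped += 1
        elif ev["comm"] not in allow and is_watched(ev["path"], watched):
            hits[(ev["comm"], ev["pid"])][ev["path"]] |= ev["types"]
    return {k: dict(v) for k, v in hits.items()}, skipped

if __name__ == "__main__":
    found, skipped = sensitive_access(SAMPLE)
    for (comm, pid), paths in found.items():
        for path, types in sorted(paths.items()):
            print(f"{comm}({pid}) {''.join(sorted(types))} {path}")
    print(f"unparsed lines: {skipped}")
```

Counting unparsed lines rather than dropping them silently shows when the assumed line layout does not match the fatrace version in use.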
SECURITY CONSIDERATIONS
When tracing system-wide file access, be mindful of the sensitive information that might be exposed. Do not run fatrace without proper authorization in environments where sensitive data is being processed.
HISTORY
fatrace was designed to be a lightweight alternative to more comprehensive tracing tools like strace, focusing specifically on file access patterns.
Its use became widespread for tasks such as debugging file system performance and understanding the I/O behavior of applications. Development has focused on improving performance and adding features such as timestamps and filtering capabilities.