peekfd

peekfd [options] pid [fd...]

peekfd attaches to a running process using ptrace and prints the bytes it reads from and writes to the specified file descriptors. It can be used to spy on stdin/stdout/stderr or on arbitrary open files and sockets without restarting the process.By default every tracked fd is shown, with a header preceding each chunk of data that identifies the pid and fd. The -8, -n, -d, and -c flags tune formatting and child-process handling.

PID

Process ID to monitor (required).

One or more file descriptor numbers to restrict output to (e.g. 0, 1, 2). If omitted, all fds are shown.

Do no post-processing on the bytes being read or written. Output is raw binary.

Do not display headers that indicate the source (pid/fd) of the dumped bytes.

Also dump file-descriptor activity in any child processes created by the target.

Remove duplicate read/writes from the output. Useful when watching a terminal with local echo enabled.

Display version information.

Display help information.

Part of psmisc. Requires kernel ptrace support and sufficient privileges (usually the same user or CAPSYSPTRACE; distros with Yama may require disabling `ptrace_scope`). Very fast I/O bursts can lead to dropped bytes. Tracing slows the target process slightly.

peekfd ships with the psmisc package alongside utilities such as fuser, killall, and pstree. It was originally written by Trent Waddington.

strace(1), ltrace(1), lsof(1), fuser(1), pstree(1)