NAME¶

filegone - Trace why file gone (deleted or renamed). Uses Linux eBPF/bcc.

SYNOPSIS¶

filegone [-h] [-p PID]

DESCRIPTION¶

This traces why file gone/vanished, providing information on who deleted or renamed the file.

This works by tracing the kernel vfs_unlink() , vfs_rmdir() , vfs_rename functions.

Since this uses BPF, only the root user can use this tool.

REQUIREMENTS¶

CONFIG_BPF and bcc.

OPTIONS¶

-h: Print usage message.
-p PID: Trace this process ID only (filtered in-kernel).

EXAMPLES¶

Trace all file gone events: # filegone
Trace file gone events caused by PID 181:: # filegone -p 181

FIELDS¶

TIME: Time of the event.
PID: Process ID that renamed/deleted the file.
COMM: Process name for the PID.
ACTION: action on file: 'DELETE' or 'RENAME'
FILE: Filename.

OVERHEAD¶

This traces the kernel VFS file rename and delete functions and prints output for each event. As the rate of this is generally expected to be low (< 1000/s), the overhead is also expected to be negligible. This is from bcc.

: https://github.com/iovisor/bcc

Also look in the bcc distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.

OS¶

Linux

STABILITY¶

Unstable - in development.

AUTHOR¶

Curu Wong

Source file:	filegone-bpfcc.8.en.gz (from bpfcc-tools 0.31.0+ds-4)
Source last updated:	2024-10-02T13:57:45Z
Converted to HTML:	2024-10-21T18:51:11Z