| FILEMON(4) | Device Drivers Manual | FILEMON(4) | 
filemon —
pseudo-device filemon
filemon is not built-in to the
  kernel, and a call to open /dev/filemon will auto-load
  the filemon module (see
  module(7) for more details).
(Although not recommended, the filemon
    facility can be included in a kernel build by adding
pseudo-device filemon
to the kernel configuration file.)
filemon provides a means for tracking the
    successful system calls performed by a process and its descendants. It is
    used by make(1) to track the
    activities of build scripts, for the purpose of automatically learning
    dependencies.
The data captured by filemon for the
    script
n=`wc -l /etc/motd`; echo "int motd_lines = $n;" > foo.h.new cmp -s foo.h foo.h.new 2> /dev/null || mv foo.h.new foo.h
looks like:
# filemon version 4 # Target pid 24291 V 4 E 29676 /bin/sh R 29676 /etc/ld.so.conf R 29676 /lib/libedit.so.2 R 29676 /lib/libterminfo.so.1 R 29676 /lib/libc.so.12 F 29676 4899 E 4899 /usr/bin/wc R 4899 /etc/ld.so.conf R 4899 /usr/lib/libc.so.12 R 4899 /etc/motd X 4899 0 W 29676 foo.h.new X 29676 0 # Bye bye E 3250 /bin/sh R 3250 /etc/ld.so.conf R 3250 /lib/libedit.so.2 R 3250 /lib/libterminfo.so.1 R 3250 /lib/libc.so.12 W 26673 /dev/null E 26673 /usr/bin/cmp R 26673 /etc/ld.so.conf R 26673 /usr/lib/libc.so.12 X 26673 2 E 576 /bin/mv R 576 /etc/ld.so.conf R 576 /lib/libc.so.12 M 576 'foo.h.new' 'foo.h' X 576 0 X 3250 0 # Bye bye
Most records follow the format:
type pid data
where type is one of the list below, and unless otherwise specified, data is a pathname.
CDEFLMRWXVfilemon.A filemon instance is created by opening
    /dev/filemon. Then use
    ioctl(filemon_fd,
    FILEMON_SET_PID, &pid) to
    identify the target process to monitor, and
    ioctl(filemon_fd,
    FILEMON_SET_FD, &output_fd)
    to direct the event log to an already-opened output file.
/dev/filemon
filemon:
#include <filemon.h>
pid_t pid;
int filemon_fd, temp_fd;
int status;
filemon_fd = open("/dev/filemon", O_RDWR);
temp_fd = mkstemp("/tmp/filemon.XXXXXXX");
/* give filemon the temp file to use */
ioctl(filemon_fd, FILEMON_SET_FD, &temp_fd);
/* children do not need these once they exec */
fcntl(filemon_fd, F_SETFD, FD_CLOEXEC);
fcntl(temp_fd, F_SETFD, FD_CLOEXEC);
pid = fork();
switch(pid) {
 case -1:
     err(1, "cannot fork");
     break;
 case 0:
     pid = getpid();
     /* tell filemon to monitor this process */
     ioctl(filemon_fd, FILEMON_SET_PID, &pid);
     execvp(...);
     _exit(1);
     break;
 default:
     status = wait();
     close(filemon_fd);
     lseek(temp_fd, SEEK_SET, 0);
     /* read the captured syscalls from temp_fd */
     close(temp_fd);
     break;
}
The output of filemon is intended to be
    simple to parse. It is possible to achieve almost equivalent results with
    dtrace(1) though on many
    systems this requires elevated privileges. Also,
    ktrace(1) can capture similar
    data, but records failed system calls as well as successful, and is thus
    more complex to post-process.
filemon was contributed by Juniper Networks.
filemon will continue to report events for the new
  process (and its descendants) without any authorization checks.
Monitoring of a process enables the target process to write to the tracking process's file descriptor.
filemon facility can only be used to track processes
  running in the system's native emulation. Neither processes using any of the
  COMPAT_xxx compatibility layers nor any descendants of
  such processes can be tracked.
If two processes are monitored, and one is a descendant of the
    other, events related to the descendant process and its further descendants
    are delivered only to the descendant process's monitor. If a process is
    being monitored by two instances of filemon, events
    will be delivered only to the first instance created (when
    /dev/filemon was opened), regardless of the order in
    which the monitoring processes called
    ioctl(fd,
    FILEMON_SET_PID, pid).
| January 6, 2016 | NetBSD 9.4 |