| .TH filegone 8 "2022-11-18" "USER COMMANDS" |
| .SH NAME |
| filegone \- Trace why file gone (deleted or renamed). Uses Linux eBPF/bcc. |
| .SH SYNOPSIS |
| .B filegone [\-h] [\-p PID] |
| .SH DESCRIPTION |
| This traces why file gone/vanished, providing information on who deleted or |
| renamed the file. |
| |
| This works by tracing the kernel vfs_unlink() , vfs_rmdir() , vfs_rename |
| functions. |
| |
| Since this uses BPF, only the root user can use this tool. |
| .SH REQUIREMENTS |
| CONFIG_BPF and bcc. |
| .SH OPTIONS |
| .TP |
| \-h |
| Print usage message. |
| .TP |
| \-p PID |
| Trace this process ID only (filtered in-kernel). |
| .SH EXAMPLES |
| .TP |
| Trace all file gone events |
| # |
| .B filegone |
| .TP |
| Trace file gone events caused by PID 181: |
| # |
| .B filegone \-p 181 |
| .SH FIELDS |
| .TP |
| TIME |
| Time of the event. |
| .TP |
| PID |
| Process ID that renamed/deleted the file. |
| .TP |
| COMM |
| Process name for the PID. |
| .TP |
| ACTION |
| action on file: 'DELETE' or 'RENAME' |
| .TP |
| FILE |
| Filename. |
| .SH OVERHEAD |
| This traces the kernel VFS file rename and delete functions and prints output |
| for each event. As the rate of this is generally expected to be low |
| (< 1000/s), the overhead is also expected to be negligible. |
| This is from bcc. |
| .IP |
| https://github.com/iovisor/bcc |
| .PP |
| Also look in the bcc distribution for a companion _examples.txt file containing |
| example usage, output, and commentary for this tool. |
| .SH OS |
| Linux |
| .SH STABILITY |
| Unstable - in development. |
| .SH AUTHOR |
| Curu Wong |
| .SH SEE ALSO |
| filelife(8) |
