Detailed Program Monitoring?

Discussion in 'OS X El Capitan (10.11)' started by Mork, Mar 11, 2016.

  1. Mork macrumors 6502

    Joined:
    Jan 9, 2009
    #1
    Is there a utility that will monitor everything a program does?

    For example, if you start a program and it creates a temp file and writes something to it, connects to a remote server, etc., I'd like to see those events. I'd like to know the path to the temp file and really get a dump on everything that program does.

    Not sure anything like this quite exists or if it does, I've never heard about it.

    Thanks in advance,

    m
     
  2. mag01 macrumors regular

    Joined:
    Apr 10, 2011
    #2
    Well, though it isn't some shiny GUI application for permanent background monitoring, whenever you're after this kind of information, DTrace is your friend. Check out the man page of the command line tool dtrace as well as some additional resources, especially those from Brendan Gregg.
    http://www.brendangregg.com/dtrace.html
    http://www.brendangregg.com/dtracetoolkit.html
    or many others - a few examples with some simple descriptions:
    https://opensourcehacker.com/2011/1...-applications-what-they-do-and-why-they-hang/
    https://blog.8thlight.com/colin-jones/2015/11/06/dtrace-even-better-than-strace-for-osx.html
    In your case you'd be looking for syscall information - open*, write*, close*, connect* and a few others.

    There's also a GUI tool for DTrace included in Xcode. It's called Instruments.

    Note that SIP may prevent you from attaching to processes of some programs. In that case you'll get a message like:
    "dtrace: failed to grab pid NNN: the current security restriction (rootless enabled) prevent dtrace from attaching to an executable not signed with the [com.apple.security.get-task-allow] entitlement"
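
As an added example (not part of either post above), here is a D script that traces the syscall families mentioned in the reply (open*, write*, close*, connect*) for a single process. The file name `progwatch.d` is hypothetical, and the `_nocancel` probe names and the BSD sockaddr byte layout are assumptions about the macOS syscall provider; the SIP restriction quoted above still applies to the target process.

```dtrace
#!/usr/sbin/dtrace -s
/* progwatch.d (hypothetical name): sudo dtrace -s progwatch.d -p PID
 * or, to launch the program under tracing: sudo dtrace -s progwatch.d -c ./prog */
#pragma D option quiet

/* open*: save the path pointer at entry, print it with the result at return */
syscall::open:entry, syscall::open_nocancel:entry
/pid == $target/
{
    self->path = arg0;
}

syscall::open:return, syscall::open_nocancel:return
/self->path/
{
    printf("open    %s -> fd=%d errno=%d\n", copyinstr(self->path), (int)arg1, errno);
    self->path = 0;
}

/* write*: arg0 is the descriptor, arg2 the requested byte count */
syscall::write:entry, syscall::write_nocancel:entry
/pid == $target/
{
    printf("write   fd=%d bytes=%d\n", (int)arg0, (int)arg2);
}

syscall::close:entry, syscall::close_nocancel:entry
/pid == $target/
{
    printf("close   fd=%d\n", (int)arg0);
}

/* connect*: arg1 points to a sockaddr; assumed layout [0]=len [1]=family [2..3]=port [4..7]=IPv4 */
syscall::connect:entry, syscall::connect_nocancel:entry
/pid == $target/
{
    this->p = (uint8_t *)copyin(arg1, 2);
    this->fam = this->p[1];
    printf("connect fd=%d family=%d\n", (int)arg0, this->fam);
}

/* Family 2 is AF_INET: decode the IPv4 address and port from the raw bytes */
syscall::connect:entry, syscall::connect_nocancel:entry
/pid == $target && this->fam == 2/
{
    this->sa = (uint8_t *)copyin(arg1, 8);
    printf("        -> %d.%d.%d.%d:%d\n", this->sa[4], this->sa[5], this->sa[6],
        this->sa[7], (this->sa[2] << 8) | this->sa[3]);
}
```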
     
