13

I want to know what happens behind the screen when I open some application. For example, when I open firefox, I want to know which files are read and which are executed. Is there any way to do this. Even opening firefox from terminal doesn't show any information. OS:Ubuntu 12.04

sierrasdetandil
  • 2,671
  • 1
  • 25
  • 25
nitishch
  • 705

2 Answers2

22

Use strace!

Example: List all files opened by Firefox during a session:

strace -f firefox 2>&1 | grep 'open('

Results in something like this if you open a second instance of FireFox: http://pastebin.com/iRqxgiWN (The '-f' option just makes strace follow process forks.)

Example 2: List all processes executed by FireFox:

strace -f firefox 2>&1 | grep -P 'exec[vlpe]*\('

Results in something like this when visiting YouTube:

[pid 25020] execve("/usr/lib/firefox/plugin-container", ["/usr/lib/firefox/plugin-containe"..., "/usr/lib/adobe-flashplugin/libfl"..., "-greomni", "/usr/lib/firefox/omni.ja", "-appomni", "/usr/lib/firefox/browser/omni.ja", "-appdir", "/usr/lib/firefox/browser", "15198", "false", "plugin"], [/* 57 vars */]) = 0
[pid 25024] execve("/bin/sh", ["sh", "-c", "ps x | grep netscape"], [/* 57 vars */]) = 0
[pid 25025] execve("/bin/ps", ["ps", "x"], [/* 57 vars */] <unfinished ...>
[pid 25026] execve("/bin/grep", ["grep", "netscape"], [/* 57 vars */]) = 0

You can do this with many other system calls as well...

By matching the parameters of open() in your grep search you can also find out in which mode the file has been opened:

Just add | grep -P 'O_RDONLY|O_RDWR' (the leading pipe character is important!) to filter read access or | grep -P 'O_WRONLY|O_RDWR' for write access to your command...

EDIT:

As was mentioned in the comments you can also use strace -fe open firefox to list all files opened by FireFox. You can also use strace -fe trace=file firefox to list all file operations done by FireFox that have a file path as an argument (open, stat, lstat, chmod, access, ...).

Many more are available! Check out the strace(1) manual page.

Cristian Ciupitu
  • 165
  • 1
  • 16
ntninja
  • 726
  • 1
    I am rather surprised that firefox would run a shell to grep "netscape" from the process list. – Michael Sep 03 '13 at 17:01
  • 1
    strace has extensive built-in filtering capabilities. Try strace -e open to show only calls to open(), for example. – John Kugelman Sep 03 '13 at 18:54
  • @Michael it spawns a shell because it uses a pipe ("|") which is shell syntax. You can set up the same pipe manually from code but it is much easier to let a shell do it - as long as you know there's no chance of shell escape codes being passed through from the user, which can lead to security vulnerabilities. – Alistair Buxton Sep 04 '13 at 01:12
1

actually there is mode named as verbose mode but I am not sure that firefox have such option.some usually have that. But no problem , every application will consists of its log.so you can check the application activity by checking its log data.

If you want to enable the log for firefox then you might check this

http://bertrandbenoit.blogspot.in/2011/09/activate-logging-for-mozilla.html

every application activity in Ubuntu you can check with their specific logs.all the applications will log at the /var/log directory.

Raja G
  • 102,391
  • 106
  • 255
  • 328