magnusviri

fs_usage

In my attempts to figure out some problems I've been having, I had to learn more about fs_usage. I don't see this information posted anywhere else, so here it is.

I usually use fs_usage like this.

fs_usage -w | grep /path

Or

fs_usage -w | egrep /.*process

To date, I've had no reason to care about system calls that don't involve files. Since I'm mostly interested in trying to figure out what Apple processes are doing, I have to throw a wide net and capture a multitude of processes, which is why I use grep instead of limiting to a process.

Running fs_usage generates a ton of data. It helps to understand the data a little bit so you know what you are looking for.

fs_usage statistics: System calls

I ran fs_usage while creating a user in System Preferences and I made a list of the most common system calls that showed up. Here's a description of them.

Here are the system calls that actually change something on disk.

Open Flags

The open system call changes files if it has the "W", "C", "A", or "T" flags. I had to read the fs_usage source code to find out exactly what flags the fs_usage letters meant. Here they are.

I'm pretty sure that when data is actually written to disk, you'll see something like this.

14:48:08.219356  WrData[A]  D=0x001ce0c4  B=0x1000  /dev/disk2s5  /path/to/file/.BC.T_w6qwGY  0.000272 W ditto.5145

Open Errors

A number in brackets ("[ 2]") means there was an error when the syscall ran. Here is a list of the error numbers, and this has a description of most errors (the other errors I had to look up in Apple's GitHub repository). Here are the errors I saw when running fs_usage.

An example of a "file (or directory) doesn't exist" error.

14:48:07.350811  stat64  [  2]  /Users/test  0.000034   com.apple.preferences.users.remo.4460

Sometimes there was a negative number in brackets that appeared right before the path. I don't know what that meant.

14:48:08.148395  mkdirat  [-2]//Users/test  0.000064  DirectoryTools.5135

This example includes a "file doesn't exist" error as well.

14:48:08.152561  fstatat64  [  2]  [-2]//Users/test/Music/.BC.T_dJrTAJ  0.000004  ditto.5138

processname.thread

The number following the process name is the thread number.
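To tie the pieces above together (the "[ 2]" errno column, the odd "[-2]" glued to the path, and the process.thread suffix), here is an added Python parser that is not part of the original post. Its regexes are my reading of the four -w lines quoted on this page, not fs_usage's own output grammar; the "W" marker before the process name is simply skipped, and paths containing spaces are not handled.

```python
from __future__ import annotations
import errno
import re
from dataclasses import dataclass
# Sample input: the four output lines quoted in the post, not a fresh capture.
SAMPLE = """\
14:48:08.219356  WrData[A]  D=0x001ce0c4  B=0x1000  /dev/disk2s5  /path/to/file/.BC.T_w6qwGY  0.000272 W ditto.5145
14:48:07.350811  stat64  [  2]  /Users/test  0.000034   com.apple.preferences.users.remo.4460
14:48:08.148395  mkdirat  [-2]//Users/test  0.000064  DirectoryTools.5135
14:48:08.152561  fstatat64  [  2]  [-2]//Users/test/Music/.BC.T_dJrTAJ  0.000004  ditto.5138
"""
# Columns with -w: time, call, optional "[ errno]", call-specific detail,
# duration in seconds, an optional "W" marker, then process.thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6})\s+(?P<call>\S+)\s+(?:\[\s*(?P<err>\d+)\]\s*)?"
    r"(?P<detail>.*?)\s+(?P<dur>\d+\.\d{6})\s+(?:W\s+)?(?P<proc>.+?)\.(?P<tid>\d+)\s*$")
# The unexplained "[-2]" that is glued to the front of the path on some lines.
NEG_RE = re.compile(r"^\[(?P<neg>-\d+)\](?P<rest>.*)$")
@dataclass
class FsEvent:
    time: str
    call: str
    err: int | None       # errno from "[ 2]"; None when the call succeeded
    err_name: str | None  # symbolic name, e.g. ENOENT, from Python's errno table
    neg: int | None       # the bracketed negative number before the path, if any
    path: str             # last token of the detail column (paths with spaces not handled)
    duration: float
    process: str
    thread: int
    writes_disk: bool     # WrData lines are the ones that actually hit the disk

def parse_line(line: str) -> FsEvent | None:
    m = LINE_RE.match(line)
    if not m:
        return None
    err = int(m["err"]) if m["err"] else None
    detail, neg = m["detail"], None
    if n := NEG_RE.match(detail):
        neg, detail = int(n["neg"]), n["rest"]
    tokens = detail.split()
    return FsEvent(m["ts"], m["call"], err, errno.errorcode.get(err) if err is not None else None,
                   neg, tokens[-1] if tokens else "", float(m["dur"]), m["proc"],
                   int(m["tid"]), m["call"].startswith("WrData"))

def parse_fs_usage(text: str) -> list[FsEvent]:
    return [e for e in map(parse_line, text.splitlines()) if e]

# The grep-style filter from the post, applied to parsed fields instead of raw text.
def matching(events, path_substr="", process=""):
    return [e for e in events if path_substr in e.path and process in e.process]
```

Feed it `fs_usage -w` output captured to a file and `matching(parse_fs_usage(text), path_substr="/Users/test")` gives the same lines as the grep in the post, with the errno already resolved to its name.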

SIP

I'm pretty sure that some system calls are hidden from users unless they disable SIP. You'd mainly be interested in seeing these system calls if you're debugging Hackintoshes or reverse engineering other "protected" Apple processes like DRM.

opensnoop

This is part of dtrace. I've heard opensnoop is an alternative to fs_usage. I never learned how to use dtrace effectively so I can't help you with this. I think opensnoop (and dtrace in general) is able to filter down the information much better than fs_usage.

Published: 2022-08-03, last edited: 2022-08-03

Copyright © 2022 James Reynolds