FileMonitor

FileMonitor monitors the activity of files, processes and network connections in ‘real time’ via lsof, returning them in a list. To launch it just use:

$> java -Djava.security.policy=path/security-client.txt -jar path/filemonitor.jar

Of course FileMonitor cannot ensure an authentic ‘real time’ for the system activity but it can work well in many situations.

Menu

FileMonitor has a main menu at the top-left, composed of:

  • Preferences (Ctrl+P): hide/show Preferences area.
  • Fullscreen (F11): enable/disable fullscreen mode.
  • About: show dialog with logo, author info, license, website and online documentation links.
  • Exit (Ctrl+Q): close application and save main window coordinates and internal widgets dispositions.

Filter Bar

Filter bar enables the user to filter for a specific text from the list. A filter has the following parameters:

  • Input field represents text to filter.
  • Column is the column to filter in. If no column is specified, the filter will be applied for every column.
  • Case sensitive enables case-sensitive matching of the text to filter.

To apply a filter press the funnel button. If input text and/or column and/or case-sensitive change before applying the next filter, it will be re-applied.

Output Table

The main table, which contains FileMonitor’s output, has the following columns:

  • PROCESS contains the name of the UNIX command associated with the process.
  • PID is the Process IDentification number of the process.
  • TID is the Task IDentification number, if task reporting is supported by the dialect and a task is being listed.
  • PGID is the Process Group IDentification number associated with the process.
  • PPID is the Parent Process IDentification number of the process.
  • USER is the user ID number or login name of the user to whom the process belongs, usually the same as reported by ps(1). However, on Linux USER is the user ID number or login that owns the directory in /proc where lsof finds information about the process. Usually that is the same value reported by ps(1), but may differ when the process has changed its effective user ID.
  • FD is the File Descriptor number of the file.
  • TYPE is the type of the node associated with the file.
  • DEVICE contains the device numbers, separated by commas, for a character special, block special, regular, directory or NFS file.
  • SIZE is the size of the file or the file offset in bytes. A value is displayed in this column only if it is available.
  • NLINK contains the file link count.
  • NODE is the node number of a local file.
  • NAME is the name of the mount point and file system on which the file resides.
  • STATUS returns OPEN/CLOSED if a file is respectively open or closed.

For every single created preference, it is possible to select which columns to display or to hide. Right-clicking on a column’s header will display a multi-check menu that enables the user to hide undesired columns. Changes are automatically saved.

Hovering the mouse pointer over a row will display a tooltip showing its values in a readable way.

Preferences Area

On the right side there is the Preferences area that includes a top bar menu and a list of all preferences created by user, separated by the following columns: # & Preferences.  The first column’s value is a radio button and the second column’s value represents the name of the preference.  When a radio button is selected, the settings included in the relative preference will be used once FileMonitor is started.

Top bar menu is composed of four buttons:

  • Add (+) new preference
  • Edit existent preference
  • Copy existent preference
  • Remove (-) existent preference

When you click on the Add button, a popup dialog will ask you to input new preference’s name.  This name cannot be the same as another preference and it cannot be empty.  When an allowed name is inserted, a dialog (discussed in the next paragraph) will be opened to enable user to input his/her settings.

Edit, Copy and Remove buttons are enabled by clicking a preference’s name on the list. Clicking on Edit button will open the Preferences dialog (next paragraph).  Dialog will be filled with the existent settings, enabling user to change them. Clicking on Copy button will append to the list a copy of the selected preference appending a number like ‘(1)’, ‘(2)’, etc. based on the count of existent copies. Clicking on Remove button will remove the selected preference. To rename an existent preference just double click on its name in the list.  When a cursor comes out it will be possible to type in the new name.  Pressing Esc will annul the changes and Enter will save them.

Preferences Dialog

When you open the Preferences dialog you will face different options.  These options are separated in 2 areas: Main (left) and Filters (right).

At the bottom of the dialog there are 2 buttons: Cancel & Ok. When Cancel is pressed the dialog will be closed and all the changes in these areas will be lost.  When Ok is pressed the dialog will be closed and the changes saved.

Main

The Main area includes options that affect the settings in Filters and remote control.

When Location remote is enabled, your current instance of FileMonitor will be able to retrieve data from a remote system. To do that, the user needs to provide a valid URL and port for the RMI connection to the other machine. To test the parameters, click the Test button, which will respond with a message dialog reporting success or failure. Below you can find more information about remote control.

This is the Global options list with relative descriptions:

  • AND all settings causes all list selection options (in Filters) to be ANDed.
  • Avoid causes application to avoid kernel functions that might block – lstat(2), readlink(2), and stat(2).
  • Show addresses in IP-format inhibits the conversion of network numbers to host names for network files.  Inhibiting conversion may make application run faster.  It is also useful when host name lookup is not working properly.
  • NFS files selects the listing of NFS files.
  • Show port-numbers inhibits the conversion of port numbers to port names for network files.  Inhibiting the conversion may make application run a little faster.  It is also useful when port name lookup is not working properly.
  • UNIX domain socket files selects the listing of UNIX domain socket files.
  • ID Number inhibits the conversion of user ID numbers to login names.  It is also useful when login name lookup is working improperly or slowly.
  • Login Name displays login names instead of user ID numbers.
  • File Size alone directs application to display file size at all times.  It causes the SIZE/OFF output column title to be changed to SIZE.  If the file does not have a size, nothing is displayed.
  • File Offset directs application to display file offset at all times.  It causes the SIZE/OFF output column title to be changed to OFFSET.  Note: on some UNIX dialects it can’t obtain accurate or consistent file offset information from its kernel data sources, sometimes just for particular kinds of files (e.g., socket files).
  • Max # of links for a file enables or disables the listing of file link counts, where they are available – e.g., they aren’t available for sockets, or most FIFOs and pipes.  When it is enabled with a following zero, all link counts will be listed.  When it is disabled, no link counts will be listed.  When  it is followed by a number, only files having a link count less than that number will be listed.
  • Timeout (s) specifies an optional time-out seconds value for kernel functions – lstat(2), readlink(2), and stat(2) – that might otherwise deadlock.

Filters

In this area the user can populate the table on the right, mixing different types of parameters to filter the information retrieved from the system, for example by selecting a specific process name, PID, network location, etc. This is the list of parameters:

  • 1. Process
  • 2. ID/Login name
  • 3. File Descriptor
  • 4. PID
  • 5. PGID
  • 6. Network
  • 7. Path
  • 8. Directory

At the bottom of the table are located 8 buttons corresponding to these parameters. When one of these buttons is clicked, a dialog with specific input fields will be opened. Once the dialog has been populated and the user presses Save, a new table row is added with the values entered in the dialog. If the user presses Cancel, nothing is added. It is not possible to add an option leaving the parameters empty; in this case a warning message will be displayed. Network represents an exception to this. You will find more information later.

Every new table row (filter) created in this way will have two associated buttons: Edit and Remove. Edit lets you modify the displayed parameters by opening the same dialogs we saw before. These changes will be displayed once the user clicks the Save button. Clicking on Remove will delete the associated row.

Note: Some parts of the following descriptions are extracted from Lsof’s man-page.

1) Process (-c)
This option selects the listing of files for processes executing the commands that begin with the characters of strings listed in the table. If the parameter begins and ends with a slash (‘/’), the characters between the slashes are interpreted as a regular expression. The closing slash may be followed by these modifiers:

• b the regular expression is a basic one.
• i ignore the case of letters.
• x the regular expression is an extended one (default).

2) ID/Login name (-u)
This option selects the listing of files for the user whose login names or user ID numbers are in the table. Multiple login names or user ID numbers are joined in a single ORed set before participating in AND option selection. If a login name or user ID is excluded, it becomes a negation – i.e., files of processes owned by the login name or user ID will never be listed. A negated login name or user ID selection is neither ANDed nor ORed with other selections; it is applied before all other selections and absolutely excludes the listing of the files of the process.

3) File Descriptor (-d)
This option specifies a list of file descriptors (FDs) to exclude from or include in the output listing. The list is an exclusion list if the check button on the bottom is set (“Exclude all the FDs above”), otherwise it is an inclusion list. Mixed lists are not permitted. A file descriptor number range may be in the set as long as neither member is empty, both members are numbers, and the ending member is larger than the starting one – e.g., “0-7” or “3-10”. Ranges may be specified for exclusion, e.g., “0-7” excludes all file descriptors 0 through 7 if the check button on the bottom is set. Multiple file descriptor numbers are joined in a single ORed set before participating in AND option selection. When there are exclusion and inclusion members in the set, lsof reports them as errors and exits with a non-zero return code. See the description of File Descriptor (FD) output values in the OUTPUT section for more information on file descriptor names on the lsof man page.

4) PID (-p)
This option excludes or selects the listing of files for the processes whose optional process IDentification (PID) numbers are in the table. Multiple process ID numbers are joined in a single ORed set before participating in AND option selection. However, PID exclusions are applied without ORing or ANDing and take effect before other selection criteria are applied. Input dialog accepts only numeric values.

5) PGID (-g)
This option excludes or selects the listing of files for the processes whose optional process group IDentification (PGID) numbers are in the table. Multiple PGID numbers are joined in a single ORed set before participating in AND option selection. However, PGID exclusions are applied without ORing or ANDing and take effect before other selection criteria are applied. This option also enables the output display of PGID numbers. When specified without a PGID set that’s all it does. Input dialog accepts only numeric values.

6) Network (-i)
This option selects the listing of files whose Internet address matches the addresses specified in the table. If no address is specified, this option selects the listing of all Internet and x.25 (HP-UX) network files. The Input dialog lets you add to the network table an Internet address composed of Address, Port, IPV and Protocol. All these fields are optional.

An Internet address is specified in the form [IPV][Protocol][Address][Port] where:

IPV specifies the IP version, IPv4 or IPv6, that applies to the following address. ‘6’ may be specified only if the UNIX dialect supports IPv6. If neither ‘4’ nor ‘6’ is specified, the following address applies to all IP versions.

Protocol is a protocol name – TCP or UDP.

Address can be an Internet host name, a numeric IPv4 address in dot form, or a numeric IPv6 address in colon form enclosed in brackets (if the UNIX dialect supports IPv6). Unless a specific IP version is specified, open network files associated with host names of all versions will be selected. When an IP version is selected, only its numeric addresses may be specified.

Port could be an /etc/services name – e.g., smtp – or a list of them. Otherwise it could be a port number, or a list of them.
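The composition rules above can be checked before the value reaches lsof. The following is an added example, not FileMonitor's own code: the function names, the host/service name patterns and the 1-65535 numeric port range are assumptions of this sketch, and the `@` and `:` separators follow the lsof man page's `-i` syntax.

```python
import ipaddress
import re

HOSTNAME = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?")
SERVICE = re.compile(r"[A-Za-z][A-Za-z0-9_+-]*")   # /etc/services-style name


def build_inet_spec(ipv="", protocol="", address="", port=""):
    """Compose [IPV][Protocol][Address][Port]; every field is optional."""
    if ipv not in ("", "4", "6"):
        raise ValueError("IPV must be 4, 6 or empty")
    proto = protocol.upper()
    if proto not in ("", "TCP", "UDP"):
        raise ValueError("Protocol must be TCP, UDP or empty")
    spec = ipv + proto
    if address:
        host = address.strip("[]")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is None:
            # Host name: allowed only when no IP version is selected.
            if ipv or not HOSTNAME.fullmatch(host):
                raise ValueError("bad host name, or numeric address required")
            spec += "@" + host
        else:
            if ipv and ipv != str(ip.version):
                raise ValueError("address does not match the selected IPV")
            # IPv6 goes in brackets so its colons are not read as a port.
            spec += f"@[{ip}]" if ip.version == 6 else f"@{ip}"
    if port:
        items = [p.strip() for p in port.split(",")]
        for item in items:
            is_port = item.isascii() and item.isdigit() and 1 <= int(item) <= 65535
            if not (is_port or SERVICE.fullmatch(item)):
                raise ValueError(f"bad port or service name: {item!r}")
        spec += ":" + ",".join(items)
    return spec


def lsof_argv(spec):
    """Argument vector (no shell); -n and -P keep addresses and ports numeric."""
    return ["lsof", "-n", "-P", "-i" + spec]


if __name__ == "__main__":
    print(lsof_argv(build_inet_spec("4", "tcp", "192.168.1.20", "2000")))
```

Rejecting values that start with `-` or contain whitespace, and passing the result as a single argv element, keeps a filter field from being read as an extra lsof option or as shell syntax.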

7) Path
This option lists all open files on a device (e.g. /dev/hd4) or finds the process that has a given file (e.g. /home/username/foo) open.

8) Directory (+d/+D)
This option causes lsof to search for all open instances of directories in the table and the files and directories they contain at their top level. If ‘full-descent-tree’ is enabled, this option descends the directory tree, rooted at directory. Note: the authority of the user of this option limits it to searching for files that the user has permission to examine with the system stat(2) function.

Run FileMonitor

To start FileMonitor press the Start (green dot) button on the top right of the main table. Shortly afterwards, depending on the chosen directories, the main table will be populated.

The last column on the right (Status) shows whether a file/process is open or closed. While FileMonitor is running, the Start button changes to Stop (red dot), which lets the user stop monitoring processes; it then changes back to Start, and so on.

Next to it there are the Clear button and the Autoscroll button. The first removes all the lines in the tables and the second enables the list to scroll automatically to the bottom when a new row is added.
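FileMonitor's own polling code is not shown on this page. The sketch below is an added example (not the project's code) of how an OPEN/CLOSED status can be derived by comparing successive lsof runs, and why such monitoring is not truly ‘real time’. It assumes lsof's machine-readable `-F` field output; the function names are this example's own and the two sample polls are constructed.

```python
import subprocess

# Constructed samples of `lsof -Fpcfn` output from two consecutive polls.
POLL_1 = "p812\ncsshd\nf3\nn/var/log/auth.log\np2301\ncjava\nf12\nn/tmp/report.tmp\n"
POLL_2 = ("p812\ncsshd\nf3\nn/var/log/auth.log\n"
          "f4\nn192.168.1.20:22->192.168.1.30:51000\n")


def take_snapshot():
    """Run lsof once; -F selects the fields pid (p), command (c), fd (f), name (n)."""
    result = subprocess.run(["lsof", "-n", "-P", "-Fpcfn"],
                            capture_output=True, text=True)
    return result.stdout


def parse_fields(text):
    """Turn -F output into a set of (pid, command, fd, name) tuples."""
    entries, pid, command, fd = set(), None, "", None
    for line in text.splitlines():
        tag, value = line[:1], line[1:]
        if tag == "p":                      # starts a new process set
            pid, command, fd = int(value), "", None
        elif tag == "c":
            command = value
        elif tag == "f":                    # starts a new file set
            fd = value
        elif tag == "n" and pid is not None and fd is not None:
            entries.add((pid, command, fd, value))
    return entries


def diff_snapshots(previous, current):
    """Rows seen for the first time are OPEN; rows that vanished are CLOSED."""
    opened = [row + ("OPEN",) for row in sorted(current - previous)]
    closed = [row + ("CLOSED",) for row in sorted(previous - current)]
    return opened + closed


if __name__ == "__main__":
    for row in diff_snapshots(parse_fields(POLL_1), parse_fields(POLL_2)):
        print(row)
    # A file opened and closed between two polls is in neither snapshot,
    # so it produces no row at all.
```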

Remote Configuration

Starting from the 2.0 version, FileMonitor can retrieve information not only from the local machine which runs it but from remote machines too.

Consider this example:

1) Machine (Ubuntu) to be monitored with ip: 192.168.1.20
2) FileMonitor running on Windows XP machine with ip: 192.168.1.30

(Please note that FileMonitor is not meant to be run on Windows machines as LSOF doesn’t exist for this OS.  But it is ok to run “remote” Preferences that point to systems that provide lsof and java. E.g.: Linux, Mac, etc.)

Firstly run “remote-lsof” on the Ubuntu machine with:

$> java -Djava.security.policy=path/security-client.txt -Djava.rmi.server.hostname=192.168.1.20 -jar path/remote-lsof.jar 2000

-Djava.rmi.server.hostname can be necessary for “internal routing” in your machine and it must be set up with the ip “seen” from the client machine. More information here.

2000 is a port number (values allowed 1-65535). It is not mandatory (default 1099). The communication is managed via Java-RMI and “remote-lsof” creates its own registry on boot. At the moment it doesn’t support existing registries.

Look & Feel

FileMonitor is based on Java Swing that enables the FileMonitor’s interface to be run with different looks, based on the current platform.  Some examples:

$ java -Djava.security.policy=path/security-client.txt -Dswing.defaultlaf=com.sun.java.swing.plaf.nimbus.NimbusLookAndFeel -jar path/filemonitor.jar
$ java -Djava.security.policy=path/security-client.txt -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel -jar path/filemonitor.jar
