Netgate Discussion Forum

    dtrace command to analyze file modification

    • J
      jarlel
      last edited by stephenw10

      I am trying to find a way to detect changes to an octet file used in freeradius to track data usage for a captive portal. dtrace is a command that can do this, but I am not able to use it in pfSense.
      Is there a way that I can enable it? Or other tools that can tell me which process is modifying a file and at what time?

      Example script with dtrace:

      #!/usr/sbin/dtrace -s
      
      syscall::write:entry
      /execname != "dtrace" && arg0 == open("/path/to/your/file", O_WRONLY)/
      {
          printf("%Y: Process %s (PID %d) is writing to %s\n", walltimestamp, execname, pid, copyinstr(arg0));
      }
      
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        What happens when you try to run it?

        • J
          jarlel @stephenw10
          last edited by

          @stephenw10 said in dtrace command to analyze file modification:

          What happens when you try to run it?

          I get this message:

          dtrace: failed to initialize dtrace: DTrace device not available on system

          • GertjanG
            Gertjan @jarlel
            last edited by Gertjan

            @jarlel

            dtrace has quite a list of conditions to be met for it to work.
            The kernel has to have supported modules, and be compiled with 'trace' options set. I wouldn't be surprised if that can't be found on pfSense, a firewall.
            A FreeBSD dev station, yeah, of course.
            Look here.

            @jarlel said in dtrace command to analyze file modification:

            I am trying to find a way to detect changes

            An idea:
            The file you're interested in, change the owner and/or the read write execute flags.
            Make it read only for everybody.
            What will happen now ... will the process that actually updates (= writes) it crash? Complain?
            FreeRadius has some pretty extensive logging: just stop / kill it in the GUI, and then on the console (or SSH) access, fire it up:

            radiusd -X
            

            If a process fails, freeradius or some other process, you should see it complaining - in the logs of course.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??
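
Added example, not part of the thread or any poster's code: a polling fallback for the original question (which process is writing to the file, and when) for a system where DTrace is unavailable. It assumes the FreeBSD base utility fstat(1) is present on the pfSense install; the function names, the sample fstat output and /path/to/your/file are constructed here for illustration.

```shell
#!/bin/sh
# Added example: poll a file and, when it changes, log the time and the
# processes that currently hold it open for writing (via fstat(1)).

# Print "mtime size" for a file (GNU stat syntax first, then FreeBSD syntax).
snapshot() {
    stat -c '%Y %s' "$1" 2>/dev/null || stat -f '%m %z' "$1"
}

# Read `fstat <file>` output on stdin and print "CMD PID" for every
# descriptor whose R/W column contains "w". Columns when a file is named:
# USER CMD PID FD MOUNT INUM MODE SZ|DV R/W NAME
writers() {
    awk 'NR > 1 && $9 ~ /w/ { print $2, $3 }' | sort -u
}

# Poll FILE every INTERVAL seconds; on each change log time and writers.
watch_file() {
    file=$1; interval=${2:-1}
    last=$(snapshot "$file")
    while :; do
        sleep "$interval"
        now=$(snapshot "$file")
        [ "$now" = "$last" ] && continue
        last=$now
        who=$(fstat "$file" 2>/dev/null | writers | tr '\n' ';')
        echo "$(date '+%Y-%m-%d %H:%M:%S') changed: $file" \
             "(mtime size: $now) writers: ${who:-none seen}"
    done
}

# Constructed sample of fstat output, only to show what writers() extracts.
sample_fstat() {
    cat <<'EOF'
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W NAME
root     radiusd     4321    7 /         12345 -rw-r--r--     512  rw /path/to/your/file
root     tail        5000    3 /         12345 -rw-r--r--     512  r  /path/to/your/file
EOF
}
```

Run it with `watch_file /path/to/your/file 1` from the console or an SSH session. Polling only sees processes that still have the file open when the change is noticed, so a writer that opens, writes and closes between two polls is logged as "none seen".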

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.