Monitoring File-Level Disk I/O in Linux: Find Which Files Are Being Written (Alternative to iotop)


2 views

When troubleshooting disk I/O bottlenecks on Linux servers, tools like iotop show us which processes are performing I/O operations - but they don't reveal the actual files being accessed. This leaves a critical gap in performance analysis.

The Linux kernel provides several powerful mechanisms for tracking file access:

# Basic file activity monitoring with lsof
lsof +D /path/to/monitor | grep -i write

# Real-time monitoring with inotify
inotifywait -m /path/to/watch -e modify -e create -e delete

For a comprehensive solution, fatrace (File Activity Trace) offers process-to-file mapping:

# Install on Debian-based systems
sudo apt-get install fatrace

# Monitor all file writes system-wide
sudo fatrace -w

Sample output shows process IDs, filenames, and operation types:

chrome(1234): W /home/user/.cache/chrome/Cache/data_1
mysqld(5678): W /var/lib/mysql/ibdata1

For deeper analysis, SystemTap provides kernel-level tracing:

# File write tracking script
probe kernel.function("vfs_write") {
    printf("%s wrote %d bytes to %s\n", 
        execname(), $count, filename);
}

When dealing with heavy I/O systems, focus your monitoring:

# Track only specific processes
fatrace -p $(pgrep mysql)

# Monitor specific filesystems
fatrace -t /var

When troubleshooting disk I/O bottlenecks on Linux systems, process-level monitoring tools like iotop only tell half the story. While they show which processes are performing I/O, they don't reveal which specific files those processes are accessing.

Debian Lenny provides several powerful tools in its repositories:


# Basic file activity monitoring with lsof
sudo lsof +D /path/to/directory

# Real-time monitoring with inotifywait
sudo apt-get install inotify-tools
inotifywait -m -r /path/to/monitor -e create,modify,delete

The fatrace (File Activity Trace) tool is what you're looking for:


# Install on Debian-based systems
sudo apt-get install fatrace

# Basic usage
sudo fatrace

# Filter by process name
sudo fatrace | grep "process_name"

# Watch specific directory
sudo fatrace -o /path/to/directory

For deeper analysis, SystemTap provides scriptable monitoring:


# SystemTap script to track file writes
probe kernel.function("vfs_write") {
    printf("%s wrote %d bytes to %s\n", execname(), $count, filename)
}

Let's monitor MySQL's file writes:


# Identify MySQL's PID
pgrep mysqld

# Monitor using fatrace
sudo fatrace -p $(pgrep mysqld)

# Alternative using strace
sudo strace -p $(pgrep mysqld) -e trace=file -f

Remember that intensive monitoring tools can themselves impact performance:

  • Avoid running on production systems during peak hours
  • Consider limiting monitoring to specific directories
  • Use sampling rather than continuous monitoring for long-term analysis