Tracefs: A File System to Trace Them All

File system traces have been used for years to analyze user behavior and system software behavior, leading to advances in file system and storage technologies. Existing traces, however, are difficult to use because they were captured for a specific use and cannot be changed, they often miss vital information for others to use, they become stale as time goes by, and they cannot be easily distributed due to user privacy concerns. Other forms of traces (block level, NFS level, or system-call level) all contain one or more deficiencies, limiting their usefulness to a wider range of studies. We developed Tracefs, a thin stackable file system for capturing file system traces in a portable manner. Tracefs can capture uniform traces for any file system, without modifying the file systems being traced. Tracefs can capture traces at various degrees of granularity: by users, groups, processes, files and file names, file operations, and more; it can transform trace data into aggregate counters, compressed, checksummed, encrypted, or anonymized streams; and it can buffer and direct the resulting data to various destinations (e.g., sockets, disks, etc.). Our modular and extensible design allows for uses beyond traditional file system traces: Tracefs can wrap around other file systems for debugging as well as for feeding user activity data into an Intrusion Detection System. We have implemented and evaluated a prototype Tracefs on Linux. Our evaluation shows a highly versatile system with small overheads.

[1]  John A. Kunze,et al.  A trace-driven analysis of the UNIX 4.2 BSD file system , 1985, SOSP '85.

[2]  Alan Jay Smith,et al.  A File System Tracing Package for Berkeley UNIX , 1985 .

[3]  조위덕 Cryptography , 1987, The Official (ISC)2 SSCP CBK Reference.

[4]  Mary Baker,et al.  Measurements of a distributed file system , 1991, SOSP '91.

[5]  Ronald L. Rivest,et al.  The MD5 Message-Digest Algorithm , 1992, RFC.

[6]  Matt Blaze NFS Tracing By Passive Network Monitoring , 1992 .

[7]  Steven McCanne,et al.  The BSD Packet Filter: A New Architecture for User-level Packet Capture , 1993, USENIX Winter.

[8]  Andrew W. Moore,et al.  Operating system and file system monitoring: A comparison of passive network monitoring with full ke , 1995 .

[9]  Andrew W. Moore,et al.  A comparison of system monitoring methods, passive network monitoring and kernel instrumentation , 1996, OPSR.

[10]  염흥렬,et al.  [서평]「Applied Cryptography」 , 1997 .

[11]  Geoffrey H. Kuenning,et al.  Seer: predictive file hoarding for disconnected mobile operation , 1998 .

[12]  Werner Vogels,et al.  File system usage in Windows NT 4.0 , 1999, SOSP.

[13]  Erez Zadok,et al.  FIST: a language for stackable file systems , 2000, OPSR.

[14]  Thomas E. Anderson,et al.  A Comparison of File System Workloads , 2000, USENIX Annual Technical Conference, General Track.

[15]  Margo I. Seltzer,et al.  New NFS Tracing Tools and Techniques for System Analysis , 2003, LISA.

[16]  Margo I. Seltzer,et al.  Passive NFS Tracing of Email and Research Workloads , 2003, FAST.

[17]  Margo Seltzer,et al.  The Utility of File Names , 2003 .

[18]  Margo I. Seltzer,et al.  NFS Tricks and Benchmarking Traps , 2003, USENIX Annual Technical Conference, FREENIX Track.