Sniff HDD Reads and Writes?

Searching_ _ _ · May 30, 2011

Like is done with a Hub on a network, can I capture data going to the HDD regardless if the HDD is mounted or not?

mvario · May 30, 2011

Try iotop or daemonfs

Searching_ _ _ · May 30, 2011

Thanks, I'll look those up.

Mrkvonic · May 30, 2011

Searching_ _ _ said:

Like is done with a Hub on a network, can I capture data going to the HDD regardless if the HDD is mounted or not?
Click to expand...

HDD mounted? You mean partitions, right?
And going to the HDD from where? Memory? Network? Both? Else?

Mrk

Searching_ _ _ · May 31, 2011

Mrkvonic said:

HDD mounted? You mean partitions, right?
Click to expand...

Yep. Brain fade.

Mrkvonic said:

And going to the HDD from where? Memory? Network? Both? Else?
Click to expand...

Exactly. I would like to MITM the HDD.

iotop doesn't show all HDD activity, only activity started by host processes.
It also doesn't function as expected, using the -a option some processes do not remain, they pop up then disappear with no cumulative.

mvario · May 31, 2011

Searching_ _ _ said:

iotop doesn't show all HDD activity, only activity started by host processes.
It also doesn't function as expected, using the -a option some processes do not remain, they pop up then disappear with no cumulative.
Click to expand...

I found this:
http://ubuntuforums.org/showthread.php?p=2415252#post2415252
might be of help.

Searching_ _ _ · Jun 1, 2011

WooHoo! Lots of activity.

It is possible to achieve similar functionality to filemon with a linux 2.6.1 or newer kernel.
What you need to do is the following:
1. Make sure that syslog doesn't log kern.debug to a file(check /etc/syslog.conf). if it does, disable it temporarily (better), or stop syslog altogether (worse, because you will eliminate one possible cause of the disk activity)
2. type:
echo 1 > /proc/sys/vm/block_dump
3. in bash, type (modify to fit your favourite shell):
while true; do dmesg -c; sleep 1; done;

This effectively gives you a realtime live view of all disk activity
note that if you didn't dmesg -c since you booted, dmesg might contain a lot of info in the buffer, so let it barf everything onto the screen before attempting to actually read it.

remember to restore things back to the way they were when you are done:
1. echo 0 > /proc/sys/vm/block_dump
2. restore syslog activity and/or kern.debug logging

Enjoy!
Click to expand...

Works much better than iotop, except there are entries that don't need to be displayed.

How would I exclude entries from displaying?
For example:
Code:
[122468.692488] sudo(13946): READ block 79574 on loop0
[122468.735831] loop0(470): READ block 80608 on sr0
Or, as an example, should I just add "grep -i usb" to "dmesg -c"?
Can I chain multiple display filters? Ex. grep -i usb,tty,debugfs,pdq

Log in or Sign up

Sniff HDD Reads and Writes?

Searching_ _ _ Registered Member

mvario Registered Member

Searching_ _ _ Registered Member

Mrkvonic Linux Systems Expert

Searching_ _ _ Registered Member

mvario Registered Member

Searching_ _ _ Registered Member

Log in or Sign up

Sniff HDD Reads and Writes?

Searching_ _ _ Registered Member

mvario Registered Member

Searching_ _ _ Registered Member

Mrkvonic Linux Systems Expert

Searching_ _ _ Registered Member

mvario Registered Member

Searching_ _ _ Registered Member

Useful Searches