I want to know what happens behind the screen when I open some application. For example, when I open firefox, I want to know which files are read and which are executed. Is there any way to do this. Even opening firefox from terminal doesn't show any information.
OS:Ubuntu 12.04
Use strace!
Example: List all files opened by Firefox during a session:
strace -f firefox 2>&1 | grep 'open('
Results in something like this if you open a second instance of FireFox: http://pastebin.com/iRqxgiWN (The '-f' option just makes strace follow process forks.)
Example 2: List all processes executed by FireFox:
strace -f firefox 2>&1 | grep -P 'exec[vlpe]*('
Results in something like this when visiting YouTube:
[pid 25020] execve("/usr/lib/firefox/plugin-container", ["/usr/lib/firefox/plugin-containe"..., "/usr/lib/adobe-flashplugin/libfl"..., "-greomni", "/usr/lib/firefox/omni.ja", "-appomni", "/usr/lib/firefox/browser/omni.ja", "-appdir", "/usr/lib/firefox/browser", "15198", "false", "plugin"], [/* 57 vars */]) = 0
[pid 25024] execve("/bin/sh", ["sh", "-c", "ps x | grep netscape"], [/* 57 vars */]) = 0
[pid 25025] execve("/bin/ps", ["ps", "x"], [/* 57 vars */] <unfinished ...>
[pid 25026] execve("/bin/grep", ["grep", "netscape"], [/* 57 vars */]) = 0
You can do this with many other system calls as well...
By matching the parameters of open() in your grep search you can also find out in which mode the file has been opened:
Just add | grep -P 'O_RDONLY|O_RDWR' (the leading pipe character is important!) to filter read access or | grep -P 'O_WRONLY|O_RDWR' for write access to your command...
EDIT:
As was mentioned in the comments you can also use strace -fe open firefox to list all files opened by FireFox. You can also use strace -fe trace=file firefox to list all file operations done by FireFox that have a file path as an argument (open, stat, lstat, chmod, access, ...).
Many more are available! Check out the strace(1) manual page.
