
Curious about other methods to detect hard drive access



I had an interesting problem (very minor, less of a problem and more of
a curiosity) earlier this morning and while I did solve it, I am curious
as to if there are better methods and how others might have solved it.
So I thought I would ask.

On my top Gnome desktop panel, I have the "System Monitor" displayed. I
was ssh logged into another system when I noticed my system load went
from near flat to about a quarter-to-a-third load. I wasn't doing
anything that should cause that jump, so I expanded the System Monitor
to show all of the stats (cpu, memory, network, swap, load, hard disk).
The Disk usage was at 90%!

I ran iostat to see which of the many disks it was, and saw that the hdc
drive was indeed being used. It had Blk_read/s of ~200. A quick look at
the hdc drive reminded me that it had backups (cron at midnight),
virtual machines (none of which were running), and a Samba share. A
quick look at htop confirmed that an smb process was fluctuating between
15-25%.

"Is someone pulling from my share?"
"Yup! Be done in a minute."

A quick look into the logs (ls -alh /var/log/samba/ only had one file
modified today) showed his connection but not what files he was pulling.
~30 seconds later the file finished and everything returned to normal.
Case closed, right?

The thing that got me thinking was, if this was a process generating
this disk I/O, or someone being malicious in generating this disk I/O, I
would not have known which file was actually being accessed as I only
found out the process. Is that possible? I am sure that Samba can be
configured to log the information, but what about other processes? Is
there a good way to tell what process/file is accessing the disk?

What would you have done differently?

Thanks!
Have Fun!
~S~
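
For the closing question about which files a process is touching on a disk, here is an added example (not part of the original post) that walks Linux's `/proc/<pid>/fd` and `/proc/<pid>/io` to list the processes holding files open under a mount point, ordered by bytes read. The function names, the `proc_root` parameter and the `/mnt/hdc` mount point are assumptions for illustration.

```python
import os

def open_files_on_mount(pid, mount_point, proc_root="/proc"):
    """Return sorted paths that process `pid` holds open under `mount_point`."""
    fd_dir = os.path.join(proc_root, str(pid), "fd")
    # Trailing separator so /srv/share does not also match /srv/share2.
    prefix = os.path.join(os.path.abspath(mount_point), "")
    hits = set()
    for fd in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, fd))
        except OSError:
            continue  # descriptor was closed between listdir and readlink
        if target.startswith(prefix):  # sockets and pipes never match
            hits.add(target)
    return sorted(hits)

def read_io_counters(pid, proc_root="/proc"):
    """Parse /proc/<pid>/io into a dict (read_bytes, write_bytes, ...)."""
    counters = {}
    with open(os.path.join(proc_root, str(pid), "io")) as fh:
        for line in fh:
            key, _, value = line.partition(":")
            counters[key.strip()] = int(value)
    return counters

def readers_by_bytes(mount_point, proc_root="/proc"):
    """List (read_bytes, pid, files) for processes with files open on mount_point."""
    rows = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip non-process entries such as "self" or "meminfo"
        try:
            files = open_files_on_mount(entry, mount_point, proc_root)
            if files:
                io = read_io_counters(entry, proc_root)
                rows.append((io["read_bytes"], int(entry), files))
        except (OSError, KeyError, ValueError):
            continue  # process exited, or its /proc entries are not readable
    return sorted(rows, reverse=True)

if __name__ == "__main__":
    # Hypothetical mount point for the hdc drive; adjust to the real one.
    for read_bytes, pid, files in readers_by_bytes("/mnt/hdc"):
        print(pid, read_bytes, files)
```

`read_bytes` is cumulative since the process started, so sample it twice a few seconds apart to see who is reading right now. Run it as root to see other users' processes.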

