fileXray Example: The Time Filters

fileXray has the ability to rapidly run all file system objects on an HFS+ volume through a piece of code called a “filter”. A filter can examine a file system object and use arbitrary criteria to either accept or reject it. fileXray comes with more than two dozen built-in filters and you can even write your own dynamically loadable filters. Examples of built-in filters are:

  • bmactime—List objects with timestamps in a given range.
  • compressed—List HFS+ compressed files.
  • creatorcode—List files that have the given creator code.
  • device—List block or character special files.
  • dirhardlink—List directory hard links.
  • empty—List files that have no extended attributes and whose data and resource forks are both empty.
  • emptyforks—List files whose data and resource forks are both empty.
  • fifo—List named pipes.
  • hardlink—List file hard links.
  • immutable—List immutable file system objects.
  • lsR—List all paths.
  • macho—List Mach-O files along with their per-architecture sizes.
  • name—List objects whose name matches a given name (case sensitive).
  • namei—List objects whose name matches a given name (case insensitive).
  • nameprefix—List objects whose name has a given prefix (case sensitive).
  • nameprefixi—List objects whose name has a given prefix (case insensitive).
  • namesuffix—List objects whose name has a given suffix (case sensitive).
  • namesuffixi—List objects whose name has a given suffix (case insensitive).
  • nodename—List the parent node IDs and node names of all objects.
  • null—Do nothing; useful for establishing baselines in benchmarks.
  • socket—List Unix Domain socket files.
  • subname—List objects whose name contains a given string (case sensitive).
  • subnamei—List objects whose name contains a given string (case insensitive).
  • sxid—List setuid and setgid files and folders.
  • symlink—List symbolic links.
  • typecode—List files that have the given file type code.
  • xattrname—List all unique extended attribute names in use.
  • xattr—List objects that have a given extended attribute.

Suppose you have a heavily populated HFS+ volume and want to see exactly which files and folders were modified in the last 60 seconds. (Perhaps you wish to know what modifications an application you just ran made to your volume.) The bmactime built-in filter can quickly show you the answer.

The bmactime filter is a family of filters—a meta filter if you will—whose names all end with the suffix “time”. The prefix can be a permutation of one or more of the characters b, m, a, and c. For example, atime, btime, ctime, mtime, bmactime, and cmtime are all valid filter names. The prefix characters represent HFS+ timestamps as follows.

  • b—Time of creation (birthtime).
  • m—Time of last content (data) modification.
  • a—Time of last access.
  • c—Time of last attribute (metadata) modification.

The bmactime filter requires as an argument a time range consisting of a beginning time and an ending time. These times can be specified either as a number of seconds or as human-readable date strings, for example, “Nov 2 12:00:00 PDT 2009”. Refer to the fileXray ebook for more details on the format. In particular, you can use a negative value to refer to the most recent interval of that many seconds.

In the following example, we look for file system objects that were modified within the last 60 seconds. We pipe the output through the sort program to get a timeline view. (Note that fileXray output has been cropped in the following excerpt.)

$ sudo fileXray --filter builtin:mctime --filter_args -60, | sort -n
...
1256751021 Mon Nov 2 10:30:21 2009 1529932 -rw------- .m.c MacHD:/.Spotlight-V100/
1256751021 Mon Nov 2 10:30:21 2009 205344  -rw-r--r-- .m.c MacHD:/private/var/log/
1256751021 Mon Nov 2 10:30:21 2009 205858  -rw------- .m.c MacHD:/private/var/db/s
1256751021 Mon Nov 2 10:30:21 2009 302227  drwx------ .m.c MacHD:/private/var/db/s
1256751021 Mon Nov 2 10:30:21 2009 3089114 -r--r----- .m.c MacHD:/private/var/audi
1256751021 Mon Nov 2 10:30:21 2009 3169431 -rw-r----- .m.c MacHD:/private/var/log/
1256751021 Mon Nov 2 10:30:21 2009 3169532 -rw-r--r-- .m.c MacHD:/private/var/log/
...

Talking of time, how long does fileXray need to work this out? Well, the specific time taken will depend upon the volume and the hardware in question. In the above example, fileXray took 8 seconds for a volume residing on a rotational (non-SSD) disk drive and containing nearly 1.3 million files and folders.
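Output like the excerpt above can be post-processed into a timeline for review. The following Python code is an added example, not part of fileXray or the original page: it validates a time filter name according to the naming rule described earlier and parses lines in the layout of the excerpt. The field names, the reading of the four-character flags column (a letter marks a timestamp that fell inside the range), and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed layout, taken from the excerpt above: epoch seconds, date text,
# numeric object ID, mode string, four-character flags column, path.
LINE_RE = re.compile(
    r"^(?P<epoch>\d+) (?P<date>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) "
    r"(?P<id>\d+) +(?P<mode>\S{10}) (?P<flags>[.bmac]{4}) (?P<path>.+)$"
)

# Constructed sample lines (not real fileXray output), deliberately unsorted.
SAMPLE = """\
...
1257186630 Mon Nov 2 18:30:30 2009 400002  -rw-r--r-- .m.c MacHD:/private/tmp/constructed-b.log
1257186621 Mon Nov 2 18:30:21 2009 400001  -rw------- ...c MacHD:/private/tmp/constructed-a.db
1257186625 Mon Nov 2 18:30:25 2009 400003  drwx------ b... MacHD:/private/tmp/constructed-dir
""".splitlines()

def parse_filter_name(name):
    """Return the set of timestamp letters a filter name such as 'mctime' selects."""
    prefix, suffix = name[:-4], name[-4:]
    ok = suffix == "time" and prefix and set(prefix) <= set("bmac")
    if not ok or len(set(prefix)) != len(prefix):
        raise ValueError(f"not a valid time filter name: {name!r}")
    return set(prefix)

def parse_line(line):
    """Parse one output line; return None for '...' or anything unrecognised."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["epoch"], rec["id"] = int(rec["epoch"]), int(rec["id"])
    # Assumption: a letter in the flags column marks a timestamp inside the range.
    rec["matched"] = set(rec["flags"]) - {"."}
    return rec

def timeline(lines, filter_name):
    """Records sorted by time, keeping those with a timestamp the filter covers."""
    wanted = parse_filter_name(filter_name)
    recs = [r for r in map(parse_line, lines) if r and r["matched"] & wanted]
    return sorted(recs, key=lambda r: (r["epoch"], r["path"]))

if __name__ == "__main__":
    for r in timeline(SAMPLE, "mctime"):
        print(r["epoch"], "".join(sorted(r["matched"])), r["mode"], r["path"])
```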



All contents of this site, unless otherwise noted, are ©1994-2014 Amit Singh. All Rights Reserved.