Using OpenSnoop with process names that have spaces in them

opensnoop is a command-line tool that comes preinstalled with Mac OS X allowing you to see what’s being modified in your filesystem. If you Google some tutorials on it, you’ll see that you can track a particular process name like Safari with code like

sudo opensnoop -n Safari
but if you try to do it with a process name that has a space in it, like Google Chrome, you’ll get a token too large, exceeds YYLMAX error.

The only fix I could find for it was in Italian. Here’s the original page, and then here’s the Google Translate (to English) version of that page.

It involves editing the actual binary file, so make sure you back it up first. If you edit it using nano, you can use the -B parameter to make an automatic backup first:

sudo nano -B /usr/bin/opensnoop
and then you’re just changing these lines
inline string PATHNAME = “‘$pathname'”;
inline string NAME = “‘$pname'”;
to look like these lines instead:
inline string PATHNAME = “‘”$pathname”‘”;
inline string NAME = “‘”$pname”‘”;
You should then be able to run process names that have spaces in them. For example,
sudo opensnoop -n “Google Chrome”
sudo opensnoop -n Google\ Chrome

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.