Doing Detective Work With DTrace (Opensnoop and Rwsnoop)

  • Nov 8, 2025
  • 6 Min Read
Premiere Pro playing Netflix Open Content with DTrace's helper apps opensnoop and rwsnoop running in the background

If you’ve ever wondered:

  1. What happens when I launch my app?
  2. What is my app doing right now?
  3. Why is my app taking so long to do something?

Then you’ll want to know a little bit about using DTrace.

If you’re an artist or creative professional, DTrace itself might feel a bit tricky to use. Thankfully, some helper apps exist to make it more approachable.

Let’s talk about two of them:

  1. opensnoop
  2. rwsnoop

We’ll use these helper apps to answer those questions using one popular app: Adobe Premiere Pro (25.5, as of this writing).

Using macOS? Let’s start by making sure you can actually run DTrace.

Enabling DTrace in macOS

Using DTrace or any of its related apps means you’ll be using a command line in Terminal.app.

If you try using opensnoop straight away, you’ll learn:

  1. DTrace requires additional privileges - you’ll need access to a local Administrator account’s password.
  2. DTrace requires you to disable System Integrity Protection (SIP) on your Mac.

If that scares you a little, it should (a little).

But fear not.

Did you know you can selectively disable SIP for DTrace usage?

csrutil enable --without dtrace

Once you add this exception to your Mac’s SIP, restart, log back in, and confirm you successfully modified SIP with this command:

csrutil status

If it was successful, you’ll see a System Integrity Protection status: unknown (Custom Configuration) report with DTrace Restrictions: disabled.

And when you’re finished using anything DTrace-related? Head back into Recovery mode and fully reenable SIP on your Mac.

csrutil enable

Now you’re ready to see some stuff.

opensnoop

I work with a lot of Premiere Pro teams these days.

They frequently ask:

What is Premiere Pro doing right now?

opensnoop may give you some answers.

What does opensnoop do? (In Terminal, man opensnoop, then press Return)

Snoop file opens as they occur. Uses DTrace.

How do you use it?

  1. If Premiere Pro is open, save any open work and quit Premiere Pro.
  2. Launch Terminal.app.
  3. Resize that Terminal window to be as wide as possible.
  4. Copy/paste this command and press Return: sudo opensnoop -v -n "Adobe Premiere Pro 20XX" (where XX is the year of Premiere Pro you’re using)
  5. Launch Premiere Pro, and you’ll see that Terminal window start scrolling (and scrolling) with lines of information.

What can you learn?

  • While Premiere Pro is launching – you’ll see what it initially opens as part of its app resources: fonts, Motion Graphics Templates (.mogrt), etc.
  • When you open a Project – the full path to your .prproj will appear. Also, if Enable project locking under Preferences > Collaboration is checked, you’ll see the path to that .prlock file appear shortly thereafter.
  • While playing back a Clip or Sequence – the full path to the underlying media will appear.

How could this be helpful?

Some have asked me, “If I work with proxy media, does Premiere Pro open both the original media and the proxy media at the same time?”

Using opensnoop, you’ll find the answer is, “No.”

Try this:

  1. In Premiere Pro, make a Sequence with one Clip based on your original media.
  2. Use your favorite encoder/transcoder app to create a proxy media file. Make sure to name that file with something like “_Proxy” at the end.
  3. In Premiere Pro, attach that proxy media file to your Clip.
  4. Find the Toggle Proxies button in your Program or Source Monitor and toggle it On.

Play your Clip or Sequence, and you’ll see the full path to your proxy media appear. You can even Toggle Proxies On or Off during playback, and see Premiere Pro changes which media file it’s using on playback.


Does this feel like a Rube Goldberg device for something simple? Perhaps.

But you can Toggle Proxies with or without proxy media attached to your Clips, and Premiere Pro will playback your Clip or Sequence without any clear indication of whether proxy media is attached or not.

And, yes, you can enable three Bin columns (Control-click on a Bin column, choose Metadata Display…, search for “Proxy”) to help you see if proxy media is attached. But I’ve yet to meet a Premiere Pro user who knew about those columns without a web search.

So if you want the definitive answer to, “Is Premiere Pro playing my original or proxy media?”, use opensnoop. It’s worth the effort.


But some apps won’t allow opensnoop to do its thing. What then?

rwsnoop

rwsnoop can provide some clues when opensnoop can’t.

What does rwsnoop do? (man rwsnoop, then press Return)

snoop read/write events. Uses DTrace.

How do you use it?

  1. Launch Terminal.app, or create a new Terminal window (Command-N).
  2. Copy/paste this command and press Return: sudo rwsnoop -v -n "Adobe Premiere Pro 20XX" (where XX is the year of Premiere Pro you’re using)
  3. If it’s not open, launch Premiere Pro.

What can you learn?

rwsnoop will show you which files are being read (R) or written (W) in the D (for Direction - read or write) column.

You’ll also see how many BYTES of that file were read or written.

Unlike opensnoop, rwsnoop won’t display the full path to the file being read. But if you want a clear, focused view of which media files Premiere Pro references during playback, you can Toggle Proxies On or Off during playback, and you’ll see a tidy list of filenames Premiere Pro is referencing here.

Questions

Where can I find the correct process name to feed opensnoop and rwsnoop with -n?

  1. Launch Activity Monitor.app.
  2. In Activity Monitor, search for the name of your app, then double-click the name in the list.
  3. Locate the Executable Path. The last item in the path is the process name you’ll use after -n.

Can I save opensnoop and rwsnoop results to a file?

Yes!

Just add this to the end of the command…

> ~/Desktop/NameOfApp_Results.txt

…and you’ll see a text file appear on your Desktop.

For example:

sudo opensnoop -v -n "Adobe Premiere Pro 20XX" > ~/Desktop/PremierePro2025_Results.txt

However, anecdotally it seems DTrace won’t record all events to a file as it would if you were monitoring its output in Terminal.

You can use the excellent (and free) TextMate editor to open and live monitor this text file as opensnoop or rwsnoop writes to it.

Where can I find more DTrace helper apps/scripts?

In Terminal, copy/paste this command, and press Return:

apropos dtrace

Credits

If you get to the bottom of any man page for a DTrace script, you’ll see this name: Brendan Gregg.

We’ve never met, but thank you, Brendan, for all of your work over the years to make DTrace more approachable and useful for macOS users:

Also, check out this article by Colin Jones – A Few DTrace Gotchas and Workarounds on OS X:

https://8thlight.com/insights/a-few-dtrace-gotchas-and-workarounds-on-os-x

  • Particularly this section: SIP Strikes Back.

We’ll use this to look at why opensnoop won’t do the detective work on certain apps in a future installment. ✌🏽

ShareOpenly