Can I know which process is using the kernel?

Hi,

Every morning at around 8 AM my Mac connects to my NAS for about 1 hr, using the disk like crazy.

I have tried to understand which process is doing what, but despite using Instruments, Activity Monitor and Little Snitch, in the end I can only understand the following:


  • data is transferred from the IP address of my Mac to the IP address of my NAS using NFS
  • the process involved is kernel (id 0) whose ppid is launchd (id 1)


Of course, this is not enough because I would like to understand which process is invoking the kernel system calls to access the disk.


Is there any tool that can help me?


Wireshark tells me which files are accessed (read, mainly), but of course it doesn't tell me who is doing that.

The NAS (with iotop, for instance) shows me nfs is the main process using disk, but I cannot go any further.


So basically I am blind and so far, what I used just tells me what I already see by myself.

Any help would be appreciated.


Thanks!

Luca

iMac 24″, macOS 13.1

Posted on Jan 23, 2023 1:30 PM

Question marked as Top-ranking reply

Posted on Feb 10, 2023 2:45 AM

After putting the folder under privacy options in Spotlight and after rebooting my Mac (which got stuck when I tried to run sudo syscallbypid.d), it looks like this mad disk activity has come to an end, at least until now.

I'll close the topic, thanks!



8 replies

Jan 26, 2023 1:06 AM in response to destiny241

Thanks,

I tried both with Terminal and with the GUI and the output is overwhelming. Nothing relates to any files on the NAS, and it's very difficult to understand which process is doing what, since the logs are not very clear.

Since my NAS HDD was working like crazy, I quickly tried to filter the logs, and the vast majority of the entries are related to Sandbox:


$ log show --start "2023-01-26 09:30:00" --end "2023-01-26 09:40:00" | grep 'kernel:' | awk -F\: '{print $4}' | awk -F" " '{print $1}' | sort | uniq -c | sort -nr | head -n 10 
1049 (Sandbox)
 120 (AppleBCMWLANCore)
 100 PMRD
  19 (AppleSEPKeyStore)
  13 (apfs)
  12 (CoreAnalyticsFamily)
  10 (IOTimeSyncFamily)
  10 (AppleSmartBatteryManager)
   6 (AppleMobileFileIntegrity)
   5 (Quarantine)


But the content of such logs doesn't mean anything to me:


2023-01-26 09:36:07.174426+0100 0x1fdc54f  Error       0x0                  0      0    kernel: (Sandbox) Sandbox: imagent(5098) deny(1) user-preference-write com.apple.messages.commsafety
2023-01-26 09:36:07.175739+0100 0x1fd974a  Error       0x0                  0      0    kernel: (Sandbox) 1 duplicate report for Sandbox: imagent(5098) deny(1) user-preference-write com.apple.messages.commsafety
2023-01-26 09:36:07.175747+0100 0x1fd974a  Error       0x0                  0      0    kernel: (Sandbox) Sandbox: imagent(5098) deny(1) mach-lookup com.apple.familycircle.agent
2023-01-26 09:36:07.176289+0100 0x1fdc54f  Error       0x0                  0      0    kernel: (Sandbox) Sandbox: imagent(5098) deny(1) user-preference-write com.apple.messages.commsafety
2023-01-26 09:36:14.938087+0100 0x1fdc799  Error       0x0                  0      0    kernel: (Sandbox) 1 duplicate report for Sandbox: imagent(5098) deny(1) user-preference-write com.apple.messages.commsafety
2023-01-26 09:36:14.938107+0100 0x1fdc799  Error       0x0                  0      0    kernel: (Sandbox) Sandbox: cloudpaird(31325) deny(1) system-fsctl (_IO "h" 47)
2023-01-26 09:36:14.941416+0100 0x1fd974a  Error       0x0                  0      0    kernel: (Sandbox) Sandbox: cloudpaird(31325) deny(1) mach-lookup com.apple.metadata.mds
2023-01-26 09:36:14.944464+0100 0x1fdc798  Error       0x0                  0      0    kernel: (Sandbox) 1 duplicate report for Sandbox: cloudpaird(31325) deny(1) mach-lookup com.apple.metadata.mds


I have decided to disable Spotlight for the mounted NFS volume, thinking this could be an issue (I saw high CPU percentage usage of mds), but nothing has changed so far.


I have filtered the tcpdump I get from the NAS and I see the following, which means some program is indexing (or accessing) my pictures.


[~] # tcpdump -i eth0 | grep lookup | awk -F" " '{print $NF}'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
"._20181102_115339_001.jpg"
directory
"._20181102_120114(0).jpg"
directory
"._20181102_140653.jpg"
directory
"._20181102_140720.jpg"
directory
"._20181102_141305.jpg"
directory
"._20181102_152707.jpg"
directory
"._20181102_153217.jpg"
directory
"._20181102_155324.jpg"
directory
"._20181102_162442.jpg"
directory
"._20181102_162712.jpg"


Unfortunately, there is nothing in the Mac logs if I look for those images. It's also interesting to see that the vast majority of the files start with ._, which are the extended attributes that NASes take from Macs and create.
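
Added example (not part of the original post, and not Apple's code): a small Python parser that groups the Sandbox lines quoted above by process, operation and target, so that it is visible at a glance whether any of them concerns file access. The sample lines are copied from the post; treating an "N duplicate report for" line as N further identical denials is an assumption, and the function names are hypothetical.

```python
import re
from collections import Counter

# Lines copied from the `log show` output quoted in the post above.
SAMPLE = """\
2023-01-26 09:36:07.174426+0100 0x1fdc54f  Error  0x0  0  0  kernel: (Sandbox) Sandbox: imagent(5098) deny(1) user-preference-write com.apple.messages.commsafety
2023-01-26 09:36:07.175739+0100 0x1fd974a  Error  0x0  0  0  kernel: (Sandbox) 1 duplicate report for Sandbox: imagent(5098) deny(1) user-preference-write com.apple.messages.commsafety
2023-01-26 09:36:07.175747+0100 0x1fd974a  Error  0x0  0  0  kernel: (Sandbox) Sandbox: imagent(5098) deny(1) mach-lookup com.apple.familycircle.agent
2023-01-26 09:36:07.176289+0100 0x1fdc54f  Error  0x0  0  0  kernel: (Sandbox) Sandbox: imagent(5098) deny(1) user-preference-write com.apple.messages.commsafety
2023-01-26 09:36:14.938087+0100 0x1fdc799  Error  0x0  0  0  kernel: (Sandbox) 1 duplicate report for Sandbox: imagent(5098) deny(1) user-preference-write com.apple.messages.commsafety
2023-01-26 09:36:14.938107+0100 0x1fdc799  Error  0x0  0  0  kernel: (Sandbox) Sandbox: cloudpaird(31325) deny(1) system-fsctl (_IO "h" 47)
2023-01-26 09:36:14.941416+0100 0x1fd974a  Error  0x0  0  0  kernel: (Sandbox) Sandbox: cloudpaird(31325) deny(1) mach-lookup com.apple.metadata.mds
2023-01-26 09:36:14.944464+0100 0x1fdc798  Error  0x0  0  0  kernel: (Sandbox) 1 duplicate report for Sandbox: cloudpaird(31325) deny(1) mach-lookup com.apple.metadata.mds
"""

# Shape seen in the quoted lines:
#   [N duplicate report for ]Sandbox: <process>(<pid>) deny(<n>) <operation> <target>
DENY_RE = re.compile(
    r"kernel: \(Sandbox\) (?:(?P<dups>\d+) duplicate reports? for )?"
    r"Sandbox: (?P<proc>[^()\s]+)\((?P<pid>\d+)\) deny\(\d+\) "
    r"(?P<op>\S+)\s*(?P<target>.*)$"
)

def summarize_denials(text):
    """Count sandbox denials per (process, pid, operation, target)."""
    counts = Counter()
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # not a Sandbox denial line
        key = (m["proc"], int(m["pid"]), m["op"], m["target"].strip())
        # Assumption: "N duplicate report for ..." stands for N more identical denials.
        counts[key] += int(m["dups"]) if m["dups"] else 1
    return counts

def file_denials(counts):
    """Keep only file-* operations, the denials that would name a path."""
    return {k: v for k, v in counts.items() if k[2].startswith("file-")}

if __name__ == "__main__":
    totals = summarize_denials(SAMPLE)
    for (proc, pid, op, target), n in totals.most_common():
        print(f"{n:4d}  {proc}({pid})  {op}  {target}")
    print("file-* denials:", file_denials(totals) or "none")
```

On the quoted lines every denial is a preference write, a mach-lookup or an fsctl by imagent or cloudpaird; none is a file-* operation, so these entries do not name any path on the NAS.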



Feb 1, 2023 6:20 AM in response to ciclista71

Hi

I checked fs_usage and it looks like mds is the cause of it, although I mount my NAS on mount in my home folder (Users/luca/mount) and this folder is in the Privacy section of Spotlight, so it should not be indexed. I am not too sure about mds since I do not see the entire amount of files I get from tcpdump.


I also checked the zprint command but, frankly speaking, I couldn't get any value out of it because I cannot understand how to benefit from its output.

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
