NAME¶

SYNOPSIS¶

DESCRIPTION¶

It works by traces the execve() system call (commonly used exec() variant). This catches new processes that follow the fork->exec sequence, as well as processes that re-exec() themselves. Some applications fork() but do not exec(), eg, for worker processes, which won't be included in the execsnoop output.

This works by tracing the kernel sys_execve() function using dynamic tracing, and will need updating to match any changes to this function.

Since this uses BPF, only the root user can use this tool.

REQUIREMENTS¶

OPTIONS¶

-h

Print usage message.

-t

Include a timestamp column.

-x

Include failed exec()s

-q

Add "quotemarks" around arguments. Escape quotemarks in arguments with a backslash. For tracing empty arguments or arguments that contain whitespace.

-n NAME

Only print command lines matching this name (regex)

-l LINE

Only print commands where arg contains this line (regex)

--max-args MAXARGS

Maximum number of arguments parsed and displayed, defaults to 20

EXAMPLES¶

Trace all exec() syscalls:

# execsnoop

Trace all exec() syscalls, and include timestamps:

# execsnoop -t

Include failed exec()s:

# execsnoop -x

Put quotemarks around arguments.

# execsnoop -q

Only trace exec()s where the filename contains "mount":

# execsnoop -n mount

Only trace exec()s where argument's line contains "testpkg":

# execsnoop -l testpkg

FIELDS¶

TIME(s)

Time of exec() return, in seconds.

PCOMM

Parent process/command name.

PID

Process ID

RET

Return value of exec(). 0 == successs. Failures are only shown when using the -x option.

ARGS

Filename for the exec(), followed be up to 19 arguments. An ellipsis "..." is shown if the argument list is known to be truncated.

OVERHEAD¶

SOURCE¶

https://github.com/iovisor/bcc

Also look in the bcc distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.

OS¶

STABILITY¶

AUTHOR¶

SEE ALSO¶