NAME¶
execsnoop - trace process exec() with arguments. Uses Linux ftrace.
SYNOPSIS¶
execsnoop [-h] [-n name]
DESCRIPTION¶
execsnoop traces process execution, showing PID, PPID, and argument details if
possible.
This traces exec() from the fork()->exec() sequence, which means it won't
catch new processes that only fork(), and, it will catch processes that
re-exec. This instruments sched:sched_process_exec without buffering, and then
in user-space (this program) reads PPID and process arguments asynchronously
from /proc.
If the process traced is very short-lived, this program may miss reading
arguments and PPID details. In that case, "<?>" and
"?" will be printed respectively.
This program is best-effort (a hack), and should be improved in the future when
other kernel capabilities are made available. It may be useful in the
meantime. If you need a more reliable tool now, consider other tracing
alternates (eg, SystemTap). This tool is really a proof of concept to see what
ftrace can currently do.
Since this uses ftrace, only the root user can use this tool.
REQUIREMENTS¶
FTRACE CONFIG and the sched:sched_process_exec tracepoint, which you may already
have enabled and available on recent kernels, and Perl.
OPTIONS¶
-n name Only show processes that match this name. This is filtered in user
space.
- -h
- Print usage message.
EXAMPLES¶
- Trace all new processes and arguments (if possible):
- execsnoop
- Trace all new processes with process name "sed":
- execsnoop -n sed
FIELDS¶
- TIME
- Time of process exec(): HH:MM:SS.
- PID
- Process ID.
- PPID
- Parent process ID, if this was able to be read (may be missed for
short-lived processes). If it is unable to be read, "?" is
printed.
- ARGS
- Command line arguments, if these were able to be read in time (may be
missed for short-lived processes). If they are unable to be read,
"<?>" is printed.
OVERHEAD¶
This reads and processes exec() events in user space as they occur. Since the
rate of exec() is expected to be low (< 500/s), the overhead is expected to
be small or negligible.
SOURCE¶
This is from the perf-tools collection.
- https://github.com/brendangregg/perf-tools
Also look under the examples directory for a text file containing example usage,
output, and commentary for this tool.
Linux
STABILITY¶
Unstable - in development.
AUTHOR¶
Brendan Gregg
SEE ALSO¶
top(1)