Demonstrations of killsnoop, the Linux eBPF/bcc version.


This traces signals sent via the kill() syscall. For example:

# ./killsnoop
PID    COMM             SIG  TPID   RESULT
17064  bash             9    27682  0
17064  bash             9    27682  -3
17064  bash             0    17064  0

The first line showed a SIGKILL (9) sent from PID 17064 (a bash shell) to
PID 27682. The result, 0, means success.

The second line showed the same signal sent, this time resulting in a -3
(ESRCH: no such process).

The third line showed signal 0 sent by the shell to its own PID: kill() with
signal 0 delivers nothing, but its return value reports whether the target
process exists and may be signalled.
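
The output format above and the failed-only filter (the -x option in the usage message below), as an added example that is not part of the bcc tool: a small Python post-processor that parses default killsnoop output, decodes signal numbers and -errno results, and optionally keeps only failed kills. The sample input is constructed from the lines above; column positions are taken from the header line rather than hard-coded.

```python
import errno
import os
import signal

# Constructed sample: the default killsnoop output reproduced from above.
SAMPLE = """\
PID    COMM             SIG  TPID   RESULT
17064  bash             9    27682  0
17064  bash             9    27682  -3
17064  bash             0    17064  0
"""

def describe_signal(num):
    """Name a signal number; 0 is kill()'s no-op existence probe."""
    if num == 0:
        return "SIG0 (existence check)"
    try:
        return signal.Signals(num).name
    except ValueError:
        return "SIG%d" % num

def describe_result(res):
    """killsnoop prints 0 on success or -errno on failure (-3 is ESRCH)."""
    if res == 0:
        return "ok"
    code = errno.errorcode.get(-res, "errno %d" % -res)
    return "%s: %s" % (code, os.strerror(-res))

def parse_killsnoop(text, failed_only=False):
    """Parse killsnoop lines into dicts; failed_only mirrors the -x flag."""
    lines = text.strip().splitlines()
    # Locate columns from the header so an extra leading column is harmless.
    header = lines[0].split()
    idx = {c: header.index(c) for c in ("PID", "COMM", "SIG", "TPID", "RESULT")}
    events = []
    for line in lines[1:]:
        f = line.split()
        ev = {k.lower(): f[idx[k]] for k in idx}
        for k in ("pid", "sig", "tpid", "result"):
            ev[k] = int(ev[k])
        if failed_only and ev["result"] == 0:
            continue
        ev["signal"] = describe_signal(ev["sig"])
        ev["status"] = describe_result(ev["result"])
        events.append(ev)
    return events

if __name__ == "__main__":
    for ev in parse_killsnoop(SAMPLE):
        print("%(comm)s[%(pid)d] -> %(tpid)d %(signal)s: %(status)s" % ev)
```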


USAGE message:

# ./killsnoop -h
usage: killsnoop [-h] [-t] [-x] [-p PID]

Trace signals issued by the kill() syscall

optional arguments:
  -h, --help         show this help message and exit
  -t, --timestamp    include timestamp on output
  -x, --failed       only show failed opens
  -p PID, --pid PID  trace this PID only

examples:
    ./killsnoop           # trace all kill() signals
    ./killsnoop -t        # include timestamps
    ./killsnoop -x        # only show failed kills
    ./killsnoop -p 181    # only trace PID 181