Demonstrations of killsnoop, the Linux eBPF/bcc version.


This traces signals sent via the kill() syscall. For example:

# ./killsnoop
TIME      PID    COMM             SIG  TPID   RESULT
12:10:51  13967  bash             9    13885  0
12:11:34  13967  bash             9    1024   -3
12:11:41  815    systemd-udevd    15   14076  0

The first line showed a SIGKILL (9) sent from PID 13967 (a bash shell) to
PID 13885. The result, 0, means success.

The second line showed the same signal sent, this time resulting in a -3
(ESRCH: no such process).

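A parser for the output format shown above, decoding SIG and RESULT the way
the two paragraphs do by hand and picking out rows for review. This is an
added example, not part of the bcc project; the fourth sample row, the name
tables and the expected_senders allowlist are assumptions for illustration.

```python
import re

# Linux x86/ARM numbers for the values on this page plus a few common ones.
SIGNALS = {1: "SIGHUP", 2: "SIGINT", 9: "SIGKILL", 15: "SIGTERM", 19: "SIGSTOP"}
ERRNOS = {1: "EPERM", 3: "ESRCH", 22: "EINVAL"}
UNCATCHABLE = {9, 19}  # SIGKILL and SIGSTOP cannot be handled by the target

# COMM may contain spaces: match it lazily, anchor the numeric columns at the end.
ROW = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\d+)\s+(.+?)\s+(\d+)\s+(-?\d+)\s+(-?\d+)$")

# First three rows are the page's sample output; the last row is constructed.
SAMPLE = """\
TIME      PID    COMM             SIG  TPID   RESULT
12:10:51  13967  bash             9    13885  0
12:11:34  13967  bash             9    1024   -3
12:11:41  815    systemd-udevd    15   14076  0
12:12:05  14102  python3          9    1      -1
"""

def parse(text):
    """Return one dict per data row; header, prompt and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ts, pid, comm, sig, tpid, res = m.groups()
            events.append({"time": ts, "comm": comm, "pid": int(pid),
                           "sig": int(sig), "tpid": int(tpid), "result": int(res)})
    return events

def describe(ev):
    """Render a row with the signal and errno decoded, as the text does by hand."""
    sig = SIGNALS.get(ev["sig"], "signal %d" % ev["sig"])
    if ev["result"] == 0:
        outcome = "success"
    else:
        err = -ev["result"]
        outcome = "%d (%s)" % (ev["result"], ERRNOS.get(err, "errno %d" % err))
    return "%s %s[%d] sent %s to PID %d: %s" % (
        ev["time"], ev["comm"], ev["pid"], sig, ev["tpid"], outcome)

def review(events, expected_senders=("systemd", "systemd-udevd")):
    """EPERM results, or SIGKILL/SIGSTOP from senders outside a hypothetical allowlist."""
    return [ev for ev in events
            if ev["result"] == -1
            or (ev["sig"] in UNCATCHABLE and ev["comm"] not in expected_senders)]

if __name__ == "__main__":
    print("\n".join(describe(ev) for ev in review(parse(SAMPLE))))
```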

USAGE message:

# ./killsnoop -h
usage: killsnoop [-h] [-x] [-p PID]

Trace signals issued by the kill() syscall

optional arguments:
  -h, --help         show this help message and exit
  -x, --failed       only show failed kill syscalls
  -p PID, --pid PID  trace this PID only

examples:
    ./killsnoop           # trace all kill() signals
    ./killsnoop -x        # only show failed kills
    ./killsnoop -p 181    # only trace PID 181