| Brendan Gregg | d9e578b | 2015-09-21 11:59:42 -0700 | [diff] [blame] | 1 | Demonstrations of killsnoop, the Linux eBPF/bcc version. |
| 2 | |
| 3 | |
| 4 | This traces signals sent via the kill() syscall. For example: |
| 5 | |
| Alexei Starovoitov | bdf0773 | 2016-01-14 10:09:20 -0800 | [diff] [blame] | 6 | # ./killsnoop |
| Brendan Gregg | d9e578b | 2015-09-21 11:59:42 -0700 | [diff] [blame] | 7 | PID COMM SIG TPID RESULT |
| 8 | 17064 bash 9 27682 0 |
| 9 | 17064 bash 9 27682 -3 |
| 10 | 17064 bash 0 17064 0 |
| 11 | |
| 12 | The first line showed a SIGKILL (9) sent from PID 17064 (a bash shell) to |
| 13 | PID 27682. The result, 0, means success. |
| 14 | |
| 15 | The second line showed the same signal sent, this time resulting in a -3 |
| 16 | (ESRCH: no such process). |
| 17 | |
| 18 | |
| 19 | USAGE message: |
| 20 | |
| 21 | # ./killsnoop -h |
| 22 | usage: killsnoop [-h] [-t] [-x] [-p PID] |
| 23 | |
| 24 | Trace signals issued by the kill() syscall |
| 25 | |
| 26 | optional arguments: |
| 27 | -h, --help show this help message and exit |
| 28 | -t, --timestamp include timestamp on output |
| Chris Down | 8ddcbdf | 2016-07-13 15:18:35 +0100 | [diff] [blame^] | 29 | -x, --failed only show failed kill syscalls |
| Brendan Gregg | d9e578b | 2015-09-21 11:59:42 -0700 | [diff] [blame] | 30 | -p PID, --pid PID trace this PID only |
| 31 | |
| 32 | examples: |
| 33 | ./killsnoop # trace all kill() signals |
| 34 | ./killsnoop -t # include timestamps |
| 35 | ./killsnoop -x # only show failed kills |
| 36 | ./killsnoop -p 181 # only trace PID 181 |