Demonstrations of execsnoop, the Linux eBPF/bcc version.


execsnoop traces new processes. For example, tracing the commands invoked when
running "man ls":

# ./execsnoop
PCOMM            PID    RET ARGS
bash             15887    0 /usr/bin/man ls
preconv          15894    0 /usr/bin/preconv -e UTF-8
man              15896    0 /usr/bin/tbl
man              15897    0 /usr/bin/nroff -mandoc -rLL=169n -rLT=169n -Tutf8
man              15898    0 /usr/bin/pager -s
nroff            15900    0 /usr/bin/locale charmap
nroff            15901    0 /usr/bin/groff -mtty-char -Tutf8 -mandoc -rLL=169n -rLT=169n
groff            15902    0 /usr/bin/troff -mtty-char -mandoc -rLL=169n -rLT=169n -Tutf8
groff            15903    0 /usr/bin/grotty

The output shows the parent process/command name (PCOMM), the PID, the return
value of the exec() (RET), and the filename with arguments (ARGS).

This works by tracing the execve() system call (the commonly used exec()
variant) and showing details of its arguments and return value. This catches
new processes that follow the fork->exec sequence, as well as processes that
re-exec() themselves. Some applications fork() but do not exec(), e.g., for
worker processes; those won't be included in the execsnoop output.


The -x option can be used to include failed exec()s. For example:

# ./execsnoop -x
PCOMM            PID    RET ARGS
supervise        9660     0 ./run
supervise        9661     0 ./run
mkdir            9662     0 /bin/mkdir -p ./main
run              9663     0 ./run
chown            9664     0 /bin/chown nobody:nobody ./main
run              9665     0 /bin/mkdir -p ./main
supervise        9667     0 ./run
run              9660    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
chown            9668     0 /bin/chown nobody:nobody ./main
run              9666     0 /bin/chmod 0777 main
run              9663    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
run              9669     0 /bin/mkdir -p ./main
run              9661    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
supervise        9670     0 ./run
[...]

This example shows various regular system daemon activity, including some
failures (trying to execute a /usr/local/bin/setuidgid, which I just noticed
doesn't exist).


A -t option can be used to include a timestamp column, and a -n option to match
on a name. Regular expressions are allowed.
For example, matching commands containing "mount":

# ./execsnoop -tn mount
TIME(s) PCOMM            PID    RET ARGS
2.849   mount            18049    0 /bin/mount -p

The -l option can be used to only show commands where one of the arguments
matches the specified line. The limitation is that only the first 20 arguments
of the command are examined. For example, matching all commands where one of
the arguments is "testpkg":

# ./execsnoop.py -l testpkg
PCOMM            PID     PPID    RET ARGS
service          3344535 4146419   0 /usr/sbin/service testpkg status
systemctl        3344535 4146419   0 /bin/systemctl status testpkg.service
yum              3344856 4146419   0 /usr/local/bin/yum remove testpkg
python           3344856 4146419   0 /usr/local/bin/python /usr/local/bin/yum remove testpkg
yum              3344856 4146419   0 /usr/bin/yum remove testpkg
yum              3345086 4146419   0 /usr/local/bin/yum install testpkg
python           3345086 4146419   0 /usr/local/bin/python /usr/local/bin/yum install testpkg
yum              3345086 4146419   0 /usr/bin/yum install testpkg
rpm              3345452 4146419   0 /bin/rpm -qa testpkg
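
As an added example (not part of bcc or execsnoop itself), the following Python
parses execsnoop's default PCOMM/PID/RET/ARGS output and reproduces the -x, -n
and -l filtering described above, also decoding a negative RET into its errno
name (RET -2 is -ENOENT, which is why setuidgid "doesn't exist" above). The
mapping of -n to the PCOMM column and of -l to the first 20 arguments is this
example's assumption, and the sample lines are constructed from the -x output
above.

```python
import errno
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_ARGS = 20  # execsnoop's default --max-args: only this many args are captured

# Constructed sample in execsnoop's default output format (from the -x example).
SAMPLE_OUTPUT = """\
PCOMM            PID    RET ARGS
supervise        9660     0 ./run
mkdir            9662     0 /bin/mkdir -p ./main
chown            9664     0 /bin/chown nobody:nobody ./main
run              9660    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
run              9666     0 /bin/chmod 0777 main
"""


@dataclass
class ExecEvent:
    pcomm: str
    pid: int
    ret: int
    args: List[str]

    def errno_name(self) -> Optional[str]:
        """Decode a negative RET into its errno name (e.g. -2 -> 'ENOENT')."""
        return errno.errorcode.get(-self.ret) if self.ret < 0 else None


def parse_output(text: str) -> List[ExecEvent]:
    """Parse execsnoop's PCOMM/PID/RET/ARGS lines; the header line is skipped."""
    events = []
    for line in text.splitlines()[1:]:
        pcomm, pid, ret, *args = line.split()
        events.append(ExecEvent(pcomm, int(pid), int(ret), args))
    return events


def select(events: List[ExecEvent], fails: bool = False,
           name: Optional[str] = None, line: Optional[str] = None) -> List[ExecEvent]:
    """Mirror the filters: without -x failed execs are dropped; -n is a regex on
    PCOMM (assumed mapping); -l is a regex over the first MAX_ARGS arguments only."""
    kept = []
    for ev in events:
        if ev.ret != 0 and not fails:
            continue
        if name and not re.search(name, ev.pcomm):
            continue
        if line and not re.search(line, " ".join(ev.args[:MAX_ARGS])):
            continue
        kept.append(ev)
    return kept
```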

USAGE message:

# ./execsnoop -h
usage: execsnoop [-h] [-t] [-x] [-n NAME] [-l LINE] [--max-args MAX_ARGS]

Trace exec() syscalls

optional arguments:
  -h, --help            show this help message and exit
  -t, --timestamp       include timestamp on output
  -x, --fails           include failed exec()s
  -n NAME, --name NAME  only print commands matching this name (regex), any
                        arg
  -l LINE, --line LINE  only print commands where arg contains this line
                        (regex)
  --max-args MAX_ARGS   maximum number of arguments parsed and displayed,
                        defaults to 20

examples:
    ./execsnoop           # trace all exec() syscalls
    ./execsnoop -x        # include failed exec()s
    ./execsnoop -t        # include timestamps
    ./execsnoop -n main   # only print command lines containing "main"
    ./execsnoop -l tpkg   # only print command where arguments contains "tpkg"