Demonstrations of execsnoop, the Linux eBPF/bcc version.


execsnoop traces new processes. For example, tracing the commands invoked when
running "man ls":

# ./execsnoop
PCOMM            PID    RET ARGS
bash             15887    0 /usr/bin/man ls
preconv          15894    0 /usr/bin/preconv -e UTF-8
man              15896    0 /usr/bin/tbl
man              15897    0 /usr/bin/nroff -mandoc -rLL=169n -rLT=169n -Tutf8
man              15898    0 /usr/bin/pager -s
nroff            15900    0 /usr/bin/locale charmap
nroff            15901    0 /usr/bin/groff -mtty-char -Tutf8 -mandoc -rLL=169n -rLT=169n
groff            15902    0 /usr/bin/troff -mtty-char -mandoc -rLL=169n -rLT=169n -Tutf8
groff            15903    0 /usr/bin/grotty

The output shows the command name of the process calling exec() (PCOMM), which
a freshly forked child still inherits from its parent, the PID, the return
value of the exec() (RET), and the filename with arguments (ARGS).

This works by tracing the execve() system call (the commonly used exec()
variant, which the other exec() library functions end up calling), and shows
details of the arguments and return value. This catches new processes that
follow the fork->exec sequence, as well as processes that re-exec()
themselves. Some applications fork() but do not exec(), e.g., for worker
processes; those won't be included in the execsnoop output, so the tool should
not be read as a complete list of new PIDs.


The -x option can be used to include failed exec()s. For example:

# ./execsnoop -x
PCOMM            PID    RET ARGS
supervise        9660     0 ./run
supervise        9661     0 ./run
mkdir            9662     0 /bin/mkdir -p ./main
run              9663     0 ./run
chown            9664     0 /bin/chown nobody:nobody ./main
run              9665     0 /bin/mkdir -p ./main
supervise        9667     0 ./run
run              9660    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
chown            9668     0 /bin/chown nobody:nobody ./main
run              9666     0 /bin/chmod 0777 main
run              9663    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
run              9669     0 /bin/mkdir -p ./main
run              9661    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
supervise        9670     0 ./run
[...]

This example shows various regular system daemon activity, including some
failures (trying to execute /usr/local/bin/setuidgid, which I just noticed
doesn't exist). RET is the raw execve() return value, so a failure appears as
a negative errno: -2 is -ENOENT (no such file or directory). Without -x, only
successful exec()s (RET 0) are shown.


A -t option can be used to include a timestamp column, and a -n option to match
on a name. Regular expressions are allowed. For example, matching commands
containing "mount":

# ./execsnoop -tn mount
TIME(s) PCOMM            PID    RET ARGS
2.849   mount            18049    0 /bin/mount -p

The -l option can be used to only show commands where one of the arguments
matches the specified regex. The limitation is that only the first 20 arguments
of the command are parsed (adjustable with --max-args), so a match in a later
argument is neither displayed nor found. For example, matching all commands
where one of the arguments contains "testpkg":

# ./execsnoop.py -l testpkg
PCOMM            PID     PPID    RET ARGS
service          3344535 4146419   0 /usr/sbin/service testpkg status
systemctl        3344535 4146419   0 /bin/systemctl status testpkg.service
yum              3344856 4146419   0 /usr/local/bin/yum remove testpkg
python           3344856 4146419   0 /usr/local/bin/python /usr/local/bin/yum remove testpkg
yum              3344856 4146419   0 /usr/bin/yum remove testpkg
yum              3345086 4146419   0 /usr/local/bin/yum install testpkg
python           3345086 4146419   0 /usr/local/bin/python /usr/local/bin/yum install testpkg
yum              3345086 4146419   0 /usr/bin/yum install testpkg
rpm              3345452 4146419   0 /bin/rpm -qa testpkg

This output is from a later version of execsnoop that also prints the parent
PID (PPID). Note the same PID appearing several times in a row (3344535,
3344856, 3345086): the service and yum wrappers re-exec() themselves, and each
execve() is a separate event.

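The following Python is an added example, not code from bcc or execsnoop. It models the points above offline: it parses the output formats shown on this page (with and without -t and PPID), reports failed exec()s by errno name as -x exposes them (RET is -errno, so -2 is ENOENT), and applies -n/-l style regex filters including the --max-args limit beyond which arguments are not displayed or matched. The sample lines are constructed from the outputs above, and the two filters are approximations of the documented behaviour (name matched against argv[0], line matched against each argument), not the tool's own implementation.

```python
"""Parse and filter execsnoop output offline (added example, not part of bcc)."""
import errno
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the default execsnoop format (not a real capture).
SAMPLE_OUTPUT = """\
PCOMM            PID    RET ARGS
bash             15887    0 /usr/bin/man ls
supervise        9660     0 ./run
run              9660    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
run              9666     0 /bin/chmod 0777 main
mount            18049    0 /bin/mount -p
"""

# Constructed sample in the -t form of a newer execsnoop that also prints PPID.
SAMPLE_TIMESTAMPED = """\
TIME(s) PCOMM            PID    PPID    RET ARGS
2.849   mount            18049  4146419   0 /bin/mount -p
"""


@dataclass
class ExecEvent:
    pcomm: str            # comm of the process calling execve(), usually its parent's name
    pid: int
    ret: int              # raw execve() return value: 0 on success, -errno on failure
    args: List[str]       # args[0] is the filename handed to execve()
    ppid: Optional[int] = None
    time: Optional[float] = None

    @property
    def failed(self) -> bool:
        return self.ret != 0

    @property
    def errname(self) -> str:
        """Symbolic errno for a failed exec, e.g. -2 -> 'ENOENT'."""
        if self.ret >= 0:
            return "OK"
        return errno.errorcode.get(-self.ret, "E?%d" % -self.ret)


def parse_execsnoop(text: str) -> List[ExecEvent]:
    """Parse execsnoop output, using its header line to locate the columns.

    Assumes PCOMM contains no whitespace; ARGS (always the last column) is
    split on whitespace, which is how execsnoop joins argv when printing.
    """
    lines = [ln for ln in text.splitlines() if ln.strip() and ln.strip() != "[...]"]
    if not lines or lines[0].split()[-1] != "ARGS":
        raise ValueError("not execsnoop output: missing header ending in ARGS")
    header = lines[0].split()
    events = []
    for ln in lines[1:]:
        fields = ln.split(None, len(header) - 1)
        if len(fields) != len(header):
            continue  # truncated or unrelated line
        row = dict(zip(header, fields))
        args = row["ARGS"].split()
        if not args:
            continue
        events.append(ExecEvent(
            pcomm=row["PCOMM"],
            pid=int(row["PID"]),
            ret=int(row["RET"]),
            args=args,
            ppid=int(row["PPID"]) if "PPID" in row else None,
            time=float(row["TIME(s)"]) if "TIME(s)" in row else None,
        ))
    return events


def failed_execs(events: List[ExecEvent]) -> List[Tuple[str, int, str, str]]:
    """What -x adds: (pcomm, pid, errno name, filename) for each failed exec."""
    return [(e.pcomm, e.pid, e.errname, e.args[0]) for e in events if e.failed]


def match_name(events: List[ExecEvent], pattern: str) -> List[ExecEvent]:
    """Approximation of -n: regex searched in the executed filename (argv[0])."""
    rx = re.compile(pattern)
    return [e for e in events if rx.search(e.args[0])]


def match_line(events: List[ExecEvent], pattern: str, max_args: int = 20) -> List[ExecEvent]:
    """Approximation of -l: regex searched in each of the first max_args
    arguments only, mirroring the --max-args limit (default 20)."""
    rx = re.compile(pattern)
    return [e for e in events if any(rx.search(a) for a in e.args[:max_args])]


if __name__ == "__main__":
    evs = parse_execsnoop(SAMPLE_OUTPUT)
    for pcomm, pid, err, path in failed_execs(evs):
        print("failed exec: %s (pid %d) -> %s: %s" % (pcomm, pid, path, err))
    print("'main' in any arg:", [e.pid for e in match_line(evs, "main")])
    print("'main' with only 2 args parsed:", [e.pid for e in match_line(evs, "main", max_args=2)])
```

Running it lists the missing setuidgid binary as an ENOENT failure, and shows that lowering max_args to 2 hides the "./main" and "main" matches that sit in later argument positions, which is the same blind spot --max-args leaves in the live tool.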
USAGE message:

# ./execsnoop -h
usage: execsnoop [-h] [-t] [-x] [-n NAME] [-l LINE] [--max-args MAX_ARGS]

Trace exec() syscalls

optional arguments:
  -h, --help            show this help message and exit
  -t, --timestamp       include timestamp on output
  -x, --fails           include failed exec()s
  -n NAME, --name NAME  only print commands matching this name (regex), any
                        arg
  -l LINE, --line LINE  only print commands where arg contains this line
                        (regex)
  --max-args MAX_ARGS   maximum number of arguments parsed and displayed,
                        defaults to 20

examples:
    ./execsnoop           # trace all exec() syscalls
    ./execsnoop -x        # include failed exec()s
    ./execsnoop -t        # include timestamps
    ./execsnoop -n main   # only print command lines containing "main"
    ./execsnoop -l tpkg   # only print command where arguments contains "tpkg"