Brendan Gregg | aa87997 | 2016-01-28 22:43:37 -0800

Demonstrations of bashreadline, the Linux eBPF/bcc version.


This prints bash commands from all running bash shells on the system. For
example:

# ./bashreadline
TIME      PID    COMMAND
05:28:25  21176  ls -l
05:28:28  21176  date
05:28:35  21176  echo hello world
05:28:43  21176  foo this command failed
05:28:45  21176  df -h
05:29:04  3059   echo another shell
05:29:13  21176  echo first shell again

JayceCao | b26e26b | 2019-02-18 14:55:12 +0800

When running the script on Arch Linux, you may need to specify the location
of the libreadline.so library:

# ./bashreadline -s /lib/libreadline.so
TIME      PID    COMMAND
11:17:34  28796  whoami
11:17:41  28796  ps -ef
11:17:51  28796  echo "Hello eBPF!"


The entered command may fail. This is just showing what command lines were
entered interactively for bash to process.

It works by tracing the return of the readline() function using uprobes
(specifically a uretprobe).
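
A minimal sketch of that uretprobe mechanism using bcc's Python API. It is an
added example, not the bashreadline source; the /bin/bash default, the 80-byte
buffer and the names on_readline_return, format_row and trace are assumptions.

```python
import time

# BPF program (C), run in the kernel each time readline() returns.
BPF_TEXT = r"""
#include <uapi/linux/ptrace.h>
struct event_t {
    u32 pid;
    char line[80];              /* assumed cap; longer input is truncated */
};
BPF_PERF_OUTPUT(events);

int on_readline_return(struct pt_regs *ctx)
{
    struct event_t ev = {};
    const char *ret = (const char *)PT_REGS_RC(ctx);  /* readline() result */
    if (!ret)                   /* NULL is EOF (Ctrl-D): nothing was entered */
        return 0;
    ev.pid = bpf_get_current_pid_tgid() >> 32;
    bpf_probe_read_user(&ev.line, sizeof(ev.line), ret);
    events.perf_submit(ctx, &ev, sizeof(ev));
    return 0;
}
"""

def format_row(clock, pid, raw):
    """Render one event as a TIME/PID/COMMAND row; raw is the copied buffer."""
    command = raw.split(b"\0", 1)[0].decode("utf-8", "replace")
    return "%-9s %-6d %s" % (clock, pid, command)

def trace(binary="/bin/bash"):
    """Attach a uretprobe to readline() in `binary` and print rows (needs root)."""
    from bcc import BPF          # imported lazily: requires bcc to be installed
    b = BPF(text=BPF_TEXT)
    b.attach_uretprobe(name=binary, sym="readline", fn_name="on_readline_return")

    def handle(cpu, data, size):
        ev = b["events"].event(data)
        print(format_row(time.strftime("%H:%M:%S"), ev.pid, ev.line))

    b["events"].open_perf_buffer(handle)
    print("%-9s %-6s %s" % ("TIME", "PID", "COMMAND"))
    while True:
        try:
            b.perf_buffer_poll()
        except KeyboardInterrupt:
            return

if __name__ == "__main__":
    trace()
```

The probe fires when readline() returns, before bash parses or runs anything,
which is why a line such as "foo this command failed" is still reported.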