execsnoop(8)                System Manager's Manual               execsnoop(8)



NAME

       execsnoop - Trace new processes via exec() syscalls. Uses Linux
       eBPF/bcc.


SYNOPSIS

       execsnoop [-h] [-t] [-x] [-q] [-n NAME] [-l LINE] [--max-args MAXARGS]


DESCRIPTION

       execsnoop traces new processes, showing the filename executed and the
       argument list.

       It works by tracing the execve() system call (the commonly used exec()
       variant). This catches new processes that follow the fork->exec
       sequence, as well as processes that re-exec() themselves. Some
       applications fork() but do not exec(), e.g., for worker processes;
       those processes will not appear in the execsnoop output.

       This works by tracing the kernel sys_execve() function using dynamic
       tracing, and will need updating to match any changes to that function.

       Since this uses BPF, only the root user can use this tool.


REQUIREMENTS

       CONFIG_BPF and bcc.


OPTIONS

       -h     Print usage message.

       -t     Include a timestamp column.

       -x     Include failed exec()s.

       -q     Add "quotemarks" around arguments. Escape quotemarks in
              arguments with a backslash. Useful for tracing empty arguments
              or arguments that contain whitespace, which are otherwise
              indistinguishable from argument separators in the output.

       -n NAME
              Only print command lines matching this name (regex).

       -l LINE
              Only print commands where the argument list contains this line
              (regex).

       --max-args MAXARGS
              Maximum number of arguments parsed and displayed; defaults to
              20.


EXAMPLES

       Trace all exec() syscalls:
              # execsnoop

       Trace all exec() syscalls, and include timestamps:
              # execsnoop -t

       Include failed exec()s:
              # execsnoop -x

       Put quotemarks around arguments:
              # execsnoop -q

       Only trace exec()s where the filename contains "mount":
              # execsnoop -n mount

       Only trace exec()s where the argument list contains "testpkg":
              # execsnoop -l testpkg


FIELDS

       TIME(s)
              Time of exec() return, in seconds.

       PCOMM  Parent process/command name.

       PID    Process ID.

       RET    Return value of exec(). 0 == success. Failures are only shown
              when using the -x option.

       ARGS   Filename for the exec(), followed by up to 19 arguments (20
              entries including the filename, matching the --max-args
              default). An ellipsis "..." is shown if the argument list is
              known to be truncated.
83

OVERHEAD

       This traces the kernel execve function and prints output for each
       event. As the rate of this is generally expected to be low (< 1000/s),
       the overhead is also expected to be negligible. If you have an
       application that is calling a high rate of exec()s, then test and
       understand overhead before use.


SOURCE

       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.


OS

       Linux


STABILITY

       Unstable - in development.


AUTHOR

       Brendan Gregg


SEE ALSO

       opensnoop(1)



USER COMMANDS                     2016-02-07                      execsnoop(8)