execsnoop(8)                System Manager's Manual               execsnoop(8)


NAME

       execsnoop - Trace new processes via exec() syscalls. Uses Linux
       eBPF/bcc.


SYNOPSIS

       execsnoop [-h] [-T] [-t] [-x] [-q] [-n NAME] [-l LINE] [--max-args
       MAX_ARGS]


DESCRIPTION

       execsnoop traces new processes, showing the filename executed and the
       argument list.

       It works by tracing the execve() system call (the commonly used exec()
       variant). This catches new processes that follow the fork->exec
       sequence, as well as processes that re-exec() themselves. Some
       applications fork() but do not exec(), eg, for worker processes; these
       will not appear in the execsnoop output.

       This works by tracing the kernel sys_execve() function using dynamic
       tracing, and will need updating to match any changes to this function.

       Since this uses BPF, only the root user can use this tool.


REQUIREMENTS

       CONFIG_BPF and bcc.


OPTIONS

       -h     Print usage message.

       -T     Include a time column (HH:MM:SS).

       -t     Include a timestamp column.

       -x     Include failed exec()s.

       -q     Add "quotemarks" around arguments. Escape quotemarks in
              arguments with a backslash. For tracing empty arguments or
              arguments that contain whitespace.

       -n NAME
              Only print command lines matching this name (regex).

       -l LINE
              Only print commands where an argument contains this line (regex).

       --max-args MAXARGS
              Maximum number of arguments parsed and displayed, defaults to 20.


EXAMPLES

       Trace all exec() syscalls:
              # execsnoop

       Trace all exec() syscalls, and include timestamps:
              # execsnoop -t

       Include failed exec()s:
              # execsnoop -x

       Put quotemarks around arguments:
              # execsnoop -q

       Only trace exec()s where the filename contains "mount":
              # execsnoop -n mount

       Only trace exec()s where the argument line contains "testpkg":
              # execsnoop -l testpkg


FIELDS

       TIME   Time of exec() return, in HH:MM:SS format.

       TIME(s)
              Time of exec() return, in seconds.

       PCOMM  Parent process/command name.

       PID    Process ID.

       PPID   Parent process ID.

       RET    Return value of exec(). 0 == success. Failures are only shown
              when using the -x option.

       ARGS   Filename for the exec(), followed by up to 19 arguments. An
              ellipsis "..." is shown if the argument list is known to be
              truncated.

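       As an added example (not part of bcc or this man page): a small Python
       parser for execsnoop's text output that honours the -q quoting rules
       and the "..." truncation marker described under FIELDS, so the events
       can be fed into a logging or detection pipeline. The sample output and
       all PIDs in it are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of `execsnoop -T -x -q` output (not real captured data).
SAMPLE = '''TIME     PCOMM            PID    PPID   RET ARGS
14:02:11 bash             15887  15885    0 "/usr/bin/ls" "-l" "/tmp"
14:02:13 bash             15890  15885   -2 "/usr/bin/nosuchcmd"
14:02:15 sh               15901  15899    0 "/bin/echo" "hello world" "say \\"hi\\"" "..."
'''

@dataclass
class ExecEvent:
    pcomm: str
    pid: int
    ppid: int
    ret: int                      # 0 == success; failures appear only with -x
    args: List[str] = field(default_factory=list)
    truncated: bool = False       # ARGS ended in "..." (hit --max-args)
    time: Optional[str] = None    # TIME / TIME(s) column when -T / -t was used

# One ARGS token: a -q quoted argument (backslash-escaped quotes inside) or a bare word.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')

def split_args(text: str):
    """Tokenise the ARGS column for plain and -q output; strip the "..." marker."""
    tokens = []
    for quoted, bare in _TOKEN.findall(text):
        # bare == '' means the quoted alternative matched (possibly an empty "" argument)
        tokens.append(re.sub(r'\\(.)', r'\1', quoted) if bare == '' else bare)
    truncated = bool(tokens) and tokens[-1] == '...'
    if truncated:
        tokens.pop()
    return tokens, truncated

def parse_execsnoop(output: str) -> List[ExecEvent]:
    """Turn execsnoop text output (header line first) into ExecEvent records."""
    lines = output.strip().splitlines()
    has_time = lines[0].split()[0].startswith('TIME')
    events = []
    for line in lines[1:]:
        # Fixed columns split on whitespace; ARGS keeps its internal spaces.
        cols = line.split(None, 5 if has_time else 4)
        time = cols.pop(0) if has_time else None
        pcomm, pid, ppid, ret = cols[:4]
        args, truncated = split_args(cols[4] if len(cols) > 4 else '')
        events.append(ExecEvent(pcomm, int(pid), int(ppid), int(ret), args, truncated, time))
    return events

def failed_execs(events: List[ExecEvent]) -> List[ExecEvent]:
    """Events whose exec() returned non-zero (only present when -x was used)."""
    return [e for e in events if e.ret != 0]
```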

OVERHEAD

       This traces the kernel execve function and prints output for each
       event. As the rate of this is generally expected to be low (< 1000/s),
       the overhead is also expected to be negligible. If you have an
       application that is calling a high rate of exec()s, then test and
       understand overhead before use.


SOURCE

       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.


OS

       Linux


STABILITY

       Unstable - in development.


AUTHOR

       Brendan Gregg


SEE ALSO

       opensnoop(1)



USER COMMANDS                     2016-02-07                      execsnoop(8)