killsnoop(8)

1killsnoop(8)                System Manager's Manual               killsnoop(8)
2
3
4

NAME

6       killsnoop.bt  -  Trace  signals issued by the kill() syscall. Uses bpf‐
7       trace/eBPF.
8

SYNOPSIS

10       killsnoop.bt
11

DESCRIPTION

13       killsnoop traces the kill() syscall, to  show  signals  sent  via  this
14       method.  This may be useful to troubleshoot failing applications, where
15       an unknown mechanism is sending signals.
16
17       This works by tracing the kill() syscall tracepoints.
18
19       Since this uses BPF, only the root user can use this tool.
20

REQUIREMENTS

22       CONFIG_BPF and bpftrace.
23

EXAMPLES

25       Trace all kill() syscalls:
26              # killsnoop.bt
27

FIELDS

29       TIME   Time of the kill call.
30
31       PID    Source process ID
32
33       COMM   Source process name
34
35       SIG    Signal number. See signal(7).
36
37       TPID   Target process ID
38
39       RES    Result. 0 == success, a negative value (of the error  code)  for
40              failure.
41

OVERHEAD

43       This  traces the kernel kill function and prints output for each event.
44       As the rate of this is generally expected to  be  low  (<  100/s),  the
45       overhead  is also expected to be negligible. If you have an application
46       that is calling a very high rate of kill()s for some reason, then  test
47       and understand overhead before use.
48

SOURCE

50       This is from bpftrace.
51
52              https://github.com/iovisor/bpftrace
53
54       Also  look  in  the bpftrace distribution for a companion _examples.txt
55       file containing example usage, output, and commentary for this tool.
56
57       This is a bpftrace version of the bcc tool of the same  name.  The  bcc
58       tool may provide more options and customizations.
59
60              https://github.com/iovisor/bcc
61

OS

63       Linux
64

STABILITY

66       Unstable - in development.
67

AUTHOR

69       Brendan Gregg
70