killsnoop(8) System Manager's Manual killsnoop(8)

NAME
killsnoop.bt - Trace signals issued by the kill() syscall. Uses bpftrace/eBPF.

SYNOPSIS
killsnoop.bt

DESCRIPTION
killsnoop traces the kill() syscall, to show signals sent via this
method. This may be useful to troubleshoot failing applications, where
an unknown mechanism is sending signals.

This works by tracing the kill() syscall tracepoints.

Since this uses BPF, only the root user can use this tool.

REQUIREMENTS
CONFIG_BPF and bpftrace.

EXAMPLES
Trace all kill() syscalls:

    # killsnoop.bt

FIELDS
TIME   Time of the kill call.

PID    Source process ID

COMM   Source process name

SIG    Signal number. See signal(7).

TPID   Target process ID

RES    Result. 0 == success, a negative value (of the error code) for failure.

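The following Python triage of captured killsnoop.bt output is an added example, not part of bpftrace or of this man page. It assumes the columns appear in the order listed under FIELDS and that the operator supplies the set of watched target PIDs (812 here is hypothetical); the sample rows are constructed.

```python
import errno
from collections import Counter, namedtuple

Event = namedtuple("Event", "time pid comm sig tpid res")

# Constructed sample output, columns in the order the FIELDS section lists them.
SAMPLE = """\
TIME      PID    COMM             SIG  TPID   RES
00:09:37  22485  bash             2    23856  0
00:09:40  22485  bash             9    23856  -3
00:09:52  3117   probe.sh         0    1796   -1
00:10:03  4410   my worker        9    812    -1
00:10:05  4410   my worker        19   812    -1
00:10:09  1      systemd          15   812    0
"""

def parse(text):
    """Yield one Event per data row, skipping headers and malformed lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6:
            continue
        try:
            # COMM may contain spaces, so take the fixed fields from both ends.
            ev = Event(f[0], int(f[1]), " ".join(f[2:-3]),
                       int(f[-3]), int(f[-2]), int(f[-1]))
        except ValueError:
            continue  # header row or banner text
        yield ev

def findings(events, watched_tpids):
    """Return (reason, Event) pairs worth an analyst's attention."""
    out = []
    for e in events:
        if e.res == -errno.EPERM:
            # The sender lacked permission to signal the target (see kill(2)).
            out.append(("denied", e))
        elif e.res == 0 and e.sig != 0 and e.tpid in watched_tpids:
            # A real signal (not the signal-0 existence check) reached a watched PID.
            out.append(("delivered-to-watched", e))
    return out

def denied_by_sender(events):
    """Count EPERM failures per (PID, COMM) source to spot repeated attempts."""
    return Counter((e.pid, e.comm) for e in events if e.res == -errno.EPERM)

if __name__ == "__main__":
    events = list(parse(SAMPLE))
    for reason, e in findings(events, watched_tpids={812}):
        print(f"{e.time} {reason}: {e.comm}[{e.pid}] sig {e.sig} -> {e.tpid} (res {e.res})")
    print(denied_by_sender(events).most_common())
```
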
OVERHEAD
This traces the kernel kill function and prints output for each event.
As the rate of this is generally expected to be low (< 100/s), the
overhead is also expected to be negligible. If you have an application
that is calling a very high rate of kill()s for some reason, then test
and understand overhead before use.

SOURCE
This is from bpftrace.

https://github.com/iovisor/bpftrace

Also look in the bpftrace distribution for a companion _examples.txt
file containing example usage, output, and commentary for this tool.

This is a bpftrace version of the bcc tool of the same name. The bcc
tool may provide more options and customizations.

https://github.com/iovisor/bcc

OS
Linux

STABILITY
Unstable - in development.

AUTHOR
Brendan Gregg

SEE ALSO
opensnoop(8)

USER COMMANDS 2018-09-07 killsnoop(8)