execsnoop(8)                System Manager's Manual               execsnoop(8)

NAME

       execsnoop.bt - Trace new processes via exec() syscalls. Uses
       bpftrace/eBPF.


SYNOPSIS

       execsnoop.bt


DESCRIPTION

       This traces when processes call exec() (execve()). It is handy for
       identifying new processes created via the usual fork()->exec()
       sequence. Note that the return value of execve() is not traced, so a
       line of output means that an exec() was attempted, not that it
       succeeded: the call may have failed (for example with ENOENT or
       EACCES), in which case the calling process continues running its
       original program. The arguments shown are read at syscall entry from
       the calling process's memory.

       This tool is useful for debugging shell scripts, including application
       startup. It is also useful for identifying a type of performance
       issue: a flood of short-lived processes that start and end quickly
       and so are not readily visible in top(1).

       Since this uses BPF, only the root user (or a user holding the
       kernel's BPF and perf capabilities) can use this tool.

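       The return-value gap described above can be closed with a second probe
       on the exit tracepoint. The following script is an added example for
       this page, not the bpftrace project's execsnoop.bt: it saves the
       pathname at syscall entry, where the caller's memory is still
       readable, and prints it with the return value when the syscall exits.
       It prints the filename rather than the joined argv because on a
       successful exec the old address space is gone by the time the syscall
       returns, which is also why execsnoop.bt prints at entry. The script
       name execsnoop_ret.bt and the map names are this example's own.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * execsnoop_ret.bt - trace execve() and report its return value.
 * Added example, not part of the bpftrace distribution.
 *
 * Output columns: TIME(ms) PID RET FILENAME. RET is 0 on success,
 * otherwise a negative errno (e.g. -2 for ENOENT, -13 for EACCES).
 */

BEGIN
{
	printf("%-10s %-6s %-5s %s\n", "TIME(ms)", "PID", "RET", "FILENAME");
}

/*
 * At entry the caller's address space is intact, so the pathname can be
 * read. It is saved per pid because the exit probe cannot read it: after
 * a successful exec the old memory no longer exists.
 */
tracepoint:syscalls:sys_enter_execve
{
	@file[pid] = str(args->filename);
	@start[pid] = nsecs;
}

/*
 * The exit probe fires for both outcomes. ret == 0 means the new program
 * is now running under the same pid; a negative value means the exec()
 * failed and the original program continues.
 */
tracepoint:syscalls:sys_exit_execve
/@start[pid]/
{
	printf("%-10u %-6d %-5d %s\n", elapsed / 1000000, pid, args->ret,
	    @file[pid]);
	delete(@file[pid]);
	delete(@start[pid]);
}

END
{
	clear(@file);
	clear(@start);
}
```

       Keying on pid (the thread group id) works for both a single-threaded
       caller and a non-leader thread that execs, since the process keeps
       its pid across a successful exec. Two threads of one process calling
       execve() at the same instant would share a slot; that race is rare
       and the worst outcome is a misattributed filename, not a missed
       event.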

REQUIREMENTS

       CONFIG_BPF, the syscalls tracepoints (CONFIG_FTRACE_SYSCALLS), and
       bpftrace.


EXAMPLES

       Trace all new processes calling execve():
              # execsnoop.bt


FIELDS

       TIME   Time of the exec() call, in milliseconds since program start.

       PID    Process ID of the process calling exec().

       ARGS   Process name and arguments (16 word maximum), read from the
              caller's argv at syscall entry; longer argument lists are
              truncated.


OVERHEAD

       This traces the execve() tracepoint and prints output for each event.
       As the rate of this is generally expected to be low (< 100/s), the
       overhead is also expected to be negligible. If you have an application
       that is spawning a high rate of new processes for a reason (a large
       build process, for example), this could cause a small amount of
       overhead: test and understand the overhead before use.

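       When the exec rate is high, the per-event printf is the cost. The
       following script is an added example for this page, not part of the
       bpftrace distribution: it counts execve() calls in the kernel and
       emits one line per second, plus a per-caller summary on exit, so it
       can be used to measure the rate before running execsnoop.bt on a busy
       system and to see which programs are producing a flood of short-lived
       processes. The script name execrate.bt and the map names are this
       example's own.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * execrate.bt - count execve() calls per second instead of printing
 * each one. Added example, not part of the bpftrace distribution.
 *
 * Counting happens in the kernel with count(); nothing is emitted per
 * event, so the overhead does not grow with the exec rate the way a
 * per-event printf does.
 */

BEGIN
{
	printf("Counting execve() calls per second... Hit Ctrl-C to end.\n");
}

/*
 * comm is read at syscall entry, so it names the program that called
 * exec() (the parent program), not the program about to be started.
 */
tracepoint:syscalls:sys_enter_execve
{
	@per_sec = count();
	@by_caller[comm] = count();
}

/* Once a second: report the count since the last tick and reset it. */
interval:s:1
{
	printf("%-6u s: ", elapsed / 1000000000);
	print(@per_sec);
	clear(@per_sec);
}

/* On Ctrl-C, print the callers ranked by exec count and drop the counter. */
END
{
	clear(@per_sec);
	print(@by_caller);
	clear(@by_caller);
}
```

       A sustained count well above the "< 100/s" figure given above is the
       signal to aggregate, or to filter by pid or comm, rather than to
       print every event.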

SOURCE

       This is from bpftrace.

              https://github.com/iovisor/bpftrace

       Also look in the bpftrace distribution for a companion _examples.txt
       file containing example usage, output, and commentary for this tool.

       This is a bpftrace version of the bcc tool of the same name. The bcc
       tool provides more fields and options to customize the output.

              https://github.com/iovisor/bcc


OS

       Linux


STABILITY

       Unstable - in development.


AUTHOR

       Brendan Gregg


SEE ALSO

       opensnoop(8)



USER COMMANDS                     2018-09-11                      execsnoop(8)