killsnoop(8)                System Manager's Manual               killsnoop(8)

NAME

       killsnoop - Trace signals issued by the kill() syscall. Uses Linux
       eBPF/bcc.

SYNOPSIS

       killsnoop [-h] [-x] [-p PID] [-T PID] [-s SIGNAL]

DESCRIPTION

       killsnoop traces the kill() syscall, to show signals sent via this
       method. This may be useful to troubleshoot failing applications, where
       an unknown mechanism is sending signals.

       This works by tracing the kernel sys_kill() function using dynamic
       tracing, and will need updating to match any changes to this function.

       This makes use of a Linux 4.4 feature (bpf_perf_event_output()); for
       kernels older than 4.4, see the version under tools/old, which uses an
       older mechanism.

       Since this uses BPF, only the root user can use this tool.

REQUIREMENTS

       CONFIG_BPF and bcc.

OPTIONS

       -h     Print usage message.

       -x     Only print failed kill() syscalls.

       -p PID Trace this process ID only, which is the sender of the signal
              (filtered in-kernel).

       -T PID Trace this target process ID only, which is the receiver of the
              signal (filtered in-kernel).

       -s SIGNAL
              Trace this signal only (filtered in-kernel).

EXAMPLES

       Trace all kill() syscalls:
              # killsnoop

       Trace only kill() syscalls that failed:
              # killsnoop -x

       Trace PID 181 only:
              # killsnoop -p 181

       Trace target PID 189 only:
              # killsnoop -T 189

       Trace signal 9 only:
              # killsnoop -s 9

FIELDS

       TIME   Time of the kill call.

       PID    Source process ID

       COMM   Source process name

       SIG    Signal number. See signal(7).

       TPID   Target process ID

       RES    Result. 0 == success, a negative value (of the error code) for
              failure.
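
       An added example, not part of the bcc distribution: a Python parser
       for the columns listed above that names SIG and RES values and reports
       signals aimed at watched target PIDs or refused with EPERM. It assumes
       whitespace-separated rows in the FIELDS order under a header line that
       starts with TIME; the sample rows and the names KillEvent, parse_line,
       describe and findings are constructed for illustration.

```python
import errno
import signal
from typing import NamedTuple, Optional


class KillEvent(NamedTuple):
    time: str
    pid: int
    comm: str
    sig: int
    tpid: int
    res: int


def parse_line(line: str) -> Optional[KillEvent]:
    """Parse one row; return None for the header, blank or malformed lines."""
    parts = line.split()
    if len(parts) < 6 or parts[0] == "TIME":
        return None
    try:
        # COMM can contain spaces: it is everything between PID and the last 3 columns.
        sig, tpid, res = (int(x) for x in parts[-3:])
        return KillEvent(parts[0], int(parts[1]), " ".join(parts[2:-3]), sig, tpid, res)
    except ValueError:
        return None


def describe(ev: KillEvent) -> str:
    """Render an event with the signal name and, on failure, the errno name."""
    try:
        signame = signal.Signals(ev.sig).name
    except ValueError:  # signal 0 or a number this platform does not name
        signame = f"SIG#{ev.sig}"
    outcome = "ok" if ev.res == 0 else errno.errorcode.get(-ev.res, str(ev.res))
    return f"{ev.time} {ev.comm}[{ev.pid}] -> {ev.tpid} {signame} {outcome}"


def findings(lines, watched_tpids):
    """Return events aimed at a watched target PID or refused with EPERM."""
    events = filter(None, map(parse_line, lines))
    return [e for e in events if e.tpid in watched_tpids or e.res == -errno.EPERM]


# Constructed sample output (assumed layout, not captured from a real system).
SAMPLE = """\
TIME      PID    COMM             SIG  TPID   RES
09:14:02  4120   bash             9    3977   0
09:14:30  4120   bash             9    1024   -3
09:15:11  812    systemd-udevd    15   4388   0
09:15:47  5302   my worker        15   612    -1
""".splitlines()
```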

OVERHEAD

       This traces the kernel kill function and prints output for each event.
       As the rate of this is generally expected to be low (< 100/s), the
       overhead is also expected to be negligible. If you have an application
       that is calling a very high rate of kill()s for some reason, then test
       and understand overhead before use.

SOURCE

       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.

OS

       Linux

STABILITY

       Unstable - in development.

AUTHOR

       Brendan Gregg

SEE ALSO

       opensnoop(8), funccount(8)

USER COMMANDS                     2015-08-20                      killsnoop(8)