bionic (8) execsnoop-bpfcc.8.gz

Provided by: bpfcc-tools_0.5.0-5ubuntu1_all bug

NAME
       execsnoop - Trace new processes via exec() syscalls. Uses Linux eBPF/bcc.


SYNOPSIS
       execsnoop [-h] [-t] [-x] [-n NAME] [-l LINE]


DESCRIPTION
       execsnoop traces new processes, showing the filename executed and argument list.

       It  works  by traces the execve() system call (commonly used exec() variant).  This catches new processes
       that follow the fork->exec sequence, as well as processes that re-exec()  themselves.  Some  applications
       fork() but do not exec(), eg, for worker processes, which won't be included in the execsnoop output.

       This  works  by tracing the kernel sys_execve() function using dynamic tracing, and will need updating to
       match any changes to this function.

       Since this uses BPF, only the root user can use this tool.


REQUIREMENTS
       CONFIG_BPF and bcc.


OPTIONS
       -h     Print usage message.

       -t     Include a timestamp column.

       -x     Include failed exec()s

       -n NAME
              Only print command lines matching this name (regex)

       -l LINE
              Only print commands where arg contains this line (regex)

       --max-args MAXARGS
              Maximum number of arguments parsed and displayed, defaults to 20


EXAMPLES
       Trace all exec() syscalls:
              # execsnoop

       Trace all exec() syscalls, and include timestamps:
              # execsnoop -t

       Include failed exec()s:
              # execsnoop -x

       Only trace exec()s where the filename contains "mount":
              # execsnoop -n mount

       Only trace exec()s where argument's line contains "testpkg":
              # execsnoop -l testpkg


FIELDS
       TIME(s)
              Time of exec() return, in seconds.

       PCOMM  Parent process/command name.

       PID    Process ID

       RET    Return value of exec(). 0 == successs. Failures are only shown when using the -x option.

       ARGS   Filename for the exec(), followed be up to 19  arguments.  An  ellipsis  "..."  is  shown  if  the
              argument list is known to be truncated.


OVERHEAD
       This traces the kernel execve function and prints output for each event. As the rate of this is generally
       expected to be low (< 1000/s), the overhead is also expected to be negligible. If you have an application
       that is calling a high rate of exec()s, then test and understand overhead before use.


SOURCE
       This is from bcc.

              https://github.com/iovisor/bcc

       Also  look  in  the bcc distribution for a companion _examples.txt file containing example usage, output,
       and commentary for this tool.


OS
       Linux


STABILITY
       Unstable - in development.


AUTHOR
       Brendan Gregg


SEE ALSO
       opensnoop(1)