Provided by: perf-tools-unstable_0.0.1~20150130+git85414b0-1_all bug


       execsnoop - trace process exec() with arguments. Uses Linux ftrace.


       execsnoop [-hrt] [-a argc] [-d secs] [name]


       execsnoop  traces  process  execution,  showing PID, PPID, and argument
       details if possible.

       This traces exec() from the fork()->exec()  sequence,  which  means  it
       won't catch new processes that only fork(). With the -r option, it will
       also catch processes that re-exec. It makes a  best-effort  attempt  to
       retrieve  the  program  arguments and PPID; if these are unavailable, 0
       and "[?]" are printed respectively. There is also a limit to the number
       of arguments printed (by default, 8), which can be increased using -a.

       This  implementation  is designed to work on older kernel versions, and
       without kernel debuginfo. It works by dynamic tracing an execve  kernel
       function to read the arguments from the %si register. The stub_execve()
       function is  tried  first,  and  then  the  do_execve()  function.  The
       sched:sched_process_fork  tracepoint,  is  used  for  the PPID. Tracing
       registers and kernel functions is an unstable technique, and this  tool
       may not work for some kernels or platforms.

       This program is a workaround that should be improved in the future when
       other kernel capabilities are  made  available.  If  you  need  a  more
       reliable  tool  now,  then  consider  other  tracing  alternatives (eg,
       SystemTap). This tool is really a proof of concept to see  what  ftrace
       can currently do.

       Since this uses ftrace, only the root user can use this tool.


       FTRACE  and  KPROBE  CONFIG,  sched:sched_process_fork  tracepoint, and
       either the  stub_execve()  or  do_execve()  kernel  function.  You  may
       already have these on recent kernels. And awk.


       -a argc
              Maximum  number  of arguments to show. The default is 8, and the
              maximum allowed is 16. If execsnoop thinks it has truncated  the
              argument list, an ellipsis "[...]" will be shown.

       -d seconds
              Duration   to  trace,  in  seconds.  This  also  uses  in-kernel

       -h     Print usage message.

       -r     Include re-exec()s.

       -t     Include timestamps in units of seconds.

       name   Only show processes that match this name.  Partials and  regular
              expressions  are  allowed,  as this is filtered in user space by


       Trace all new processes and arguments (if possible):
              # execsnoop

       Trace all new process names containing the text "http":
              # execsnoop http


       TIMEs  Time of the exec(), in seconds.

       PID    Process ID.

       PPID   Parent process ID, if this was able to be read. If it wasn't,  0
              is printed.

       ARGS   Command  line  arguments, if these were able to be read. If they
              aren't able to be read, "[?]" is printed (which would be due  to
              a  limitation  in  this  tools  implementation,  since  this  is
              workaround for older kernels;  if  you  need  reliable  argument
              tracing,  use a different tracer). They will be truncated to the
              argc limit, and an ellipsis "[...]" may be printed if  execsnoop
              is aware of the truncation.


       This  reads  and  processes  exec() events in user space as they occur.
       Since the rate of exec() is expected to be low (< 500/s), the  overhead
       is expected to be small or negligible.


       This is from the perf-tools collection.


       Also  look  under  the  examples  directory  for a text file containing
       example usage, output, and commentary for this tool.




       Unstable - in development.


       Brendan Gregg