Provided by: perf-tools-unstable_1.0+git7ffb3fd-1ubuntu1_all bug

NAME

       killsnoop - trace kill() syscalls with process and signal details. Uses Linux ftrace.

SYNOPSIS

       killsnoop [-hst] [-d secs] [-p pid] [-n name]

DESCRIPTION

       This  traces  kill()  syscalls,  showing  which  process  killed which pid and returns the
       returncode (0 for success, -1 for error).

       This implementation is designed to work on  older  kernel  versions,  and  without  kernel
       debuginfo.  It  works  by dynamic tracing of the return value of kill() and associating it
       with the previous kill() syscall return.  This approach is kernel  version  specific,  and
       may  not work on your version.  It is a workaround, and proof of concept for ftrace, until
       more kernel tracing functionality is available.

       Since this uses ftrace, only the root user can use this tool.

REQUIREMENTS

       FTRACE  and  KPROBE  CONFIG,  syscalls:sys_enter_kill  and  syscalls:sys_exit_kill  kernel
       tracepoints (you may already have these on recent kernels) and awk.

OPTIONS

       -d secs
              Set  the duration of tracing, in seconds. Trace output will be buffered and printed
              at the end. This also reduces overheads by buffering in-kernel, instead of printing
              events as they occur.

              The      ftrace      buffer      has      a     fixed     size     per-CPU     (see
              /sys/kernel/debug/tracing/buffer_size_kb). If you think  events  are  missing,  try
              increasing that size.

       -h     Print usage message.

       -n name
              Only  show  processes  matching  this  process  name.  Partial  strings and regular
              expressions are allowed. This is post-filtered using awk.

       -p PID Only trace this process ID. This is filtered in-kernel.

       -s     Use human readable signal names, instead of signal numbers.

       -t     Include timestamps, in seconds.

EXAMPLES

       Trace all kill() syscalls with details:
              # killsnoop

       Trace kill() syscalls with readable signal names, and times:
              # killsnoop -st

       Track kill() syscalls for processes named "httpd":
              # killsnoop -n httpd

FIELDS

       TIMEs  Time of open() completion, in units of seconds.

       COMM   Process name (if known) of the process that issued the signal.

       PID    Process ID that issued the signal.

       TPID   Target PID for the signal.

       SIGNAL Signal number sent to the target process, or name if -s is used.

       RETURN Return status: 0 for success, -1 for failure.

OVERHEAD

       This reads and kill() syscalls as they occur. For high  rates  of  kills  (>  500/s),  the
       overhead  may  begin to be measurable, however, the rate is unlikely to get this high. And
       if it is: you should investigate why. Test yourself. You can  also  use  the  -d  mode  to
       buffer output, reducing overheads.

SOURCE

       This is from the perf-tools collection.

              https://github.com/brendangregg/perf-tools

       Also  look  under the examples directory for a text file containing example usage, output,
       and commentary for this tool.

OS

       Linux

STABILITY

       Unstable - in development.

AUTHOR

       Martin Probst

SEE ALSO

       tpoint(8), execsnoop(8), opensnoop(8)