Provided by: forkstat_0.02.17-1_amd64 
NAME
forkstat - a tool to show process fork/exec/exit activity
SYNOPSIS
forkstat [-c] [-d] [-D] [-e] [-E] [-g] [-h] [-l] [-r] [-s] [-S] [-q] [-x] [-X]
DESCRIPTION
Forkstat is a program that logs process fork(), exec(), exit(), coredump and process name
change activity. It is useful for monitoring system behaviour and to track down rogue
processes that are spawning off processes and potentially abusing the system.
Note that forkstat uses the Linux netlink connector to gather process activity and this
may miss events if the system is overly busy. Netlink connector also requires root
privilege.
Forkstat will display several columns of process related information:
Title Description
Time When the fork/exec/exit event occurred.
Event Type of event.
PID Process or thread ID.
Info Parent or child if a fork, or process exit(2) value.
Duration On exit, the duration the command ran for in
seconds.
Process The process name. The name will be in [ ] brackets
if it is a kernel thread.
OPTIONS
forkstat options are as follow:
-c use the process 16 character comm field for the process name rather than command
line information.
-d strip off the directory path from the process name.
-D seconds
specify duration in seconds to run forkstat.
-e specify events to trace as a comma separated list. By default the fork, exec and
exit events are traced. Available events are:
Event Description
fork forks
exec execs
exit exits
core core dumps
comm process name changes in comm field
clone clone (normally on thread creation)
ptrce ptrace attach or detach
uid uid/gid events
sid sid events
all all the events above
-E enable all events, equivalent to -e all
-g show glyph annotations of events, useful for easier identification of different
events.
-h show brief help summary.
-l set stdout to line-buffered mode.
-r run with real time FIFO scheduling with maximum priority to keep up with high
volumes of process events.
-s show short process name information.
-S show event statistics.
-q run quietly and enable the -S option.
-x show extra process related information: user ID and TTY of the process.
-X equivalent to options -E -g -r -S -x, all events, glyphs, real time FIFO
scheduling, statistics and extra process information.
EXAMPLES
Show process activity with short process names and directory base path stripped off:
forkstat -s -d
Trace forks and core dumps only:
forkstat -e fork,core
Trace all events and print statistics at end:
forkstat -e all -S
Trace all events for 10 minutes:
forkstat -E -D 600
Trace clones for 1 minute:
forkstat -e clone -D 60
SEE ALSO
vmstat(8)
AUTHOR
forkstat was written by Colin Ian King <colin.i.king@gmail.com>. Thanks also for
contributions from Philipp Gesang.
This manual page was written by Colin Ian King <colin.i.king@gmail.com>, for the Ubuntu
project (but may be used by others).
COPYRIGHT
Copyright © 2014-2021 Canonical Ltd, Copyright © 2021 Colin Ian King.
This is free software; see the source for copying conditions. There is NO warranty; not
even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
15 November 2021 FORKSTAT(8)