xenial (8) forkstat.8.gz

NAME

       forkstat - a tool to show process fork/exec/exit activity

SYNOPSIS

       forkstat [-d] [-D] [-e] [-h] [-s] [-S] [-q]

DESCRIPTION

       Forkstat  is  a  program  that  logs  process  fork(),  exec(),  exit(), coredump and process name change
       activity.  It is useful for monitoring system behaviour and  to  track  down  rogue  processes  that  are
       spawning off processes and potentially abusing the system.

       Note  that  forkstat uses the Linux netlink connector to gather process activity and this may miss events
       if the system is overly busy. Netlink connector also requires root privilege.

       Forkstat will display several columns of process related information:

       Title      Description
       Time       When the fork/exec/exit event occurred.
       Event      Type of event.
       PID        Process or thread ID.
       Info       Parent or child if a fork, or exit value.
       Duration   On exit, the duration the command ran for in seconds.
       Process    The process name. The name will be in [ ] brackets if it is a kernel thread.

OPTIONS

       forkstat options are as follow:

       -d     strip off the directory path from the process name.

       -D seconds
              specify duration in seconds to run forkstat.

       -e     specify events to trace as a comma seperated list. By default the fork, exec and exit  events  are
              traced. Available events are:

              Event   Description
              fork    forks
              exec    execs
              exit    exits
              core    core dumps
              comm    process name changes in comm field
              clone   clone (normally on thread creation)
              all     all the events above

       -h     show brief help summary.

       -s     show short process name information.

       -S     show event statistics.

       -q     run quietly and enable the -S option.

EXAMPLES

       Show process activity with short process names and directory base path stripped off:
               forkstat -s -d

       Trace forks and core dumps only:
               forkstat -e fork,core

       Trace all events and print statistics at end:
               forkstat -e all -S

       Trace all events for 10 minutes:
               forkstat -e all -D 600

       Trace clones for 1 minute:
               forkstat -e clone -D 60

SEE ALSO

       vmstat(8)

AUTHOR

       forkstat was written by Colin King <colin.king@canonical.com>

       This manual page was written by Colin King <colin.king@canonical.com>, for the Ubuntu project (but may be
       used by others).

COPYRIGHT

       Copyright © 2014-2015 Canonical Ltd.
       This is free software; see the source for copying  conditions.   There  is  NO  warranty;  not  even  for
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

                                                  18 May, 2015                                       FORKSTAT(8)