File: execsnoop.bt

package info (click to toggle)
bpftrace 0.24.1-1.1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 10,496 kB
  • sloc: cpp: 60,982; ansic: 10,952; python: 953; yacc: 665; sh: 536; lex: 295; makefile: 22
file content (63 lines) | stat: -rwxr-xr-x 2,387 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
 
#!/usr/bin/env bpftrace
/*
 * execsnoop.bt   Trace new processes via exec() syscalls.
 *                For Linux, uses bpftrace and eBPF.
 *
 * This traces when processes call exec(). It is handy for identifying new
 * processes created via the usual fork()->exec() sequence. Note that the
 * return value is not currently traced, so the exec() may have failed.
 *
 * TODO: switch to tracepoints args. Support more args. Include retval.
 * 
 * Example of usage:
 * 
 * # ./execsnoop.bt
 * Attaching 3 probes...
 * TIME            PID     PPID    ARGS
 * 08:57:52.430193 3187374 1971701 ls --color --color=auto -lh execsnoop.bt execsnoop.bt.0 execsnoop.bt.1
 * 08:57:52.441868 3187378 3187375 man ls
 * 08:57:52.473565 3187384 3187378 preconv -e UTF-8
 * 08:57:52.473620 3187384 3187378 preconv -e UTF-8
 * 08:57:52.473658 3187384 3187378 preconv -e UTF-8
 * 08:57:52.473839 3187385 3187378 tbl
 * 08:57:52.473897 3187385 3187378 tbl
 * 08:57:52.473944 3187385 3187378 tbl
 * 08:57:52.474055 3187386 3187378 nroff -mandoc -Tutf8
 * 08:57:52.474107 3187386 3187378 nroff -mandoc -Tutf8
 * 08:57:52.474145 3187386 3187378 nroff -mandoc -Tutf8
 * 08:57:52.474684 3187388 3187378 less
 * 08:57:52.474739 3187388 3187378 less
 * 08:57:52.474780 3187388 3187378 less
 * 08:57:52.475502 3187389 3187386 groff -Tutf8 -mtty-char -mandoc
 * 08:57:52.476717 3187390 3187389 troff -mtty-char -mandoc -Tutf8
 * 08:57:52.476811 3187391 3187389 grotty
 * 
 * The output begins by showing an "ls" command, and then the process execution
 * to serve "man ls". The same exec arguments appear multiple times: in this case
 * they are failing as the $PATH variable is walked, until one finally succeeds.
 * 
 * This tool can be used to discover unwanted short-lived processes that may be
 * causing performance issues such as latency perturbations.
 * 
 * This is a bpftrace version of the bcc tool of the same name.
 * The bcc version provides more fields and command line options.
 * 
 * 15-Nov-2017	Brendan Gregg	Created this.
 * 11-Sep-2018	   "     "	Switched to use join().
 */

#ifndef BPFTRACE_HAVE_BTF
#include <linux/sched.h>
#endif

BEGIN
{
	printf("%-15s %-7s %-7s %s\n", "TIME", "PID", "PPID", "ARGS");
}

tracepoint:syscalls:sys_enter_exec*
{
	$task = (struct task_struct *)curtask;
	printf("%15s %-7d %-7d ", strftime("%H:%M:%S.%f", nsecs), pid, $task->real_parent->pid);
	join(args.argv);
}