1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
|
.\" Hey, EMACS: -*- nroff -*-
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH FORKSTAT 8 "16 April 2025"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
.\" .nh disable hyphenation
.\" .hy enable hyphenation
.\" .ad l left justify
.\" .ad b justify to both left and right margins
.\" .nf disable filling
.\" .fi enable filling
.\" .br insert line break
.\" .sp <n> insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
.nr TW 0
.SH NAME
forkstat \- a tool to show process fork/exec/exit activity
.br
.SH SYNOPSIS
.B forkstat
.RI [ options ]
.br
.SH DESCRIPTION
Forkstat is a program that logs process fork(), exec(), exit(), coredump and
process name change activity.
It is useful for monitoring system behaviour and to track down rogue processes
that are spawning off processes and potentially abusing the system.
.sp
Note that forkstat uses the Linux netlink connector to gather process activity
and this may miss events if the system is overly busy. Netlink connector also requires
root privilege.
.sp
Forkstat will display several columns of process related information:
.sp
.TS
lB lB
l lx.
Title Description
Time When the fork/exec/exit event occurred.
Event Type of event.
PID Process or thread ID.
Info Parent or child if a fork, or process exit(2) value.
Duration T{
On exit, the duration the command ran for in seconds.
T}
Process T{
The process name. The name will be in [ ] brackets if it is a kernel thread.
T}
.TE
.SH OPTIONS
forkstat options are as follow:
.TP
.B \-c
use the process 16 character comm field for the process name rather than command
line information.
.TP
.B \-d
strip off the directory path from the process name.
.TP
.B \-D seconds
specify duration in seconds to run forkstat.
.TP
.B \-e
specify events to trace as a comma separated list. By default the fork, exec and exit
events are traced. Available events are:
.sp
.TS
lB lB
l lx.
Event Description
fork forks
exec execs
exit exits
exitnonzero non-zero exits
core core dumps
comm process name changes in comm field
clone clone (normally on thread creation)
ptrce ptrace attach or detach
uid uid/gid events
sid sid events
all all the events above
.TE
.TP
.B \-E
enable all events, equivalent to \-e all
.TP
.B \-g
show glyph annotations of events, useful for easier identification of
different events.
.TP
.B \-h
show brief help summary.
.TP
.B \-l
set stdout to line-buffered mode.
.TP
.B \-p pgrpid
only show processes that match the process group id pgrpid
.TP
.B \-r
run with real time FIFO scheduling with maximum priority to keep up with high volumes
of process events.
.TP
.B \-s
show short process name information.
.TP
.B \-S
show event statistics.
.TP
.B \-q
run quietly and enable the \-S option.
.TP
.B \-x
show extra process related information: user ID and TTY of the process.
.TP
.B \-X
equivalent to options \-E \-g \-r \-S \-x, all events, glyphs, real time FIFO
scheduling, statistics and extra process information.
.SH EXAMPLES
.LP
Show process activity with short process names and directory base path stripped off:
.RS 8
forkstat \-s \-d
.RE
.LP
Trace forks and core dumps only:
.RS 8
forkstat \-e fork,core
.RE
.LP
Trace all events and print statistics at end:
.RS 8
forkstat \-e all \-S
.RE
.LP
Trace all events for 10 minutes:
.RS 8
forkstat \-E \-D 600
.RE
.LP
Trace clones for 1 minute:
.RS 8
forkstat \-e clone \-D 60
.RE
.SH SEE ALSO
.BR vmstat (8)
.SH AUTHOR
forkstat was written by Colin Ian King <colin.i.king@gmail.com>. Thanks also
for contributions from Philipp Gesang.
.PP
This manual page was written by Colin Ian King <colin.i.king@gmail.com>,
for the Ubuntu project (but may be used by others).
.SH COPYRIGHT
Copyright \(co 2014-2021 Canonical Ltd, Copyright \(co 2021-2025 Colin Ian King.
.br
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
