execsnoop(1m) USER COMMANDS execsnoop(1m)
NAME
execsnoop - snoop new process execution. Uses DTrace.
SYNOPSIS
execsnoop [-a|-A|-ejhsvZ] [-c command]
DESCRIPTION
execsnoop prints details of new processes as they are executed. Details such as UID, PID and
argument listing are printed out.
This program is very useful to examine short lived processes that would not normally appear in a
prstat or "ps -ef" listing. Sometimes applications will run hundreds of short lived processes in
their normal startup cycle, a behaviour that is easily monitored with execsnoop.
Since this uses DTrace, only the root user or users with the dtrace_kernel privilege can run this
command.
OPTIONS
-a print all data
-A dump all data, space delimited
-e safe output, parseable. This prevents the ARGS field containing "\n"s, to assist postprocessing.
-j print project ID
-s print start time, us
-v print start time, string
-Z print zonename
-c command
command name to snoop
EXAMPLES
Default output, print processes as they are executed,
# execsnoop
Print human readable timestamps,
# execsnoop -v
Print zonename,
# execsnoop -Z
Snoop this command only,
# execsnoop -c ls
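Post-processing saved "-e" output to see which parent spawns the most short lived processes. This is an added example, not part of the original man page or the DTraceToolkit. It assumes the header row names the columns with ARGS last; exec_summary and sample_output are hypothetical names and the sample rows are constructed.

```shell
#!/bin/sh
# Added example (not DTraceToolkit code): count exec events per
# (UID, PPID, program) from saved `execsnoop -e` output.
# Assumption: the header row names the columns and ARGS is the last one.
# -e keeps each exec on one line, which this line-based parser relies on.
# Extra single-token columns (-Z, -j) are fine; -v is not, because
# STRTIME contains spaces.

exec_summary() {
    LC_ALL=C awk '
    # First row naming UID and ARGS is the header: record column positions.
    !hdr && /UID/ && /ARGS/ {
        for (i = 1; i <= NF; i++) col[$i] = i
        hdr = 1
        next
    }
    # Data rows: the first word of ARGS is the program that was executed.
    hdr && NF >= col["ARGS"] {
        key = $(col["UID"]) " " $(col["PPID"]) " " $(col["ARGS"])
        count[key]++
    }
    END {
        for (k in count) print count[k], k
    }' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample input: one startup script (PID 1201) spawning helpers.
sample_output() {
    cat <<'EOF'
  UID    PID   PPID ARGS
  100   1201    412 sh ./startup.sh
  100   1202   1201 sed -e s/a/b/ conf
  100   1203   1201 sed -e s/c/d/ conf
  100   1204   1201 grep -c x conf
  100   1205   1201 sed -e s/e/f/ conf
    0   1206      1 ls -l /tmp
EOF
}

# Typical use: capture first, then summarise (output: COUNT UID PPID PROGRAM)
#   execsnoop -e > exec.log      (stop with Ctrl-C)
#   exec_summary < exec.log
```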
FIELDS
UID User ID
PID Process ID
PPID Parent Process ID
COMM command name for the process
ARGS argument listing for the process
ZONE zonename
PROJ project ID
TIME timestamp for the exec event, us
STRTIME
timestamp for the exec event, string
DOCUMENTATION
See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may
include full worked examples with verbose descriptions explaining the output.
EXIT
execsnoop will run forever until Ctrl-C is hit.
AUTHOR
Brendan Gregg [Sydney, Australia]
SEE ALSO
dtrace(1M), truss(1)
version 1.20 Jul 02, 2005 execsnoop(1m)