#!/usr/bin/env bpftrace
/*
* execsnoop.bt Trace new processes via exec() syscalls.
* For Linux, uses bpftrace and eBPF.
*
* This traces when processes call exec(). It is handy for identifying new
* processes created via the usual fork()->exec() sequence. Note that a line
* is printed at syscall entry and the return value is not traced, so the
* exec() may have failed (the process then carries on with its old image).
* ARGS is argv exactly as the caller supplied it, read from the caller's
* memory at entry: it is under the caller's control (argv[0] need not name
* the binary that runs) and may be truncated by bpftrace's string limits,
* so treat it as evidence of intent, not as proof of what executed.
*
* TODO: switch to tracepoints args. Support more args. Include retval.
*
* This is a bpftrace version of the bcc tool of the same name.
*
* 15-Nov-2017 Brendan Gregg Created this.
* 11-Sep-2018 " " Switched to use join().
*/
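BEGIN
{
	/*
	 * Column header. TIME(ms) is milliseconds since bpftrace started
	 * (the elapsed builtin), not wall-clock time.
	 */
	printf("%-10s %-5s %-6s %-24s %s\n", "TIME(ms)", "PID", "UID", "FILENAME", "ARGS");
}

/*
 * Fires at entry to execve() and execveat() (the sys_enter_exec* wildcard),
 * before the kernel has validated or loaded anything, so a line here does
 * not mean the exec succeeded; the return value is not traced.
 *
 * UID is the real uid of the calling task, printed so a line can be
 * attributed without a second lookup.
 *
 * FILENAME is the path the caller passed to the syscall (for execveat it
 * may be relative to a dirfd, which is not printed). ARGS is argv as the
 * caller supplied it. Both are read from the calling process's memory at
 * syscall entry and are under its control: argv[0] need not match the
 * executed binary, and another thread can rewrite either buffer between
 * this read and the kernel's own copy. Treat them as untrusted evidence of
 * intent rather than as the authoritative executed path. Both are subject
 * to bpftrace's string-length and join() limits, so long paths or argument
 * lists may be truncated.
 */
tracepoint:syscalls:sys_enter_exec*
{
	/* elapsed is nanoseconds since bpftrace started; report milliseconds. */
	printf("%-10u %-5d %-6d %-24s ", elapsed / 1e6, pid, uid, str(args->filename));
	join(args->argv);
}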