NAME

execsnoop - snoop new process execution. Uses DTrace.

SYNOPSIS

execsnoop [-a|-A|-ejhsvZ] [-c command]

DESCRIPTION

execsnoop prints details of new processes as they are executed. Details such as UID, PID and argument listing are printed out.

This program is very useful to examine short lived processes that would not normally appear in a prstat or "ps -ef" listing. Sometimes applications will run hundreds of short lived processes in their normal startup cycle, a behaviour that is easily monitored with execsnoop.

Since this uses DTrace, only users with root privileges can run this command.

OPTIONS

-a

print all data

-A

dump all data, space delimited

-e

safe output, parseable. This prevents the ARGS field containing "\n"s, to assist postprocessing.

-j

print project ID

-s

print start time, us

-v

print start time, string

-Z

print zonename

-c command

command name to snoop

EXAMPLES

Default output, print processes as they are executed,

# execsnoop

Print human readable timestamps,

# execsnoop -v

Print zonename,

# execsnoop -Z

Snoop this command only,

# execsnoop -c ls

FIELDS

UID

User ID

PID

Process ID

PPID

Parent Process ID

COMM

command name for the process

ARGS

argument listing for the process

ZONE

zonename

PROJ

project ID

TIME

timestamp for the exec event, us

STRTIME

timestamp for the exec event, string

DOCUMENTATION

See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with verbose descriptions explaining the output.

EXIT

execsnoop will run forever until Ctrl-C is hit.

AUTHOR

Brendan Gregg [Sydney, Australia]

SEE ALSO

dtrace(1M), truss(1)