execsnoop(1m) USER COMMANDS execsnoop(1m)

execsnoop - snoop new process execution. Uses DTrace.

execsnoop [-a|-A|-ejhsvZ] [-c command]

execsnoop prints details of new processes as they are executed. Details such as UID, PID and argument listing are printed out.

This program is very useful to examine short lived processes that would not normally appear in a prstat or "ps -ef" listing. Sometimes applications will run hundreds of short lived processes in their normal startup cycle, a behaviour that is easily monitored with execsnoop.

Since this uses DTrace, only users with root privileges can run this command.

print all data
dump all data, space delimited
safe output, parseable. This prevents the ARGS field containing "\n"s, to assist postprocessing.
print project ID
print start time, us
print start time, string
print zonename
command name to snoop

# execsnoop
# execsnoop -v
# execsnoop -Z
# execsnoop -c ls

User ID
Process ID
Parent Process ID
command name for the process
argument listing for the process
project ID
timestamp for the exec event, us
timestamp for the exec event, string

See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with verbose descriptions explaining the output.

execsnoop will run forever until Ctrl-C is hit.

Brendan Gregg [Sydney, Australia]

dtrace(1M), truss(1)

July 2, 2005 version 1.20