forkstat(8) a tool to show process fork/exec/exit activity

SYNOPSIS

forkstat [-d] [-D] [-e] [-h] [-s] [-S] [-q]

DESCRIPTION

Forkstat is a program that logs process fork(), exec(), exit(), coredump and process name change activity. It is useful for monitoring system behaviour and to track down rogue processes that are spawning off processes and potentially abusing the system.

Note that forkstat uses the Linux netlink connector to gather process activity and this may miss events if the system is overly busy. Netlink connector also requires root privilege.

Forkstat will display several columns of process related information:

TitleDescription
TimeWhen the fork/exec/exit event occurred.
EventType of event.
PIDProcess or thread ID.
InfoParent or child if a fork, or exit value.
DurationOn exit, the duration the command ran for in seconds.
ProcessThe process name. The name will be in [ ] brackets if it is a kernel thread.

OPTIONS

forkstat options are as follow:
-d
strip off the directory path from the process name.
-D seconds
specify duration in seconds to run forkstat.
-e
specify events to trace as a comma seperated list. By default the fork, exec and exit events are traced. Available events are:
EventDescription
forkforks
execexecs
exitexits
corecore dumps
commprocess name changes in comm field
cloneclone (normally on thread creation)
allall the events above
-h
show brief help summary.
-s
show short process name information.
-S
show event statistics.
-q
run quietly and enable the -S option.

EXAMPLES

Show process activity with short process names and directory base path stripped off:

forkstat -s -d

Trace forks and core dumps only:

forkstat -e fork,core

Trace all events and print statistics at end:

forkstat -e all -S

Trace all events for 10 minutes:

forkstat -e all -D 600

Trace clones for 1 minute:

forkstat -e clone -D 60

AUTHOR

forkstat was written by Colin King <[email protected]>

This manual page was written by Colin King <[email protected]>, for the Ubuntu project (but may be used by others).

COPYRIGHT

Copyright © 2014-2015 Canonical Ltd.
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.