execsnoop(8) trace process exec() with arguments. Uses Linux ftrace.


execsnoop [-hrt] [-a argc] [-d secs] [name]


execsnoop traces process execution, showing PID, PPID, and argument details if possible.

This traces exec() from the fork()->exec() sequence, which means it won't catch new processes that only fork(). With the -r option, it will also catch processes that re-exec. It makes a best-effort attempt to retrieve the program arguments and PPID; if these are unavailable, 0 and "[?]" are printed respectively. There is also a limit to the number of arguments printed (by default, 8), which can be increased using -a.

This implementation is designed to work on older kernel versions, and without kernel debuginfo. It works by dynamic tracing an execve kernel function to read the arguments from the %si register. The stub_execve() function is tried first, and then the do_execve() function. The sched:sched_process_fork tracepoint, is used for the PPID. Tracing registers and kernel functions is an unstable technique, and this tool may not work for some kernels or platforms.

This program is a workaround that should be improved in the future when other kernel capabilities are made available. If you need a more reliable tool now, then consider other tracing alternatives (eg, SystemTap). This tool is really a proof of concept to see what ftrace can currently do.

Since this uses ftrace, only the root user can use this tool.


FTRACE and KPROBE CONFIG, sched:sched_process_fork tracepoint, and either the stub_execve() or do_execve() kernel function. You may already have these on recent kernels. And awk.


-a argc
Maximum number of arguments to show. The default is 8, and the maximum allowed is 16. If execsnoop thinks it has truncated the argument list, an ellipsis "[...]" will be shown.
-d seconds
Duration to trace, in seconds. This also uses in-kernel buffering.
Print usage message.
Include re-exec()s.
Include timestamps in units of seconds.
Only show processes that match this name. Partials and regular expressions are allowed, as this is filtered in user space by awk.


Trace all new processes and arguments (if possible):
# execsnoop
Trace all new process names containing the text "http":
# execsnoop http


Time of the exec(), in seconds.
Process ID.
Parent process ID, if this was able to be read. If it wasn't, 0 is printed.
Command line arguments, if these were able to be read. If they aren't able to be read, "[?]" is printed (which would be due to a limitation in this tools implementation, since this is workaround for older kernels; if you need reliable argument tracing, use a different tracer). They will be truncated to the argc limit, and an ellipsis "[...]" may be printed if execsnoop is aware of the truncation.


This reads and processes exec() events in user space as they occur. Since the rate of exec() is expected to be low (< 500/s), the overhead is expected to be small or negligible.


This is from the perf-tools collection.

Also look under the examples directory for a text file containing example usage, output, and commentary for this tool.




Unstable - in development.


Brendan Gregg