execsnoop - Trace new processes via exec() syscalls. Uses Linux eBPF/bcc.
execsnoop [-h] [-t] [-x] [-n NAME]
execsnoop traces new processes, showing the filename executed and argument list.
It works by tracing the execve() system call (the commonly used exec() variant). This
catches new processes that follow the fork->exec sequence, as well as
processes that re-exec() themselves. Some applications fork() but do not
exec(), eg, for worker processes; those won't be included in the execsnoop output.
This works by tracing the kernel sys_execve() function using dynamic tracing,
and will need updating to match any changes to this function.
Since this uses BPF, only the root user can use this tool.
Requires CONFIG_BPF and bcc.
- -h: Print usage message.
- -t: Include a timestamp column.
- -x: Include failed exec()s.
- -n NAME: Only print command lines matching this name (regex).
- Trace all exec() syscalls:
- # execsnoop
- Trace all exec() syscalls, and include timestamps:
- # execsnoop -t
- Include failed exec()s:
- # execsnoop -x
- Only trace exec()s where the filename or arguments contain "mount":
- # execsnoop -n mount
- Time of exec() return, in seconds.
- Parent process/command name.
- Process ID.
- Return value of exec(). 0 == success. Failures are only
shown when using the -x option.
- Filename for the exec(), followed by up to 19 arguments. An
ellipsis "..." is shown if the argument list is known to be truncated.
This traces the kernel execve function and prints output for each event. As the
rate of this is generally expected to be low (< 1000/s), the overhead is
also expected to be negligible. If you have an application that is calling a
high rate of exec()s, then test and understand overhead before use.
This is from bcc.
Also look in the bcc distribution for a companion _examples.txt file containing
example usage, output, and commentary for this tool.
Unstable - in development.