forkstat - a tool to show process fork/exec/exit activity
Forkstat is a program that logs process fork(), exec(), exit(), coredump and
process name change activity. It is useful for monitoring system behaviour and
for tracking down rogue processes that are spawning off processes and potentially
abusing the system.
Note that forkstat uses the Linux netlink connector to gather process activity,
and this may miss events if the system is overly busy. The netlink connector also
requires root privilege.
Forkstat will display several columns of process related information:
- When the fork/exec/exit event occurred.
- Type of event.
- Process or thread ID.
- Parent or child if a fork, or process exit(2) value.
- On exit, the duration the command ran for in seconds.
- Process: The process name. The name will be in [ ] brackets if it is a kernel
forkstat options are as follows:
- strip off the directory path from the process name.
- -D seconds: specify duration in seconds to run forkstat.
- specify events to trace as a comma separated list. By
default the fork, exec and exit events are traced. Available events are:
  - process name changes in comm field
  - clone (normally on thread creation)
  - ptrace attach or detach
  - all the events above
- show brief help summary.
- set stdout to line-buffered mode.
- run with real time FIFO scheduling with maximum priority to
keep up with high volumes of process events.
- show short process name information.
- show event statistics.
- run quietly and enable the -S option.
- show extra process related information: user ID and TTY of
Show process activity with short process names and directory base path stripped:
forkstat -s -d
Trace forks and core dumps only:
forkstat -e fork,core
Trace all events and print statistics at end:
forkstat -e all -S
Trace all events for 10 minutes:
forkstat -e all -D 600
Trace clones for 1 minute:
forkstat -e clone -D 60
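Tracking down a process that is spawning off many children, as described at the top of this page, can be done by counting fork events per parent PID. The script below is an added example, not part of forkstat or its manual. It assumes whitespace-separated output in the column order listed above, with "parent" or "child" in the fourth column on fork lines. The names fork_heavy and sample_events are hypothetical, and the sample events are constructed.

```shell
#!/bin/sh
# Added example: flag processes that fork heavily, from forkstat-style output.
# Assumed layout (whitespace-separated, in the column order the page lists):
#   time  event  pid  info  [duration]  process...
# On fork lines the info column is assumed to read "parent" or "child".

# fork_heavy THRESHOLD: read events on stdin and print "count pid process"
# for every parent PID with at least THRESHOLD forks, busiest first.
fork_heavy() {
    awk -v min="$1" '
        $2 == "fork" && $4 == "parent" {
            pid = $3
            count[pid]++
            # Rebuild the process name (it may contain spaces) from field 5 on.
            name = $5
            for (i = 6; i <= NF; i++) name = name " " $i
            proc[pid] = name
        }
        END {
            for (pid in count)
                if (count[pid] >= min)
                    printf "%d %s %s\n", count[pid], pid, proc[pid]
        }
    ' | sort -k1,1nr -k2,2n
}

# Constructed sample events (not captured from a real system).
sample_events() {
    cat <<'EOF'
10:00:01 fork 812 parent /usr/sbin/cron
10:00:01 fork 4001 child /usr/sbin/cron
10:00:01 exec 4001 /bin/sh -c run-parts
10:00:02 fork 4100 parent ./worker
10:00:02 fork 4101 child ./worker
10:00:02 fork 4100 parent ./worker
10:00:02 fork 4102 child ./worker
10:00:03 fork 4100 parent ./worker
10:00:03 fork 4103 child ./worker
10:00:03 exit 4101 0 0.412 ./worker
EOF
}

# Offline demo; live use (as root) would be:
#   forkstat -e fork -D 60 | fork_heavy 100
sample_events | fork_heavy 3
```

Because the netlink connector may miss events on a busy system, the counts are a lower bound on the real fork rate.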
forkstat was written by Colin King <email@example.com>. Thanks also
for contributions from Philipp Gesang.
This manual page was written by Colin King <firstname.lastname@example.org>, for
the Ubuntu project (but may be used by others).
Copyright © 2014-2017 Canonical Ltd.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR