freebsd-dev/cddl/contrib/dtracetoolkit/Examples/execsnoop_example.txt
2012-05-12 21:25:48 +00:00

The following is an example of execsnoop. As processes are executed, their
details are printed out. Another user was logged in and ran a few commands,
which can be seen below,

   # ./execsnoop
     UID   PID  PPID ARGS
     100  3008  2656 ls
     100  3009  2656 ls -l
     100  3010  2656 cat /etc/passwd
     100  3011  2656 vi /etc/hosts
     100  3012  2656 date
     100  3013  2656 ls -l
     100  3014  2656 ls
     100  3015  2656 finger
   [...]
In this example the command "man gzip" was executed. The output lets us
see what the man command is actually doing,

   # ./execsnoop
     UID   PID  PPID ARGS
     100  3064  2656 man gzip
     100  3065  3064 sh -c cd /usr/share/man; tbl /usr/share/man/man1/gzip.1 |nroff -u0 -Tlp -man -
     100  3067  3066 tbl /usr/share/man/man1/gzip.1
     100  3068  3066 nroff -u0 -Tlp -man -
     100  3066  3065 col -x
     100  3069  3064 sh -c trap '' 1 15; /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1 2>
     100  3070  3069 /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1
     100  3071  3064 sh -c more -s /tmp/mpoMaa_f
     100  3072  3071 more -s /tmp/mpoMaa_f
   ^C
Execsnoop has other options,

   # ./execsnoop -h
   USAGE: execsnoop [-a|-A|-sv] [-c command]
          execsnoop                # default output
                     -a            # print all data
                     -A            # dump all data, space delimited
                     -s            # include start time, us
                     -v            # include start time, string
                     -c command    # command name to snoop
In particular, the verbose option for human-readable timestamps is
very useful,

   # ./execsnoop -v
   STRTIME                UID   PID  PPID ARGS
   2005 Jan 22 00:07:22     0 23053 20933 date
   2005 Jan 22 00:07:24     0 23054 20933 uname -a
   2005 Jan 22 00:07:25     0 23055 20933 ls -latr
   2005 Jan 22 00:07:27     0 23056 20933 df -k
   2005 Jan 22 00:07:29     0 23057 20933 ps -ef
   2005 Jan 22 00:07:29     0 23057 20933 ps -ef
   2005 Jan 22 00:07:34     0 23058 20933 uptime
   2005 Jan 22 00:07:34     0 23058 20933 uptime
   [...]
It is also possible to match particular commands. Here we watch
anyone using the vi command only,

   # ./execsnoop -vc vi
   STRTIME                UID   PID  PPID ARGS
   2005 Jan 22 00:10:33     0 23063 20933 vi /etc/passwd
   2005 Jan 22 00:10:40     0 23064 20933 vi /etc/shadow
   2005 Jan 22 00:10:51     0 23065 20933 vi /etc/group
   2005 Jan 22 00:10:57     0 23066 20933 vi /.rhosts
   [...]
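The two things an operator usually wants from this output are the ones the "man gzip" session and the vi session above illustrate: rebuilding which exec'd which (the PID/PPID columns) and picking out execs whose command line names a file worth reviewing. The following Python is an added example, not part of the DTraceToolkit; it parses the text execsnoop prints in both the default and the -v (STRTIME) layouts, reconstructs the exec tree under a chosen pid, and lists records whose argv contains one of an assumed watch list of paths (WATCHED_PATHS). The two sample inputs are constructed from the output shown on this page.

```python
"""Post-process execsnoop output: rebuild the exec tree and flag watched paths.
Added example, not part of the DTraceToolkit; the samples are built from the page."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ExecRecord:
    strtime: Optional[str]   # None in the default layout, "2005 Jan 22 00:07:22" with -v
    uid: int
    pid: int
    ppid: int
    args: str


# Constructed sample: the "man gzip" session from the page, default layout.
SAMPLE_DEFAULT = """\
UID PID PPID ARGS
100 3064 2656 man gzip
100 3065 3064 sh -c cd /usr/share/man; tbl /usr/share/man/man1/gzip.1 |nroff -u0 -Tlp -man -
100 3067 3066 tbl /usr/share/man/man1/gzip.1
100 3068 3066 nroff -u0 -Tlp -man -
100 3066 3065 col -x
100 3069 3064 sh -c trap '' 1 15; /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1 2>
100 3070 3069 /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1
100 3071 3064 sh -c more -s /tmp/mpoMaa_f
100 3072 3071 more -s /tmp/mpoMaa_f
"""

# Constructed sample: -v layout, one harmless command plus the vi session from the page.
SAMPLE_VERBOSE = """\
STRTIME UID PID PPID ARGS
2005 Jan 22 00:07:22 0 23053 20933 date
2005 Jan 22 00:10:33 0 23063 20933 vi /etc/passwd
2005 Jan 22 00:10:40 0 23064 20933 vi /etc/shadow
2005 Jan 22 00:10:51 0 23065 20933 vi /etc/group
2005 Jan 22 00:10:57 0 23066 20933 vi /.rhosts
[...]
"""

# Assumed watch list: files whose appearance on an exec'd command line merits review.
WATCHED_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/group", "/.rhosts")


def parse_execsnoop(text: str) -> List[ExecRecord]:
    """Turn execsnoop text into records; the header line says which layout follows."""
    records: List[ExecRecord] = []
    verbose = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[...]", "^C")):
            continue                      # prompt, truncation marker, interrupt
        if line.startswith("STRTIME"):
            verbose = True                # -v layout: four timestamp tokens precede UID
            continue
        if line.startswith("UID"):
            verbose = False
            continue
        if verbose:
            parts = line.split(None, 7)   # yyyy Mon dd HH:MM:SS uid pid ppid args
            if len(parts) < 8:
                continue
            strtime, (uid, pid, ppid, args) = " ".join(parts[:4]), parts[4:8]
        else:
            parts = line.split(None, 3)   # uid pid ppid args
            if len(parts) < 4:
                continue
            strtime, (uid, pid, ppid, args) = None, parts
        records.append(ExecRecord(strtime, int(uid), int(pid), int(ppid), args))
    return records


def build_tree(records: List[ExecRecord]) -> Dict[int, List[ExecRecord]]:
    """Map each parent pid to the records it exec'd, in the order they appeared."""
    children: Dict[int, List[ExecRecord]] = {}
    for r in records:
        children.setdefault(r.ppid, []).append(r)
    return children


def descendants(children: Dict[int, List[ExecRecord]], root_pid: int) -> List[int]:
    """All pids exec'd, directly or indirectly, under root_pid."""
    found, stack = [], [root_pid]
    while stack:
        for child in children.get(stack.pop(), []):
            found.append(child.pid)
            stack.append(child.pid)
    return found


def render_tree(children, root_pid, by_pid, depth=0) -> List[str]:
    """Indented lines showing how e.g. "man gzip" fans out into sh, col, tbl, nroff, mv, more."""
    root = by_pid.get(root_pid)
    label = root.args if root else "(not exec'd during the trace)"
    lines = ["  " * depth + f"{root_pid} {label}"]
    for child in sorted(children.get(root_pid, []), key=lambda r: r.pid):
        lines.extend(render_tree(children, child.pid, by_pid, depth + 1))
    return lines


def find_watched(records: List[ExecRecord], paths=WATCHED_PATHS) -> List[ExecRecord]:
    """Records whose argv holds a watched path as a whole token (e.g. "vi /etc/shadow")."""
    return [r for r in records if any(tok in paths for tok in r.args.split())]


if __name__ == "__main__":
    recs = parse_execsnoop(SAMPLE_DEFAULT)
    print("\n".join(render_tree(build_tree(recs), 3064, {r.pid: r for r in recs})))
    for r in find_watched(parse_execsnoop(SAMPLE_VERBOSE)):
        print(f"{r.strtime} uid={r.uid} pid={r.pid} ppid={r.ppid} {r.args}")
```

Note that execsnoop prints in exec order, not tree order, so col (3066) appears after its own children tbl and nroff in the raw output; sorting by pid in render_tree is only a display choice, and the PPID column is what actually ties each record to its parent. Matching watched paths as whole argv tokens avoids firing on unrelated strings that merely contain "/etc/passwd" as a substring, at the cost of missing relative paths, which a reviewer would handle by canonicalising against the process's cwd if that is also captured.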