.TH execsnoop 1m "$Date:: 2007-08-05 #$" "USER COMMANDS"
.SH NAME
execsnoop \- snoop new process execution. Uses DTrace.
.SH SYNOPSIS
.B execsnoop
[\-a|\-A|\-ejhsvZ] [\-c command]
.SH DESCRIPTION
execsnoop prints details of new processes as they are executed.
Details such as UID, PID and argument listing are printed out.

This program is very useful to examine short lived processes that would
not normally appear in a prstat or "ps -ef" listing. Sometimes
applications will run hundreds of short lived processes in their
normal startup cycle, a behaviour that is easily monitored with execsnoop.

Since this uses DTrace, only the root user or users with the
dtrace_kernel privilege can run this command.
.SH OS
Solaris
.SH STABILITY
stable - needs the syscall provider.
.SH OPTIONS
.TP
\-a
print all data
.TP
\-A
dump all data, space delimited
.TP
\-e
safe output, parseable. This prevents the ARGS field containing "\\n"s,
to assist postprocessing.
.TP
\-j
print project ID
.TP
\-s
print start time, us
.TP
\-v
print start time, string
.TP
\-Z
print zonename
.TP
\-c command
command name to snoop
.SH EXAMPLES
.TP
Default output, print processes as they are executed,
#
.B execsnoop
.TP
Print human readable timestamps,
#
.B execsnoop
\-v
.TP
Print zonename,
#
.B execsnoop
\-Z
.TP
Snoop this command only,
#
.B execsnoop
\-c ls
.PP
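Added example, not part of the original man page or the DTraceToolkit: post-processing captured execsnoop \-e output in Python to count exec events per parent PID and to tally lines that do not parse, such as ARGS continuation lines when \-e was not used. The column layout (UID PID PPID ARGS), the sample lines and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the assumed default layout: UID PID PPID ARGS.
SAMPLE = """\
  UID    PID   PPID ARGS
    0   4101   3990 /bin/sh /opt/app/start.sh
    0   4102   4101 uname -a
    0   4103   4101 grep -c foo /etc/app.conf
    0   4104   4101 sed s/a/b/ /tmp/x
  100   4200   3500 ls -l
    0   4105   4101 rm /tmp/x
this line is a stray continuation
"""

# Three numeric columns followed by the free-form ARGS field.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse(text):
    """Return (events, skipped); skipped counts lines that are not event rows."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip() or line.split()[:1] == ["UID"]:
            continue  # blank line or column header
        m = ROW.match(line)
        if m is None:
            skipped += 1  # e.g. a newline inside ARGS split the record
            continue
        uid, pid, ppid, args = m.groups()
        events.append({"uid": int(uid), "pid": int(pid),
                       "ppid": int(ppid), "args": args})
    return events, skipped

def busy_parents(events, threshold):
    """Parent PIDs that started at least `threshold` processes, with counts."""
    counts = Counter(e["ppid"] for e in events)
    return {ppid: n for ppid, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    events, skipped = parse(SAMPLE)
    print(len(events), "exec events,", skipped, "unparsed lines")
    for ppid, n in sorted(busy_parents(events, 3).items()):
        print("PPID", ppid, "started", n, "processes")
```

A non-zero count of unparsed lines indicates the capture was taken without \-e or was truncated.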
.SH FIELDS
.TP
UID
User ID
.TP
PID
Process ID
.TP
PPID
Parent Process ID
.TP
COMM
command name for the process
.TP
ARGS
argument listing for the process
.TP
ZONE
zonename
.TP
PROJ
project ID
.TP
TIME
timestamp for the exec event, us
.TP
STRTIME
timestamp for the exec event, string
.SH DOCUMENTATION
See the DTraceToolkit for further documentation under the
Docs directory. The DTraceToolkit docs may include full worked
examples with verbose descriptions explaining the output.
.SH EXIT
execsnoop will run forever until Ctrl\-C is hit.
.SH AUTHOR
Brendan Gregg
[Sydney, Australia]
.SH SEE ALSO
dtrace(1M), truss(1)