82 lines
4.4 KiB
Plaintext

The following is a demonstration of the lastwords command,
Here we run lastwords to catch syscalls from processes named "bash" as they
exit,
# ./lastwords bash
Tracing... Waiting for bash to exit...
1091567219163679 1861 bash sigaction 0 0
1091567219177487 1861 bash sigaction 0 0
1091567219189692 1861 bash sigaction 0 0
1091567219202085 1861 bash sigaction 0 0
1091567219214553 1861 bash sigaction 0 0
1091567219226690 1861 bash sigaction 0 0
1091567219238786 1861 bash sigaction 0 0
1091567219251697 1861 bash sigaction 0 0
1091567219265770 1861 bash sigaction 0 0
1091567219294110 1861 bash gtime 42a7c194 0
1091567219428305 1861 bash write 5 0
1091567219451138 1861 bash setcontext 0 0
1091567219473911 1861 bash sigaction 0 0
1091567219516487 1861 bash stat64 0 0
1091567219547973 1861 bash open64 4 0
1091567219638345 1861 bash write 5 0
1091567219658886 1861 bash close 0 0
1091567219689094 1861 bash open64 4 0
1091567219704301 1861 bash fstat64 0 0
1091567219731796 1861 bash read 2fe 0
1091567219745541 1861 bash close 0 0
1091567219768536 1861 bash lwp_sigmask ffbffeff 0
1091567219787494 1861 bash ioctl 0 0
1091567219801338 1861 bash setpgrp 6a3 0
1091567219814067 1861 bash ioctl 0 0
1091567219825791 1861 bash lwp_sigmask ffbffeff 0
1091567219847778 1861 bash setpgrp 0 0
TIME PID EXEC SYSCALL RETURN ERR
In another window, a bash shell was executed and then exited normally. The
last few system calls that the bash shell made can be seen above.
In the following example we moniter the exit of bash shells again, but this
time the bash shell sends itself a "kill -8",
# ./lastwords bash
Tracing... Waiting for bash to exit...
1091650185555391 1865 bash sigaction 0 0
1091650185567963 1865 bash sigaction 0 0
1091650185580316 1865 bash sigaction 0 0
1091650185592381 1865 bash sigaction 0 0
1091650185605046 1865 bash sigaction 0 0
1091650185618451 1865 bash sigaction 0 0
1091650185647663 1865 bash gtime 42a7c1e7 0
1091650185794626 1865 bash kill 0 0
1091650185836941 1865 bash lwp_sigmask ffbffeff 0
1091650185884145 1865 bash stat64 0 0
1091650185916135 1865 bash open64 4 0
1091650186005673 1865 bash write b 0
1091650186025782 1865 bash close 0 0
1091650186052002 1865 bash open64 4 0
1091650186067538 1865 bash fstat64 0 0
1091650186094289 1865 bash read 309 0
1091650186108086 1865 bash close 0 0
1091650186129965 1865 bash lwp_sigmask ffbffeff 0
1091650186149092 1865 bash ioctl 0 0
1091650186162614 1865 bash setpgrp 6a3 0
1091650186175457 1865 bash ioctl 0 0
1091650186187206 1865 bash lwp_sigmask ffbffeff 0
1091650186209514 1865 bash setpgrp 0 0
1091650186225307 1865 bash sigaction 0 0
1091650186238832 1865 bash getpid 749 0
1091650186260149 1865 bash kill 0 0
1091650186277925 1865 bash setcontext 0 0
TIME PID EXEC SYSCALL RETURN ERR
The last few system calls are different, we can see the kill system call
before bash exits.