Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
B
bcc
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
bcc
Commits
9fd2bcf3
Commit
9fd2bcf3
authored
Jan 28, 2016
by
Brenden Blanco
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #325 from brendangregg/master
bashreadline
parents
90a56d14
aa87997d
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
113 additions
and
0 deletions
+113
-0
README.md
README.md
+1
-0
man/man8/bashreadline.8
man/man8/bashreadline.8
+48
-0
tools/bashreadline.py
tools/bashreadline.py
+43
-0
tools/bashreadline_example.txt
tools/bashreadline_example.txt
+21
-0
No files found.
README.md
View file @
9fd2bcf3
...
...
@@ -65,6 +65,7 @@ Examples:
Tools:
-
tools/
[
bashreadline
](
tools/bashreadline.py
)
: Print entered bash commands system wide.
[
Examples
](
tools/bashreadline_example.txt
)
.
-
tools/
[
biolatency
](
tools/biolatency.py
)
: Summarize block device I/O latency as a histogram.
[
Examples
](
tools/biolatency_example.txt
)
.
-
tools/
[
biosnoop
](
tools/biosnoop.py
)
: Trace block device I/O with PID and latency.
[
Examples
](
tools/biosnoop_example.txt
)
.
-
tools/
[
funccount
](
tools/funccount.py
)
: Count kernel function calls.
[
Examples
](
tools/funccount_example.txt
)
.
...
...
man/man8/bashreadline.8
0 → 100644
View file @
9fd2bcf3
.TH bashreadline 8 "2016-01-28" "USER COMMANDS"
.SH NAME
bashreadline \- Print entered bash commands system wide. Uses Linux eBPF/bcc.
.SH SYNOPSIS
.B bashreadline
.SH DESCRIPTION
bashreadline traces the return of the readline() function using uprobes, to
show the bash commands that were entered interactively, system wide. The
entered command may fail: this is just showing what was entered.
This program is also a basic example of eBPF/bcc and uprobes.
Since this uses BPF, only the root user can use this tool.
.SH REQUIREMENTS
CONFIG_BPF and bcc.
.SH EXAMPLES
.TP
Trace bash commands system wide:
#
.B bashreadline
.SH FIELDS
.TP
TIME
Time of the command (HH:MM:SS).
.TP
PID
Process ID of the bash shell.
.TP
COMMAND
Entered command.
.SH OVERHEAD
As the rate of interactive bash commands is expected to be very low (<<100/s),
the overhead of this program is expected to be negligible.
.SH SOURCE
This is from bcc.
.IP
https://github.com/iovisor/bcc
.PP
Also look in the bcc distribution for a companion _examples.txt file containing
example usage, output, and commentary for this tool.
.SH OS
Linux
.SH STABILITY
Unstable - in development.
.SH AUTHOR
Brendan Gregg
.SH SEE ALSO
opensnoop(8)
tools/bashreadline.py
0 → 100755
View file @
9fd2bcf3
#!/usr/bin/python
#
# bashreadline Print entered bash commands from all running shells.
# For Linux, uses BCC, eBPF. Embedded C.
#
# This works by tracing the readline() function using a uretprobe (uprobes).
#
# Copyright 2016 Netflix, Inc.
# Licensed under the Apache License, Version 2.0 (the "License")
#
# 28-Jan-2016 Brendan Gregg Created this.
from
__future__
import
print_function
from
bcc
import
BPF
from
time
import
strftime
# load BPF program
bpf_text
=
"""
#include <uapi/linux/ptrace.h>
int printret(struct pt_regs *ctx) {
if (!ctx->ax)
return 0;
char str[80] = {};
bpf_probe_read(&str, sizeof(str), (void *)ctx->ax);
bpf_trace_printk("%s
\
\
n", &str);
return 0;
};
"""
b
=
BPF
(
text
=
bpf_text
)
b
.
attach_uretprobe
(
name
=
"/bin/bash"
,
sym
=
"readline"
,
fn_name
=
"printret"
)
# header
print
(
"%-9s %-6s %s"
%
(
"TIME"
,
"PID"
,
"COMMAND"
))
# format output
while
1
:
try
:
(
task
,
pid
,
cpu
,
flags
,
ts
,
msg
)
=
b
.
trace_fields
()
except
ValueError
:
continue
print
(
"%-9s %-6d %s"
%
(
strftime
(
"%H:%M:%S"
),
pid
,
msg
))
tools/bashreadline_example.txt
0 → 100644
View file @
9fd2bcf3
Demonstrations of bashreadline, the Linux eBPF/bcc version.
This prints bash commands from all running bash shells on the system. For
example:
# ./bashreadline
TIME PID COMMAND
05:28:25 21176 ls -l
05:28:28 21176 date
05:28:35 21176 echo hello world
05:28:43 21176 foo this command failed
05:28:45 21176 df -h
05:29:04 3059 echo another shell
05:29:13 21176 echo first shell again
The entered command may fail. This is just showing what command lines were
entered interactively for bash to process.
It works by tracing the return of the readline() function using uprobes
(specifically a uretprobe).
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment