add execsnoop tool

ac436bba · Brendan Gregg · Alastair Robertson · 1da09dbc · ac436bba · ac436bba
Commit ac436bba authored Mar 20, 2018 by Brendan Gregg Committed by Alastair Robertson Mar 24, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 82 additions and 0 deletions

tools/execsnoop.bt tools/execsnoop.bt +42 -0

tools/execsnoop_example.txt tools/execsnoop_example.txt +40 -0

No files found.
--- a/tools/execsnoop.bt
+++ b/tools/execsnoop.bt
+//
+// execsnoop.bt - basic process exec tracing tool.
+//                For Linux, uses bpftrace, eBPF.
+//
+// This traces when processes call exec(). It is handy for identifying new
+// processes created via the usual fork()->exec() sequence. Note that the
+// return value is not currently traced, so the exec() may have failed.
+// Also, only the first five arguments are currently printed.
+//
+// TODO: switch to proc tracepoints. Support more args. Include retval.
+//
+// 15-Nov-2017	Brendan Gregg	Created this.
+//
+BEGIN
+{
+	printf("%-10s %-5s %s\n", "TIME(ms)", "PID", "ARGS");
+	@epoch = nsecs;
+}
+kprobe:sys_execve
+{
+	$step = 8;	// sizeof (char *)
+	$ptr = arg1;
+	$now = nsecs;
+	printf("%-10u %-5d %s",
+	    ($now - @epoch) / 1000000, pid,
+	    str(*$ptr));
+	// unrolled loop for now:
+	$ptr = $ptr + $step; printf(" %s", str(*$ptr));
+	$ptr = $ptr + $step; printf(" %s", str(*$ptr));
+	$ptr = $ptr + $step; printf(" %s", str(*$ptr));
+	$ptr = $ptr + $step; printf(" %s", str(*$ptr));
+	$ptr = $ptr + $step; printf(" %s", str(*$ptr));
+	printf("\n");
+}
+END
+{
+	@epoch = delete();
+}
--- a/tools/execsnoop_example.txt
+++ b/tools/execsnoop_example.txt
+Demonstrations of execsnoop, the Linux BPF/bpftrace version.
+Tracing all new process execution (via exec()):
+# bpftrace execsnoop.bt
+Attaching 3 probes...
+TIME(ms)   PID   ARGS
+2460       3466  ls --color=auto -lh execsnoop.bt execsnoop.bt.0 execsnoop.bt.1
+3996       3467  man ls
+4005       3473  preconv -e UTF-8
+4005       3473  preconv -e UTF-8
+4005       3473  preconv -e UTF-8
+4005       3473  preconv -e UTF-8
+4005       3473  preconv -e UTF-8
+4005       3474  tbl
+4005       3474  tbl
+4005       3474  tbl
+4005       3474  tbl
+4005       3474  tbl
+4005       3476  nroff -mandoc -rLL=193n -rLT=193n -Tutf8
+4005       3476  nroff -mandoc -rLL=193n -rLT=193n -Tutf8
+4005       3476  nroff -mandoc -rLL=193n -rLT=193n -Tutf8
+4005       3476  nroff -mandoc -rLL=193n -rLT=193n -Tutf8
+4005       3476  nroff -mandoc -rLL=193n -rLT=193n -Tutf8
+4006       3479  pager  -rLL=193n
+4006       3479  pager  -rLL=193n
+4006       3479  pager  -rLL=193n
+4006       3479  pager  -rLL=193n
+4006       3479  pager  -rLL=193n
+4007       3481  locale charmap
+4008       3482  groff -mtty-char -Tutf8 -mandoc -rLL=193n -rLT=193n
+4009       3483  troff -mtty-char -mandoc -rLL=193n -rLT=193n -Tutf8
+The output begins by showing an "ls" command, and then the process execution
+to serve "man ls". The same exec arguments appear multiple times: in this case
+they are failing as the $PATH variable is walked, until one finally succeeds.
+This tool can be used to discover unwanted short-lived processes that may be
+causing performance issues such as latency perturbations.