execsnoop(1m) USER COMMANDS execsnoop(1m)
execsnoop - snoop new process execution. Uses DTrace.
execsnoop [-a|-A|-ejhsvZ] [-c command]
execsnoop prints details of new processes as they are executed. Details
such as UID, PID and argument listing are printed out.
This program is very useful to examine short lived processes that would
not normally appear in a prstat or "ps -ef" listing. Sometimes
applications will run hundreds of short lived processes in their normal
startup cycle, a behaviour that is easily monitored with execsnoop.
Since this uses DTrace, only users with root privileges can run this
-a          print all data
-A          dump all data, space delimited
-e          safe output, parseable. This prevents the ARGS field containing "\n"s, to assist postprocessing.
-j          print project ID
-s          print start time, us
-v          print start time, string
-Z          print zonename
-c command  command name to snoop
Default output, print processes as they are executed,
Print human readable timestamps,
# execsnoop -v
# execsnoop -Z
Snoop this command only,
# execsnoop -c ls
UID User ID
PID Process ID
PPID Parent Process ID
COMM command name for the process
ARGS argument listing for the process
PROJ project ID
TIME timestamp for the exec event, us
timestamp for the exec event, string
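An added example (not part of this man page or the DTraceToolkit): a shell/awk post-processor that counts exec events per parent PID from saved `execsnoop -e` output, to surface the bursts of short-lived processes described above. The column order UID PID PPID ARGS, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise exec events by parent PID.
# Assumed column order (not stated on this page): UID PID PPID ARGS...
# Input is expected to come from `execsnoop -e`, so that each event is
# exactly one line (no embedded newlines in ARGS).

# Constructed sample input, standing in for a saved `execsnoop -e` log.
sample_log() {
cat <<'EOF'
  UID    PID   PPID ARGS
    0   4100      1 /sbin/sh /etc/init.d/appsrv start
    0   4101   4100 /sbin/sh /opt/appsrv/bin/startup.sh
    0   4102   4101 uname -r
    0   4103   4101 grep -c appsrv /etc/passwd
    0   4104   4101 sed s/x/y/ /tmp/appsrv.conf
    0   4105   4101 cat /tmp/appsrv.pid
  100   4200   3990 ls -l
EOF
}

# exec_burst MIN
# Reads execsnoop lines on stdin and prints "PPID COUNT FIRST_CMD" for every
# parent that spawned at least MIN processes, busiest parent first.
exec_burst() {
    awk -v min="$1" '
        # Skip the header and anything that is not a UID/PID/PPID record.
        $1 !~ /^[0-9]+$/ || NF < 3 { next }
        {
            count[$3]++
            # Remember the first command seen under this parent as a hint.
            if (!($3 in first)) first[$3] = (NF >= 4 ? $4 : "-")
        }
        END {
            for (p in count)
                if (count[p] >= min) print p, count[p], first[p]
        }' | sort -k2,2nr -k1,1n
}

# Show parents that launched three or more processes in the sample.
sample_log | exec_burst 3
```

On a live system the same function can be fed from a saved log, for example `exec_burst 50 < exec.log`.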
See the DTraceToolkit for further documentation under the Docs directory.
The DTraceToolkit docs may include full worked examples with verbose
descriptions explaining the output.
execsnoop will run forever until Ctrl-C is hit.
Brendan Gregg [Sydney, Australia]
version 1.20 July 2, 2005 execsnoop(1m)