Lines Matching full:execsnoop
1 Demonstrations of execsnoop, the Linux eBPF/bcc version.
4 execsnoop traces new processes. For example, tracing the commands invoked when
7 # ./execsnoop
26 processes, which won't be included in the execsnoop output.
31 # ./execsnoop -x
59 # ./execsnoop -Ttn mount
68 # ./execsnoop.py -l testpkg
84 # ./execsnoop --cgroupmap /sys/fs/bpf/test01
90 # ./execsnoop -U
99 # ./execsnoop -Uu 1000
111 # ./execsnoop -h
112 usage: execsnoop.py [-h] [-T] [-t] [-x] [--cgroupmap CGROUPMAP]
138 ./execsnoop # trace all exec() syscalls
139 ./execsnoop -x # include failed exec()s
140 ./execsnoop -T # include time (HH:MM:SS)
141 ./execsnoop -P 181 # only trace new processes whose parent PID is 181
142 ./execsnoop -U # include UID
143 ./execsnoop -u 1000 # only trace UID 1000
144 ./execsnoop -u user # get user UID and trace only them
145 ./execsnoop -t # include timestamps
146 ./execsnoop -q # add "quotemarks" around arguments
147 ./execsnoop -n main # only print command lines containing "main"
148 ./execsnoop -l tpkg # only print command where arguments contains "tpkg"
149 ./execsnoop --cgroupmap mappath # only trace cgroups in this BPF map
150 ./execsnoop --mntnsmap mappath # only trace mount namespaces in the map