Demonstrations of killsnoop, the Linux eBPF/bcc version.


This traces signals sent via the kill() syscall. For example:

# ./killsnoop
TIME      PID    COMM             SIG  TPID   RESULT
12:10:51  13967  bash             9    13885  0
12:11:34  13967  bash             9    1024   -3
12:11:41  815    systemd-udevd    15   14076  0

The first line showed a SIGKILL (9) sent from PID 13967 (a bash shell) to
PID 13885. The result, 0, means success.

The second line showed the same signal sent, this time resulting in a -3
(ESRCH: no such process).
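
An added example, not part of bcc or of the original file: a small Python parser
for the output shown above that decodes SIG and RESULT and picks out kills refused
with EPERM. The function names are hypothetical and the last sample row is constructed.

```python
import errno
import signal
from collections import namedtuple

KillEvent = namedtuple("KillEvent", "time pid comm sig tpid result")

def parse_killsnoop(text):
    """Parse killsnoop's default columns: TIME PID COMM SIG TPID RESULT."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("TIME"):
            continue  # skip blank lines and the header row
        # COMM may contain spaces, so take the fixed fields from both ends.
        time, pid, rest = line.split(None, 2)
        comm, sig, tpid, result = rest.rsplit(None, 3)
        events.append(KillEvent(time, int(pid), comm, int(sig), int(tpid), int(result)))
    return events

def sig_name(num):
    try:
        return signal.Signals(num).name
    except ValueError:
        return str(num)  # e.g. 0, which kill(2) uses as an existence/permission probe

def outcome(result):
    """RESULT is 0 on success, otherwise the negated errno from kill()."""
    if result == 0:
        return "ok"
    return errno.errorcode.get(-result, f"errno {-result}")

def denied(events):
    """Events where kill() was refused with EPERM (sender lacked permission)."""
    return [e for e in events if e.result == -errno.EPERM]

SAMPLE = """\
TIME      PID    COMM             SIG  TPID   RESULT
12:10:51  13967  bash             9    13885  0
12:11:34  13967  bash             9    1024   -3
12:11:41  815    systemd-udevd    15   14076  0
12:12:02  2201   my worker        9    1      -1
"""  # last row is constructed for this example; the others are from the page

if __name__ == "__main__":
    for e in parse_killsnoop(SAMPLE):
        print(f"{e.time} {e.comm}({e.pid}) -> {e.tpid}: {sig_name(e.sig)} {outcome(e.result)}")
```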


USAGE message:

# ./killsnoop -h
usage: killsnoop [-h] [-x] [-p PID] [-T PID] [-s SIGNAL]

Trace signals issued by the kill() syscall

optional arguments:
  -h, --help            show this help message and exit
  -x, --failed          only show failed kill syscalls
  -p PID, --pid PID     trace this PID only which is the sender of signal
  -T TPID, --tpid TPID  trace this target PID only which is the receiver of
                        signal
  -s SIGNAL, --signal SIGNAL
                        trace this signal only

examples:
    ./killsnoop           # trace all kill() signals
    ./killsnoop -x        # only show failed kills
    ./killsnoop -p 181    # only trace PID 181
    ./killsnoop -T 189    # only trace target PID 189
    ./killsnoop -s 9      # only trace signal 9