Demonstrations of killsnoop, the Linux eBPF/bcc version.


This traces signals sent via the kill() syscall. For example:

# ./killsnoop
TIME      PID    COMM             SIG  TPID   RESULT
12:10:51  13967  bash             9    13885  0
12:11:34  13967  bash             9    1024   -3
12:11:41  815    systemd-udevd    15   14076  0

The first line showed a SIGKILL (9) sent from PID 13967 (a bash shell) to
PID 13885. The result, 0, means success.

The second line showed the same signal sent, this time resulting in a -3
(ESRCH: no such process).
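
The RESULT column is 0 on success or a negated errno value. As an added example
(not part of bcc or the original page), this Python sketch parses killsnoop
rows, decodes SIG and RESULT, and keeps events that failed with EPERM or hit a
watched target PID. The last two sample rows, the function names and the
watched PID set are constructed for illustration.

```python
import errno
import signal
from typing import NamedTuple, Optional

class KillEvent(NamedTuple):
    time: str
    pid: int
    comm: str
    sig: str
    tpid: int
    error: Optional[str]  # None on success, otherwise the errno name

def parse_line(line: str) -> Optional[KillEvent]:
    """Parse one killsnoop row; return None for the header or blank lines."""
    fields = line.split()
    if len(fields) < 6 or fields[0] == "TIME":
        return None
    # COMM may itself contain spaces, so take the fixed columns from both
    # ends and treat whatever is left in the middle as the command name.
    time, pid = fields[0], int(fields[1])
    signum, tpid, result = (int(f) for f in fields[-3:])
    comm = " ".join(fields[2:-3])
    try:
        sig = signal.Signals(signum).name
    except ValueError:  # e.g. signal 0 (existence probe) or an unknown number
        sig = str(signum)
    # RESULT is 0 on success or a negated errno value on failure.
    error = None if result == 0 else errno.errorcode.get(-result, str(result))
    return KillEvent(time, pid, comm, sig, tpid, error)

def triage(lines, watched_tpids=frozenset()):
    """Return events that failed with EPERM or targeted a watched PID."""
    events = filter(None, map(parse_line, lines))
    return [ev for ev in events if ev.error == "EPERM" or ev.tpid in watched_tpids]

# Constructed sample: the three rows from the page plus two made-up rows.
SAMPLE = """\
TIME      PID    COMM             SIG  TPID   RESULT
12:10:51  13967  bash             9    13885  0
12:11:34  13967  bash             9    1024   -3
12:11:41  815    systemd-udevd    15   14076  0
12:12:02  14101  Web Content      9    612    -1
12:12:09  14101  Web Content      0    612    0
""".splitlines()

if __name__ == "__main__":
    for ev in triage(SAMPLE, watched_tpids={13885}):
        print(ev)
```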


USAGE message:

# ./killsnoop -h
usage: killsnoop [-h] [-x] [-p PID] [-T PID] [-s SIGNAL]

Trace signals issued by the kill() syscall

optional arguments:
  -h, --help            show this help message and exit
  -x, --failed          only show failed kill syscalls
  -p PID, --pid PID     trace this PID only which is the sender of signal
  -T TPID, --tpid TPID  trace this target PID only which is the receiver of
                        signal
  -s SIGNAL, --signal SIGNAL
                        trace this signal only

examples:
    ./killsnoop           # trace all kill() signals
    ./killsnoop -x        # only show failed kills
    ./killsnoop -p 181    # only trace PID 181
    ./killsnoop -T 189    # only trace target PID 189
    ./killsnoop -s 9      # only trace signal 9