Man page - exitsnoop-bpfcc(8)
Packages containing this manual
apt-get install bpfcc-tools
Manual
| exitsnoop(8) | System Manager's Manual | exitsnoop(8) |
NAME
exitsnoop - Trace all process termination (exit, fatal signal). Uses Linux eBPF/bcc.
SYNOPSIS
exitsnoop [-h] [-t] [--utc] [-x] [-p PID] [--label LABEL] [--per-thread]
DESCRIPTION
exitsnoop traces process termination, showing the command name and reason for termination, either an exit or a fatal signal.
It catches processes of all users, processes in containers, as well as processes that become zombie.
This works by tracing the kernel sched_process_exit() function using dynamic tracing, and will need updating to match any changes to this function.
Since this uses BPF, only the root user can use this tool.
REQUIREMENTS
CONFIG_BPF and bcc.
OPTIONS
-h
    Print usage message.
-t
    Include a timestamp column.
--utc
    Include a timestamp column, use UTC timezone.
-x
    Exclude successful exits, exit(0).
-p PID
    Trace this process ID only (filtered in-kernel).
--label LABEL
    Label each line with LABEL (default 'exit') in first column (2nd if timestamp is present).
--per-thread
    Trace per-thread termination.
EXAMPLES
Trace all process termination:
    # exitsnoop
Trace all process termination, and include timestamps:
    # exitsnoop -t
Exclude successful exits, only include non-zero exit codes and fatal signals:
    # exitsnoop -x
Trace PID 181 only:
    # exitsnoop -p 181
Label each output line with 'EXIT':
    # exitsnoop --label EXIT
Trace per-thread termination:
    # exitsnoop --per-thread
FIELDS
TIME-TZ
    Time of process termination, HH:MM:SS.sss with milliseconds, where TZ is the local time zone, or 'UTC' with the --utc option.
LABEL
    The optional label if the --label option is used. This is useful with the -t option for timestamps when the output of several tracing tools is sorted into one combined output.
PCOMM
    Process/command name.
PID
    Process ID.
PPID
    The process ID of the process that will be notified of PID termination.
TID
    Thread ID.
EXIT_CODE
    The exit code for exit() or the signal number for a fatal signal.
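How the two cases in EXIT_CODE (exit code versus fatal signal) can be told apart, as an added example that is not part of this man page or of bcc. It assumes the value is in the Linux wait-status layout, the form waitpid() returns to the parent listed under PPID; `keep_with_x` and `reap` are hypothetical helper names.

```python
import os
import signal

def decode_status(status):
    """Split a raw Linux wait status into (kind, value, core_dumped)."""
    sig = status & 0x7F            # low 7 bits: fatal signal number, 0 for exit()
    if sig:
        return ("signal", sig, bool(status & 0x80))   # bit 7: core dump flag
    return ("exit", (status >> 8) & 0xFF, False)      # bits 8-15: exit() argument

def describe(status):
    """Render the termination reason as text."""
    kind, value, core = decode_status(status)
    if kind == "exit":
        return f"code {value}"
    try:
        name = signal.Signals(value).name
    except ValueError:             # e.g. an unnamed real-time signal
        name = "unknown"
    return f"signal {value} ({name})" + (", core dumped" if core else "")

def keep_with_x(status):
    """Hypothetical helper: the filter the -x option describes, drop exit(0) only."""
    return status != 0

def reap(child_action):
    """Fork, run child_action in the child, return the raw status from waitpid()."""
    pid = os.fork()
    if pid == 0:
        try:
            child_action()
        finally:
            os._exit(127)          # only reached if child_action returns or raises
    return os.waitpid(pid, 0)[1]

if __name__ == "__main__":
    cases = {
        "exit(0)": lambda: os._exit(0),
        "exit(3)": lambda: os._exit(3),
        "SIGKILL": lambda: os.kill(os.getpid(), signal.SIGKILL),
    }
    for label, action in cases.items():
        status = reap(action)
        # Cross-check the manual bit decoding against the os module's macros.
        assert os.WIFSIGNALED(status) == (decode_status(status)[0] == "signal")
        print(f"{label:8} raw={status:#06x} {describe(status):22} "
              f"kept_by_-x={keep_with_x(status)}")
```

When triaging, a fatal signal such as SIGSEGV or SIGABRT in a long-running service is usually worth more attention than a non-zero exit code, which many programs use for routine errors.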
OVERHEAD
This traces the kernel sched_process_exit() function and prints output for each event. As the rate of this is generally expected to be low (< 1000/s), the overhead is also expected to be negligible. If you have an application that has a high rate of process termination, then test and understand overhead before use.
SOURCE
This is from bcc.
- https://github.com/iovisor/bcc
Also look in the bcc distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.
OS
Linux
STABILITY
Unstable - in development.
AUTHOR
Arturo Martin-de-Nicolas
SEE ALSO
execsnoop(8)
| 2019-05-28 | USER COMMANDS |