Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

execsnoop(1m) [osx man page]

execsnoop(1m)							   USER COMMANDS						     execsnoop(1m)

NAME

       execsnoop - snoop new process execution. Uses DTrace.

SYNOPSIS

       execsnoop [-a|-A|-ejhsvZ] [-c command]

DESCRIPTION

       execsnoop prints details of new processes as they are executed.	Details such as UID, PID and argument listing are printed out.

       This  program  is  very	useful	to examine short lived processes that would not normally appear in a prstat or "ps -ef" listing. Sometimes
       applications will run hundreds of short lived processes in their normal startup cycle, a behaviour that is easily monitored with execsnoop.

       Since this uses DTrace, only users with root privileges can run this command.

OPTIONS

       -a     print all data

       -A     dump all data, space delimited

       -e     safe output, parseable. This prevents the ARGS field containing "
"s, to assist postprocessing.

       -j     print project ID

       -s     print start time, us

       -v     print start time, string

       -Z     print zonename

       -c command
	      command name to snoop

EXAMPLES

       Default output, print processes as they are executed,
	      # execsnoop

       Print human readable timestamps,
	      # execsnoop -v

       Print zonename,
	      # execsnoop -Z

       Snoop this command only,
	      # execsnoop -c ls

FIELDS

       UID    User ID

       PID    Process ID

       PPID   Parent Process ID

       COMM   command name for the process

       ARGS   argument listing for the process

       ZONE   zonename

       PROJ   project ID

       TIME   timestamp for the exec event, us

       STRTIME
	      timestamp for the exec event, string

DOCUMENTATION

       See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with ver-
       bose descriptions explaining the output.

EXIT

       execsnoop will run forever until Ctrl-C is hit.

AUTHOR

       Brendan Gregg [Sydney, Australia]

SEE ALSO

       dtrace(1M), truss(1)

version 1.20							   Jul 02, 2005 						     execsnoop(1m)

Check Out this Related Man Page

iosnoop(1m)							   USER COMMANDS						       iosnoop(1m)

NAME

       iosnoop - snoop I/O events as they occur. Uses DTrace.

SYNOPSIS

       iosnoop [-a|-A|-Deghinostv] [-d device] [-f filename] [-m mount_point] [-n name] [-p PID]

DESCRIPTION

       iosnoop prints I/O events as they happen, with useful details such as UID, PID, block number, size, filename, etc.

       This is useful to determine the process responsible for using the disks, as well as details on what activity the process is requesting. Be-
       haviour such as random or sequential I/O can be observed by reading the block numbers.

       Since this uses DTrace, only users with root privileges can run this command.

OPTIONS

       -a     print all data

       -A     dump all data, space delimited

       -D     print time delta, us (elapsed)

       -e     print device name

       -i     print device instance

       -N     print major and minor numbers

       -o     print disk delta time, us

       -s     print start time, us

       -t     print completion time, us

       -v     print completion time, string

       -d device
	      instance name to snoop (eg, dad0)

       -f filename
	      full pathname of file to snoop

       -m mount_point
	      mountpoint for filesystem to snoop

       -n name
	      process name

       -p PID process ID

EXAMPLES

       Default output, print I/O activity as it occurs,
	      # iosnoop

       Print human readable timestamps,
	      # iosnoop -v

       Print major and minor numbers,
	      # iosnoop -N

       Snoop events on the root filesystem only,
	      # iosnoop -m /

FIELDS

       UID    User ID

       PID    Process ID

       PPID   Parent Process ID

       COMM   command name for the process

       ARGS   argument listing for the process

       SIZE   size of the operation, bytes

       BLOCK  disk block for the operation (location. relative to this filesystem.  more useful with the -N option to print major and  minor  num-
	      bers)

       STIME  timestamp for the disk request, us

       TIME   timestamp for the disk completion, us

       DELTA  elapsed  time  from  request  to	completion,  us  (this is the elapsed time from the disk request (strategy) to the disk completion
	      (iodone))

       DTIME  time for disk to complete request, us (this is the time for the disk to complete that event since  it's  last  event  (time  between
	      iodones), or, the time to the strategy if the disk had been idle)

       STRTIME
	      timestamp for the disk completion, string

       DEVICE device name

       INS    device instance number

       D      direction, Read or Write

       MOUNT  mount point

       FILE   filename (basename) for I/O operation

NOTES

       When  filtering	on PID or process name, be aware that poor disk event times may be due to events that have been filtered away, for example
       another process that may be seeking the disk heads elsewhere.

DOCUMENTATION

       See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with ver-
       bose descriptions explaining the output.

EXIT

       iosnoop will run forever until Ctrl-C is hit.

AUTHOR

       Brendan Gregg [Sydney, Australia]

SEE ALSO

       iotop(1M), dtrace(1M)

version 1.50							   Jul 25, 2005 						       iosnoop(1m)
Man Page

Featured Tech Videos