execsnoop(1m) [osx man page]
execsnoop(1m) USER COMMANDS execsnoop(1m) NAME
execsnoop - snoop new process execution. Uses DTrace. SYNOPSIS
execsnoop [-a|-A|-ejhsvZ] [-c command] DESCRIPTION
execsnoop prints details of new processes as they are executed. Details such as UID, PID and argument listing are printed out. This program is very useful to examine short lived processes that would not normally appear in a prstat or "ps -ef" listing. Sometimes applications will run hundreds of short lived processes in their normal startup cycle, a behaviour that is easily monitored with execsnoop. Since this uses DTrace, only users with root privileges can run this command. OPTIONS
-a print all data -A dump all data, space delimited -e safe output, parseable. This prevents the ARGS field containing " "s, to assist postprocessing. -j print project ID -s print start time, us -v print start time, string -Z print zonename -c command command name to snoop EXAMPLES
Default output, print processes as they are executed, # execsnoop Print human readable timestamps, # execsnoop -v Print zonename, # execsnoop -Z Snoop this command only, # execsnoop -c ls FIELDS
UID User ID PID Process ID PPID Parent Process ID COMM command name for the process ARGS argument listing for the process ZONE zonename PROJ project ID TIME timestamp for the exec event, us STRTIME timestamp for the exec event, string DOCUMENTATION
See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with ver- bose descriptions explaining the output. EXIT
execsnoop will run forever until Ctrl-C is hit. AUTHOR
Brendan Gregg [Sydney, Australia] SEE ALSO
dtrace(1M), truss(1) version 1.20 Jul 02, 2005 execsnoop(1m)
Check Out this Related Man Page
iosnoop(1m) USER COMMANDS iosnoop(1m) NAME
iosnoop - snoop I/O events as they occur. Uses DTrace. SYNOPSIS
iosnoop [-a|-A|-Deghinostv] [-d device] [-f filename] [-m mount_point] [-n name] [-p PID] DESCRIPTION
iosnoop prints I/O events as they happen, with useful details such as UID, PID, block number, size, filename, etc. This is useful to determine the process responsible for using the disks, as well as details on what activity the process is requesting. Be- haviour such as random or sequential I/O can be observed by reading the block numbers. Since this uses DTrace, only users with root privileges can run this command. OPTIONS
-a print all data -A dump all data, space delimited -D print time delta, us (elapsed) -e print device name -i print device instance -N print major and minor numbers -o print disk delta time, us -s print start time, us -t print completion time, us -v print completion time, string -d device instance name to snoop (eg, dad0) -f filename full pathname of file to snoop -m mount_point mountpoint for filesystem to snoop -n name process name -p PID process ID EXAMPLES
Default output, print I/O activity as it occurs, # iosnoop Print human readable timestamps, # iosnoop -v Print major and minor numbers, # iosnoop -N Snoop events on the root filesystem only, # iosnoop -m / FIELDS
UID User ID PID Process ID PPID Parent Process ID COMM command name for the process ARGS argument listing for the process SIZE size of the operation, bytes BLOCK disk block for the operation (location. relative to this filesystem. more useful with the -N option to print major and minor num- bers) STIME timestamp for the disk request, us TIME timestamp for the disk completion, us DELTA elapsed time from request to completion, us (this is the elapsed time from the disk request (strategy) to the disk completion (iodone)) DTIME time for disk to complete request, us (this is the time for the disk to complete that event since it's last event (time between iodones), or, the time to the strategy if the disk had been idle) STRTIME timestamp for the disk completion, string DEVICE device name INS device instance number D direction, Read or Write MOUNT mount point FILE filename (basename) for I/O operation NOTES
When filtering on PID or process name, be aware that poor disk event times may be due to events that have been filtered away, for example another process that may be seeking the disk heads elsewhere. DOCUMENTATION
See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with ver- bose descriptions explaining the output. EXIT
iosnoop will run forever until Ctrl-C is hit. AUTHOR
Brendan Gregg [Sydney, Australia] SEE ALSO
iotop(1M), dtrace(1M) version 1.50 Jul 25, 2005 iosnoop(1m)