Query: execsnoop
OS: osx
Section: 1m
Format: Original Unix Latex Style Formatted with HTML and a Horizontal Scroll Bar
execsnoop(1m) USER COMMANDS execsnoop(1m)NAMEexecsnoop - snoop new process execution. Uses DTrace.SYNOPSISexecsnoop [-a|-A|-ejhsvZ] [-c command]DESCRIPTIONexecsnoop prints details of new processes as they are executed. Details such as UID, PID and argument listing are printed out. This program is very useful to examine short lived processes that would not normally appear in a prstat or "ps -ef" listing. Sometimes applications will run hundreds of short lived processes in their normal startup cycle, a behaviour that is easily monitored with execsnoop. Since this uses DTrace, only users with root privileges can run this command.OPTIONS-a print all data -A dump all data, space delimited -e safe output, parseable. This prevents the ARGS field containing " "s, to assist postprocessing. -j print project ID -s print start time, us -v print start time, string -Z print zonename -c command command name to snoopEXAMPLESDefault output, print processes as they are executed, # execsnoop Print human readable timestamps, # execsnoop -v Print zonename, # execsnoop -Z Snoop this command only, # execsnoop -c lsFIELDSUID User ID PID Process ID PPID Parent Process ID COMM command name for the process ARGS argument listing for the process ZONE zonename PROJ project ID TIME timestamp for the exec event, us STRTIME timestamp for the exec event, stringDOCUMENTATIONSee the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with ver- bose descriptions explaining the output.EXITexecsnoop will run forever until Ctrl-C is hit.AUTHORBrendan Gregg [Sydney, Australia]SEE ALSOdtrace(1M), truss(1) version 1.20 Jul 02, 2005 execsnoop(1m)