NAME
execsnoop - snoop new process execution. Uses DTrace.
SYNOPSIS
execsnoop [-a|-A|-ejhsvZ] [-c command]
DESCRIPTION
execsnoop prints details of new processes as they are executed.
Details such as UID, PID and argument listing are printed out. This program is very useful to examine short lived processes that would not normally appear in a prstat or "ps -ef" listing. Sometimes applications will run hundreds of short lived processes in their normal startup cycle, a behaviour that is easily monitored with execsnoop.
Since this uses DTrace, only the root user or users with the dtrace kernel privilege can run this command.
OPTIONS
-a print all data
-A dump all data, space delimited
-e safe output, parseable. This prevents the ARGS field containing "\n"s, to assist postprocessing.
-j print project ID
-s print start time, us
-v print start time, string
-Z print zonename
-c command
command name to snoop
EXAMPLES
Default output, print processes as they are executed,
# execsnoop
Print human readable timestamps,
# execsnoop -v
Print zonename,
# execsnoop -Z
Snoop this command only,
# execsnoop -c ls
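Post-processing the parseable output to find parents that spawn many short lived processes, as an added example that is not part of the DTraceToolkit. The function names are hypothetical, the sample lines are constructed, and the column order UID PID PPID ARGS with one header line is an assumption.

```shell
# Added example: count exec events per parent PID from execsnoop output.
# Assumption: columns are UID PID PPID ARGS, preceded by a header line
# whose first word is "UID".
#
# execsnoop runs until Ctrl-C, so capture to a file first and process it
# afterwards; interrupting a live pipeline would stop awk before it
# reaches its END block:
#   execsnoop -e > exec.log      (stop with Ctrl-C)
#   exec_bursts 20 < exec.log

exec_bursts() {
    # $1 = minimum number of execs from one parent before it is reported
    # Output: "PPID COUNT FIRST_COMMAND", busiest parent first
    awk -v min="$1" '
        $1 == "UID" { next }                       # header line
        NF < 4 { next }                            # truncated line
        $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ { next }   # not an exec record
        {
            count[$3]++
            if (!($3 in first)) first[$3] = $4     # first command seen per parent
        }
        END {
            for (p in count)
                if (count[p] >= min)
                    printf "%s %d %s\n", p, count[p], first[p]
        }' | sort -k2,2nr -k1,1n
}

# Constructed sample input standing in for a captured exec.log
sample_input() {
    cat <<'EOF'
  UID    PID   PPID ARGS
    0   2101   1900 sh -c ./configure
    0   2102   1900 sed -e s/a/b/ conftest
    0   2103   1900 grep -c main conftest.c
  100   2600   2500 ls -l
    0   2104   1900 rm -f conftest
EOF
}
```

Running `sample_input | exec_bursts 3` reports only parent 1900, which executed four children in the sample.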
FIELDS
UID User ID
PID Process ID
PPID Parent Process ID
COMM command name for the process
ARGS argument listing for the process
ZONE zonename
PROJ project ID
TIME timestamp for the exec event, us
STRTIME timestamp for the exec event, string
DOCUMENTATION
See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with verbose descriptions explaining the output.
EXIT
execsnoop will run forever until Ctrl-C is hit.
AUTHOR
Brendan Gregg [Sydney, Australia]
SEE ALSO
dtrace(1M), truss(1)
version 1.20 Jul 02, 2005 execsnoop(1m)