.TH execsnoop 1m "$Date:: 2007-08-05 #$" "USER COMMANDS"
execsnoop \- snoop new process execution. Uses DTrace.
[\-a|\-A|\-ejhsvZ] [\-c command]
execsnoop prints details of new processes as they are executed.
Details such as UID, PID and argument listing are printed out.
This program is very useful to examine short-lived processes that would
not normally appear in a prstat or "ps -ef" listing. Sometimes
applications will run hundreds of short-lived processes in their
normal startup cycle, a behaviour that is easily monitored with execsnoop.
Since this uses DTrace, only the root user or users with the
dtrace_kernel privilege can run this command.
stable - needs the syscall provider.
dump all data, space delimited
safe output, parseable. This prevents the ARGS field containing "\\n"s,
to assist postprocessing.
print start time, string
Default output, print processes as they are executed,
Print human readable timestamps,
Snoop this command only,
command name for the process
argument listing for the process
timestamp for the exec event, us
timestamp for the exec event, string
See the DTraceToolkit for further documentation under the
Docs directory. The DTraceToolkit docs may include full worked
examples with verbose descriptions explaining the output.
execsnoop will run forever until Ctrl\-C is hit.
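An added example, not part of this man page or the DTraceToolkit: a Python post-processor that groups exec events by parent PID to surface the bursts of short-lived processes described above, and counts lines that fail to parse, which is what a newline inside ARGS produces when the safe output option is not used. The UID PID PPID ARGS column layout and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample, not captured output. Assumed layout: UID PID PPID ARGS.
# PID 4106 has a newline inside ARGS, as printed without the safe output option.
SAMPLE = """\
  UID    PID   PPID ARGS
    0   4101   4100 /bin/sh /opt/app/start.sh
    0   4102   4101 uname -n
    0   4103   4101 grep -c foo /etc/app.conf
    0   4104   4101 sed -e s/a/b/ /etc/app.conf
  100   4200   3990 ls -l
    0   4105   4101 /usr/bin/id -u
    0   4106   4101 sh -c echo one
echo two
"""


def parse(text):
    """Return (events, rejected): events are (uid, pid, ppid, args) tuples."""
    events, rejected = [], 0
    for line in text.splitlines():
        parts = line.split(None, 3)
        if not parts:
            continue  # blank line
        if len(parts) >= 3 and all(p.isdigit() for p in parts[:3]):
            uid, pid, ppid = (int(p) for p in parts[:3])
            events.append((uid, pid, ppid, parts[3] if len(parts) > 3 else ""))
        elif parts[:3] != ["UID", "PID", "PPID"]:
            # Not a record and not the header: typically the tail of an ARGS
            # value that contained a newline. Count it rather than guess.
            rejected += 1
    return events, rejected


def bursts(events, threshold=3):
    """Map parent PID -> child ARGS for parents with >= threshold execs."""
    by_parent = defaultdict(list)
    for _uid, _pid, ppid, args in events:
        by_parent[ppid].append(args)
    return {p: a for p, a in by_parent.items() if len(a) >= threshold}


if __name__ == "__main__":
    events, rejected = parse(SAMPLE)
    for ppid, children in bursts(events).items():
        print(f"PPID {ppid}: {len(children)} execs: {children}")
    print(f"unparseable lines: {rejected}")
```

A non-zero rejected count means records were split across lines, so the per-parent counts and the ARGS values for those events cannot be trusted.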