Demonstrations of killsnoop, the Linux eBPF/bcc version.


This traces signals sent via the kill() syscall. For example:

# ./killsnoop
TIME      PID    COMM             SIG  TPID   RESULT
12:10:51  13967  bash             9    13885  0
12:11:34  13967  bash             9    1024   -3
12:11:41  815    systemd-udevd    15   14076  0

The first line showed a SIGKILL (9) sent from PID 13967 (a bash shell) to
PID 13885. The result, 0, means success.

The second line showed the same signal sent, this time resulting in a -3
(ESRCH: no such process).
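
An added example, not part of bcc or of the original file: a small Python
parser for the output above that turns the SIG and RESULT columns into
symbolic names and counts failed kill() calls per sender. It assumes the
six-column layout shown above and Linux signal/errno numbering; the names
KillEvent, sig_name, parse_killsnoop and failed_by_sender are hypothetical.

```python
import errno
import signal
from collections import Counter
from typing import NamedTuple

# Sample output copied from the demonstration above.
SAMPLE = """\
TIME      PID    COMM             SIG  TPID   RESULT
12:10:51  13967  bash             9    13885  0
12:11:34  13967  bash             9    1024   -3
12:11:41  815    systemd-udevd    15   14076  0
"""

class KillEvent(NamedTuple):
    time: str
    pid: int
    comm: str
    sig: str      # symbolic name, e.g. SIGKILL
    tpid: int
    result: str   # "OK" or an errno name, e.g. ESRCH

def sig_name(num):
    try:
        return signal.Signals(num).name
    except ValueError:   # signal 0 (existence probe) or an unknown number
        return "SIG%d" % num

def parse_killsnoop(text):
    events = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, blank lines and anything that is not a data row.
        if len(fields) < 6 or not fields[1].isdigit():
            continue
        # COMM may contain spaces, so take fixed columns from both ends.
        time, pid = fields[0], int(fields[1])
        sig, tpid, res = (int(f) for f in fields[-3:])
        comm = " ".join(fields[2:-3])
        result = "OK" if res == 0 else errno.errorcode.get(-res, str(res))
        events.append(KillEvent(time, pid, comm, sig_name(sig), tpid, result))
    return events

def failed_by_sender(events):
    """Count failed kill() calls per (PID, COMM)."""
    return Counter((e.pid, e.comm) for e in events if e.result != "OK")

if __name__ == "__main__":
    for event in parse_killsnoop(SAMPLE):
        print(event)
    print(failed_by_sender(parse_killsnoop(SAMPLE)))
```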


USAGE message:

# ./killsnoop -h
usage: killsnoop [-h] [-x] [-p PID]

Trace signals issued by the kill() syscall

optional arguments:
  -h, --help         show this help message and exit
  -x, --failed       only show failed kill syscalls
  -p PID, --pid PID  trace this PID only

examples:
    ./killsnoop           # trace all kill() signals
    ./killsnoop -x        # only show failed kills
    ./killsnoop -p 181    # only trace PID 181