mirror of
https://github.com/brendangregg/perf-tools.git
synced 2025-11-30 23:16:03 +07:00
293 lines
8.5 KiB
Bash
Executable File
293 lines
8.5 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# execsnoop - trace process exec() with arguments.
|
|
# Written using Linux ftrace.
|
|
#
|
|
# This shows the execution of new processes, especially short-lived ones that
|
|
# can be missed by sampling tools such as top(1).
|
|
#
|
|
# USAGE: ./execsnoop [-hrt] [-n name]
|
|
#
|
|
# REQUIREMENTS: FTRACE and KPROBE CONFIG, sched:sched_process_fork tracepoint,
|
|
# and either the sys_execve, stub_execve or do_execve kernel function. You may
|
|
# already have these on recent kernels. And awk.
|
|
#
|
|
# This traces exec() from the fork()->exec() sequence, which means it won't
|
|
# catch new processes that only fork(). With the -r option, it will also catch
|
|
# processes that re-exec. It makes a best-effort attempt to retrieve the program
|
|
# arguments and PPID; if these are unavailable, 0 and "[?]" are printed
|
|
# respectively. There is also a limit to the number of arguments printed (by
|
|
# default, 8), which can be increased using -a.
|
|
#
|
|
# This implementation is designed to work on older kernel versions, and without
|
|
# kernel debuginfo. It works by dynamic tracing an execve kernel function to
|
|
# read the arguments from the %si register. The sys_execve function is tried
|
|
# first, then stub_execve and do_execve. The sched:sched_process_fork
|
|
# tracepoint is used to get the PPID. This program is a workaround that should be
|
|
# improved in the future when other kernel capabilities are made available. If
|
|
# you need a more reliable tool now, then consider other tracing alternatives
|
|
# (eg, SystemTap). This tool is really a proof of concept to see what ftrace can
|
|
# currently do.
|
|
#
|
|
# From perf-tools: https://github.com/brendangregg/perf-tools
|
|
#
|
|
# See the execsnoop(8) man page (in perf-tools) for more info.
|
|
#
|
|
# COPYRIGHT: Copyright (c) 2014 Brendan Gregg.
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU General Public License
|
|
# as published by the Free Software Foundation; either version 2
|
|
# of the License, or (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software Foundation,
|
|
# Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
|
#
|
|
# (http://www.gnu.org/copyleft/gpl.html)
|
|
#
|
|
# 07-Jul-2014 Brendan Gregg Created this.
|
|
|
|
### default variables
|
|
tracing=/sys/kernel/debug/tracing
|
|
flock=/var/tmp/.ftrace-lock; wroteflock=0
|
|
opt_duration=0; duration=; opt_name=0; name=; opt_time=0; opt_reexec=0
|
|
opt_argc=0; argc=8; max_argc=16; ftext=
|
|
trap ':' INT QUIT TERM PIPE HUP # sends execution to end tracing section
|
|
|
|
function usage {
|
|
cat <<-END >&2
|
|
USAGE: execsnoop [-hrt] [-a argc] [-d secs] [name]
|
|
-d seconds # trace duration, and use buffers
|
|
-a argc # max args to show (default 8)
|
|
-r # include re-execs
|
|
-t # include time (seconds)
|
|
-h # this usage message
|
|
name # process name to match (REs allowed)
|
|
eg,
|
|
execsnoop # watch exec()s live (unbuffered)
|
|
execsnoop -d 1 # trace 1 sec (buffered)
|
|
execsnoop grep # trace process names containing grep
|
|
execsnoop 'udevd$' # process names ending in "udevd"
|
|
|
|
See the man page and example file for more info.
|
|
END
|
|
exit
|
|
}
|
|
|
|
function warn {
|
|
if ! eval "$@"; then
|
|
echo >&2 "WARNING: command failed \"$@\""
|
|
fi
|
|
}
|
|
|
|
function end {
|
|
# disable tracing
|
|
echo 2>/dev/null
|
|
echo "Ending tracing..." 2>/dev/null
|
|
cd $tracing
|
|
warn "echo 0 > events/kprobes/$kname/enable"
|
|
warn "echo 0 > events/sched/sched_process_fork/enable"
|
|
warn "echo -:$kname >> kprobe_events"
|
|
warn "echo > trace"
|
|
(( wroteflock )) && warn "rm $flock"
|
|
}
|
|
|
|
function die {
|
|
echo >&2 "$@"
|
|
exit 1
|
|
}
|
|
|
|
function edie {
|
|
# die with a quiet end()
|
|
echo >&2 "$@"
|
|
exec >/dev/null 2>&1
|
|
end
|
|
exit 1
|
|
}
|
|
|
|
### process options
|
|
while getopts a:d:hrt opt
|
|
do
|
|
case $opt in
|
|
a) opt_argc=1; argc=$OPTARG ;;
|
|
d) opt_duration=1; duration=$OPTARG ;;
|
|
r) opt_reexec=1 ;;
|
|
t) opt_time=1 ;;
|
|
h|?) usage ;;
|
|
esac
|
|
done
|
|
shift $(( $OPTIND - 1 ))
|
|
if (( $# )); then
|
|
opt_name=1
|
|
name=$1
|
|
shift
|
|
fi
|
|
(( $# )) && usage
|
|
|
|
### option logic
|
|
(( opt_pid && opt_name )) && die "ERROR: use either -p or -n."
|
|
(( opt_pid )) && ftext=" issued by PID $pid"
|
|
(( opt_name )) && ftext=" issued by process name \"$name\""
|
|
(( opt_file )) && ftext="$ftext for filenames containing \"$file\""
|
|
(( opt_argc && argc > max_argc )) && die "ERROR: max -a argc is $max_argc."
|
|
if (( opt_duration )); then
|
|
echo "Tracing exec()s$ftext for $duration seconds (buffered)..."
|
|
else
|
|
echo "Tracing exec()s$ftext. Ctrl-C to end."
|
|
fi
|
|
|
|
### select awk
|
|
if (( opt_duration )); then
|
|
[[ -x /usr/bin/mawk ]] && awk=mawk || awk=awk
|
|
else
|
|
# workarounds for mawk/gawk fflush behavior
|
|
if [[ -x /usr/bin/gawk ]]; then
|
|
awk=gawk
|
|
elif [[ -x /usr/bin/mawk ]]; then
|
|
awk="mawk -W interactive"
|
|
else
|
|
awk=awk
|
|
fi
|
|
fi
|
|
|
|
### check permissions
|
|
cd $tracing || die "ERROR: accessing tracing. Root user? Kernel has FTRACE?
|
|
debugfs mounted? (mount -t debugfs debugfs /sys/kernel/debug)"
|
|
|
|
### ftrace lock
|
|
[[ -e $flock ]] && die "ERROR: ftrace may be in use by PID $(cat $flock) $flock"
|
|
echo $$ > $flock || die "ERROR: unable to write $flock."
|
|
wroteflock=1
|
|
|
|
### build probe
|
|
if [[ -x /usr/bin/getconf ]]; then
|
|
bits=$(getconf LONG_BIT)
|
|
else
|
|
bits=64
|
|
[[ $(uname -m) == i* ]] && bits=32
|
|
fi
|
|
(( offset = bits / 8 ))
|
|
function makeprobe {
|
|
func=$1
|
|
kname=execsnoop_$func
|
|
kprobe="p:$kname $func"
|
|
i=0
|
|
while (( i < argc + 1 )); do
|
|
# p:kname do_execve +0(+0(%si)):string +0(+8(%si)):string ...
|
|
kprobe="$kprobe +0(+$(( i * offset ))(%si)):string"
|
|
(( i++ ))
|
|
done
|
|
}
|
|
# try in this order: sys_execve, stub_execve, do_execve
|
|
makeprobe sys_execve
|
|
|
|
### setup and begin tracing
|
|
echo nop > current_tracer
|
|
if ! echo $kprobe >> kprobe_events 2>/dev/null; then
|
|
makeprobe stub_execve
|
|
if ! echo $kprobe >> kprobe_events 2>/dev/null; then
|
|
makeprobe do_execve
|
|
if ! echo $kprobe >> kprobe_events 2>/dev/null; then
|
|
edie "ERROR: adding a kprobe for execve. Exiting."
|
|
fi
|
|
fi
|
|
fi
|
|
if ! echo 1 > events/kprobes/$kname/enable; then
|
|
edie "ERROR: enabling kprobe for execve. Exiting."
|
|
fi
|
|
if ! echo 1 > events/sched/sched_process_fork/enable; then
|
|
edie "ERROR: enabling sched:sched_process_fork tracepoint. Exiting."
|
|
fi
|
|
echo "Instrumenting $func"
|
|
(( opt_time )) && printf "%-16s " "TIMEs"
|
|
printf "%6s %6s %s\n" "PID" "PPID" "ARGS"
|
|
|
|
#
|
|
# Determine output format. It may be one of the following (newest first):
|
|
# TASK-PID CPU# |||| TIMESTAMP FUNCTION
|
|
# TASK-PID CPU# TIMESTAMP FUNCTION
|
|
# To differentiate between them, the number of header fields is counted,
|
|
# and an offset set, to skip the extra column when needed.
|
|
#
|
|
offset=$($awk 'BEGIN { o = 0; }
|
|
$1 == "#" && $2 ~ /TASK/ && NF == 6 { o = 1; }
|
|
$2 ~ /TASK/ { print o; exit }' trace)
|
|
|
|
### print trace buffer
|
|
warn "echo > trace"
|
|
( if (( opt_duration )); then
|
|
# wait then dump buffer
|
|
sleep $duration
|
|
cat -v trace
|
|
else
|
|
# print buffer live
|
|
cat -v trace_pipe
|
|
fi ) | $awk -v o=$offset -v opt_name=$opt_name -v name=$name \
|
|
-v opt_duration=$opt_duration -v opt_time=$opt_time -v kname=$kname \
|
|
-v opt_reexec=$opt_reexec '
|
|
# common fields
|
|
$1 != "#" {
|
|
# task name can contain dashes
|
|
comm = pid = $1
|
|
sub(/-[0-9][0-9]*/, "", comm)
|
|
sub(/.*-/, "", pid)
|
|
}
|
|
|
|
$1 != "#" && $(4+o) ~ /sched_process_fork/ {
|
|
cpid=$0
|
|
sub(/.* child_pid=/, "", cpid)
|
|
sub(/ .*/, "", cpid)
|
|
getppid[cpid] = pid
|
|
delete seen[pid]
|
|
}
|
|
|
|
$1 != "#" && $(4+o) ~ kname {
|
|
if (seen[pid])
|
|
next
|
|
if (opt_name && comm !~ name)
|
|
next
|
|
|
|
#
|
|
# examples:
|
|
# ... arg1="/bin/echo" arg2="1" arg3="2" arg4="3" ...
|
|
# ... arg1="sleep" arg2="2" arg3=(fault) arg4="" ...
|
|
# ... arg1="" arg2=(fault) arg3="" arg4="" ...
|
|
# the last example is uncommon, and may be a race.
|
|
#
|
|
if ($0 ~ /arg1=""/) {
|
|
args = comm " [?]"
|
|
} else {
|
|
args=$0
|
|
sub(/ arg[0-9]*=\(fault\).*/, "", args)
|
|
sub(/.*arg1="/, "", args)
|
|
gsub(/" arg[0-9]*="/, " ", args)
|
|
sub(/"$/, "", args)
|
|
if ($0 !~ /\(fault\)/)
|
|
args = args " [...]"
|
|
}
|
|
|
|
if (opt_time) {
|
|
time = $(3+o); sub(":", "", time)
|
|
printf "%-16s ", time
|
|
}
|
|
printf "%6s %6d %s\n", pid, getppid[pid], args
|
|
if (!opt_duration)
|
|
fflush()
|
|
if (!opt_reexec) {
|
|
seen[pid] = 1
|
|
delete getppid[pid]
|
|
}
|
|
}
|
|
|
|
$0 ~ /LOST.*EVENT[S]/ { print "WARNING: " $0 > "/dev/stderr" }
|
|
'
|
|
|
|
### end tracing
|
|
end
|