How to track newly created processes in Linux?
up vote
19
down vote
favorite
I know that with ps I can see the list or tree of the current processes running in the system. But what I want to achieve is to "follow" the new processes that are created when using the computer.
As analogy, when you use tail -f to follow the new contents appended to a file or to any input, then I want to keep a follow list of the process that are currently being created.
Is this even posible?
linux process
edited Apr 16 at 12:39
Ciro Santilli 新疆改造中心 六四事件 法轮功
4,84324039
asked Feb 5 '16 at 15:58
Pablo Matias Gomez
19816
add a comment |
up vote
19
down vote
favorite
I know that with ps I can see the list or tree of the current processes running in the system. But what I want to achieve is to "follow" the new processes that are created when using the computer.
As analogy, when you use tail -f to follow the new contents appended to a file or to any input, then I want to keep a follow list of the process that are currently being created.
Is this even posible?
linux process
edited Apr 16 at 12:39
Ciro Santilli 新疆改造中心 六四事件 法轮功
4,84324039
asked Feb 5 '16 at 15:58
Pablo Matias Gomez
19816
add a comment |
up vote
19
down vote
favorite
up vote
19
down vote
favorite
I know that with ps I can see the list or tree of the current processes running in the system. But what I want to achieve is to "follow" the new processes that are created when using the computer.
As analogy, when you use tail -f to follow the new contents appended to a file or to any input, then I want to keep a follow list of the process that are currently being created.
Is this even posible?
linux process
edited Apr 16 at 12:39
Ciro Santilli 新疆改造中心 六四事件 法轮功
4,84324039
asked Feb 5 '16 at 15:58
Pablo Matias Gomez
19816
I know that with ps I can see the list or tree of the current processes running in the system. But what I want to achieve is to "follow" the new processes that are created when using the computer.
As analogy, when you use tail -f to follow the new contents appended to a file or to any input, then I want to keep a follow list of the process that are currently being created.
Is this even posible?
linux process
linux process
edited Apr 16 at 12:39
Ciro Santilli 新疆改造中心 六四事件 法轮功
4,84324039
asked Feb 5 '16 at 15:58
Pablo Matias Gomez
19816
edited Apr 16 at 12:39
Ciro Santilli 新疆改造中心 六四事件 法轮功
4,84324039
asked Feb 5 '16 at 15:58
Pablo Matias Gomez
19816
edited Apr 16 at 12:39
Ciro Santilli 新疆改造中心 六四事件 法轮功
4,84324039
edited Apr 16 at 12:39
Ciro Santilli 新疆改造中心 六四事件 法轮功
4,84324039
edited Apr 16 at 12:39
Ciro Santilli 新疆改造中心 六四事件 法轮功
4,84324039
4,84324039
asked Feb 5 '16 at 15:58
Pablo Matias Gomez
19816
asked Feb 5 '16 at 15:58
Pablo Matias Gomez
19816
asked Feb 5 '16 at 15:58
Pablo Matias Gomez
19816
19816
add a comment |
add a comment |
4 Answers
4
active
oldest
votes
up vote
17
down vote
accepted
If kprobes are enabled in the kernel you can use execsnoop from perf-tools:
In first terminal:
% while true; do uptime; sleep 1; done
In another terminal:
% git clone https://github.com/brendangregg/perf-tools.git
% cd perf-tools
% sudo ./execsnoop
Tracing exec()s. Ctrl-C to end.
Instrumenting sys_execve
PID PPID ARGS
83939 83937 cat -v trace_pipe
83938 83934 gawk -v o=1 -v opt_name=0 -v name= -v opt_duration=0 [...]
83940 76640 uptime
83941 76640 sleep 1
83942 76640 uptime
83943 76640 sleep 1
83944 76640 uptime
83945 76640 sleep 1
^C
Ending tracing...
answered Feb 14 '17 at 20:21
Kirill Spitsyn
18613
this is what I was looking for at that time. Clearly see what are the new processes being created.
– Pablo Matias Gomez
Feb 14 '17 at 21:12
add a comment |
up vote
5
down vote
The easiest way is to enable system call auditing
See the following link for details,
Does anyone know a simple way to monitor root process spawn | Server Fault
If you're monitoring all processes, just remove the -F uid=0 part
Logs are written to /var/log/audit/audit.log
edited Apr 16 at 15:58
Drakonoved
6991519
answered Feb 5 '16 at 16:35
daisy
28.3k48167299
None of those 3 links answers my question. The first two are about coding something to resolve this and the last one does not answer neither. What I am asking is about some command and not writing some piece of code
– Pablo Matias Gomez
Feb 5 '16 at 16:46
@PabloMatíasGomez updated
– daisy
Feb 5 '16 at 16:48
add a comment |
up vote
2
down vote
CONFIG_PROC_EVENTS=y
Sample session:
$ su
# ./proc_events &
# /proc_events.out &
set mcast listen ok
# sleep 2 & sleep 1 &
fork: parent tid=48 pid=48 -> child tid=56 pid=56
fork: parent tid=48 pid=48 -> child tid=57 pid=57
exec: tid=57 pid=57
exec: tid=56 pid=56
exit: tid=57 pid=57 exit_code=0
exit: tid=56 pid=56 exit_code=0
CONFIG_PROC_EVENTS exposes the events to userland via a netlink socket.
proc_events.c adapted from: https://bewareofgeek.livejournal.com/2945.html
#define _XOPEN_SOURCE 700
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/connector.h>
#include <linux/cn_proc.h>
#include <signal.h>
#include <errno.h>
#include <stdbool.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
static volatile bool need_exit = false;
static int nl_connect()
{
int rc;
int nl_sock;
struct sockaddr_nl sa_nl;
nl_sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR);
if (nl_sock == -1) {
perror("socket");
return -1;
}
sa_nl.nl_family = AF_NETLINK;
sa_nl.nl_groups = CN_IDX_PROC;
sa_nl.nl_pid = getpid();
rc = bind(nl_sock, (struct sockaddr *)&sa_nl, sizeof(sa_nl));
if (rc == -1) {
perror("bind");
close(nl_sock);
return -1;
}
return nl_sock;
}
static int set_proc_ev_listen(int nl_sock, bool enable)
{
int rc;
struct __attribute__ ((aligned(NLMSG_ALIGNTO))) {
struct nlmsghdr nl_hdr;
struct __attribute__ ((__packed__)) {
struct cn_msg cn_msg;
enum proc_cn_mcast_op cn_mcast;
};
} nlcn_msg;
memset(&nlcn_msg, 0, sizeof(nlcn_msg));
nlcn_msg.nl_hdr.nlmsg_len = sizeof(nlcn_msg);
nlcn_msg.nl_hdr.nlmsg_pid = getpid();
nlcn_msg.nl_hdr.nlmsg_type = NLMSG_DONE;
nlcn_msg.cn_msg.id.idx = CN_IDX_PROC;
nlcn_msg.cn_msg.id.val = CN_VAL_PROC;
nlcn_msg.cn_msg.len = sizeof(enum proc_cn_mcast_op);
nlcn_msg.cn_mcast = enable ? PROC_CN_MCAST_LISTEN : PROC_CN_MCAST_IGNORE;
rc = send(nl_sock, &nlcn_msg, sizeof(nlcn_msg), 0);
if (rc == -1) {
perror("netlink send");
return -1;
}
return 0;
}
static int handle_proc_ev(int nl_sock)
{
int rc;
struct __attribute__ ((aligned(NLMSG_ALIGNTO))) {
struct nlmsghdr nl_hdr;
struct __attribute__ ((__packed__)) {
struct cn_msg cn_msg;
struct proc_event proc_ev;
};
} nlcn_msg;
while (!need_exit) {
rc = recv(nl_sock, &nlcn_msg, sizeof(nlcn_msg), 0);
if (rc == 0) {
/* shutdown? */
return 0;
} else if (rc == -1) {
if (errno == EINTR) continue;
perror("netlink recv");
return -1;
}
switch (nlcn_msg.proc_ev.what) {
case PROC_EVENT_NONE:
printf("set mcast listen okn");
break;
case PROC_EVENT_FORK:
printf("fork: parent tid=%d pid=%d -> child tid=%d pid=%dn",
nlcn_msg.proc_ev.event_data.fork.parent_pid,
nlcn_msg.proc_ev.event_data.fork.parent_tgid,
nlcn_msg.proc_ev.event_data.fork.child_pid,
nlcn_msg.proc_ev.event_data.fork.child_tgid);
break;
case PROC_EVENT_EXEC:
printf("exec: tid=%d pid=%dn",
nlcn_msg.proc_ev.event_data.exec.process_pid,
nlcn_msg.proc_ev.event_data.exec.process_tgid);
break;
case PROC_EVENT_UID:
printf("uid change: tid=%d pid=%d from %d to %dn",
nlcn_msg.proc_ev.event_data.id.process_pid,
nlcn_msg.proc_ev.event_data.id.process_tgid,
nlcn_msg.proc_ev.event_data.id.r.ruid,
nlcn_msg.proc_ev.event_data.id.e.euid);
break;
case PROC_EVENT_GID:
printf("gid change: tid=%d pid=%d from %d to %dn",
nlcn_msg.proc_ev.event_data.id.process_pid,
nlcn_msg.proc_ev.event_data.id.process_tgid,
nlcn_msg.proc_ev.event_data.id.r.rgid,
nlcn_msg.proc_ev.event_data.id.e.egid);
break;
case PROC_EVENT_EXIT:
printf("exit: tid=%d pid=%d exit_code=%dn",
nlcn_msg.proc_ev.event_data.exit.process_pid,
nlcn_msg.proc_ev.event_data.exit.process_tgid,
nlcn_msg.proc_ev.event_data.exit.exit_code);
break;
default:
printf("unhandled proc eventn");
break;
}
}
return 0;
}
static void on_sigint(__attribute__ ((unused)) int unused)
{
need_exit = true;
}
int main()
{
int nl_sock;
int rc = EXIT_SUCCESS;
signal(SIGINT, &on_sigint);
siginterrupt(SIGINT, true);
nl_sock = nl_connect();
if (nl_sock == -1)
exit(EXIT_FAILURE);
rc = set_proc_ev_listen(nl_sock, true);
if (rc == -1) {
rc = EXIT_FAILURE;
goto out;
}
rc = handle_proc_ev(nl_sock);
if (rc == -1) {
rc = EXIT_FAILURE;
goto out;
}
set_proc_ev_listen(nl_sock, false);
out:
close(nl_sock);
exit(rc);
}
GitHub upsatream.
I don't think however that you can you get process data such as UID and process arguments because exec_proc_event contains so little data: https://github.com/torvalds/linux/blob/v4.16/include/uapi/linux/cn_proc.h#L80 We could try to immediately read it from /proc, but there is a risk that the process finished and another one took its PID, so it wouldn't be reliable.
Tested on Ubuntu 17.10, which has CONFIG_PROC_EVENTS=y enabled by default.
answered Apr 16 at 12:30
Ciro Santilli 新疆改造中心 六四事件 法轮功
4,84324039
add a comment |
up vote
1
down vote
You can apparently follow a process using strace. If you know the PID of the process then you can do:
strace -o strace-<pid>.out -f -p <pid>
Notice the -f switch. It will help you to follow newly created processes that are descendants of the process whose PID was used in the command, above. For information on strace see this question.
edited May 23 '17 at 12:39
Community♦
1
answered Feb 6 '16 at 9:33
tejus
744
Apparently you were meaning to attach to the init process, with pid=1, right? Unfortunately it doesn't work, I don't see in the output any creation of new processes, and the number of lines is a few dozens, whilst the current pid for new processes went through a few hundreds.
– Hi-Angel
Oct 30 '17 at 8:33
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f260162%2fhow-to-track-newly-created-processes-in-linux%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
17
down vote
accepted
If kprobes are enabled in the kernel you can use execsnoop from perf-tools:
In first terminal:
% while true; do uptime; sleep 1; done
In another terminal:
% git clone https://github.com/brendangregg/perf-tools.git
% cd perf-tools
% sudo ./execsnoop
Tracing exec()s. Ctrl-C to end.
Instrumenting sys_execve
PID PPID ARGS
83939 83937 cat -v trace_pipe
83938 83934 gawk -v o=1 -v opt_name=0 -v name= -v opt_duration=0 [...]
83940 76640 uptime
83941 76640 sleep 1
83942 76640 uptime
83943 76640 sleep 1
83944 76640 uptime
83945 76640 sleep 1
^C
Ending tracing...
answered Feb 14 '17 at 20:21
Kirill Spitsyn
18613
this is what I was looking for at that time. Clearly see what are the new processes being created.
– Pablo Matias Gomez
Feb 14 '17 at 21:12
add a comment |
up vote
17
down vote
accepted
If kprobes are enabled in the kernel you can use execsnoop from perf-tools:
In first terminal:
% while true; do uptime; sleep 1; done
In another terminal:
% git clone https://github.com/brendangregg/perf-tools.git
% cd perf-tools
% sudo ./execsnoop
Tracing exec()s. Ctrl-C to end.
Instrumenting sys_execve
PID PPID ARGS
83939 83937 cat -v trace_pipe
83938 83934 gawk -v o=1 -v opt_name=0 -v name= -v opt_duration=0 [...]
83940 76640 uptime
83941 76640 sleep 1
83942 76640 uptime
83943 76640 sleep 1
83944 76640 uptime
83945 76640 sleep 1
^C
Ending tracing...
answered Feb 14 '17 at 20:21
Kirill Spitsyn
18613
this is what I was looking for at that time. Clearly see what are the new processes being created.
– Pablo Matias Gomez
Feb 14 '17 at 21:12
add a comment |
up vote
17
down vote
accepted
up vote
17
down vote
accepted
If kprobes are enabled in the kernel you can use execsnoop from perf-tools:
In first terminal:
% while true; do uptime; sleep 1; done
In another terminal:
% git clone https://github.com/brendangregg/perf-tools.git
% cd perf-tools
% sudo ./execsnoop
Tracing exec()s. Ctrl-C to end.
Instrumenting sys_execve
PID PPID ARGS
83939 83937 cat -v trace_pipe
83938 83934 gawk -v o=1 -v opt_name=0 -v name= -v opt_duration=0 [...]
83940 76640 uptime
83941 76640 sleep 1
83942 76640 uptime
83943 76640 sleep 1
83944 76640 uptime
83945 76640 sleep 1
^C
Ending tracing...
answered Feb 14 '17 at 20:21
Kirill Spitsyn
18613
If kprobes are enabled in the kernel you can use execsnoop from perf-tools:
In first terminal:
% while true; do uptime; sleep 1; done
In another terminal:
% git clone https://github.com/brendangregg/perf-tools.git
% cd perf-tools
% sudo ./execsnoop
Tracing exec()s. Ctrl-C to end.
Instrumenting sys_execve
PID PPID ARGS
83939 83937 cat -v trace_pipe
83938 83934 gawk -v o=1 -v opt_name=0 -v name= -v opt_duration=0 [...]
83940 76640 uptime
83941 76640 sleep 1
83942 76640 uptime
83943 76640 sleep 1
83944 76640 uptime
83945 76640 sleep 1
^C
Ending tracing...
answered Feb 14 '17 at 20:21
Kirill Spitsyn
18613
answered Feb 14 '17 at 20:21
Kirill Spitsyn
18613
answered Feb 14 '17 at 20:21
Kirill Spitsyn
18613
answered Feb 14 '17 at 20:21
Kirill Spitsyn
18613
18613
this is what I was looking for at that time. Clearly see what are the new processes being created.
– Pablo Matias Gomez
Feb 14 '17 at 21:12
add a comment |
this is what I was looking for at that time. Clearly see what are the new processes being created.
– Pablo Matias Gomez
Feb 14 '17 at 21:12
this is what I was looking for at that time. Clearly see what are the new processes being created.
– Pablo Matias Gomez
Feb 14 '17 at 21:12
this is what I was looking for at that time. Clearly see what are the new processes being created.
– Pablo Matias Gomez
Feb 14 '17 at 21:12
add a comment |
up vote
5
down vote
The easiest way is to enable system call auditing
See the following link for details,
Does anyone know a simple way to monitor root process spawn | Server Fault
If you're monitoring all processes, just remove the -F uid=0 part
Logs are written to /var/log/audit/audit.log
edited Apr 16 at 15:58
Drakonoved
6991519
answered Feb 5 '16 at 16:35
daisy
28.3k48167299
None of those 3 links answers my question. The first two are about coding something to resolve this and the last one does not answer neither. What I am asking is about some command and not writing some piece of code
– Pablo Matias Gomez
Feb 5 '16 at 16:46
@PabloMatíasGomez updated
– daisy
Feb 5 '16 at 16:48
add a comment |
up vote
5
down vote
The easiest way is to enable system call auditing
See the following link for details,
Does anyone know a simple way to monitor root process spawn | Server Fault
If you're monitoring all processes, just remove the -F uid=0 part
Logs are written to /var/log/audit/audit.log
edited Apr 16 at 15:58
Drakonoved
6991519
answered Feb 5 '16 at 16:35
daisy
28.3k48167299
None of those 3 links answers my question. The first two are about coding something to resolve this and the last one does not answer neither. What I am asking is about some command and not writing some piece of code
– Pablo Matias Gomez
Feb 5 '16 at 16:46
@PabloMatíasGomez updated
– daisy
Feb 5 '16 at 16:48
add a comment |
up vote
5
down vote
up vote
5
down vote
The easiest way is to enable system call auditing
See the following link for details,
Does anyone know a simple way to monitor root process spawn | Server Fault
If you're monitoring all processes, just remove the -F uid=0 part
Logs are written to /var/log/audit/audit.log
edited Apr 16 at 15:58
Drakonoved
6991519
answered Feb 5 '16 at 16:35
daisy
28.3k48167299
The easiest way is to enable system call auditing
See the following link for details,
Does anyone know a simple way to monitor root process spawn | Server Fault
If you're monitoring all processes, just remove the -F uid=0 part
Logs are written to /var/log/audit/audit.log
edited Apr 16 at 15:58
Drakonoved
6991519
answered Feb 5 '16 at 16:35
daisy
28.3k48167299
edited Apr 16 at 15:58
Drakonoved
6991519
edited Apr 16 at 15:58
Drakonoved
6991519
edited Apr 16 at 15:58
Drakonoved
6991519
6991519
answered Feb 5 '16 at 16:35
daisy
28.3k48167299
answered Feb 5 '16 at 16:35
daisy
28.3k48167299
answered Feb 5 '16 at 16:35
daisy
28.3k48167299
28.3k48167299
None of those 3 links answers my question. The first two are about coding something to resolve this and the last one does not answer neither. What I am asking is about some command and not writing some piece of code
– Pablo Matias Gomez
Feb 5 '16 at 16:46
@PabloMatíasGomez updated
– daisy
Feb 5 '16 at 16:48
add a comment |
None of those 3 links answers my question. The first two are about coding something to resolve this and the last one does not answer neither. What I am asking is about some command and not writing some piece of code
– Pablo Matias Gomez
Feb 5 '16 at 16:46
@PabloMatíasGomez updated
– daisy
Feb 5 '16 at 16:48
None of those 3 links answers my question. The first two are about coding something to resolve this and the last one does not answer neither. What I am asking is about some command and not writing some piece of code
– Pablo Matias Gomez
Feb 5 '16 at 16:46
None of those 3 links answers my question. The first two are about coding something to resolve this and the last one does not answer neither. What I am asking is about some command and not writing some piece of code
– Pablo Matias Gomez
Feb 5 '16 at 16:46
@PabloMatíasGomez updated
– daisy
Feb 5 '16 at 16:48
@PabloMatíasGomez updated
– daisy
Feb 5 '16 at 16:48
add a comment |
up vote
2
down vote
CONFIG_PROC_EVENTS=y
Sample session:
$ su
# ./proc_events &
# /proc_events.out &
set mcast listen ok
# sleep 2 & sleep 1 &
fork: parent tid=48 pid=48 -> child tid=56 pid=56
fork: parent tid=48 pid=48 -> child tid=57 pid=57
exec: tid=57 pid=57
exec: tid=56 pid=56
exit: tid=57 pid=57 exit_code=0
exit: tid=56 pid=56 exit_code=0
CONFIG_PROC_EVENTS exposes the events to userland via a netlink socket.
proc_events.c adapted from: https://bewareofgeek.livejournal.com/2945.html
#define _XOPEN_SOURCE 700
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/connector.h>
#include <linux/cn_proc.h>
#include <signal.h>
#include <errno.h>
#include <stdbool.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
static volatile bool need_exit = false;
static int nl_connect()
{
int rc;
int nl_sock;
struct sockaddr_nl sa_nl;
nl_sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR);
if (nl_sock == -1) {
perror("socket");
return -1;
}
sa_nl.nl_family = AF_NETLINK;
sa_nl.nl_groups = CN_IDX_PROC;
sa_nl.nl_pid = getpid();
rc = bind(nl_sock, (struct sockaddr *)&sa_nl, sizeof(sa_nl));
if (rc == -1) {
perror("bind");
close(nl_sock);
return -1;
}
return nl_sock;
}
static int set_proc_ev_listen(int nl_sock, bool enable)
{
int rc;
struct __attribute__ ((aligned(NLMSG_ALIGNTO))) {
struct nlmsghdr nl_hdr;
struct __attribute__ ((__packed__)) {
struct cn_msg cn_msg;
enum proc_cn_mcast_op cn_mcast;
};
} nlcn_msg;
memset(&nlcn_msg, 0, sizeof(nlcn_msg));
nlcn_msg.nl_hdr.nlmsg_len = sizeof(nlcn_msg);
nlcn_msg.nl_hdr.nlmsg_pid = getpid();
nlcn_msg.nl_hdr.nlmsg_type = NLMSG_DONE;
nlcn_msg.cn_msg.id.idx = CN_IDX_PROC;
nlcn_msg.cn_msg.id.val = CN_VAL_PROC;
nlcn_msg.cn_msg.len = sizeof(enum proc_cn_mcast_op);
nlcn_msg.cn_mcast = enable ? PROC_CN_MCAST_LISTEN : PROC_CN_MCAST_IGNORE;
rc = send(nl_sock, &nlcn_msg, sizeof(nlcn_msg), 0);
if (rc == -1) {
perror("netlink send");
return -1;
}
return 0;
}
static int handle_proc_ev(int nl_sock)
{
int rc;
struct __attribute__ ((aligned(NLMSG_ALIGNTO))) {
struct nlmsghdr nl_hdr;
struct __attribute__ ((__packed__)) {
struct cn_msg cn_msg;
struct proc_event proc_ev;
};
} nlcn_msg;
while (!need_exit) {
rc = recv(nl_sock, &nlcn_msg, sizeof(nlcn_msg), 0);
if (rc == 0) {
/* shutdown? */
return 0;
} else if (rc == -1) {
if (errno == EINTR) continue;
perror("netlink recv");
return -1;
}
switch (nlcn_msg.proc_ev.what) {
case PROC_EVENT_NONE:
printf("set mcast listen okn");
break;
case PROC_EVENT_FORK:
printf("fork: parent tid=%d pid=%d -> child tid=%d pid=%dn",
nlcn_msg.proc_ev.event_data.fork.parent_pid,
nlcn_msg.proc_ev.event_data.fork.parent_tgid,
nlcn_msg.proc_ev.event_data.fork.child_pid,
nlcn_msg.proc_ev.event_data.fork.child_tgid);
break;
case PROC_EVENT_EXEC:
printf("exec: tid=%d pid=%dn",
nlcn_msg.proc_ev.event_data.exec.process_pid,
nlcn_msg.proc_ev.event_data.exec.process_tgid);
break;
case PROC_EVENT_UID:
printf("uid change: tid=%d pid=%d from %d to %dn",
nlcn_msg.proc_ev.event_data.id.process_pid,
nlcn_msg.proc_ev.event_data.id.process_tgid,
nlcn_msg.proc_ev.event_data.id.r.ruid,
nlcn_msg.proc_ev.event_data.id.e.euid);
break;
case PROC_EVENT_GID:
printf("gid change: tid=%d pid=%d from %d to %dn",
nlcn_msg.proc_ev.event_data.id.process_pid,
nlcn_msg.proc_ev.event_data.id.process_tgid,
nlcn_msg.proc_ev.event_data.id.r.rgid,
nlcn_msg.proc_ev.event_data.id.e.egid);
break;
case PROC_EVENT_EXIT:
printf("exit: tid=%d pid=%d exit_code=%dn",
nlcn_msg.proc_ev.event_data.exit.process_pid,
nlcn_msg.proc_ev.event_data.exit.process_tgid,
nlcn_msg.proc_ev.event_data.exit.exit_code);
break;
default:
printf("unhandled proc eventn");
break;
}
}
return 0;
}
static void on_sigint(__attribute__ ((unused)) int unused)
{
need_exit = true;
}
int main()
{
int nl_sock;
int rc = EXIT_SUCCESS;
signal(SIGINT, &on_sigint);
siginterrupt(SIGINT, true);
nl_sock = nl_connect();
if (nl_sock == -1)
exit(EXIT_FAILURE);
rc = set_proc_ev_listen(nl_sock, true);
if (rc == -1) {
rc = EXIT_FAILURE;
goto out;
}
rc = handle_proc_ev(nl_sock);
if (rc == -1) {
rc = EXIT_FAILURE;
goto out;
}
set_proc_ev_listen(nl_sock, false);
out:
close(nl_sock);
exit(rc);
}
GitHub upsatream.
I don't think however that you can you get process data such as UID and process arguments because exec_proc_event contains so little data: https://github.com/torvalds/linux/blob/v4.16/include/uapi/linux/cn_proc.h#L80 We could try to immediately read it from /proc, but there is a risk that the process finished and another one took its PID, so it wouldn't be reliable.
Tested on Ubuntu 17.10, which has CONFIG_PROC_EVENTS=y enabled by default.
answered Apr 16 at 12:30
Ciro Santilli 新疆改造中心 六四事件 法轮功
4,84324039
add a comment |
up vote
2
down vote
CONFIG_PROC_EVENTS=y
Sample session:
$ su
# ./proc_events &
# /proc_events.out &
set mcast listen ok
# sleep 2 & sleep 1 &
fork: parent tid=48 pid=48 -> child tid=56 pid=56
fork: parent tid=48 pid=48 -> child tid=57 pid=57
exec: tid=57 pid=57
exec: tid=56 pid=56
exit: tid=57 pid=57 exit_code=0
exit: tid=56 pid=56 exit_code=0
CONFIG_PROC_EVENTS exposes the events to userland via a netlink socket.
proc_events.c adapted from: https://bewareofgeek.livejournal.com/2945.html
#define _XOPEN_SOURCE 700
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/connector.h>
#include <linux/cn_proc.h>
#include <signal.h>
#include <errno.h>
#include <stdbool.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
static volatile bool need_exit = false;
static int nl_connect()
{
int rc;
int nl_sock;
struct sockaddr_nl sa_nl;
nl_sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR);
if (nl_sock == -1) {
perror("socket");
return -1;
}
sa_nl.nl_family = AF_NETLINK;
sa_nl.nl_groups = CN_IDX_PROC;
sa_nl.nl_pid = getpid();
rc = bind(nl_sock, (struct sockaddr *)&sa_nl, sizeof(sa_nl));
if (rc == -1) {
perror("bind");
close(nl_sock);
return -1;
}
return nl_sock;
}
static int set_proc_ev_listen(int nl_sock, bool enable)
{
int rc;
struct __attribute__ ((aligned(NLMSG_ALIGNTO))) {
struct nlmsghdr nl_hdr;
struct __attribute__ ((__packed__)) {
struct cn_msg cn_msg;
enum proc_cn_mcast_op cn_mcast;
};
} nlcn_msg;
memset(&nlcn_msg, 0, sizeof(nlcn_msg));
nlcn_msg.nl_hdr.nlmsg_len = sizeof(nlcn_msg);
nlcn_msg.nl_hdr.nlmsg_pid = getpid();
nlcn_msg.nl_hdr.nlmsg_type = NLMSG_DONE;
nlcn_msg.cn_msg.id.idx = CN_IDX_PROC;
nlcn_msg.cn_msg.id.val = CN_VAL_PROC;
nlcn_msg.cn_msg.len = sizeof(enum proc_cn_mcast_op);
nlcn_msg.cn_mcast = enable ? PROC_CN_MCAST_LISTEN : PROC_CN_MCAST_IGNORE;
rc = send(nl_sock, &nlcn_msg, sizeof(nlcn_msg), 0);
if (rc == -1) {
perror("netlink send");
return -1;
}
return 0;
}
static int handle_proc_ev(int nl_sock)
{
int rc;
struct __attribute__ ((aligned(NLMSG_ALIGNTO))) {
struct nlmsghdr nl_hdr;
struct __attribute__ ((__packed__)) {
struct cn_msg cn_msg;
struct proc_event proc_ev;
};
} nlcn_msg;
while (!need_exit) {
rc = recv(nl_sock, &nlcn_msg, sizeof(nlcn_msg), 0);
if (rc == 0) {
/* shutdown? */
return 0;
} else if (rc == -1) {
if (errno == EINTR) continue;
perror("netlink recv");
return -1;
}
switch (nlcn_msg.proc_ev.what) {
case PROC_EVENT_NONE:
printf("set mcast listen okn");
break;
case PROC_EVENT_FORK:
printf("fork: parent tid=%d pid=%d -> child tid=%d pid=%dn",
nlcn_msg.proc_ev.event_data.fork.parent_pid,
nlcn_msg.proc_ev.event_data.fork.parent_tgid,
nlcn_msg.proc_ev.event_data.fork.child_pid,
nlcn_msg.proc_ev.event_data.fork.child_tgid);
break;
case PROC_EVENT_EXEC:
printf("exec: tid=%d pid=%dn",
nlcn_msg.proc_ev.event_data.exec.process_pid,
nlcn_msg.proc_ev.event_data.exec.process_tgid);
break;
case PROC_EVENT_UID:
printf("uid change: tid=%d pid=%d from %d to %dn",
nlcn_msg.proc_ev.event_data.id.process_pid,
nlcn_msg.proc_ev.event_data.id.process_tgid,
nlcn_msg.proc_ev.event_data.id.r.ruid,
nlcn_msg.proc_ev.event_data.id.e.euid);
break;
case PROC_EVENT_GID:
printf("gid change: tid=%d pid=%d from %d to %dn",
nlcn_msg.proc_ev.event_data.id.process_pid,
nlcn_msg.proc_ev.event_data.id.process_tgid,
nlcn_msg.proc_ev.event_data.id.r.rgid,
nlcn_msg.proc_ev.event_data.id.e.egid);
break;
case PROC_EVENT_EXIT:
printf("exit: tid=%d pid=%d exit_code=%dn",
nlcn_msg.proc_ev.event_data.exit.process_pid,
nlcn_msg.proc_ev.event_data.exit.process_tgid,
nlcn_msg.proc_ev.event_data.exit.exit_code);
break;
default:
printf("unhandled proc eventn");
break;
}
}
return 0;
}
static void on_sigint(__attribute__ ((unused)) int unused)
{
need_exit = true;
}
int main()
{
int nl_sock;
int rc = EXIT_SUCCESS;
signal(SIGINT, &on_sigint);
siginterrupt(SIGINT, true);
nl_sock = nl_connect();
if (nl_sock == -1)
exit(EXIT_FAILURE);
rc = set_proc_ev_listen(nl_sock, true);
if (rc == -1) {
rc = EXIT_FAILURE;
goto out;
}
rc = handle_proc_ev(nl_sock);
if (rc == -1) {
rc = EXIT_FAILURE;
goto out;
}
set_proc_ev_listen(nl_sock, false);
out:
close(nl_sock);
exit(rc);
}
GitHub upsatream.
I don't think however that you can you get process data such as UID and process arguments because exec_proc_event contains so little data: https://github.com/torvalds/linux/blob/v4.16/include/uapi/linux/cn_proc.h#L80 We could try to immediately read it from /proc, but there is a risk that the process finished and another one took its PID, so it wouldn't be reliable.
Tested on Ubuntu 17.10, which has CONFIG_PROC_EVENTS=y enabled by default.
answered Apr 16 at 12:30
Ciro Santilli 新疆改造中心 六四事件 法轮功
4,84324039
add a comment |
up vote
2
down vote
up vote
2
down vote
CONFIG_PROC_EVENTS=y
Sample session:
$ su
# ./proc_events &
# /proc_events.out &
set mcast listen ok
# sleep 2 & sleep 1 &
fork: parent tid=48 pid=48 -> child tid=56 pid=56
fork: parent tid=48 pid=48 -> child tid=57 pid=57
exec: tid=57 pid=57
exec: tid=56 pid=56
exit: tid=57 pid=57 exit_code=0
exit: tid=56 pid=56 exit_code=0
CONFIG_PROC_EVENTS exposes the events to userland via a netlink socket.
proc_events.c adapted from: https://bewareofgeek.livejournal.com/2945.html
#define _XOPEN_SOURCE 700
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/connector.h>
#include <linux/cn_proc.h>
#include <signal.h>
#include <errno.h>
#include <stdbool.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
static volatile bool need_exit = false;
static int nl_connect()
{
int rc;
int nl_sock;
struct sockaddr_nl sa_nl;
nl_sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR);
if (nl_sock == -1) {
perror("socket");
return -1;
}
sa_nl.nl_family = AF_NETLINK;
sa_nl.nl_groups = CN_IDX_PROC;
sa_nl.nl_pid = getpid();
rc = bind(nl_sock, (struct sockaddr *)&sa_nl, sizeof(sa_nl));
if (rc == -1) {
perror("bind");
close(nl_sock);
return -1;
}
return nl_sock;
}
static int set_proc_ev_listen(int nl_sock, bool enable)
{
int rc;
struct __attribute__ ((aligned(NLMSG_ALIGNTO))) {
struct nlmsghdr nl_hdr;
struct __attribute__ ((__packed__)) {
struct cn_msg cn_msg;
enum proc_cn_mcast_op cn_mcast;
};
} nlcn_msg;
memset(&nlcn_msg, 0, sizeof(nlcn_msg));
nlcn_msg.nl_hdr.nlmsg_len = sizeof(nlcn_msg);
nlcn_msg.nl_hdr.nlmsg_pid = getpid();
nlcn_msg.nl_hdr.nlmsg_type = NLMSG_DONE;
nlcn_msg.cn_msg.id.idx = CN_IDX_PROC;
nlcn_msg.cn_msg.id.val = CN_VAL_PROC;
nlcn_msg.cn_msg.len = sizeof(enum proc_cn_mcast_op);
nlcn_msg.cn_mcast = enable ? PROC_CN_MCAST_LISTEN : PROC_CN_MCAST_IGNORE;
rc = send(nl_sock, &nlcn_msg, sizeof(nlcn_msg), 0);
if (rc == -1) {
perror("netlink send");
return -1;
}
return 0;
}
static int handle_proc_ev(int nl_sock)
{
int rc;
struct __attribute__ ((aligned(NLMSG_ALIGNTO))) {
struct nlmsghdr nl_hdr;
struct __attribute__ ((__packed__)) {
struct cn_msg cn_msg;
struct proc_event proc_ev;
};
} nlcn_msg;
while (!need_exit) {
rc = recv(nl_sock, &nlcn_msg, sizeof(nlcn_msg), 0);
if (rc == 0) {
/* shutdown? */
return 0;
} else if (rc == -1) {
if (errno == EINTR) continue;
perror("netlink recv");
return -1;
}
switch (nlcn_msg.proc_ev.what) {
case PROC_EVENT_NONE:
printf("set mcast listen okn");
break;
case PROC_EVENT_FORK:
printf("fork: parent tid=%d pid=%d -> child tid=%d pid=%dn",
nlcn_msg.proc_ev.event_data.fork.parent_pid,
nlcn_msg.proc_ev.event_data.fork.parent_tgid,
nlcn_msg.proc_ev.event_data.fork.child_pid,
nlcn_msg.proc_ev.event_data.fork.child_tgid);
break;
case PROC_EVENT_EXEC:
printf("exec: tid=%d pid=%dn",
nlcn_msg.proc_ev.event_data.exec.process_pid,
nlcn_msg.proc_ev.event_data.exec.process_tgid);
break;
case PROC_EVENT_UID:
printf("uid change: tid=%d pid=%d from %d to %dn",
nlcn_msg.proc_ev.event_data.id.process_pid,
nlcn_msg.proc_ev.event_data.id.process_tgid,
nlcn_msg.proc_ev.event_data.id.r.ruid,
nlcn_msg.proc_ev.event_data.id.e.euid);
break;
case PROC_EVENT_GID:
printf("gid change: tid=%d pid=%d from %d to %dn",
nlcn_msg.proc_ev.event_data.id.process_pid,
nlcn_msg.proc_ev.event_data.id.process_tgid,
nlcn_msg.proc_ev.event_data.id.r.rgid,
nlcn_msg.proc_ev.event_data.id.e.egid);
break;
case PROC_EVENT_EXIT:
printf("exit: tid=%d pid=%d exit_code=%dn",
nlcn_msg.proc_ev.event_data.exit.process_pid,
nlcn_msg.proc_ev.event_data.exit.process_tgid,
nlcn_msg.proc_ev.event_data.exit.exit_code);
break;
default:
printf("unhandled proc eventn");
break;
}
}
return 0;
}
static void on_sigint(__attribute__ ((unused)) int unused)
{
need_exit = true;
}
int main()
{
int nl_sock;
int rc = EXIT_SUCCESS;
signal(SIGINT, &on_sigint);
siginterrupt(SIGINT, true);
nl_sock = nl_connect();
if (nl_sock == -1)
exit(EXIT_FAILURE);
rc = set_proc_ev_listen(nl_sock, true);
if (rc == -1) {
rc = EXIT_FAILURE;
goto out;
}
rc = handle_proc_ev(nl_sock);
if (rc == -1) {
rc = EXIT_FAILURE;
goto out;
}
set_proc_ev_listen(nl_sock, false);
out:
close(nl_sock);
exit(rc);
}
GitHub upsatream.
I don't think however that you can you get process data such as UID and process arguments because exec_proc_event contains so little data: https://github.com/torvalds/linux/blob/v4.16/include/uapi/linux/cn_proc.h#L80 We could try to immediately read it from /proc, but there is a risk that the process finished and another one took its PID, so it wouldn't be reliable.
Tested on Ubuntu 17.10, which has CONFIG_PROC_EVENTS=y enabled by default.
answered Apr 16 at 12:30
Ciro Santilli 新疆改造中心 六四事件 法轮功
4,84324039
CONFIG_PROC_EVENTS=y
Sample session:
$ su
# ./proc_events &
# /proc_events.out &
set mcast listen ok
# sleep 2 & sleep 1 &
fork: parent tid=48 pid=48 -> child tid=56 pid=56
fork: parent tid=48 pid=48 -> child tid=57 pid=57
exec: tid=57 pid=57
exec: tid=56 pid=56
exit: tid=57 pid=57 exit_code=0
exit: tid=56 pid=56 exit_code=0
CONFIG_PROC_EVENTS exposes the events to userland via a netlink socket.
proc_events.c adapted from: https://bewareofgeek.livejournal.com/2945.html
#define _XOPEN_SOURCE 700
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/connector.h>
#include <linux/cn_proc.h>
#include <signal.h>
#include <errno.h>
#include <stdbool.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
static volatile bool need_exit = false;
static int nl_connect()
{
int rc;
int nl_sock;
struct sockaddr_nl sa_nl;
nl_sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR);
if (nl_sock == -1) {
perror("socket");
return -1;
}
sa_nl.nl_family = AF_NETLINK;
sa_nl.nl_groups = CN_IDX_PROC;
sa_nl.nl_pid = getpid();
rc = bind(nl_sock, (struct sockaddr *)&sa_nl, sizeof(sa_nl));
if (rc == -1) {
perror("bind");
close(nl_sock);
return -1;
}
return nl_sock;
}
static int set_proc_ev_listen(int nl_sock, bool enable)
{
int rc;
struct __attribute__ ((aligned(NLMSG_ALIGNTO))) {
struct nlmsghdr nl_hdr;
struct __attribute__ ((__packed__)) {
struct cn_msg cn_msg;
enum proc_cn_mcast_op cn_mcast;
};
} nlcn_msg;
memset(&nlcn_msg, 0, sizeof(nlcn_msg));
nlcn_msg.nl_hdr.nlmsg_len = sizeof(nlcn_msg);
nlcn_msg.nl_hdr.nlmsg_pid = getpid();
nlcn_msg.nl_hdr.nlmsg_type = NLMSG_DONE;
nlcn_msg.cn_msg.id.idx = CN_IDX_PROC;
nlcn_msg.cn_msg.id.val = CN_VAL_PROC;
nlcn_msg.cn_msg.len = sizeof(enum proc_cn_mcast_op);
nlcn_msg.cn_mcast = enable ? PROC_CN_MCAST_LISTEN : PROC_CN_MCAST_IGNORE;
rc = send(nl_sock, &nlcn_msg, sizeof(nlcn_msg), 0);
if (rc == -1) {
perror("netlink send");
return -1;
}
return 0;
}
static int handle_proc_ev(int nl_sock)
{
int rc;
struct __attribute__ ((aligned(NLMSG_ALIGNTO))) {
struct nlmsghdr nl_hdr;
struct __attribute__ ((__packed__)) {
struct cn_msg cn_msg;
struct proc_event proc_ev;
};
} nlcn_msg;
while (!need_exit) {
rc = recv(nl_sock, &nlcn_msg, sizeof(nlcn_msg), 0);
if (rc == 0) {
/* shutdown? */
return 0;
} else if (rc == -1) {
if (errno == EINTR) continue;
perror("netlink recv");
return -1;
}
switch (nlcn_msg.proc_ev.what) {
case PROC_EVENT_NONE:
printf("set mcast listen okn");
break;
case PROC_EVENT_FORK:
printf("fork: parent tid=%d pid=%d -> child tid=%d pid=%dn",
nlcn_msg.proc_ev.event_data.fork.parent_pid,
nlcn_msg.proc_ev.event_data.fork.parent_tgid,
nlcn_msg.proc_ev.event_data.fork.child_pid,
nlcn_msg.proc_ev.event_data.fork.child_tgid);
break;
case PROC_EVENT_EXEC:
printf("exec: tid=%d pid=%dn",
nlcn_msg.proc_ev.event_data.exec.process_pid,
nlcn_msg.proc_ev.event_data.exec.process_tgid);
break;
case PROC_EVENT_UID:
printf("uid change: tid=%d pid=%d from %d to %dn",
nlcn_msg.proc_ev.event_data.id.process_pid,
nlcn_msg.proc_ev.event_data.id.process_tgid,
nlcn_msg.proc_ev.event_data.id.r.ruid,
nlcn_msg.proc_ev.event_data.id.e.euid);
break;
case PROC_EVENT_GID:
printf("gid change: tid=%d pid=%d from %d to %dn",
nlcn_msg.proc_ev.event_data.id.process_pid,
nlcn_msg.proc_ev.event_data.id.process_tgid,
nlcn_msg.proc_ev.event_data.id.r.rgid,
nlcn_msg.proc_ev.event_data.id.e.egid);
break;
case PROC_EVENT_EXIT:
printf("exit: tid=%d pid=%d exit_code=%dn",
nlcn_msg.proc_ev.event_data.exit.process_pid,
nlcn_msg.proc_ev.event_data.exit.process_tgid,
nlcn_msg.proc_ev.event_data.exit.exit_code);
break;
default:
printf("unhandled proc eventn");
break;
}
}
return 0;
}
static void on_sigint(__attribute__ ((unused)) int unused)
{
need_exit = true;
}
int main()
{
int nl_sock;
int rc = EXIT_SUCCESS;
signal(SIGINT, &on_sigint);
siginterrupt(SIGINT, true);
nl_sock = nl_connect();
if (nl_sock == -1)
exit(EXIT_FAILURE);
rc = set_proc_ev_listen(nl_sock, true);
if (rc == -1) {
rc = EXIT_FAILURE;
goto out;
}
rc = handle_proc_ev(nl_sock);
if (rc == -1) {
rc = EXIT_FAILURE;
goto out;
}
set_proc_ev_listen(nl_sock, false);
out:
close(nl_sock);
exit(rc);
}
GitHub upsatream.
I don't think however that you can you get process data such as UID and process arguments because exec_proc_event contains so little data: https://github.com/torvalds/linux/blob/v4.16/include/uapi/linux/cn_proc.h#L80 We could try to immediately read it from /proc, but there is a risk that the process finished and another one took its PID, so it wouldn't be reliable.
Tested on Ubuntu 17.10, which has CONFIG_PROC_EVENTS=y enabled by default.
answered Apr 16 at 12:30
Ciro Santilli 新疆改造中心 六四事件 法轮功
4,84324039
edited Dec 5 at 12:18
answered Apr 16 at 12:30
Ciro Santilli 新疆改造中心 六四事件 法轮功
4,84324039
answered Apr 16 at 12:30
Ciro Santilli 新疆改造中心 六四事件 法轮功
4,84324039
answered Apr 16 at 12:30
Ciro Santilli 新疆改造中心 六四事件 法轮功
4,84324039
4,84324039
add a comment |
add a comment |
up vote
1
down vote
You can apparently follow a process using strace. If you know the PID of the process then you can do:
strace -o strace-<pid>.out -f -p <pid>
Notice the -f switch. It will help you to follow newly created processes that are descendants of the process whose PID was used in the command, above. For information on strace see this question.
edited May 23 '17 at 12:39
Community♦
1
answered Feb 6 '16 at 9:33
tejus
744
Apparently you were meaning to attach to the init process, with pid=1, right? Unfortunately it doesn't work, I don't see in the output any creation of new processes, and the number of lines is a few dozens, whilst the current pid for new processes went through a few hundreds.
– Hi-Angel
Oct 30 '17 at 8:33
add a comment |
up vote
1
down vote
You can apparently follow a process using strace. If you know the PID of the process then you can do:
strace -o strace-<pid>.out -f -p <pid>
Notice the -f switch. It will help you to follow newly created processes that are descendants of the process whose PID was used in the command, above. For information on strace see this question.
edited May 23 '17 at 12:39
Community♦
1
answered Feb 6 '16 at 9:33
tejus
744
Apparently you were meaning to attach to the init process, with pid=1, right? Unfortunately it doesn't work, I don't see in the output any creation of new processes, and the number of lines is a few dozens, whilst the current pid for new processes went through a few hundreds.
– Hi-Angel
Oct 30 '17 at 8:33
add a comment |
up vote
1
down vote
up vote
1
down vote
You can apparently follow a process using strace. If you know the PID of the process then you can do:
strace -o strace-<pid>.out -f -p <pid>
Notice the -f switch. It will help you to follow newly created processes that are descendants of the process whose PID was used in the command, above. For information on strace see this question.
edited May 23 '17 at 12:39
Community♦
1
answered Feb 6 '16 at 9:33
tejus
744
You can apparently follow a process using strace. If you know the PID of the process then you can do:
strace -o strace-<pid>.out -f -p <pid>
Notice the -f switch. It will help you to follow newly created processes that are descendants of the process whose PID was used in the command, above. For information on strace see this question.
edited May 23 '17 at 12:39
Community♦
1
answered Feb 6 '16 at 9:33
tejus
744
edited May 23 '17 at 12:39
Community♦
1
edited May 23 '17 at 12:39
Community♦
1
edited May 23 '17 at 12:39
Community♦
1
1
answered Feb 6 '16 at 9:33
tejus
744
answered Feb 6 '16 at 9:33
tejus
744
answered Feb 6 '16 at 9:33
tejus
744
744
Apparently you were meaning to attach to the init process, with pid=1, right? Unfortunately it doesn't work, I don't see in the output any creation of new processes, and the number of lines is a few dozens, whilst the current pid for new processes went through a few hundreds.
– Hi-Angel
Oct 30 '17 at 8:33
add a comment |
Apparently you were meaning to attach to the init process, with pid=1, right? Unfortunately it doesn't work, I don't see in the output any creation of new processes, and the number of lines is a few dozens, whilst the current pid for new processes went through a few hundreds.
– Hi-Angel
Oct 30 '17 at 8:33
Apparently you were meaning to attach to the init process, with pid=1, right? Unfortunately it doesn't work, I don't see in the output any creation of new processes, and the number of lines is a few dozens, whilst the current pid for new processes went through a few hundreds.
– Hi-Angel
Oct 30 '17 at 8:33
Apparently you were meaning to attach to the init process, with pid=1, right? Unfortunately it doesn't work, I don't see in the output any creation of new processes, and the number of lines is a few dozens, whilst the current pid for new processes went through a few hundreds.
– Hi-Angel
Oct 30 '17 at 8:33
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f260162%2fhow-to-track-newly-created-processes-in-linux%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
