execsnoop(1m) USER COMMANDS 2007-08-05
NAME
execsnoop - snoop new process execution. Uses DTrace.
SYNOPSIS
execsnoop [-a|-A|-ejhsvZ] [-c command]
DESCRIPTION
execsnoop prints details of new processes as they are executed. Details such as UID, PID and argument listing are printed out. This program is very useful to examine short-lived processes that would not normally appear in a prstat or "ps -ef" listing. Sometimes applications will run hundreds of short-lived processes in their normal startup cycle, a behaviour that is easily monitored with execsnoop. Since this uses DTrace, only the root user or users with the dtrace_kernel privilege can run this command.
OS
Solaris
STABILITY
stable - needs the syscall provider.
OPTIONS

-a print all data

-A dump all data, space delimited

-e safe output, parseable. This prevents the ARGS field containing "\n"s, to assist postprocessing.

-j print project ID

-s print start time, us

-v print start time, string

-Z print zonename

-c command command name to snoop

EXAMPLES

Default output, print processes as they are executed,
    # execsnoop

Print human readable timestamps,
    # execsnoop -v

Print zonename,
    # execsnoop -Z

Snoop this command only,
    # execsnoop -c ls
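
Postprocessing the parseable -e output to surface bursts of short-lived processes, as an added example that is not part of the original man page or the DTraceToolkit. It assumes the default column order is UID PID PPID ARGS after one header line; exec_summary and the sample data are hypothetical names and constructed input.

```shell
# Summarise `execsnoop -e` output per (UID, PPID, command name).
# Assumption: default columns are UID PID PPID ARGS, after one header line.
# With -e, ARGS never contains a newline, so one line is one exec event.

# Constructed sample input, not captured from a real system.
sample_execsnoop_output() {
cat <<'EOF'
  UID    PID   PPID ARGS
  100   4210   4209 /bin/sh -c uname -a
  100   4211   4210 uname -a
    0   4212      1 /usr/sbin/cron
  100   4213   4209 /bin/sh -c ls /tmp
  100   4214   4213 ls /tmp
  100   4215   4209 /bin/sh -c date
EOF
}

# exec_summary [THRESHOLD]
# Reads execsnoop output on stdin and prints "COUNT UID PPID COMMAND" for
# every (UID, PPID, first word of ARGS) group seen at least THRESHOLD times,
# highest count first.
exec_summary() {
    awk -v min="${1:-1}" '
        $1 == "UID" { next }                   # skip the header line
        NF < 4 || $1 !~ /^[0-9]+$/ { next }    # skip blank or malformed lines
        {
            key = $1 " " $3 " " $4             # UID, PPID, first word of ARGS
            count[key]++
        }
        END {
            for (k in count)
                if (count[k] >= min) print count[k], k
        }
    ' | sort -k1,1nr -k2
}
```

Because execsnoop runs until Ctrl-C, redirect its output to a file first and run exec_summary on that file afterwards; piping it live would interrupt awk before it prints its totals.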

FIELDS

UID User ID

PID Process ID

PPID Parent Process ID

COMM command name for the process

ARGS argument listing for the process

ZONE zonename

PROJ project ID

TIME timestamp for the exec event, us

STRTIME timestamp for the exec event, string

DOCUMENTATION
See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with verbose descriptions explaining the output.
EXIT
execsnoop will run forever until Ctrl-C is hit.
AUTHOR
Brendan Gregg [Sydney, Australia]
SEE ALSO
dtrace(1M), truss(1)