Created
May 14, 2019 21:23
killsnoop.bt
#!/usr/bin/env bpftrace | |
/*
 * killsnoop   Trace signals issued by the kill() syscall.
 *             For Linux, uses bpftrace and eBPF.
 *
 * USAGE: killsnoop.bt
 *
 * Also a basic example of bpftrace.
 *
 * This is a bpftrace version of the bcc tool of the same name.
 *
 * Copyright 2018 Netflix, Inc.
 * Licensed under the Apache License, Version 2.0 (the "License")
 *
 * 07-Sep-2018  Brendan Gregg  Created this.
 */
// Startup banner and column headings, printed by the BEGIN probe before any
// kill() event is reported.
BEGIN
{
	printf("Tracing kill() signals... Hit Ctrl-C to end.\n");

	// Column order matches the per-event row printed by the sys_exit_kill
	// probe: TIME, PID, COMM, SIG, TPID, RESULT.
	// NOTE(review): TIME is padded to 9 columns plus a separator here, while
	// the row's time() format emits 9 characters in total; confirm alignment.
	printf("%-9s %-6s %-16s %-4s %-6s %s\n",
	    "TIME", "PID", "COMM", "SIG", "TPID", "RESULT");
}
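/*
 * Entry probe: stash the target PID and signal number for the calling thread
 * so the exit probe can pair them with the syscall's return value.
 *
 * Signal 0 delivers nothing (it is used to check whether a target exists), so
 * it is filtered here instead of at exit. Filtering at entry means no map
 * entry is created for it, so nothing is left behind in @tpid/@tsig to be
 * dumped when the script exits.
 *
 * Coverage note: only kill(2) is traced. Signals sent through tkill(2),
 * tgkill(2), rt_sigqueueinfo(2) or pidfd_send_signal(2) do not hit these
 * tracepoints, so an empty trace is not evidence that no signal was sent.
 */
tracepoint:syscalls:sys_enter_kill
/args->sig != 0/
{
	@tpid[tid] = args->pid;
	@tsig[tid] = args->sig;
}

/*
 * Exit probe: print one row per traced kill() and release the per-thread
 * state recorded at entry.
 *
 * The predicate keys on @tsig rather than @tpid. A target PID of 0 (signal
 * the caller's own process group) is a valid request, and a predicate on
 * @tpid would silently drop those events and leave their entries in the maps.
 * @tsig is non-zero for every call the entry probe recorded.
 */
tracepoint:syscalls:sys_exit_kill
/@tsig[tid]/
{
	time("%H:%M:%S ");
	// pid/comm identify the sender; RESULT is the raw syscall return value.
	printf("%-6d %-16s %-4d %-6d %d\n", pid, comm, @tsig[tid], @tpid[tid],
	    args->ret);

	// Always clean up so a thread's entries never outlive the syscall.
	delete(@tpid[tid]);
	delete(@tsig[tid]);
}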