# killsnoop Trace signals issued by the kill() syscall.
# For Linux, uses BCC, eBPF. Embedded C.
#
-# USAGE: killsnoop [-h] [-t] [-x] [-p PID]
+# USAGE: killsnoop [-h] [-x] [-p PID]
#
# Copyright (c) 2015 Brendan Gregg.
# Licensed under the Apache License, Version 2.0 (the "License")
from __future__ import print_function
from bcc import BPF
import argparse
+from time import strftime
import ctypes as ct
# arguments
examples = """examples:
./killsnoop # trace all kill() signals
- ./killsnoop -t # include timestamps
./killsnoop -x # only show failed kills
./killsnoop -p 181 # only trace PID 181
"""
description="Trace signals issued by the kill() syscall",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=examples)
-parser.add_argument("-t", "--timestamp", action="store_true",
- help="include timestamp on output")
parser.add_argument("-x", "--failed", action="store_true",
help="only show failed kill syscalls")
parser.add_argument("-p", "--pid",
struct val_t {
u64 pid;
- u64 ts;
int sig;
int tpid;
char comm[TASK_COMM_LEN];
u64 tpid;
int sig;
int ret;
- u64 ts;
- u64 delta;
char comm[TASK_COMM_LEN];
};
FILTER
if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) == 0) {
val.pid = bpf_get_current_pid_tgid();
- val.ts = bpf_ktime_get_ns();
val.tpid = tpid;
val.sig = sig;
infotmp.update(&pid, &val);
struct data_t data = {};
struct val_t *valp;
u32 pid = bpf_get_current_pid_tgid();
- u64 tsp = bpf_ktime_get_ns();
valp = infotmp.lookup(&pid);
if (valp == 0) {
bpf_probe_read(&data.comm, sizeof(data.comm), valp->comm);
data.pid = pid;
- data.delta = tsp - valp->ts;
- data.ts = tsp / 1000;
data.tpid = valp->tpid;
data.ret = PT_REGS_RC(ctx);
data.sig = valp->sig;
("tpid", ct.c_ulonglong),
("sig", ct.c_int),
("ret", ct.c_int),
- ("ts", ct.c_ulonglong),
- ("delta", ct.c_ulonglong),
("comm", ct.c_char * TASK_COMM_LEN)
]
-start_ts = 0
-prev_ts = 0
-delta = 0
-
# header
-if args.timestamp:
- print("%-14s" % ("TIME(s)"), end="")
-print("%-6s %-16s %-4s %-6s %s" % ("PID", "COMM", "SIG", "TPID", "RESULT"))
+print("%-9s %-6s %-16s %-4s %-6s %s" % (
+ "TIME", "PID", "COMM", "SIG", "TPID", "RESULT"))
# process event
def print_event(cpu, data, size):
event = ct.cast(data, ct.POINTER(Data)).contents
- global start_ts
- global prev_ts
- global delta
-
- if start_ts == 0:
- prev_ts = start_ts
-
- if start_ts == 1:
- delta = float(delta) + (event.ts - prev_ts)
-
- if (args.failed and (event.ret >= 0)):
- start_ts = 1
- prev_ts = event.ts
- return
-
- # print columns
- if args.timestamp:
- print("%-14.9f" % (delta / 1000000), end="")
- print("%-6d %-16s %-4d %-6d %d" % (event.pid, event.comm, event.sig,
- event.tpid, event.ret))
+ if (args.failed and (event.ret >= 0)): return
- prev_ts = event.ts
- start_ts = 1
+ print("%-9s %-6d %-16s %-4d %-6d %d" % (strftime("%H:%M:%S"),
+ event.pid, event.comm, event.sig, event.tpid, event.ret))
# loop with callback to print_event
b["events"].open_perf_buffer(print_event)
This traces signals sent via the kill() syscall. For example:
# ./killsnoop
-PID COMM SIG TPID RESULT
-17064 bash 9 27682 0
-17064 bash 9 27682 -3
-17064 bash 0 17064 0
+TIME PID COMM SIG TPID RESULT
+12:10:51 13967 bash 9 13885 0
+12:11:34 13967 bash 9 1024 -3
+12:11:41 815 systemd-udevd 15 14076 0
-The first line showed a SIGKILL (9) sent from PID 17064 (a bash shell) to
-PID 27682. The result, 0, means success.
+The first line showed a SIGKILL (9) sent from PID 13967 (a bash shell) to
+PID 13885. The result, 0, means success.
The second line showed the same signal sent, this time resulting in a -3
(ESRCH: no such process).
USAGE message:
# ./killsnoop -h
-usage: killsnoop [-h] [-t] [-x] [-p PID]
+usage: killsnoop [-h] [-x] [-p PID]
Trace signals issued by the kill() syscall
optional arguments:
-h, --help show this help message and exit
- -t, --timestamp include timestamp on output
-x, --failed only show failed kill syscalls
-p PID, --pid PID trace this PID only
examples:
./killsnoop # trace all kill() signals
- ./killsnoop -t # include timestamps
./killsnoop -x # only show failed kills
./killsnoop -p 181 # only trace PID 181