Thanks Quillian. I considered tracing sys_execve since execsnoop already
provides sample code for that. I also need to trace process exits to remove
the pid to command line mapping. This is a very busy build server that is
spawning processes like crazy, so keeping a live mapping of all the
processes and command lines may be too resource intensive. I'll give it a
shot and see how it goes.

Ganesan

On Fri, Jan 3, 2020 at 1:58 AM Quillian Rutherford <
quillian.rutherf...@gmail.com> wrote:

> If you are running while the process is created, you can set an entry
> probe on sys_execve and it has the cmdline in the arguments. A probe like:
>
> int enter_sys_execve(struct pt_regs *ctx,
>     const char __user *filename,
>     const char __user *const __user *__argv,
>     const char __user *const __user *__envp)
> {
>     /* read the __argv entries here and submit them to user space */
>     return 0;
> }
>
> Then you can submit back the contents of argv.
>
> On Wed, Jan 1, 2020 at 7:56 AM <rganesan+iovi...@gmail.com> wrote:
>
>> Hi all,
>>
>> bcc monitoring tools which print a process being traced print only the
>> command (and pid, ppid) without the full args. In many cases the monitored
>> command is a script, so the command is just printed as (for example)
>> "python" which isn't very useful. I couldn't find a bpf API to get the
>> command line args.
>>
>> Ganesan
>> 
>>
>>
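
The bookkeeping discussed in this message (add a mapping on exec, remove it on exit), as an added example that is not part of the original thread or of bcc: a user-space pid to command line map with a size cap, so a host that spawns processes quickly cannot grow it without bound. The class name, the cap and the event tuples are assumptions, and the sample events are constructed.

```python
from collections import OrderedDict


class CmdlineMap:
    """pid -> command line, fed by exec and exit events (hypothetical helper)."""

    def __init__(self, max_entries=4096):
        self.max_entries = max_entries   # assumed cap, tune to the host
        self.live = OrderedDict()        # oldest mapping first
        self.evicted = 0

    def on_exec(self, pid, argv):
        # execve replaces the process image, so a repeated pid overwrites.
        self.live.pop(pid, None)
        self.live[pid] = " ".join(argv)
        while len(self.live) > self.max_entries:
            self.live.popitem(last=False)  # drop the oldest mapping
            self.evicted += 1

    def on_exit(self, pid):
        # Exits for pids never seen (started before tracing, or already
        # evicted) are expected and ignored.
        return self.live.pop(pid, None)

    def lookup(self, pid, comm):
        # Fall back to the short command name when the args are unknown.
        return self.live.get(pid, comm)


# Constructed sample events, in the shape an execve entry probe and a
# process-exit probe could deliver to user space: (kind, pid, argv).
EVENTS = [
    ("exec", 101, ["python", "build.py", "--target", "all"]),
    ("exec", 102, ["sh", "-c", "make -j8"]),
    ("exec", 102, ["make", "-j8"]),       # same pid execs again
    ("exit", 101, None),
    ("exit", 999, None),                  # never seen: ignored
    ("exec", 103, ["gcc", "-c", "a.c"]),
    ("exec", 104, ["gcc", "-c", "b.c"]),  # with a cap of 2 this evicts 102
]


def replay(events, max_entries):
    m = CmdlineMap(max_entries)
    for kind, pid, argv in events:
        if kind == "exec":
            m.on_exec(pid, argv)
        else:
            m.on_exit(pid)
    return m
```
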
