Thanks Quillian. I considered tracing sys_execve since execsnoop already provides sample code for that. I also need to trace process exits to remove the pid to command line mapping. This is a very busy build server and spawning processes like crazy, so keeping a live mapping of all the processes and command lines may be too resource intensive. I'll give it a shot and see how it goes.
Ganesan

On Fri, Jan 3, 2020 at 1:58 AM Quillian Rutherford <quillian.rutherf...@gmail.com> wrote:

> If you are running while the process is created, you can set an entry
> probe on sys_execve and it has the cmdline in the arguments. probe like:
>
>     int enter_sys_execve(struct pt_regs *ctx,
>                          const char __user *filename,
>                          const char __user *const __user *__argv,
>                          const char __user *const __user *__envp){
>
> Then you can submit back the contents of argv.
>
> On Wed, Jan 1, 2020 at 7:56 AM <rganesan+iovi...@gmail.com> wrote:
>
>> Hi all,
>>
>> bcc monitoring tools which print a process being traced print only the
>> command (and pid, ppid) without the full args. In many cases the monitored
>> command is a script, so the command is just printed as (for example)
>> "python" which isn't very useful. I couldn't find a bpf API to get the
>> command line args.
>>
>> Ganesan

View/Reply Online (#1798): https://lists.iovisor.org/g/iovisor-dev/message/1798
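An added example, not code from this thread or from bcc itself, showing the approach discussed above: an entry probe on execve walks argv and streams each argument to userspace, a sched_process_exit tracepoint signals when the pid-to-command-line entry can be dropped, and userspace keeps the mapping only for live processes. It assumes a recent bcc where bpf_probe_read_user and bpf_probe_read_user_str are available; MAXARG and the 128-byte argument buffer are constructed limits, and the exit filter keeps only the thread-group leader's exit so thread exits on a busy build server do not evict the mapping early.

```python
MAXARG, EV_EXIT = 20, 1   # constructed argv cap; event type 0 = one argv string, 1 = process exit

# BPF side: execve entry probe emits one event per argument; exit tracepoint emits one exit event.
BPF_TEXT = r"""
#include <uapi/linux/ptrace.h>
struct data_t { u32 pid; int type; char arg[128]; };
BPF_PERF_OUTPUT(events);
int syscall__execve(struct pt_regs *ctx, const char __user *filename,
        const char __user *const __user *__argv, const char __user *const __user *__envp) {
    struct data_t d = {};                       /* type stays 0: argument event */
    d.pid = bpf_get_current_pid_tgid() >> 32;
    #pragma unroll
    for (int i = 0; i < MAXARG; i++) {
        const char *p = NULL;
        bpf_probe_read_user(&p, sizeof(p), (void *)&__argv[i]);
        if (!p) break;                          /* argv is NULL-terminated */
        bpf_probe_read_user_str(d.arg, sizeof(d.arg), p);
        events.perf_submit(ctx, &d, sizeof(d));
    }
    return 0;
}
TRACEPOINT_PROBE(sched, sched_process_exit) {
    u64 id = bpf_get_current_pid_tgid();
    if ((u32)id != (u32)(id >> 32)) return 0;   /* only the thread-group leader's exit counts */
    struct data_t d = {.pid = id >> 32, .type = 1};
    events.perf_submit(args, &d, sizeof(d));
    return 0;
}
""".replace("MAXARG", str(MAXARG))

class CmdlineCache:
    """pid -> argv list, kept only while the process is alive."""
    def __init__(self):
        self.args = {}
    def handle(self, pid, ev_type, arg=b""):
        if ev_type == EV_EXIT:                  # process gone: drop the entry, return its cmdline
            return " ".join(self.args.pop(pid, []))
        self.args.setdefault(pid, []).append(arg.split(b"\x00", 1)[0].decode(errors="replace"))
        return None

def run():
    from bcc import BPF                         # imported lazily: the cache is testable without a kernel
    b = BPF(text=BPF_TEXT)
    b.attach_kprobe(event=b.get_syscall_fnname("execve"), fn_name="syscall__execve")
    cache = CmdlineCache()
    def on_event(cpu, data, size):
        ev = b["events"].event(data)
        cmd = cache.handle(ev.pid, ev.type, ev.arg)
        if cmd is not None: print("%-6d exited: %s" % (ev.pid, cmd))
    b["events"].open_perf_buffer(on_event)
    while True: b.perf_buffer_poll()
```

Call run() as root to trace; the mapping holds one list per live pid, so memory is bounded by concurrent processes rather than by total execs.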