iovisor / bcc

BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more
Apache License 2.0

tools/execsnoop: Add -M,--print-pcomm argument #5037

Closed Rtoax closed 3 months ago

Rtoax commented 3 months ago

Sometimes the parent process is executed instantly, and tracking only the PPID does not tell us who executed the command. Adding PCOMM is a good choice. At the same time, rename the original PCOMM to COMM, and use PCOMM for the parent command.

Before:

$ sudo ./execsnoop.py
COMM             PID     PPID    RET ARGS
sh               44789   44682     0 /bin/sh -c cd /home/...
gcc              44788   44682     0 /usr/bin/gcc -DCAPST...

After:

$ sudo ./execsnoop.py -M
COMM             PID     PCOMM            PPID    RET ARGS
sh               44789   make             44682     0 /bin/sh -c cd /home/...
gcc              44788   make             44682     0 /usr/bin/gcc -DCAPST...
                         ^^^^^^^^^^^^^^^^
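The reason PCOMM matters is visible in the two listings above: with only a PPID, anything that consumes execsnoop output has to look the parent up afterwards, and a short-lived parent such as `make` may already be gone. The following is an added example, not code from bcc or from this PR, of a small consumer that parses both the old layout (COMM PID PPID RET ARGS) and the -M layout (COMM PID PCOMM PPID RET ARGS) and groups child execs under their parent using the comm captured at exec time. The two sample listings inside it are constructed, modelled on the before/after output in the PR; the parse_execsnoop, parent_label and group_by_parent names are the example's own.

```python
"""Parse execsnoop-style output, with or without the PCOMM column.

Added example (not part of bcc or this PR): a consumer that accepts both
the old layout and the -M layout and attributes each exec to its parent
command without needing the parent to still exist in /proc.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample output, modelled on the "Before" listing in the PR.
OLD_OUTPUT = """\
COMM             PID     PPID    RET ARGS
sh               44789   44682     0 /bin/sh -c cd /home/build && make all
gcc              44788   44682     0 /usr/bin/gcc -DCAPSTONE -c main.c
"""

# Constructed sample output, modelled on the "After" (-M) listing in the PR.
NEW_OUTPUT = """\
COMM             PID     PCOMM            PPID    RET ARGS
sh               44789   make             44682     0 /bin/sh -c cd /home/build && make all
gcc              44788   make             44682     0 /usr/bin/gcc -DCAPSTONE -c main.c
"""


@dataclass
class ExecEvent:
    comm: str
    pid: int
    ppid: int
    ret: int
    args: str
    pcomm: Optional[str] = None  # None when execsnoop ran without -M


def parse_execsnoop(text: str) -> List[ExecEvent]:
    """Detect the column layout from the header line and parse each row.

    ARGS is the last column and may contain spaces, so the row is split
    only as many times as there are fixed-width columns before it.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    if header[:4] == ["COMM", "PID", "PPID", "RET"]:
        fixed, has_pcomm = 4, False
    elif header[:5] == ["COMM", "PID", "PCOMM", "PPID", "RET"]:
        fixed, has_pcomm = 5, True
    else:
        raise ValueError(f"unrecognised execsnoop header: {lines[0]!r}")

    events: List[ExecEvent] = []
    for ln in lines[1:]:
        parts = ln.split(None, fixed)
        if len(parts) < fixed:
            raise ValueError(f"short execsnoop row: {ln!r}")
        args = parts[fixed] if len(parts) > fixed else ""
        if has_pcomm:
            comm, pid, pcomm, ppid, ret = parts[:5]
        else:
            comm, pid, ppid, ret = parts[:4]
            pcomm = None
        events.append(ExecEvent(comm, int(pid), int(ppid), int(ret), args, pcomm))
    return events


def parent_label(ev: ExecEvent) -> str:
    """Label the parent of an exec event.

    With -M the parent's comm was captured by the tracer at exec time, so it
    stays known even after the parent exits. Without -M only the PID is
    available, and resolving it later (e.g. via /proc) may already fail, so
    the label records that the parent command is unknown.
    """
    if ev.pcomm is not None:
        return f"{ev.pcomm}[{ev.ppid}]"
    return f"?[{ev.ppid}]"


def group_by_parent(events: List[ExecEvent]) -> Dict[str, List[str]]:
    """Group child command names under their parent label, in input order."""
    groups: Dict[str, List[str]] = {}
    for ev in events:
        groups.setdefault(parent_label(ev), []).append(ev.comm)
    return groups


if __name__ == "__main__":
    for label, children in group_by_parent(parse_execsnoop(NEW_OUTPUT)).items():
        print(f"{label}: {', '.join(children)}")
```

Running the block on the -M sample groups both `sh` and `gcc` under `make[44682]`; on the old layout the same two rows can only be grouped under `?[44682]`, which is exactly the gap the PR closes. Header detection rather than fixed column offsets is deliberate: the -M option changes the column positions, so a consumer keyed on offsets would silently misread PPID as PCOMM.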