This manual page is for Mac OS X version 10.6.3

If you are running a different version of Mac OS X, view the documentation locally:

  • In Terminal, using the man(1) command

Reading manual pages

Manual pages are intended as a quick reference for people who already understand a technology.

  • For more information about the manual page format, see the manual page for manpages(5).

  • For more information about this technology, look for other documentation in the Apple Reference Library.

  • For general information about writing shell scripts, read Shell Scripting Primer.


execsnoop(1m)                                   USER COMMANDS                                  execsnoop(1m)



NAME
       execsnoop - snoop new process execution. Uses DTrace.

SYNOPSIS
       execsnoop [-a|-A|-ejhsvZ] [-c command]

DESCRIPTION
       execsnoop  prints  details of new processes as they are executed.  Details such as UID, PID and argu-ment argument
       ment listing are printed out.

       This program is very useful to examine short lived processes that would  not  normally  appear  in  a
       prstat  or  "ps  -ef"  listing.  Sometimes applications will run hundreds of short lived processes in
       their normal startup cycle, a behaviour that is easily monitored with execsnoop.

       Since this uses DTrace, only users with root privileges can run this command.

OPTIONS
       -a     print all data

       -A     dump all data, space delimited

       -e     safe output, parseable. This prevents the ARGS field containing "\n"s, to assist  postprocess-ing. postprocessing.
              ing.

       -j     print project ID

       -s     print start time, us

       -v     print start time, string

       -Z     print zonename

       -c command
              command name to snoop

EXAMPLES
       Default output, print processes as they are executed,
              # execsnoop

       Print human readable timestamps,
              # execsnoop -v

       Print zonename,
              # execsnoop -Z

       Snoop this command only,
              # execsnoop -f ls


FIELDS
       UID    User ID

       PID    Process ID

       PPID   Parent Process ID

       COMM   command name for the process

       ARGS   argument listing for the process

       ZONE   zonename

       PROJ   project ID

       TIME   timestamp for the exec event, us

       STRTIME
              timestamp for the exec event, string

DOCUMENTATION
       See  the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may
       include full worked examples with verbose descriptions explaining the output.

EXIT
       execsnoop will run forever until Ctrl-C is hit.

AUTHOR
       Brendan Gregg [Sydney, Australia]

SEE ALSO
       dtrace(1M), truss(1)




version 1.20                                    Jul 02, 2005                                   execsnoop(1m)

Reporting Problems

The way to report a problem with this manual page depends on the type of problem:

Content errors
Report errors in the content of this documentation with the feedback links below.
Bug reports
Report bugs in the functionality of the described tool or API through Bug Reporter.
Formatting problems
Report formatting mistakes in the online version of these pages with the feedback links below.

Did this document help you? Yes It's good, but... Not helpful...