NAME¶

extrace — trace exec() calls system-wide

SYNOPSIS¶

DESCRIPTION¶

extrace traces all program executions occurring on a system.

The options are as follows:

-d

Print the current working directory of the new process.

-e

Print environment of process, or ‘-’ if unreadable.

-f

Generate flat output without indentation. By default, the line indentation reflects the process hierarchy.

-l

Resolve full path of the executable. By default, argv[0] is shown.

-q

Suppress printing of exec(3) arguments.

-t

Also display process exit status and duration.

-u

Also display the user running the process.

-o file

Redirect trace output to file.

-p pid

Only trace exec(3) calls descendant of pid.

cmd ...

Run cmd ... and only trace descendants of this command.

By default, all exec(3) calls are traced globally.

EXIT STATUS¶

The extrace utility exits 0 on success, and >0 if an error occurs.

ERRORS¶

Check these prerequisites if you see this error:

binding sk_nl error: Operation not permitted

extrace requires special permissions to run, either root or the Linux CAP_NET_ADMIN capability.

extrace only works on Linux kernels with the kernel options

CONFIG_CONNECTOR=y
CONFIG_PROC_EVENTS=y

SEE ALSO¶

fatrace(1), ps(1), pwait(1), strace(1)

AUTHORS¶

Leah Neukirchen <leah@vuxu.org>

May contain traces of code from Guillaume Thouvenin, Matt Helsley, and Sebastian Krahmer.

BUGS¶

While process tracing is exact, looking up all information is inherently sensitive to race conditions. In doubt, you can only trust the PID was written correctly.

LICENSE¶

extrace is licensed under the terms of the GPLv2.