Re: Is there an API to get the process command line?

Ganesan Rajagopal

Thanks Quillian. I considered tracing sys_execve since execsnoop already provides sample code for that. I also need to trace process exits to remove the pid-to-command-line mapping. This is a very busy build server that spawns processes like crazy, so keeping a live mapping of all the processes and command lines may be too resource intensive. I'll give it a shot and see how it goes.


On Fri, Jan 3, 2020 at 1:58 AM Quillian Rutherford
If you are running while the process is created, you can set an entry probe on sys_execve; it has the cmdline in its arguments. Probe like:

int enter_sys_execve(struct pt_regs *ctx,
                     const char __user *filename,
                     const char __user *const __user *__argv,
                     const char __user *const __user *__envp)
{
    /* read each __argv[i] with bpf_probe_read_user() and submit it to user space */
    return 0;
}

Then you can submit back the contents of argv.

On Wed, Jan 1, 2020 at 7:56 AM
Hi all,

bcc monitoring tools that print a process being traced print only the command (and pid, ppid) without the full args. In many cases the monitored command is a script, so the command is just printed as (for example) "python", which isn't very useful. I couldn't find a BPF API to get the command line args.
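Putting the three messages above together (the original question, Quillian's suggestion to probe execve and submit argv, and Ganesan's plan to also trace exits so the pid-to-cmdline table does not grow forever), here is an added example of a complete bcc script. It is not code from the thread or from the bcc project. It assumes bcc, root, and a kernel with bpf_probe_read_user()/bpf_probe_read_user_str() (Linux 5.5+; on older kernels the bpf_probe_read() variants work the same way). The BPF side sends one perf event per argv element plus an end marker, the way execsnoop does, and a separate event when a thread-group leader exits; the user-space CmdlineTracker reassembles the fragments and evicts the oldest entry once a configurable cap is reached, so a busy build server cannot make the table unbounded.

```python
#!/usr/bin/env python3
# Added example (not from the mailing-list thread or bcc itself).
# Assumes: bcc, root, Linux 5.5+ for bpf_probe_read_user*(); on older
# kernels substitute bpf_probe_read()/bpf_probe_read_str().

BPF_TEXT = r"""
#include <linux/sched.h>
#define ARGSIZE 128
#define MAXARG  20
enum { EV_ARG = 0, EV_EXEC_DONE = 1, EV_EXIT = 2 };
struct event_t {
    u32 pid; u32 ppid; u32 kind;
    char comm[TASK_COMM_LEN];
    char arg[ARGSIZE];
};
BPF_PERF_OUTPUT(events);

/* one event per argv element; user space reassembles them per pid */
TRACEPOINT_PROBE(syscalls, sys_enter_execve)
{
    struct event_t ev = {};
    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
    const char *const *argv = (const char *const *)args->argv;
    ev.pid = bpf_get_current_pid_tgid() >> 32;
    ev.ppid = task->real_parent->tgid;
    bpf_get_current_comm(&ev.comm, sizeof(ev.comm));
#pragma unroll
    for (int i = 0; i < MAXARG; i++) {
        const char *argp = NULL;
        bpf_probe_read_user(&argp, sizeof(argp), &argv[i]);
        if (!argp)
            break;
        ev.kind = EV_ARG;
        bpf_probe_read_user_str(ev.arg, sizeof(ev.arg), argp);
        events.perf_submit(args, &ev, sizeof(ev));
    }
    ev.kind = EV_EXEC_DONE;   /* end marker for this pid's argv */
    ev.arg[0] = 0;
    events.perf_submit(args, &ev, sizeof(ev));
    return 0;
}

/* fires per thread; only the thread-group leader's exit drops the entry */
TRACEPOINT_PROBE(sched, sched_process_exit)
{
    struct event_t ev = {};
    u64 id = bpf_get_current_pid_tgid();
    if ((u32)id != (u32)(id >> 32))
        return 0;
    ev.pid = id >> 32; ev.kind = EV_EXIT;
    events.perf_submit(args, &ev, sizeof(ev));
    return 0;
}
"""

EV_ARG, EV_EXEC_DONE, EV_EXIT = 0, 1, 2


class CmdlineTracker:
    """pid -> (ppid, comm, argv), bounded so a busy box cannot grow it forever."""

    def __init__(self, max_entries=65536):
        self.max_entries = max_entries
        self.pending = {}    # pid -> argv fragments not yet closed by EV_EXEC_DONE
        self.cmdlines = {}   # pid -> (ppid, comm, argv); dict order = oldest first

    def handle(self, pid, ppid, kind, comm, arg):
        if kind == EV_ARG:
            self.pending.setdefault(pid, []).append(arg)
        elif kind == EV_EXEC_DONE:
            argv = self.pending.pop(pid, [])
            self.cmdlines.pop(pid, None)                          # re-exec replaces old line
            if len(self.cmdlines) >= self.max_entries:
                self.cmdlines.pop(next(iter(self.cmdlines)))      # evict the oldest entry
            self.cmdlines[pid] = (ppid, comm, argv)
        elif kind == EV_EXIT:
            self.pending.pop(pid, None)
            self.cmdlines.pop(pid, None)

    def cmdline(self, pid):
        entry = self.cmdlines.get(pid)
        return " ".join(entry[2]) if entry else None


def main():
    from bcc import BPF   # imported here so CmdlineTracker is usable without bcc
    b = BPF(text=BPF_TEXT)
    tracker = CmdlineTracker()

    def on_event(cpu, data, size):
        ev = b["events"].event(data)
        comm, arg = ev.comm.decode(errors="replace"), ev.arg.decode(errors="replace")
        tracker.handle(ev.pid, ev.ppid, ev.kind, comm, arg)
        if ev.kind == EV_EXEC_DONE:
            print(f"{ev.pid:<7}{ev.ppid:<7}{comm:<16}{tracker.cmdline(ev.pid)}")

    b["events"].open_perf_buffer(on_event, page_cnt=64)
    print("PID    PPID   COMM            ARGS")
    while True:
        b.perf_buffer_poll()


if __name__ == "__main__":
    main()
```

Run it as root (sudo ./trace_cmdline.py); each execve prints one line with the reassembled argv, and tracker.cmdline(pid) can be consulted by any other tool output in the same process. MAXARG and ARGSIZE bound the per-exec work in the BPF program (arguments beyond them are silently dropped, as in execsnoop), and max_entries bounds user-space memory; on a busy build server the perf buffer (page_cnt) may need to be raised if events are lost.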


