Is there an API to get the process command line?


Ganesan Rajagopal

Hi all,

bcc monitoring tools which print a process being traced print only the command (and pid, ppid) without the full args. In many cases the monitored command is a script, so the command is just printed as (for example) "python" which isn't very useful. I couldn't find a bpf API to get the command line args.

Ganesan


Matheus Marchini <mat@...>

There's no API to access command line args. BPF_FUNC_get_current_comm
will give you the task name. If it's not enough, you can try to get it
via task_struct. Look for get_task_cmdline in fs/proc/base.c in the
kernel source code as a starting point to get the cmdline from a
task_struct.

On Wed, Jan 1, 2020 at 7:56 AM <rganesan+iovisor@...> wrote:


Ganesan Rajagopal

Thanks, Quillian. I considered tracing sys_execve since execsnoop already provides sample code for that. I also need to trace process exits to remove the pid to command line mapping. This is a very busy build server and is spawning processes like crazy, so keeping a live mapping of all the processes and command lines may be too resource intensive. I'll give it a shot and see how it goes.

Ganesan

On Fri, Jan 3, 2020 at 1:58 AM Quillian Rutherford <quillian.rutherford@...> wrote:
If you are running while the process is created, you can set an entry probe on sys_execve and it has the cmdline in the arguments. Probe like:

int enter_sys_execve(struct pt_regs *ctx,
  const char __user *filename,
  const char __user *const __user *__argv,
  const char __user *const __user *__envp)
{
  /* read filename and the argv[] strings from user memory here */
  return 0;
}


Then you can submit back the contents of argv.

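Quillian's suggestion carried through, as an added example that is not code from the thread or from bcc itself: it attaches to the sys_enter_execve and sched_process_exit tracepoints (rather than the kprobe sketched above), emits one event per argv entry, rebuilds the pid -> cmdline mapping in user space and drops it on process exit as Ganesan needs. The struct layout, MAX_ARGS and the CmdlineTracker class are my own assumptions.

```python
# Added example, not code from the thread: bcc program recording the full argv of every
# execve and dropping the pid -> cmdline mapping on exit. Attaching needs bcc and root.
MAX_ARGS = 20  # assumption: argv entries past this are not recorded

BPF_TEXT = r"""
struct ev_t { u32 pid; u32 exit; u32 idx; char arg[128]; };
BPF_PERF_OUTPUT(events);
TRACEPOINT_PROBE(syscalls, sys_enter_execve) {
    struct ev_t ev = {.pid = bpf_get_current_pid_tgid() >> 32};
    const char *const *argv = (const char *const *)args->argv;
    #pragma unroll
    for (int i = 0; i < MAX_ARGS; i++) {   /* one event per argv entry */
        const char *p = NULL;
        bpf_probe_read_user(&p, sizeof(p), &argv[i]);
        if (!p) break;                      /* NULL terminates argv */
        ev.idx = i;
        bpf_probe_read_user_str(ev.arg, sizeof(ev.arg), p);
        events.perf_submit(args, &ev, sizeof(ev));
    }
    return 0;
}
TRACEPOINT_PROBE(sched, sched_process_exit) {
    u64 id = bpf_get_current_pid_tgid();
    if ((u32)id != (u32)(id >> 32)) return 0;  /* a thread exited, not the process */
    struct ev_t ev = {.pid = id >> 32, .exit = 1};
    events.perf_submit(args, &ev, sizeof(ev));
    return 0;
}
"""
class CmdlineTracker:
    """Rebuild each pid's argv from the per-entry events; forget exited pids."""
    def __init__(self): self.args = {}
    def handle(self, pid, exit, idx=0, arg=None):
        if exit:                      # returns the final cmdline, or None
            return " ".join(self.args.pop(pid, [])) or None
        if idx == 0 or pid not in self.args: self.args[pid] = []  # idx 0: (re-)exec
        self.args[pid].append(arg)
    def get(self, pid):               # lookup for a still-running pid
        return " ".join(self.args[pid]) if pid in self.args else None

def main():
    from bcc import BPF
    b, tracker = BPF(text=BPF_TEXT, cflags=["-DMAX_ARGS=%d" % MAX_ARGS]), CmdlineTracker()
    def on_event(cpu, data, size):
        e = b["events"].event(data)
        done = tracker.handle(e.pid, e.exit, e.idx, None if e.exit else e.arg.decode(errors="replace"))
        if done: print("%-6d exited: %s" % (e.pid, done))
    b["events"].open_perf_buffer(on_event)
    while True: b.perf_buffer_poll()
if __name__ == "__main__": main()
```

Because a process that execs twice (shell, then the real binary) sends a fresh idx 0, the tracker replaces the old argv instead of appending to it; the exit check on tid == tgid keeps thread exits from wiping a live mapping.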