Forkstat – A tool to show process fork/exec/exit activity

Sponsored Link
Forkstat uses the kernel proc connector interface to detect process activity. Proc connector allows forkstat to receive notifications of process events such as fork, exec, exit, core dump and changing the process name in the comm field over a socket connection.

By default, forkstat will just log fork, exec and exit events, but the -e option allows one to specify one or more of the fork, exec, exit, core dump or comm events. When a fork event occurs, forkstat will log the PID and process name of the parent and child, allowing one to easily identify where processes are originating. Where possible, forkstat attempts to track the life time of a process and will log the duration of a processes when it exits (note: this is not an estimate of the CPU used).

Install Forkstat on Ubuntu

Open the terminal and run the following command

sudo apt-get install forkstat

Using Forkstat

Syntax

forkstat [-d] [-D] [-e] [-h] [-s] [-S] [-q]

Options

-d -- strip off the directory path from the process name.

-D seconds -- specify duration in seconds to run forkstat.

-e -- specify events to trace as a comma seperated list. By default the fork, exec and exit events are traced. Available events are:

Event Description
fork forks (or clones)
exec execs
exit exits
core core dumps
comm process name changes in comm field
all all the events above

-h -- show brief help summary.

-s -- show short process name information.

-S -- show event statistics.

-q -- run quietly and enable the -S option.

Forkstat Examples

sudo forkstat -s -d

Output

Time Event PID Info Duration Process
16:00:01 fork 4426 parent postgres
16:00:01 fork 4404 child postgres:
16:00:01 exit 4404 0 0.012 postgres:
16:00:01 fork 543 parent cron
16:00:01 fork 4405 child CRON
16:00:01 fork 4405 parent CRON
16:00:01 fork 4406 child CRON

sudo forkstat -e all -S

Output

Time Event PID Info Duration Process
16:01:26 fork 343 parent /usr/local/nagios/bin/nagios --worker /usr/local/nagios/var/rw/nagios.qh
16:01:26 fork 4467 child /usr/local/nagios/libexec/check_swap -w 20 -c 10
16:01:26 exec 4467 /usr/local/nagios/libexec/check_swap -w 20 -c 10
16:01:26 exit 4467 0 0.000 /usr/local/nagios/libexec/check_swap -w 20 -c 10

Sponsored Link

Related posts

Leave a comment

Your email address will not be published. Required fields are marked *