forked from bpftrace/bpftrace
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathbashreadline.bt
More file actions
44 lines (41 loc) · 1.12 KB
/
bashreadline.bt
File metadata and controls
44 lines (41 loc) · 1.12 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
#!/usr/bin/env bpftrace
// bashreadline Print entered bash commands from all running shells.
// For Linux, uses bpftrace and eBPF.
//
// This works by tracing the readline() function using a uretprobe (uprobes).
//
// Example of usage:
//
// # ./bashreadline.bt
// Attaching 2 probes...
// Tracing bash commands... Hit Ctrl-C to end.
// TIME PID COMMAND
// 06:40:06 5526 df -h
// 06:40:09 5526 ls -l
// 06:40:18 5526 echo hello bpftrace
// 06:40:42 5526 echooo this is a failed command, but we can see it anyway
// ^C
//
// The entered command may fail. This is just showing what command lines were
// entered interactively for bash to process.
//
// This is a bpftrace version of the bcc tool of the same name.
//
// Copyright 2018 Netflix, Inc.
//
// 06-Sep-2018 Brendan Gregg Created this.
config = {
missing_probes = ignore;
}
BEGIN
{
printf("Tracing bash commands... Hit Ctrl-C to end.\n");
printf("%-9s %-6s %s\n", "TIME", "PID", "COMMAND");
}
uretprobe:/bin/bash:readline,
uretprobe:libreadline:readline
/comm == "bash"/
{
time("%H:%M:%S ");
printf("%-6d %s\n", pid, str(retval));
}