Demonstrations of killsnoop, the Linux eBPF/bcc version.


This traces signals sent via the kill() syscall. For example:

# ./killsnoop
PID    COMM             SIG  TPID   RESULT
17064  bash             9    27682  0
17064  bash             9    27682  -3
17064  bash             0    17064  0

The first line showed a SIGKILL (9) sent from PID 17064 (a bash shell) to
PID 27682. The result, 0, means success.

The second line showed the same signal sent, this time resulting in a -3
(ESRCH: no such process).
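An added example, not code from bcc or from killsnoop itself, that parses the column layout shown above and decodes the SIG and RESULT columns the way a reviewer of this output would: signal numbers to names, negative results to errno names, and a short summary of failed and cross-process kills. The sample lines are constructed from the trace above; it assumes Linux signal and errno numbering and that `-t` prepends a single timestamp column.

```python
import errno
import os
import signal
from collections import Counter

# Constructed sample in the column layout killsnoop prints; not captured output.
SAMPLE = """\
PID    COMM             SIG  TPID   RESULT
17064  bash             9    27682  0
17064  bash             9    27682  -3
17064  bash             0    17064  0
"""

def parse_killsnoop(text):
    """Parse killsnoop lines into dicts; the header and any leading -t timestamp column are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 6:          # assumed layout of 'killsnoop -t': one extra TIME column first
            fields = fields[1:]
        if len(fields) != 5 or fields[0] == "PID":
            continue
        pid, comm, sig, tpid, result = fields
        events.append({"pid": int(pid), "comm": comm, "sig": int(sig),
                       "tpid": int(tpid), "result": int(result)})
    return events

def signal_name(sig):
    """Map the numeric SIG column to a name; signal 0 is kill()'s existence/permission probe."""
    if sig == 0:
        return "SIG0 (existence check)"
    try:
        return signal.Signals(sig).name
    except ValueError:
        return f"SIG{sig}"

def explain_result(result):
    """Decode the RESULT column: 0 is success, a negative value is -errno (e.g. -3 is ESRCH)."""
    if result == 0:
        return "OK"
    return f"{errno.errorcode.get(-result, 'E?')} ({os.strerror(-result)})"

def summarize(events):
    """Count events, failures, and SIGKILL/SIGTERM sent to a process other than the sender."""
    summary = {"total": len(events), "failed": 0, "by_signal": Counter(), "cross_process_kills": 0}
    for ev in events:
        summary["by_signal"][signal_name(ev["sig"])] += 1
        if ev["result"] != 0:
            summary["failed"] += 1
        if ev["sig"] in (signal.SIGKILL, signal.SIGTERM) and ev["tpid"] != ev["pid"]:
            summary["cross_process_kills"] += 1
    return summary

if __name__ == "__main__":
    for ev in parse_killsnoop(SAMPLE):
        print(f"{ev['comm']}[{ev['pid']}] -> {ev['tpid']}: {signal_name(ev['sig'])}, {explain_result(ev['result'])}")
    print(summarize(parse_killsnoop(SAMPLE)))
```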


USAGE message:

# ./killsnoop -h
usage: killsnoop [-h] [-t] [-x] [-p PID]

Trace signals issued by the kill() syscall

optional arguments:
  -h, --help         show this help message and exit
  -t, --timestamp    include timestamp on output
  -x, --failed       only show failed opens
  -p PID, --pid PID  trace this PID only

examples:
    ./killsnoop           # trace all kill() signals
    ./killsnoop -t        # include timestamps
    ./killsnoop -x        # only show failed kills
    ./killsnoop -p 181    # only trace PID 181