Linux Processes – How to Track Newly Created Processes

linuxprocess

I know that with ps I can see the list or tree of the current processes running in the system. But what I want to achieve is to "follow" the new processes that are created when using the computer.

As analogy, when you use tail -f to follow the new contents appended to a file or to any input, then I want to keep a follow list of the process that are currently being created.

Is this even posible?

Best Answer

If kprobes are enabled in the kernel you can use execsnoop from perf-tools:

In first terminal:

% while true; do uptime; sleep 1; done

In another terminal:

% git clone https://github.com/brendangregg/perf-tools.git
% cd perf-tools
% sudo ./execsnoop
Tracing exec()s. Ctrl-C to end.
Instrumenting sys_execve
   PID   PPID ARGS
 83939  83937 cat -v trace_pipe
 83938  83934 gawk -v o=1 -v opt_name=0 -v name= -v opt_duration=0 [...]
 83940  76640 uptime
 83941  76640 sleep 1
 83942  76640 uptime
 83943  76640 sleep 1
 83944  76640 uptime
 83945  76640 sleep 1
^C
Ending tracing...

Related Solutions

Linux – Internal organization (with regard to family relations) of processes in Linux

Your confusion stems from mixing two things: (1) keeping the process descriptors organized, and (2) the parent/child relationship.

You don't need the parent/child relationship to decide which process to run next, or (in general) which process to deliver a signal to. So, the Linux task_struct (which I found in linux/sched.h for the 3.11.5 kernel source) has:

struct task_struct __rcu *real_parent; /* real parent process */
struct task_struct __rcu *parent; /* recipient of SIGCHLD, wait4() reports */
/*
 * children/sibling forms the list of my natural children
 */

struct list_head children;  /* list of my children */
struct list_head sibling;   /* linkage in my parent's children list */

You're correct, a tree struct exists for the child/parent relationship, but it seems to be concealed in another list, and a pointer to the parent.

The famed doubly-linked list isn't obvious in the 3.11.5 struct task_struct structure definition. If I read the code correctly, the uncommented struct element struct list_head tasks; is the "organizing" doubly-linked list, but I could be wrong.

Process Monitoring – Print PIDs and Names of Processes as They Are Created

Linux-specific answer:

perf-tools contains an execsnoop that does exactly this. It uses various Linux-specific features such as ftrace. On Debian, its in the perf-tools-unstable package.

Example of me running man cat in another terminal:

root@Zia:~# execsnoop 
TIME        PID   PPID ARGS
17:24:26  14189  12878 man cat 
17:24:26  14196  14189 tbl 
17:24:26  14195  14189 preconv -e UTF-8 
17:24:26  14199  14189 /bin/sh /usr/bin/nroff -mandoc -Tutf8 
17:24:26  14200  14189 less 
17:24:26  14201  14199 locale charmap 
17:24:26  14202  14199 groff -mtty-char -Tutf8 -mandoc 
17:24:26  14203  14202 troff -mtty-char -mandoc -Tutf8 
17:24:26  14204  14202 grotty

I doubt there is a portable way to do this.

Best Answer

Related Solutions

Linux – Internal organization (with regard to family relations) of processes in Linux

Process Monitoring – Print PIDs and Names of Processes as They Are Created

Related Question