FORKSTAT(8) | System Manager's Manual | FORKSTAT(8) |
forkstat - a tool to show process fork/exec/exit activity
forkstat [-c] [-d] [-D] [-e] [-E] [-g] [-h] [-l] [-r] [-s] [-S] [-q] [-x] [-X]
Forkstat is a program that logs process fork(), exec(), exit(), coredump and process name change activity. It is useful for monitoring system behaviour and to track down rogue processes that are spawning off processes and potentially abusing the system.
Note that forkstat uses the Linux netlink connector to gather process activity and this may miss events if the system is overly busy. Netlink connector also requires root privilege.
Forkstat will display several columns of process related information:
Title | Description |
Time | When the fork/exec/exit event occurred. |
Event | Type of event. |
PID | Process or thread ID. |
Info | Parent or child if a fork, or process exit(2) value. |
Duration | On exit, the duration the command ran for in seconds. |
Process | The process name. The name will be in [ ] brackets if it is a kernel thread. |
forkstat options are as follow:
Event | Description |
fork | forks |
exec | execs |
exit | exits |
core | core dumps |
comm | process name changes in comm field |
clone | clone (normally on thread creation) |
ptrce | ptrace attach or detach |
uid | uid/gid events |
sid | sid events |
all | all the events above |
Show process activity with short process names and directory base path stripped off:
Trace forks and core dumps only:
Trace all events and print statistics at end:
Trace all events for 10 minutes:
Trace clones for 1 minute:
forkstat was written by Colin King <colin.king@canonical.com>. Thanks also for contributions from Philipp Gesang.
This manual page was written by Colin King <colin.king@canonical.com>, for the Ubuntu project (but may be used by others).
Copyright © 2014-2018 Canonical Ltd.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.
4 December, 2018 |