killsnoop traces the kill() syscall, to show signals sent via this method. This may be useful to troubleshoot failing applications, where an unknown mechanism is sending signals.
This works by tracing the kill() syscall tracepoints.
Since this uses BPF, only the root user can use this tool.
CONFIG_BPF and bpftrace.
- Trace all kill() syscalls:
Time of the kill call.
Source process ID
Source process name
Signal number. See signal(7).
Target process ID
Result. 0 == success, a negative value (of the error code) for failure.
This traces the kernel kill function and prints output for each event. As the rate of this is generally expected to be low (< 100/s), the overhead is also expected to be negligible. If you have an application that is calling a very high rate of kill()s for some reason, then test and understand overhead before use.
This is from bpftrace.
Also look in the bpftrace distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.
This is a bpftrace version of the bcc tool of the same name. The bcc tool may provide more options and customizations.
Unstable - in development.