Analyzer syscall-execve

Name

syscall-execve - fork and execute commands

This analyzer monitors execve system calls that create new processes by executing programs. It captures stack traces and command-line arguments when processes fork and execute new binaries, generating flame graphs that visualize the call paths leading to process creation. The analyzer helps track process spawning behavior and identify unexpected or excessive process creation that may impact system performance.

Resource Category

Miscellaneous.

Application Type & Technical Stack

  • All

Command Line Syntax

The analyzer can be invoked directly on the command line via the orxray utility from the openresty-xray-cli software package.

Alternatively, the analyzer can be invoked manually or automatically from the web console UI of OpenResty XRay (for example, on the Advanced web page).

# PID is the target process PID.
orxray analyzer run syscall-execve -p PID

# trace a shell command directly
orxray analyzer run syscall-execve -c SHELL_CMD

# PGID is the process group ID or any process's PID within the target process
# group.
orxray analyzer run syscall-execve -p -PGID

# trace any processes started from the specified executable path.
orxray analyzer run syscall-execve --exe /path/to/exe/file

Tracing Multiple Processes

Supported.

Output Formats

  • Flame Graphs

Author

The OpenResty Inc. Team.

Copyright (C) by OpenResty Inc. All rights reserved.