forkstat - a tool to show process fork/exec/exit activity
Copyright
Copyright © 2014-2021 Canonical Ltd, Copyright © 2021-2025 Colin Ian King.
This is free software; see the source for copying conditions. There is NO warranty; not even for
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
16 April 2025 FORKSTAT(8)
Description
Forkstat is a program that logs process fork(), exec(), exit(), coredump and process name change
activity. It is useful for monitoring system behaviour and to track down rogue processes that are
spawning off processes and potentially abusing the system.
Note that forkstat uses the Linux netlink connector to gather process activity and this may miss events
if the system is overly busy. Netlink connector also requires root privilege.
Forkstat will display several columns of process related information:
Title     Description
Time      When the fork/exec/exit event occurred.
Event     Type of event.
PID       Process or thread ID.
Info      Parent or child if a fork, or process exit(2) value.
Duration  On exit, the duration the command ran for in seconds.
Process   The process name. The name will be in [ ] brackets if it is a kernel thread.
Examples
Show process activity with short process names and directory base path stripped off:
forkstat -s -d
Trace forks and core dumps only:
forkstat -e fork,core
Trace all events and print statistics at end:
forkstat -e all -S
Trace all events for 10 minutes:
forkstat -E -D 600
Trace clones for 1 minute:
forkstat -e clone -D 60
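To find the processes that are "spawning off processes" from the description above, fork events can be counted per process and per second. The script below is an added example, not part of forkstat; it assumes whitespace-separated columns in the order listed above, an HH:MM:SS Time column and the words parent/child in the Info column, and fork_bursts, sample_events and ./worker are hypothetical names.

```shell
#!/bin/sh
# Added example, not part of forkstat. Assumes whitespace-separated columns in
# the order listed above, an HH:MM:SS Time column, and "parent"/"child" in the
# Info column of fork events.

# fork_bursts LIMIT: read forkstat output on stdin and print
# "<time> <count> <process>" for every process that forked more than LIMIT
# times within a single one-second timestamp.
fork_bursts() {
    awk -v limit="$1" '
        # Count only the parent side of each fork; this also skips the header.
        $2 == "fork" && $4 == "parent" {
            # Duration is empty for forks, so the name starts at field 5.
            name = $5
            for (i = 6; i <= NF; i++) name = name " " $i
            count[$1 SUBSEP name]++
        }
        END {
            for (k in count) if (count[k] > limit) {
                split(k, part, SUBSEP)
                print part[1], count[k], part[2]
            }
        }' | sort
}

# Constructed sample lines (not real forkstat output).
sample_events() {
    cat <<'EOF'
Time     Event     PID Info   Duration Process
10:15:01 fork     2201 parent          /usr/sbin/cron -f
10:15:01 fork     2950 child           /usr/sbin/cron -f
10:15:02 fork     3100 parent          ./worker --spawn
10:15:02 fork     3101 child           ./worker --spawn
10:15:02 fork     3100 parent          ./worker --spawn
10:15:02 fork     3102 child           ./worker --spawn
10:15:02 fork     3100 parent          ./worker --spawn
10:15:02 fork     3103 child           ./worker --spawn
10:15:03 exit     3103      0    0.412 ./worker --spawn
EOF
}

sample_events | fork_bursts 2

# Live use, as root: forkstat -e fork -D 60 | fork_bursts 20
# The netlink connector can miss events on a busy system, so counts are a
# lower bound.
```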
Name
forkstat - a tool to show process fork/exec/exit activity
Options
forkstat options are as follows:
-c use the process 16 character comm field for the process name rather than command line information.
-d strip off the directory path from the process name.
-D seconds
specify duration in seconds to run forkstat.
-e specify events to trace as a comma separated list. By default the fork, exec and exit events are
traced. Available events are:
Event        Description
fork         forks
exec         execs
exit         exits
exitnonzero  non-zero exits
core         core dumps
comm         process name changes in comm field
clone        clone (normally on thread creation)
ptrce        ptrace attach or detach
uid          uid/gid events
sid          sid events
all          all the events above
-E enable all events, equivalent to -e all
-g show glyph annotations of events, useful for easier identification of different events.
-h show brief help summary.
-l set stdout to line-buffered mode.
-p pgrpid
only show processes that match the process group id pgrpid.
-r run with real time FIFO scheduling with maximum priority to keep up with high volumes of process
events.
-s show short process name information.
-S show event statistics.
-q run quietly and enable the -S option.
-x show extra process related information: user ID and TTY of the process.
-X equivalent to options -E -g -r -S -x, all events, glyphs, real time FIFO scheduling, statistics
and extra process information.
See Also
vmstat(8)
Synopsis
forkstat [options]
