extrace — trace exec() calls system-wide

       Leah Neukirchen <leah@vuxu.org>

       May contain traces of code from Guillaume Thouvenin, Matt Helsley, and Sebastian Krahmer.

       While process tracing is exact, looking up all information is inherently sensitive  to  race  conditions.
       In doubt, you can only trust the PID was written correctly.

extrace traces all program executions occurring on a system.

       The options are as follows:

       -d      Print the current working directory of the new process.

       -e      Print environment of process, or ‘-’ if unreadable.

       -f      Generate  flat output without indentation.  By default, the line indentation reflects the process
               hierarchy.

       -l      Resolve full path of the executable.  By default, argv[0] is shown.

       -q      Suppress printing of exec(3) arguments.

       -t      Also display process exit status and duration.

       -u      Also display the user running the process.

       -ofile
               Redirect trace output to file.

       -ppid  Only trace exec(3) calls descendant of pid.

       cmd...
               Run cmd... and only trace descendants of this command.

               By default, all exec(3) calls are traced globally.

       Check these prerequisites if you see this error:

             binding sk_nl error: Operation not permitted

       extrace requires special permissions to run, either root or the Linux CAP_NET_ADMIN capability.

       extrace only works on Linux kernels with the kernel options

             CONFIG_CONNECTOR=y
             CONFIG_PROC_EVENTS=y

       The extrace utility exits 0 on success, and >0 if an error occurs.

extrace is licensed under the terms of the GPLv2.

Debian                                            June 19, 2018                                       EXTRACE(1)

       extrace — trace exec() calls system-wide

fatrace(1), ps(1), pwait(1), strace(1)

extrace [-deflqtu] [-ofile] [-ppid | cmd...]