how to get the program and parent program of do_fork()
Clash Royale CLAN TAG#URR8PPP
I'm trying to make a kernel module that would gather statistics about which process forks what subprocess. Kprobe seems like it might work, but I'm struggling to understand the structs that I get.
I can make kprobe give me these two structs: Struct kprobe and struct kp_regs whenever do_fork is called. Fork seems to be involved whenever I start a subprocess. Is it possible to get a pointer or identifier that would identify which program launches what subprogram (for example: google-chrome launched acrobat reader, nautilus launched eog, ...)? Should I be looking at some different system call and its arguments?
kernel fork
asked Feb 23 at 9:47
Al HooAl Hoo
6
|
show 1 more comment
I'm trying to make a kernel module that would gather statistics about which process forks what subprocess. Kprobe seems like it might work, but I'm struggling to understand the structs that I get.
I can make kprobe give me these two structs: Struct kprobe and struct kp_regs whenever do_fork is called. Fork seems to be involved whenever I start a subprocess. Is it possible to get a pointer or identifier that would identify which program launches what subprogram (for example: google-chrome launched acrobat reader, nautilus launched eog, ...)? Should I be looking at some different system call and its arguments?
kernel fork
asked Feb 23 at 9:47
Al HooAl Hoo
6
Welcome to Unix & Linux. No idea to help, but I wonder why your question was downvoted without a comment explaining what is wrong…
– user2233709
Feb 23 at 10:02
1
@user2233709 Probably related to the close vote "unclear what you are asking". Somebody didn't understand the question, and therefore nobody can understand it. An example of the Dunning-Kruger effect.
– Johan Myréen
Feb 23 at 10:10
@JohanMyréen You may be right (I don’t see the close vote, I don’t have enough reputation), but I think it would me more respectful to tell Al Hoo what is wrong with her/his question, especially since (s)he is a newcomer…
– user2233709
Feb 23 at 11:17
Can you explain more what data you are trying to get. I suspect that there are already tool to do this. e.g.strace,ppids
– ctrl-alt-delor
Feb 23 at 12:23
So I'm want to write a line in my syslog when ever a process spawns a subprocess and I need an identifier that I can use to identify the processes. A sample log-line would be:<timestamp> "google-chome" (<ppid>) launched "acrobat reader" (<pid>) with params ["download.pdf"]
– Al Hoo
Feb 23 at 13:18
|
show 1 more comment
I'm trying to make a kernel module that would gather statistics about which process forks what subprocess. Kprobe seems like it might work, but I'm struggling to understand the structs that I get.
I can make kprobe give me these two structs: Struct kprobe and struct kp_regs whenever do_fork is called. Fork seems to be involved whenever I start a subprocess. Is it possible to get a pointer or identifier that would identify which program launches what subprogram (for example: google-chrome launched acrobat reader, nautilus launched eog, ...)? Should I be looking at some different system call and its arguments?
kernel fork
asked Feb 23 at 9:47
Al HooAl Hoo
6
I'm trying to make a kernel module that would gather statistics about which process forks what subprocess. Kprobe seems like it might work, but I'm struggling to understand the structs that I get.
I can make kprobe give me these two structs: Struct kprobe and struct kp_regs whenever do_fork is called. Fork seems to be involved whenever I start a subprocess. Is it possible to get a pointer or identifier that would identify which program launches what subprogram (for example: google-chrome launched acrobat reader, nautilus launched eog, ...)? Should I be looking at some different system call and its arguments?
kernel fork
kernel fork
asked Feb 23 at 9:47
Al HooAl Hoo
6
asked Feb 23 at 9:47
Al HooAl Hoo
6
asked Feb 23 at 9:47
Al HooAl Hoo
6
asked Feb 23 at 9:47
Al HooAl Hoo
6
asked Feb 23 at 9:47
Al HooAl Hoo
6
6
Welcome to Unix & Linux. No idea to help, but I wonder why your question was downvoted without a comment explaining what is wrong…
– user2233709
Feb 23 at 10:02
1
@user2233709 Probably related to the close vote "unclear what you are asking". Somebody didn't understand the question, and therefore nobody can understand it. An example of the Dunning-Kruger effect.
– Johan Myréen
Feb 23 at 10:10
@JohanMyréen You may be right (I don’t see the close vote, I don’t have enough reputation), but I think it would me more respectful to tell Al Hoo what is wrong with her/his question, especially since (s)he is a newcomer…
– user2233709
Feb 23 at 11:17
Can you explain more what data you are trying to get. I suspect that there are already tool to do this. e.g.strace,ppids
– ctrl-alt-delor
Feb 23 at 12:23
So I'm want to write a line in my syslog when ever a process spawns a subprocess and I need an identifier that I can use to identify the processes. A sample log-line would be:<timestamp> "google-chome" (<ppid>) launched "acrobat reader" (<pid>) with params ["download.pdf"]
– Al Hoo
Feb 23 at 13:18
|
show 1 more comment
Welcome to Unix & Linux. No idea to help, but I wonder why your question was downvoted without a comment explaining what is wrong…
– user2233709
Feb 23 at 10:02
1
@user2233709 Probably related to the close vote "unclear what you are asking". Somebody didn't understand the question, and therefore nobody can understand it. An example of the Dunning-Kruger effect.
– Johan Myréen
Feb 23 at 10:10
@JohanMyréen You may be right (I don’t see the close vote, I don’t have enough reputation), but I think it would me more respectful to tell Al Hoo what is wrong with her/his question, especially since (s)he is a newcomer…
– user2233709
Feb 23 at 11:17
Can you explain more what data you are trying to get. I suspect that there are already tool to do this. e.g.strace,ppids
– ctrl-alt-delor
Feb 23 at 12:23
So I'm want to write a line in my syslog when ever a process spawns a subprocess and I need an identifier that I can use to identify the processes. A sample log-line would be:<timestamp> "google-chome" (<ppid>) launched "acrobat reader" (<pid>) with params ["download.pdf"]
– Al Hoo
Feb 23 at 13:18
Welcome to Unix & Linux. No idea to help, but I wonder why your question was downvoted without a comment explaining what is wrong…
– user2233709
Feb 23 at 10:02
Welcome to Unix & Linux. No idea to help, but I wonder why your question was downvoted without a comment explaining what is wrong…
– user2233709
Feb 23 at 10:02
1
1
@user2233709 Probably related to the close vote "unclear what you are asking". Somebody didn't understand the question, and therefore nobody can understand it. An example of the Dunning-Kruger effect.
– Johan Myréen
Feb 23 at 10:10
@user2233709 Probably related to the close vote "unclear what you are asking". Somebody didn't understand the question, and therefore nobody can understand it. An example of the Dunning-Kruger effect.
– Johan Myréen
Feb 23 at 10:10
@JohanMyréen You may be right (I don’t see the close vote, I don’t have enough reputation), but I think it would me more respectful to tell Al Hoo what is wrong with her/his question, especially since (s)he is a newcomer…
– user2233709
Feb 23 at 11:17
@JohanMyréen You may be right (I don’t see the close vote, I don’t have enough reputation), but I think it would me more respectful to tell Al Hoo what is wrong with her/his question, especially since (s)he is a newcomer…
– user2233709
Feb 23 at 11:17
Can you explain more what data you are trying to get. I suspect that there are already tool to do this. e.g.
strace, ppids– ctrl-alt-delor
Feb 23 at 12:23
Can you explain more what data you are trying to get. I suspect that there are already tool to do this. e.g.
strace, ppids– ctrl-alt-delor
Feb 23 at 12:23
So I'm want to write a line in my syslog when ever a process spawns a subprocess and I need an identifier that I can use to identify the processes. A sample log-line would be:
<timestamp> "google-chome" (<ppid>) launched "acrobat reader" (<pid>) with params ["download.pdf"]– Al Hoo
Feb 23 at 13:18
So I'm want to write a line in my syslog when ever a process spawns a subprocess and I need an identifier that I can use to identify the processes. A sample log-line would be:
<timestamp> "google-chome" (<ppid>) launched "acrobat reader" (<pid>) with params ["download.pdf"]– Al Hoo
Feb 23 at 13:18
|
show 1 more comment
0
active
oldest
votes
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f502491%2fhow-to-get-the-program-and-parent-program-of-do-fork%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f502491%2fhow-to-get-the-program-and-parent-program-of-do-fork%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Welcome to Unix & Linux. No idea to help, but I wonder why your question was downvoted without a comment explaining what is wrong…
– user2233709
Feb 23 at 10:02
1
@user2233709 Probably related to the close vote "unclear what you are asking". Somebody didn't understand the question, and therefore nobody can understand it. An example of the Dunning-Kruger effect.
– Johan Myréen
Feb 23 at 10:10
@JohanMyréen You may be right (I don’t see the close vote, I don’t have enough reputation), but I think it would me more respectful to tell Al Hoo what is wrong with her/his question, especially since (s)he is a newcomer…
– user2233709
Feb 23 at 11:17
Can you explain more what data you are trying to get. I suspect that there are already tool to do this. e.g.
strace,ppids– ctrl-alt-delor
Feb 23 at 12:23
So I'm want to write a line in my syslog when ever a process spawns a subprocess and I need an identifier that I can use to identify the processes. A sample log-line would be:
<timestamp> "google-chome" (<ppid>) launched "acrobat reader" (<pid>) with params ["download.pdf"]– Al Hoo
Feb 23 at 13:18