tools/bashreadline_example.txt - platform/external/bcc - Git at Google

 Demonstrations of bashreadline, the Linux eBPF/bcc version.


 This prints bash commands from all running bash shells on the system. For
 example:

 # ./bashreadline
 TIME      PID    COMMAND
 05:28:25  21176  ls -l
 05:28:28  21176  date
 05:28:35  21176  echo hello world
 05:28:43  21176  foo this command failed
 05:28:45  21176  df -h
 05:29:04  3059   echo another shell
 05:29:13  21176  echo first shell again

 When running the script on Arch Linux, you may need to specify the location
 of libreadline.so library:

 # ./bashreadline -s /lib/libreadline.so
 TIME      PID    COMMAND
 11:17:34  28796  whoami
 11:17:41  28796  ps -ef
 11:17:51  28796  echo "Hello eBPF!"


 The entered command may fail. This is just showing what command lines were
 entered interactively for bash to process.

 It works by tracing the return of the readline() function using uprobes
 (specifically a uretprobe).
	Demonstrations of bashreadline, the Linux eBPF/bcc version.


	This prints bash commands from all running bash shells on the system. For
	example:

	# ./bashreadline
	TIME PID COMMAND
	05:28:25 21176 ls -l
	05:28:28 21176 date
	05:28:35 21176 echo hello world
	05:28:43 21176 foo this command failed
	05:28:45 21176 df -h
	05:29:04 3059 echo another shell
	05:29:13 21176 echo first shell again

	When running the script on Arch Linux, you may need to specify the location
	of libreadline.so library:

	# ./bashreadline -s /lib/libreadline.so
	TIME PID COMMAND
	11:17:34 28796 whoami
	11:17:41 28796 ps -ef
	11:17:51 28796 echo "Hello eBPF!"


	The entered command may fail. This is just showing what command lines were
	entered interactively for bash to process.

	It works by tracing the return of the readline() function using uprobes
	(specifically a uretprobe).