| Demonstrations of bashreadline, the Linux eBPF/bcc version. |
| |
| |
| This prints bash commands from all running bash shells on the system. For |
| example: |
| |
| # ./bashreadline |
| TIME PID COMMAND |
| 05:28:25 21176 ls -l |
| 05:28:28 21176 date |
| 05:28:35 21176 echo hello world |
| 05:28:43 21176 foo this command failed |
| 05:28:45 21176 df -h |
| 05:29:04 3059 echo another shell |
| 05:29:13 21176 echo first shell again |
| |
| When running the script on Arch Linux, you may need to specify the location |
| of libreadline.so library: |
| |
| # ./bashreadline -s /lib/libreadline.so |
| TIME PID COMMAND |
| 11:17:34 28796 whoami |
| 11:17:41 28796 ps -ef |
| 11:17:51 28796 echo "Hello eBPF!" |
| |
| |
| The entered command may fail. This is just showing what command lines were |
| entered interactively for bash to process. |
| |
| It works by tracing the return of the readline() function using uprobes |
| (specifically a uretprobe). |