man/man8/bashreadline.8

.TH bashreadline 8  "2016-01-28" "USER COMMANDS"
.SH NAME
bashreadline \- Print entered bash commands system wide. Uses Linux eBPF/bcc.
.SH SYNOPSIS
.B bashreadline [\-h] [\-s SHARED]
.SH DESCRIPTION
bashreadline traces the return of the readline() function using uprobes, to
show the bash commands that were entered interactively, system wide. The
entered command may fail: this is just showing what was entered.

This program is also a basic example of eBPF/bcc and uprobes.

This makes use of a Linux 4.4 feature (bpf_perf_event_output());
for kernels older than 4.4, see the version under tools/old,
which uses an older mechanism

Since this uses BPF, only the root user can use this tool.
.SH REQUIREMENTS
CONFIG_BPF and bcc.
.SH OPTIONS
.TP
\-h
Print usage message.
.TP
\-s
Specify the location of libreadline.so shared library when you failed to run the
script directly with error: "Exception: could not determine address of symbol 
\'readline\'". Default value is /lib/libreadline.so.
.SH EXAMPLES
.TP
Trace bash commands system wide:
#
.B bashreadline
.SH FIELDS
.TP
TIME
Time of the command (HH:MM:SS).
.TP
PID
Process ID of the bash shell.
.TP
COMMAND
Entered command.
.SH OVERHEAD
As the rate of interactive bash commands is expected to be very low (<<100/s),
the overhead of this program is expected to be negligible.
.SH SOURCE
This is from bcc.
.IP
https://github.com/iovisor/bcc
.PP
Also look in the bcc distribution for a companion _examples.txt file containing
example usage, output, and commentary for this tool.
.SH OS
Linux
.SH STABILITY
Unstable - in development.
.SH AUTHOR
Brendan Gregg
.SH SEE ALSO
opensnoop(8)