How to Get a Process Tree Trace/Log of a Process in Linux

How to get a process tree trace/log of a process in Linux?

You may try to analyse the output of the strace command.
Particularly, you'll be interested in something like

strace -f -tt -e trace=execve ./abc.sh

I need to trace all child processes created by given process in Linux (or POSIX system)

If you mean getting that info at a certain moment in time, it's not that simple; you may want to check my answers to these questions for additional things to consider:

  • Linux: the most reliable way to terminate a family of processes
  • Python script to monitor process and sub-processes

IMHO the easiest way to obtain various process information at a certain moment is from files under the /proc/<pid> directory, see http://man7.org/linux/man-pages/man5/proc.5.html

If you want the (historical) info for the entire lifespan of a process, strace may capture some of it (but it can impact performance, I don't know if that works for you): https://superuser.com/questions/79869/will-strace-watch-system-calls-recursively-on-child-processes-of-the-main-proces

How to track child process using strace?

Use strace -f to trace child processes that are fork()ed.

How to track all descendant processes in Linux

Given the constraints from my original post, I used the following approach:

  1. putenv("PID_DIR", <some tempdir>)
  2. For the current process, override fork and clone with versions which will trace the process start time to $PID_DIR/<pid>. The override is done using plthook and applies to all loaded shared objects. dlopen should also be overridden to override the functions on any other dynamically loaded libraries.
  3. Set a library with implementations of __libc_start_main, fork, and clone as LD_PRELOAD.

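An initial implementation is available here, used like:

import process_tracker; process_tracker.install()

import os

# Three successive forks leave eight processes in total
pid1 = os.fork()
pid2 = os.fork()
pid3 = os.fork()

# Only the original process sees a non-zero pid from all three forks
if pid1 and pid2 and pid3:
    print(process_tracker.children())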

How to find out where the process comes from in Linux?

You could use $ pstree to display a tree of running processes. And pipe it through grep if there are too many of them: $ pstree | grep <proc_name> -B 10 (for 10 preceding lines, just increase the number to see more lines above).

Create a process tree like pstree command with python in linux

How about this:

import sys

def printTree(parent, tree, indent=''):
    # Print this node, then recurse into its children (no cycle check)
    print(parent)
    if parent not in tree:
        return
    # Every child except the last gets a '|-' branch
    for child in tree[parent][:-1]:
        sys.stdout.write(indent + '|-')
        printTree(child, tree, indent + '| ')
    # The last child gets a '`-' branch and a blank continuation
    child = tree[parent][-1]
    sys.stdout.write(indent + '`-')
    printTree(child, tree, indent + '  ')

# Parent pid -> list of child pids
tree = {
    0 : [0, 4],
    4 : [360],
    272 : [3460],
    368 : [4184],
    472 : [504, 576, 7016],
    568 : [584, 640],
    576 : [664, 672],
    640 : [1048],
    664 : [368, 372, 512, 788],
    788 : [2120, 2720, 2976, 2996, 3956, 3980]
}

printTree(472, tree)

472
|-504
|-576
| |-664
| | |-368
| | | `-4184
| | |-372
| | |-512
| | `-788
| |   |-2120
| |   |-2720
| |   |-2976
| |   |-2996
| |   |-3956
| |   `-3980
| `-672
`-7016

Maybe that's how you like it, I don't know.

It does not have any checks built in for recursions, so if you try it on 0, it will run into an endless recursion (and abort eventually due to a stack overflow). You could check for recursions yourself by passing a trace of the already processed nodes.

This also does not find the list of tree roots in your forest, so you will have to do that as well. (But that sounds like another question.)
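
The two gaps noted in the last answer (no recursion check, no root discovery) can be closed while taking the tree from the /proc/<pid> files suggested earlier. This is an added example, not code from any of the answers above; it is Python 3, all function names are chosen here, and the "(cycle)" marker is an arbitrary label.

```python
import os

def parse_stat(line):
    """Return (pid, comm, ppid) from one /proc/<pid>/stat line."""
    # comm is wrapped in parentheses and may itself contain spaces or ')',
    # so locate the LAST ')' instead of splitting on whitespace.
    lpar, rpar = line.index('('), line.rindex(')')
    rest = line[rpar + 1:].split()          # state, ppid, pgrp, ...
    return int(line[:lpar]), line[lpar + 1:rpar], int(rest[1])

def snapshot(proc='/proc'):
    """Read pid -> (comm, ppid) for every process visible right now."""
    procs = {}
    for name in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, name, 'stat')) as f:
                pid, comm, ppid = parse_stat(f.read())
        except (OSError, ValueError, IndexError):
            continue                        # process exited during the scan
        procs[pid] = (comm, ppid)
    return procs

def build_tree(procs):
    """Return ({parent: [children]}, [roots]) from a snapshot."""
    tree = {}
    for pid in sorted(procs):
        tree.setdefault(procs[pid][1], []).append(pid)
    # A root is any process whose parent is not in the snapshot
    # (ppid 0, or a parent the scan missed).
    roots = [p for p in sorted(procs) if procs[p][1] not in procs]
    return tree, roots

def render(pid, tree, indent='', seen=None):
    """Return pstree-style lines; a pid seen twice is marked, not re-walked."""
    seen = set() if seen is None else seen
    if pid in seen:
        return ['%d (cycle)' % pid]
    seen.add(pid)
    lines, kids = [str(pid)], tree.get(pid, [])
    for i, child in enumerate(kids):
        last = i == len(kids) - 1
        sub = render(child, tree, indent + ('  ' if last else '| '), seen)
        lines.append(indent + ('`-' if last else '|-') + sub[0])
        lines.extend(sub[1:])
    return lines

if __name__ == '__main__':
    tree, roots = build_tree(snapshot())
    for root in roots:
        print('\n'.join(render(root, tree)))
```

This is a point-in-time snapshot: short-lived children that start and exit between scans never appear, which is the case the strace -f approach covers.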


