Terminal and application tracking
We have previously covered DTrace, dynamic tracing scripting, in Terminal and the higher-powered logging and tracking it provided with the iosnoop command. DTrace, though, offers real-time tracking of everything from hard-disk read and write operations to system calls and application launch and exit.
Do you want to see what processes and applications are opening and closing in real time? execsnoop is the Terminal command that logs all applications and routines as they launch. For each launch, execsnoop reports the UID, the user ID that opened the application; the PID, the process ID given to the routine or application as it launches, in sequence; the PPID, the parent process ID, which identifies the application or routine that spawned the new process; and finally ARGS, the name of the process or application.
UID PID PPID ARGS
0 53624 1 ocspd
501 53625 181 AddressBookManag
501 53626 53625 AddressBookSync
501 53627 27 SFLSharedPrefsTo
0 53628 1 newsyslog
501 53629 181 Safari
501 53630 27 SFLIconTool
In the above example, the UID, 0 or 501, is root or the user ID of the Admin account on the machine, whichever made the request to open the new process. As each new routine or application launches, it is given a process ID, 53624, etc. The PPID is the parent PID of the new PID, and the last column is the application or process name.
Why is this important? Using this Terminal command you can see applications that may be causing issues for your system. If an application or routine regularly launches and fails, or recurs frequently, this may indicate that the particular application is misbehaving and causing your system problems.
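One way to spot the frequent relaunches described above is to save execsnoop output to a file and count launches per command, user and parent. The script below is an added example, not part of the original article; the sample capture is constructed, "HelperTool" is a made-up process name, and the threshold of 3 is an assumption.

```python
import sys
from collections import Counter, namedtuple

Exec = namedtuple("Exec", "uid pid ppid args")

# Constructed sample in the UID PID PPID ARGS layout shown above.
# "HelperTool" is a made-up name standing in for a process that keeps relaunching.
SAMPLE = """\
UID PID PPID ARGS
0 53624 1 ocspd
501 53625 181 AddressBookManag
501 53626 53625 AddressBookSync
501 53640 181 HelperTool
501 53641 181 HelperTool
501 53642 181 HelperTool
"""

def parse(lines):
    """Yield one Exec per data line; skip the header and anything malformed."""
    for line in lines:
        parts = line.split(None, 3)  # ARGS may itself contain spaces
        if len(parts) == 4 and all(p.isdigit() for p in parts[:3]):
            uid, pid, ppid = map(int, parts[:3])
            yield Exec(uid, pid, ppid, parts[3].strip())

def frequent_launches(events, threshold=3):
    """Return (args, uid, ppid, count) for commands launched at least
    `threshold` times by the same user and parent, most frequent first."""
    counts = Counter((e.args, e.uid, e.ppid) for e in events)
    return [(a, u, pp, n) for (a, u, pp), n in counts.most_common() if n >= threshold]

def parent_names(events):
    """Map each PID to its parent's name when the parent's own launch was
    captured; otherwise fall back to the bare PPID."""
    seen = {e.pid: e.args for e in events}
    return {e.pid: seen.get(e.ppid, "pid %d" % e.ppid) for e in events}

if __name__ == "__main__":
    # Pass a file of saved execsnoop output; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            events = list(parse(fh))
    else:
        events = list(parse(SAMPLE.splitlines()))
    for args, uid, ppid, n in frequent_launches(events):
        print("%s launched %d times by uid %d under ppid %d" % (args, n, uid, ppid))
```

A parent shown only as a bare PID started before the capture began, so its name has to be looked up separately.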