simple bpftrace one-liner to get process that execve some binary, in this case ping

1 files changed, 1 insertions, 0 deletions

diff --git a/bpftrace-checkping b/bpftrace-checkping
new file mode 100755
index 0000000..2b99c7b
--- /dev/null
+++ b/bpftrace-checkping
@@ -0,0 +1 @@
+sudo bpftrace -e 'tracepoint:syscalls:sys_enter_execve { $f = str(args->filename); if ($f == "/usr/bin/ping" || $f == "/bin/ping") { printf("PID %d (%s) executed ping\n", pid, comm); } }'