From 221e6f10eb345caa079014c48340d713ad05d9d7 Mon Sep 17 00:00:00 2001
From: grothedev
Date: Thu, 20 Mar 2025 22:01:06 -0500
Subject: simple bpftrace one-liner to get process that execve some binary, in this case ping
---
 bpftrace-checkping | 1 +
 1 file changed, 1 insertion(+)
 create mode 100755 bpftrace-checkping
diff --git a/bpftrace-checkping b/bpftrace-checkping
new file mode 100755
index 0000000..2b99c7b
--- /dev/null
+++ b/bpftrace-checkping
@@ -0,0 +1 @@
+sudo bpftrace -e 'tracepoint:syscalls:sys_enter_execve { $f = str(args->filename); if ($f == "/usr/bin/ping" || $f == "/bin/ping") { printf("PID %d (%s) executed ping\n", pid, comm); } }'
-- 
cgit v1.2.3
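Review bot: The new file is created with mode 100755 but its only line has no shebang, so running it directly depends on the calling shell's ENOEXEC fallback; add `#!/bin/sh` as the first line. The match on `args->filename` is an exact comparison against two absolute paths on the `sys_enter_execve` tracepoint only, so as far as I can tell a ping started via a relative path, a symlink or (presumably) `execveat` is not reported — worth a comment stating that scope, e.g. `# reports only exact /usr/bin/ping or /bin/ping paths passed to execve; other paths and execveat are not covered`. It is also worth noting in the same comment that `comm` at sys_enter_execve is still the calling process's name (the exec has not replaced it yet), so the output identifies the launcher rather than ping itself, which appears to be the intent.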