1 files changed, 78 insertions, 0 deletions

diff --git a/cddl/contrib/dtracetoolkit/Examples/execsnoop_example.txt b/cddl/contrib/dtracetoolkit/Examples/execsnoop_example.txt
new file mode 100644
index 0000000..e55682a
--- /dev/null
+++ b/cddl/contrib/dtracetoolkit/Examples/execsnoop_example.txt
@@ -0,0 +1,78 @@
+The following is an example of execsnoop. As processes are executed their
+details are printed out. Another user was logged in running a few commands
+which can be viewed below,
+
+  # ./execsnoop
+    UID   PID  PPID ARGS
+    100  3008  2656 ls
+    100  3009  2656 ls -l
+    100  3010  2656 cat /etc/passwd
+    100  3011  2656 vi /etc/hosts
+    100  3012  2656 date
+    100  3013  2656 ls -l
+    100  3014  2656 ls
+    100  3015  2656 finger
+  [...]
+
+
+
+In this example the command "man gzip" was executed. The output lets us
+see what the man command is actually doing,
+
+  # ./execsnoop
+    UID   PID  PPID ARGS
+    100  3064  2656 man gzip
+    100  3065  3064 sh -c cd /usr/share/man; tbl /usr/share/man/man1/gzip.1 |nroff -u0 -Tlp -man - 
+    100  3067  3066 tbl /usr/share/man/man1/gzip.1
+    100  3068  3066 nroff -u0 -Tlp -man -
+    100  3066  3065 col -x
+    100  3069  3064 sh -c trap '' 1 15; /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1 2> 
+    100  3070  3069 /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1
+    100  3071  3064 sh -c more -s /tmp/mpoMaa_f
+    100  3072  3071 more -s /tmp/mpoMaa_f
+  ^C
+  
+
+
+Execsnoop has other options,
+
+  # ./execsnoop -h
+  USAGE: execsnoop [-a|-A|-sv] [-c command]
+         execsnoop                # default output
+                  -a              # print all data
+                  -A              # dump all data, space delimited
+                  -s              # include start time, us
+                  -v              # include start time, string
+                  -c command      # command name to snoop
+
+
+
+In particular the verbose option for human readable timestamps is 
+very useful,
+
+  # ./execsnoop -v
+  STRTIME                UID   PID  PPID ARGS
+  2005 Jan 22 00:07:22     0 23053 20933 date
+  2005 Jan 22 00:07:24     0 23054 20933 uname -a
+  2005 Jan 22 00:07:25     0 23055 20933 ls -latr
+  2005 Jan 22 00:07:27     0 23056 20933 df -k
+  2005 Jan 22 00:07:29     0 23057 20933 ps -ef
+  2005 Jan 22 00:07:29     0 23057 20933 ps -ef
+  2005 Jan 22 00:07:34     0 23058 20933 uptime
+  2005 Jan 22 00:07:34     0 23058 20933 uptime
+  [...]
+
+
+
+It is also possible to match particular commands. Here we watch
+anyone using the vi command only,
+
+  # ./execsnoop -vc vi 
+  STRTIME                UID   PID  PPID ARGS
+  2005 Jan 22 00:10:33     0 23063 20933 vi /etc/passwd
+  2005 Jan 22 00:10:40     0 23064 20933 vi /etc/shadow
+  2005 Jan 22 00:10:51     0 23065 20933 vi /etc/group
+  2005 Jan 22 00:10:57     0 23066 20933 vi /.rhosts
+  [...]
+
+