How to trace signals issued by the kill() syscall?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 7.6+
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • bcc-tools
  • killsnoop

Issue

  • How to trace signals issued by the kill() syscall using eBPF/BCC script?
  • How to determine which application is sending signal 9/15?

Resolution

  • The eBPF/BCC killsnoop script traces signals issued by the kill() syscall. It works by tracing the kernel sys_kill() function using dynamic tracing.

RHEL7.6+ and RHEL8:

  • The bcc-tools package is available from RHEL 7.6 onward.
  • Install the bcc, bcc-tools, and kernel-devel packages to use the eBPF killsnoop script.
# yum install bcc bcc-tools kernel-devel-`uname -r` -y

RHEL9:

  • Install the bcc and bcc-tools packages to use the eBPF killsnoop script on RHEL9.
# dnf install bcc bcc-tools -y
  • Example of the killsnoop script tracing signal 15. In terminal 1 killsnoop is running; in terminal 2 a background sleep process is started and kill is invoked. Each kill() call appears as one line with the sending PID and command (PID, COMM), the signal number (SIG), the target PID (TPID) and the return value of the syscall (RESULT).
Terminal:1

# /usr/share/bcc/tools/killsnoop 
TIME      PID    COMM             SIG  TPID   RESULT
17:43:00  2480   bash             15   9      0
17:43:00  2480   bash             15   5133   0

Terminal:2

# sleep 1000000 &
[3] 5133
# kill 9 5133
  • Please refer to man 8 killsnoop for more information.
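To answer the second question in the Issue section (which application is sending signal 9 or 15 to a given process), the killsnoop output can be post-processed. The script below is an added example, not part of the bcc-tools package: it parses killsnoop output lines, keeps only successful kill() calls for the signals of interest and groups them by target PID and sender. The sample output embedded in it is constructed (the two lines from the article plus one made-up SIGKILL line); the ESRCH result code -3 is an assumption used for illustration.

```python
#!/usr/bin/env python3
"""Summarise killsnoop output: who sends SIGKILL (9) / SIGTERM (15) to which PIDs."""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample of killsnoop output: the two article lines plus one made-up
# SIGKILL attempt that failed with ESRCH (-3) because the target had already exited.
SAMPLE_OUTPUT = """\
TIME      PID    COMM             SIG  TPID   RESULT
17:43:00  2480   bash             15   9      0
17:43:00  2480   bash             15   5133   0
17:43:05  3100   systemd          9    5133   -3
"""

# killsnoop prints whitespace-separated columns: TIME PID COMM SIG TPID RESULT.
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<pid>\d+)\s+(?P<comm>\S+)\s+(?P<sig>\d+)\s+"
    r"(?P<tpid>-?\d+)\s+(?P<result>-?\d+)$"
)


def parse_killsnoop(text):
    """Parse killsnoop output into dicts; the header and unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        for key in ("pid", "sig", "tpid", "result"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def senders_of(events, signals=(9, 15), tpid=None):
    """Group kill() calls for the given signals by target PID and sender.

    Returns {tpid: Counter({(comm, pid, sig): count})}. Calls with RESULT != 0
    are excluded because the signal was never delivered (e.g. EPERM, ESRCH).
    """
    by_target = defaultdict(Counter)
    for ev in events:
        if ev["sig"] not in signals or ev["result"] != 0:
            continue
        if tpid is not None and ev["tpid"] != tpid:
            continue
        by_target[ev["tpid"]][(ev["comm"], ev["pid"], ev["sig"])] += 1
    return dict(by_target)


if __name__ == "__main__":
    # Read a saved killsnoop log from stdin; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for target, senders in sorted(senders_of(parse_killsnoop(text)).items()):
        for (comm, pid, sig), n in senders.most_common():
            print(f"PID {target} received signal {sig} from {comm}[{pid}] x{n}")
```

Record the trace first with `/usr/share/bcc/tools/killsnoop > kills.log`, then run `python3 killsummary.py < kills.log` (script name assumed) once the affected process has died.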

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.