execsnoop-bpfcc field pcomm reports comm, instead

Bug #1914710 reported by Seth Arnold
This bug affects 2 people
Affects: bpfcc (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Hello, the execsnoop-bpfcc field PCOMM is supposed to report the parent process's COMM field, but I haven't seen it do that on Ubuntu systems. Here are some outputs of running 'sleep 10' in a shell with a very fancy PS1 prompt:

20.04 LTS:

$ sudo execsnoop-bpfcc
PCOMM    PID      PPID     RET ARGS
sleep    2367606  127550     0 /usr/bin/sleep 10
tmux     2367716  2367715    0 /usr/bin/tmux list-sessions
grep     2367717  2367715    0 /usr/bin/grep -cv attached
wc       2367720  2367718    0 /usr/bin/wc -l
wc       2367723  2367721    0 /usr/bin/wc -l
acpi     2367732  2367731    0 /usr/bin/acpi --battery
git      2367738  2367737    0 /usr/bin/git rev-parse --is-inside-work-tree
git      2367739  2367737    0 /usr/bin/git symbolic-ref -q HEAD
git      2367742  2367741    0 /usr/bin/git rev-parse --git-dir
git      2367743  2367736    0 /usr/bin/git status --porcelain
grep     2367744  2367736    0 /usr/bin/grep -Eq ^\?\?
git      2367766  2367765    0 /usr/bin/git stash list -n 1
git      2367767  2367766    0 /usr/lib/git-core/git config --bool stash.usebuiltin
git      2367769  2367768    0 /usr/bin/git config --get branch.master.remote
git      2367770  2367736    0 /usr/bin/git config --get branch.master.merge
git      2367772  2367771    0 /usr/bin/git rev-list --count refs/remotes/origin/master..HEAD
git      2367774  2367773    0 /usr/bin/git rev-list --count HEAD..refs/remotes/origin/master
git      2367776  2367775    0 /usr/bin/git diff --shortstat HEAD
$ uname -a
Linux millbarge 5.4.0-59-generic #65-Ubuntu SMP Thu Dec 10 12:01:51 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

18.04 LTS:

$ sudo execsnoop-bpfcc
PCOMM    PID      PPID     RET ARGS
sleep    12535    30858      0 /bin/sleep 10
grep     12810    12808      0 /bin/grep -c [Dd]etach[^)]*)$
screen   12809    12808      0 /usr/bin/screen -ls
grep     12813    12811      0 /bin/grep -cv attached
tmux     12812    12811      0 /usr/bin/tmux list-sessions
wc       12816    12814      0 /usr/bin/wc -l
wc       12819    12817      0 /usr/bin/wc -l
sensors  12823    12822      0 /usr/bin/sensors -u
sed      12824    12822      0 /bin/sed -n s/^ temp[0-9][0-9]*_input: \([0-9]*\)\..*$/\1/p
$ uname -a
Linux wopr 4.15.0-130-generic #134-Ubuntu SMP Tue Jan 5 20:46:26 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

You can see the example output has the parent comm in the PCOMM field: https://github.com/iovisor/bcc/blob/master/tools/execsnoop_example.txt

I didn't spot any blame output that looked related, didn't spot any issues that looked related, but I did see a comment from 2017 with the same incorrect output: https://github.com/iovisor/bcc/issues/1276#issuecomment-320751768 .

Thanks

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: bpfcc-tools 0.12.0-2
ProcVersionSignature: Ubuntu 5.4.0-59.65-generic 5.4.78
Uname: Linux 5.4.0-59-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu27.16
Architecture: amd64
CasperMD5CheckResult: skip
Date: Fri Feb 5 03:26:41 2021
PackageArchitecture: all
ProcEnviron:
 TERM=rxvt-unicode-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: bpfcc
UpgradeStatus: Upgraded to focal on 2020-01-24 (377 days ago)
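
Added example, not part of the original report or of bcc: a check that flags execsnoop-bpfcc rows whose first column is just the exec'd binary's own name (the behaviour reported above) and resolves the parent's comm from PPID instead. It assumes comm and the binary path contain no spaces and that PPID may be printed as "?"; the PID 4242 row and the lookup used for testing are constructed.

```python
import os
import re

# Three rows copied from the 20.04 output in this report, plus one constructed
# row (PID 4242) where the first column differs from the exec'd binary name.
SAMPLE = """\
PCOMM PID PPID RET ARGS
sleep 2367606 127550 0 /usr/bin/sleep 10
tmux 2367716 2367715 0 /usr/bin/tmux list-sessions
git 2367767 2367766 0 /usr/lib/git-core/git config --bool stash.usebuiltin
bash 4242 4241 0 /usr/bin/man ls
"""

# Assumes comm and the binary path have no spaces; PPID "?" is accepted as
# "unknown" (assumption). The header and non-matching rows are skipped.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+|\?)\s+(-?\d+)\s+(\S+)(.*)$")
COMM_MAX = 15  # TASK_COMM_LEN is 16 including the trailing NUL

def parse(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pcomm, pid, ppid, ret, exe, _rest = m.groups()
            rows.append({"pcomm": pcomm, "pid": int(pid),
                         "ppid": None if ppid == "?" else int(ppid),
                         "ret": int(ret), "exe": exe})
    return rows

def pcomm_is_child(row):
    """True when a successful exec row shows the child's own post-exec comm."""
    return (row["ret"] == 0
            and row["pcomm"] == os.path.basename(row["exe"])[:COMM_MAX])

def read_proc_comm(pid):
    """comm of a still-running pid from /proc, or None once it has exited."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().rstrip("\n")
    except OSError:
        return None

def annotate(text, lookup=read_proc_comm):
    """(pid, pcomm, parent comm resolved from PPID, pcomm_is_child) per row."""
    return [(r["pid"], r["pcomm"],
             lookup(r["ppid"]) if r["ppid"] is not None else None,
             pcomm_is_child(r)) for r in parse(text)]
```

The /proc lookup only works while the parent is still alive, so short-lived parents resolve to None.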

Seth Arnold (seth-arnold) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in bpfcc (Ubuntu):
status: New → Confirmed
Yogaraj (yoga30696)
tags: added: jammy