{"id":19512355,"url":"https://github.com/colinianking/forkstat","last_synced_at":"2025-04-05T23:11:43.744Z","repository":{"id":86195062,"uuid":"38060289","full_name":"ColinIanKing/forkstat","owner":"ColinIanKing","description":"Forkstat is a program that logs process fork(), exec() and exit() activity. It is useful for monitoring system behaviour and to track down rogue processes that are spawning off processes and potentially abusing the system. ","archived":false,"fork":false,"pushed_at":"2025-01-01T22:41:20.000Z","size":467,"stargazers_count":100,"open_issues_count":0,"forks_count":18,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-29T22:09:51.544Z","etag":null,"topics":["exec","fork","linux","process-monitor"],"latest_commit_sha":null,"homepage":"https://github.com/ColinIanKing/forkstat","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ColinIanKing.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-06-25T16:19:39.000Z","updated_at":"2025-03-24T20:52:30.000Z","dependencies_parsed_at":"2024-01-12T13:19:06.619Z","dependency_job_id":"1b9ce1d3-c332-4354-af16-1711a6072c06","html_url":"https://github.com/ColinIanKing/forkstat","commit_stats":null,"previous_names":[],"tags_count":41,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ColinIanKing%2Fforkstat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ColinIanKing%2Fforkstat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ColinIanKing%2Fforkstat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ColinIanKing%2Fforkstat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ColinIanKing","download_url":"https://codeload.github.com/ColinIanKing/forkstat/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247411239,"owners_count":20934653,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exec","fork","linux","process-monitor"],"created_at":"2024-11-10T23:25:38.570Z","updated_at":"2025-04-05T23:11:43.715Z","avatar_url":"https://github.com/ColinIanKing.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Forkstat\n\n\u003ca href=\"https://repology.org/project/forkstat/versions\"\u003e\n \u003cimg src=\"https://repology.org/badge/vertical-allrepos/forkstat.svg\" alt=\"Packaging status\" align=\"right\"\u003e\n\u003c/a\u003e\n\nForkstat is a program that logs process fork(), exec() and exit() activity. It is useful for monitoring system behaviour and to track down rogue processes that are spawning off processes and potentially abusing the system.\n\nNote that forkstat uses the Linux netlink connector to gather process activity and this may miss events if the system is overly busy. Netlink connector also requires root privilege.\n\nforkstat command line options:\n\n* -d strip off the directory path from the process name\n* -D specify run duration in seconds.\n* -e select which events to monitor.\n* -h show brief help summary\n* -l set stdout to line-buffered mode\n* -r run with real time FIFO scheduler.\n* -s show short process name information\n* -S show event statistics at end of the run.\n* -q run quietly and enable -S option.\n* -x show extra process related information. \n\n## Example Output:\n\n```\nsudo forkstat -S -e all\nTime Event PID Info Duration Process\n09:42:49 fork 3525 parent compiz\n09:42:49 fork 19257 child compiz\n09:42:49 fork 19257 parent compiz\n09:42:49 fork 19258 child compiz\n09:42:49 exit 19257 0 0.008 compiz\n09:42:49 exec 19258 gnome-terminal\n09:42:49 fork 3258 parent gnome-session --session=ubuntu\n09:42:49 fork 19259 child compiz\n09:42:49 comm 19259 compiz -\u003e pool\n09:42:49 fork 3258 parent gnome-session --session=ubuntu\n09:42:49 fork 19260 child compiz\n09:42:49 comm 19260 compiz -\u003e pool\n09:42:49 fork 2990 parent init --user --state-fd 29 --restart\n09:42:49 fork 19261 child gnome-terminal\n09:42:49 comm 19261 gnome-terminal -\u003e dconf worker\n09:42:49 fork 2990 parent init --user --state-fd 29 --restart\n09:42:49 fork 19262 child gnome-terminal\n09:42:49 comm 19262 gnome-terminal -\u003e gdbus\n09:42:49 fork 2990 parent init --user --state-fd 29 --restart\n09:42:49 fork 19263 child gnome-terminal\n09:42:49 comm 19263 gnome-terminal -\u003e pool\n09:42:49 exit 19261 0 0.063 gnome-terminal\n09:42:49 exit 19263 0 0.036 gnome-terminal\n09:42:49 exit 19258 0 0.092 gnome-terminal\n09:42:49 exit 19262 0 0.060 gnome-terminal\nTime Event PID Info Duration Process\n09:42:49 fork 4394 parent gnome-terminal\n09:42:49 fork 19264 child gnome-terminal\n09:42:49 exec 19264 bash\n09:42:49 fork 19264 parent bash\n09:42:49 fork 19265 child bash\n09:42:49 fork 19265 parent bash\n09:42:49 fork 19266 child bash\n09:42:49 exec 19266 groups\n09:42:49 exit 19266 0 0.002 groups\n09:42:49 exit 19265 0 0.003 bash\n09:42:49 fork 19264 parent bash\n09:42:49 fork 19267 child bash\n09:42:49 fork 19267 parent bash\n09:42:49 fork 19268 child bash\n09:42:49 exec 19268 /bin/sh /usr/bin/lesspipe\n09:42:49 fork 19268 parent /bin/sh /usr/bin/lesspipe\n09:42:49 fork 19269 child /bin/sh /usr/bin/lesspipe\n09:42:49 exec 19269 basename /usr/bin/lesspipe\n09:42:49 exit 19269 0 0.004 basename /usr/bin/lesspipe\n09:42:49 fork 19268 parent /bin/sh /usr/bin/lesspipe\n09:42:49 fork 19270 child /bin/sh /usr/bin/lesspipe\n09:42:49 fork 19270 parent /bin/sh /usr/bin/lesspipe\n09:42:49 fork 19271 child /bin/sh /usr/bin/lesspipe\n09:42:49 exec 19271 dirname /usr/bin/lesspipe\nTime Event PID Info Duration Process\n09:42:49 exit 19271 0 0.001 dirname /usr/bin/lesspipe\n09:42:49 exit 19270 0 0.001 /bin/sh /usr/bin/lesspipe\n09:42:49 exit 19268 0 0.014 /bin/sh /usr/bin/lesspipe\n09:42:49 exit 19267 0 0.015 bash\n09:42:49 fork 19264 parent bash\n09:42:49 fork 19272 child bash\n09:42:49 fork 19272 parent bash\n09:42:49 fork 19273 child bash\n09:42:49 exec 19273 dircolors -b\n09:42:49 exit 19273 0 0.004 dircolors -b\n09:42:49 exit 19272 0 0.007 bash\n09:42:49 fork 19264 parent bash\n09:42:49 fork 19274 child bash\n09:42:49 fork 19274 parent bash\n09:42:49 fork 19275 child bash\n09:42:49 exec 19275 ls /etc/bash_completion.d\n09:42:49 exit 19275 0 0.002 ls /etc/bash_completion.d\n09:42:49 exit 19274 0 0.004 bash\n09:42:49 fork 19264 parent bash\n09:42:49 fork 19276 child bash\n09:42:49 fork 19276 parent bash\n09:42:49 fork 19277 child bash\n09:42:49 fork 19277 parent bash\n09:42:49 fork 19278 child bash\nTime Event PID Info Duration Process\n09:42:49 exec 19278 ubuntu-distro-info --all\n09:42:49 exit 19278 0 0.001 ubuntu-distro-info --all\n09:42:49 fork 19277 parent bash\n09:42:49 fork 19279 child bash\n09:42:49 exec 19279 debian-distro-info --all\n09:42:49 exit 19279 0 0.001 debian-distro-info --all\n09:42:49 exit 19277 0 0.003 bash\n09:42:49 exit 19276 0 0.009 bash\n09:42:49 fork 19264 parent bash\n09:42:49 fork 19280 child bash\n09:42:49 fork 19280 parent bash\n09:42:49 exit 19280 0 0.002 bash\n09:42:49 fork 19264 parent bash\n09:42:49 fork 19282 child bash\n09:42:49 exec 19282 /usr/bin/python /usr/bin/bzr whoami Colin King \n09:42:49 exit 19282 0 0.102 /usr/bin/python /usr/bin/bzr whoami Colin King \n09:42:49 exit 19259 0 0.501 compiz\n09:42:50 fork 2990 parent init --user --state-fd 29 --restart\n09:42:50 fork 19283 child /usr/lib/x86_64-linux-gnu/indicator-session/indicator-session-service\n09:42:50 comm 19283 /usr/lib/x86_64-linux-gnu/indicator-session/indicator-session-service -\u003e pool\n09:42:50 fork 1247 parent /usr/lib/accountsservice/accounts-daemon\nTime Event PID Info Duration Process\n09:42:50 fork 19284 child /usr/lib/accountsservice/accounts-daemon\n09:42:50 exec 19284 /bin/sh -e /usr/share/language-tools/language-validate en_GB:en\n09:42:50 fork 19284 parent /bin/sh -e /usr/share/language-tools/language-validate en_GB:en\n09:42:50 fork 19285 child /bin/sh -e /usr/share/language-tools/language-validate en_GB:en\n09:42:50 exec 19285 /usr/bin/perl /usr/share/language-tools/language-options\n09:42:50 fork 19285 parent /usr/bin/perl /usr/share/language-tools/language-options\n09:42:50 fork 19286 child /usr/bin/perl /usr/share/language-tools/language-options\n09:42:50 exec 19286 sh -c locale -a | grep -F .utf8 \n09:42:50 fork 19286 parent sh -c locale -a | grep -F .utf8 \n09:42:50 fork 19287 child sh -c locale -a | grep -F .utf8 \n09:42:50 fork 19286 parent sh -c locale -a | grep -F .utf8 \n09:42:50 fork 19288 child sh -c locale -a | grep -F .utf8 \n09:42:50 exec 19288 grep -F .utf8\n09:42:50 exec 19287 locale -a\n09:42:50 exit 19287 0 0.002 locale -a\n09:42:50 exit 19288 0 0.003 grep -F .utf8\n09:42:50 exit 19286 0 0.004 sh -c locale -a | grep -F .utf8 \n09:42:50 exit 19285 0 0.012 /usr/bin/perl /usr/share/language-tools/language-options\n09:42:50 exit 19284 0 0.015 /bin/sh -e /usr/share/language-tools/language-validate en_GB:en\n09:42:50 fork 1247 parent /usr/lib/accountsservice/accounts-daemon\n09:42:50 fork 19289 child /usr/lib/accountsservice/accounts-daemon\n09:42:50 exec 19289 /bin/sh -e /usr/share/language-tools/language-validate en_GB:en\n09:42:50 fork 19289 parent /bin/sh -e /usr/share/language-tools/language-validate en_GB:en\n09:42:50 fork 19290 child /bin/sh -e /usr/share/language-tools/language-validate en_GB:en\nTime Event PID Info Duration Process\n09:42:50 exec 19290 /usr/bin/perl /usr/share/language-tools/language-options\n09:42:50 fork 19290 parent /usr/bin/perl /usr/share/language-tools/language-options\n09:42:50 fork 19291 child /usr/bin/perl /usr/share/language-tools/language-options\n09:42:50 exec 19291 sh -c locale -a | grep -F .utf8 \n09:42:50 fork 19291 parent sh -c locale -a | grep -F .utf8 \n09:42:50 fork 19292 child sh -c locale -a | grep -F .utf8 \n09:42:50 fork 19291 parent sh -c locale -a | grep -F .utf8 \n09:42:50 fork 19293 child grep\n09:42:50 exec 19292 \n09:42:50 exec 19293 \n09:42:50 exit 19292 0 0.001 sh -c locale -a | grep -F .utf8 \n09:42:50 exit 19293 0 0.000 grep\n09:42:50 exit 19291 0 0.002 sh -c locale -a | grep -F .utf8 \n09:42:50 exit 19290 0 0.008 /usr/bin/perl /usr/share/language-tools/language-options\n09:42:50 exit 19289 0 0.010 /bin/sh -e /usr/share/language-tools/language-validate en_GB:en\n09:42:50 fork 1247 parent /usr/lib/accountsservice/accounts-daemon\n09:42:50 fork 19294 child /usr/lib/accountsservice/accounts-daemon\n09:42:50 exec 19294 /bin/sh -e /usr/share/language-tools/language-validate en_GB:en\n09:42:50 fork 19294 parent /bin/sh -e /usr/share/language-tools/language-validate en_GB:en\n09:42:50 fork 19295 child /bin/sh -e /usr/share/language-tools/language-validate en_GB:en\n09:42:50 exec 19295 /usr/bin/perl /usr/share/language-tools/language-options\n09:42:50 fork 19295 parent /usr/bin/perl /usr/share/language-tools/language-options\n09:42:50 fork 19296 child /usr/bin/perl /usr/share/language-tools/language-options\n09:42:50 exec 19296 sh -c locale -a | grep -F .utf8 \nTime Event PID Info Duration Process\n09:42:50 fork 19296 parent sh -c locale -a | grep -F .utf8 \n09:42:50 fork 19297 child locale\n09:42:50 fork 19296 parent sh -c locale -a | grep -F .utf8 \n09:42:50 fork 19298 child sh -c locale -a | grep -F .utf8 \n09:42:50 exec 19297 locale -a\n09:42:50 exit 19297 0 0.001 locale -a\n09:42:50 exec 19298 grep -F .utf8\n09:42:50 exit 19298 0 0.001 grep -F .utf8\n09:42:50 exit 19296 0 0.002 sh -c locale -a | grep -F .utf8 \n09:42:50 exit 19295 0 0.008 /usr/bin/perl /usr/share/language-tools/language-options\n09:42:50 exit 19294 0 0.009 /bin/sh -e /usr/share/language-tools/language-validate en_GB:en\n09:42:50 fork 1247 parent /usr/lib/accountsservice/accounts-daemon\n09:42:50 fork 19299 child /usr/lib/accountsservice/accounts-daemon\n09:42:50 exec 19299 /bin/sh -e /usr/share/language-tools/language-validate en_GB:en\n09:42:50 fork 19299 parent /bin/sh -e /usr/share/language-tools/language-validate en_GB:en\n09:42:50 fork 19300 child /bin/sh -e /usr/share/language-tools/language-validate en_GB:en\n09:42:50 exec 19300 /usr/bin/perl /usr/share/language-tools/language-options\n09:42:50 fork 19300 parent /usr/bin/perl /usr/share/language-tools/language-options\n09:42:50 fork 19301 child /usr/bin/perl /usr/share/language-tools/language-options\n09:42:50 exec 19301 sh -c locale -a | grep -F .utf8 \n09:42:50 fork 19301 parent sh -c locale -a | grep -F .utf8 \n09:42:50 fork 19302 child sh -c locale -a | grep -F .utf8 \n09:42:50 fork 19301 parent sh -c locale -a | grep -F .utf8 \n09:42:50 fork 19303 child sh -c locale -a | grep -F .utf8 \nTime Event PID Info Duration Process\n09:42:50 exec 19303 grep -F .utf8\n09:42:50 exec 19302 locale -a\n09:42:50 exit 19302 0 0.001 locale -a\n09:42:50 exit 19303 0 0.001 grep -F .utf8\n09:42:50 exit 19301 0 0.002 sh -c locale -a | grep -F .utf8 \n09:42:50 exit 19300 0 0.007 /usr/bin/perl /usr/share/language-tools/language-options\n09:42:50 exit 19299 0 0.009 /bin/sh -e /usr/share/language-tools/language-validate en_GB:en\n09:42:53 fork 19264 parent bash\n09:42:53 fork 19304 child bash\n09:42:53 exec 19304 dmesg\n09:42:53 exit 19304 0 0.052 dmesg\n09:42:54 fork 19264 parent bash\n09:42:54 fork 19305 child bash\n09:42:54 exec 19305 ps -ef\n09:42:54 exit 19305 0 0.024 ps -ef\n^C\n Fork Exec Exit Coredump Comm Total Process\n 17 10 7 0 0 34 bash\n 8 6 5 0 0 19 sh -c locale -a | grep -F .utf8 \n 4 4 4 0 0 12 /usr/bin/perl /usr/share/language-tools/language-options\n 4 4 4 0 0 12 /bin/sh -e /usr/share/language-tools/language-validate en_GB:en\n 1 1 4 0 3 9 gnome-terminal\n 4 4 0 0 0 8 /usr/lib/accountsservice/accounts-daemon\n 3 2 2 0 0 7 /bin/sh /usr/bin/lesspipe\n 2 1 2 0 2 7 compiz\n 4 0 0 0 0 4 init --user --state-fd 29 --restart\n 0 0 3 0 0 3 grep -F .utf8\n 0 0 3 0 0 3 locale -a\n 2 0 0 0 0 2 gnome-session --session=ubuntu\n 0 1 1 0 0 2 grep\n 0 1 0 0 0 1 locale\n 0 0 1 0 0 1 ps -ef\n 0 0 1 0 0 1 debian-distro-info --all\n 0 0 1 0 0 1 ls /etc/bash_completion.d\n 0 0 1 0 0 1 dmesg\n 0 0 0 0 1 1 /usr/lib/x86_64-linux-gnu/indicator-session/indicator-session-service\n 0 0 1 0 0 1 readlink -f /home/king/.canonistack/novarc\n 0 0 1 0 0 1 dircolors -b\n 0 0 1 0 0 1 groups\n 0 0 1 0 0 1 ubuntu-distro-info --all\n 0 0 1 0 0 1 dirname /usr/bin/lesspipe\n 0 0 1 0 0 1 basename /usr/bin/lesspipe\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcolinianking%2Fforkstat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcolinianking%2Fforkstat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcolinianking%2Fforkstat/lists"}