Watch every exec() call on your Linux system in real time, with process trees, exit timing, and user context. No eBPF. No ptrace. No kernel modules.
$ sudo proc-trace-exec -t make
91100+ make
91101+ gcc -O2 -c src/main.c -o src/main.o
91102+ gcc -O2 -c src/util.c -o src/util.o
91103+ ld -o output src/main.o src/util.o
91103- ld exited status=0 time=0.042s
91102- gcc exited status=0 time=0.118s
91101- gcc exited status=0 time=0.134s
91100- make exited status=0 time=0.201s
Indented output shows exact parent-child relationships. See who spawned what, however deep the hierarchy goes.
The -t flag shows exit status and wall-clock runtime for every process. Instantly spot which subprocess is the bottleneck.
Catches every exec() on the machine, not just children of your shell. One socket, full visibility.
Use -p PID[,PID,...] to watch only descendants of specific processes, or pass CMD... to trace a single command's subtree.
ANSI colors auto-detected when stdout is a tty. PIDs in amber, commands in cyan, exit markers in green/red, timing in blue.
Single static binary. Uses the kernel's proc connector via a netlink socket: no eBPF, no ptrace, no kernel modules, no root privileges if CAP_NET_ADMIN is granted.
When a build takes 3 minutes, which subprocess is the bottleneck? When an install script runs, what does it actually exec? When your app forks children, are they the processes you expect?
Existing tools are painful: strace -e execve -f is extremely verbose and affects performance. auditd is complex to configure and requires daemon setup. eBPF requires kernel 5.8+ and root. ps polling misses short-lived processes entirely.
proc-trace-exec answers these questions with one command and one static binary, subscribing to the kernel's own process event stream rather than intercepting syscalls.
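The proc connector subscription described above, as an added Python example (not proc-trace-exec's own code): it builds the netlink message that turns on process events and decodes fork/exec/exit datagrams using the layouts in <linux/cn_proc.h>. The function names and the sample datagram are constructed for this illustration.

```python
import os, socket, struct

NETLINK_CONNECTOR = 11              # <linux/netlink.h>
CN_IDX_PROC = CN_VAL_PROC = 1       # <linux/connector.h>
PROC_CN_MCAST_LISTEN, NLMSG_DONE = 1, 3
EVENTS = {0x1: "fork", 0x2: "exec", 0x80000000: "exit"}  # proc_event.what
NLMSGHDR = struct.Struct("=IHHII")  # len, type, flags, seq, port id
CN_MSG = struct.Struct("=IIIIHH")   # idx, val, seq, ack, len, flags
EV_HDR = struct.Struct("=IIQ")      # what, cpu, timestamp_ns
OFF = NLMSGHDR.size + CN_MSG.size   # proc_event starts at byte 36

def subscribe_message(port_id):
    """Datagram that asks the kernel to start multicasting process events."""
    op = struct.pack("=I", PROC_CN_MCAST_LISTEN)
    cn = CN_MSG.pack(CN_IDX_PROC, CN_VAL_PROC, 0, 0, len(op), 0)
    return NLMSGHDR.pack(OFF + len(op), NLMSG_DONE, 0, 0, port_id) + cn + op

def parse_event(datagram):
    """Decode one datagram; returns None for truncated or unrelated messages."""
    if len(datagram) < OFF + EV_HDR.size + 8:
        return None
    idx, val = struct.unpack_from("=II", datagram, NLMSGHDR.size)
    what, _cpu, _ts = EV_HDR.unpack_from(datagram, OFF)
    if (idx, val) != (CN_IDX_PROC, CN_VAL_PROC) or what not in EVENTS:
        return None
    # The union holds up to four u32 fields for these events; pad short input.
    a, b, c, d = struct.unpack("=IIII", datagram[OFF + 16:OFF + 32].ljust(16, b"\0"))
    if what == 0x1:                 # parent_pid, parent_tgid, child_pid, child_tgid
        return {"event": "fork", "parent": b, "pid": d}
    if what == 0x2:                 # process_pid, process_tgid
        return {"event": "exec", "pid": b}
    return {"event": "exit", "pid": b, "exit_code": c}  # raw wait status

def watch():
    """Live loop; needs CAP_NET_ADMIN or root."""
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_DGRAM, NETLINK_CONNECTOR)
    s.bind((os.getpid(), CN_IDX_PROC))
    s.send(subscribe_message(os.getpid()))
    while True:
        data, (sender, _groups) = s.recvfrom(4096)
        event = parse_event(data) if sender == 0 else None  # 0 = kernel
        if event:
            print(event)

# Constructed sample: an exec event for PID 91101, as the kernel would frame it.
SAMPLE_EXEC = (NLMSGHDR.pack(76, NLMSG_DONE, 0, 0, 0) + CN_MSG.pack(1, 1, 0, 0, 40, 0)
               + EV_HDR.pack(0x2, 0, 0) + struct.pack("=II", 91101, 91101).ljust(24, b"\0"))

if __name__ == "__main__":
    print(parse_event(SAMPLE_EXEC))
    watch()
```

The events carry only PIDs; a tracer has to look up the command line separately (for example from /proc/PID/cmdline), and the sender check drops datagrams that did not come from the kernel.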
See every subprocess cmake, make, gradle, or bazel spawns. Find the slow step. Understand the full dependency graph.
Watch what an installer script, package, or binary does before you trust it. Does it exec curl? wget? chmod? You'll see everything.
Trace every subprocess spawned by apt, yum, pip, or npm during install. Understand what pre/post-install scripts actually do.
Find the exact command silently failing. Unlike set -x, this catches exec'd subshells that don't inherit xtrace.
Count process spawns in hot paths. Identify fork bombs early. See which step in your pipeline is spawning hundreds of subprocesses.
Understand how programs work by watching what they exec. A great way to explore unfamiliar systems, CI environments, or new software.