Usage

Flags, examples, and output format reference.

proc-trace-exec [-cdeflqQtu] [-o FILE] [-p PID[,PID,...]] | CMD...
Flag  Argument        Description
-c                    Force-enable ANSI color output. Auto-detected when stdout is a tty; NO_COLOR=1 disables it.
-d                    Print working directory of each process (via /proc/<pid>/cwd). Shown before the command, separated by %.
-e                    Print full environment of each process. One variable per line, indented under the exec line.
-f                    Flat output: suppress indentation. Useful when piping to grep or awk.
-l                    Print the full resolved executable path (via /proc/<pid>/exe) instead of argv[0].
-o    FILE            Append output to FILE instead of stdout. Colors are disabled for file output unless -c is also set.
-p    PID[,PID,...]   Only show exec()s in the subtree(s) of the given PID(s). Accepts a comma-separated list or can be specified multiple times.
-q                    Suppress arguments: show only the executable name (argv[0]).
-Q                    Suppress error messages (e.g. "process vanished before notification"). Useful for long-running background use.
-t                    Show exit status and wall-clock runtime. Adds + to exec lines and prints a - exit line for each process.
-u                    Print owning user of each process as <username> before the command.

Anatomy of an output line

Each exec event produces one line. With -t, a matching exit line follows when the process terminates.

2-space indent per depth level (suppressed with -f)
32741                 PID (process ID), in amber
+                     exec marker (green), only shown with -t
-                     exit marker (red), only with -t, on process exit
<root>                user, in red (root) or green (other), only with -u
/home/rick            cwd in magenta, followed by %, only with -d
find                  command (argv[0]) in bright cyan; full path with -l
/etc -name '*.conf'   arguments in dim grey (suppressed with -q)
status=0              exit status: green if 0, red if non-zero (exit lines only)
signal=SIGTERM        signal name in red if the process was killed (exit lines only)
time=0.003s           wall-clock runtime in cyan (exit lines only)

Watch everything system-wide

The simplest invocation: no flags, no command. Shows every exec() on the machine with process tree indentation.

system-wide
$ sudo proc-trace-exec
1100 sshd
  1101 bash
    1150 git status
      1151 git-status
    1152 vim README.md

Trace a command with timing

Run a command directly and trace its entire subtree. -t adds exec/exit markers and wall-clock timing.

cmd mode + timing
$ sudo proc-trace-exec -t sh -c 'find /etc -name "*.conf" | head -3'
32741+ sh -c 'find /etc -name "*.conf" | head -3'
  32742+ find /etc -name '*.conf'
  32743+ head -3
  32743- head exited status=0 time=0.001s
  32742- find exited status=141 time=0.003s
32741- sh exited status=0 time=0.006s

Watch multiple nginx workers

Comma-separate PIDs from pgrep to watch a whole group of processes at once.

multi-pid
$ sudo proc-trace-exec -p $(pgrep nginx | paste -sd,) -u -t

User, cwd, and full path

Combine flags for maximum context: user, working directory, and fully resolved executable path.

-u -d -l
$ sudo proc-trace-exec -u -d -l -t sh -c 'ls /tmp'
41000+ <root> /root % /usr/bin/dash -c 'ls /tmp'
  41001+ <root> /root % /usr/bin/ls /tmp
  41001- ls exited status=0 time=0.001s
41000- dash exited status=0 time=0.002s

Flat output: pipe to grep

Use -f to remove indentation, making it safe to pipe to grep, awk, or tee.

flat + grep
$ sudo proc-trace-exec -Qf | grep python

Log everything to a file

Run in the background, suppressing all error noise, and write to a log file for later analysis.

background logger
$ sudo proc-trace-exec -Qto /var/log/execs.log &
[1] 9981
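
One way to do that later analysis, as an added example that is not part of proc-trace-exec or its documentation: a Python parser for the -t line format described under "Anatomy of an output line" that pairs exec and exit lines by PID and returns the processes that ended on a signal or a non-zero status. The function name, the exact shape of the signal= exit line, and a cwd without spaces are assumptions; the sample lines are constructed from the page's examples.

```python
import re

# Line shapes follow the page's -t examples. <user> and "cwd % " appear only
# with -u / -d; the "exited signal=NAME" form is assumed from the field list.
EXEC_RE = re.compile(
    r"^(?P<indent> *)(?P<pid>\d+)\+ "
    r"(?:<(?P<user>[^>]+)> )?(?:(?P<cwd>/\S*) % )?(?P<cmd>.+)$")
EXIT_RE = re.compile(
    r"^ *(?P<pid>\d+)- \S+ exited "
    r"(?:status=(?P<status>\d+)|signal=(?P<signal>\w+)) time=(?P<time>[\d.]+)s$")

def abnormal_exits(lines):
    """Pair each exit line with the latest exec line of the same PID and
    return the processes that ended on a signal or a non-zero status."""
    running, findings = {}, []
    for line in lines:
        m = EXEC_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["depth"] = len(rec.pop("indent")) // 2  # 2 spaces per level
            running[rec["pid"]] = rec                   # a re-exec overwrites
            continue
        m = EXIT_RE.match(line)
        if not m:
            continue  # not an exec/exit line (e.g. -e environment output)
        rec = running.pop(m["pid"], {"pid": m["pid"], "cmd": None})
        status = int(m["status"]) if m["status"] is not None else None
        if m["signal"] or status:
            findings.append({**rec, "status": status, "signal": m["signal"],
                             "seconds": float(m["time"])})
    return findings

# Constructed sample: the first six lines are the page's -t example, the last
# two are made up to exercise the -u/-d fields and a signal exit.
SAMPLE = """\
32741+ sh -c 'find /etc -name "*.conf" | head -3'
  32742+ find /etc -name '*.conf'
  32743+ head -3
  32743- head exited status=0 time=0.001s
  32742- find exited status=141 time=0.003s
32741- sh exited status=0 time=0.006s
41000+ <root> /root % /usr/bin/sleep 60
41000- sleep exited signal=SIGTERM time=1.204s
""".splitlines()

if __name__ == "__main__":
    for finding in abnormal_exits(SAMPLE):
        print(finding)
```

For a real log, pass the open file object for /var/log/execs.log instead of SAMPLE; an exit line whose exec was never seen is still reported, with cmd set to None.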

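Grant capability: run without sudo

Grant CAP_NET_ADMIN to the binary as a file capability so normal users can run it without sudo. Every user who can execute that copy of the binary gets the capability while it runs, so restrict who can execute it.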

capability grant
$ sudo setcap cap_net_admin+ep ./proc-trace-exec
$ ./proc-trace-exec -t make   # runs as your user, no sudo needed