unplugged-system/external/bcc/tools/bashreadline_example.txt

Demonstrations of bashreadline, the Linux eBPF/bcc version.


This prints bash commands from all running bash shells on the system. For
example:

# ./bashreadline
TIME      PID    COMMAND
05:28:25  21176  ls -l
05:28:28  21176  date
05:28:35  21176  echo hello world
05:28:43  21176  foo this command failed
05:28:45  21176  df -h
05:29:04  3059   echo another shell
05:29:13  21176  echo first shell again

When running the script on Arch Linux, you may need to specify the location
of libreadline.so library:

# ./bashreadline -s /lib/libreadline.so
TIME      PID    COMMAND
11:17:34  28796  whoami
11:17:41  28796  ps -ef
11:17:51  28796  echo "Hello eBPF!"


The entered command may fail. This is just showing what command lines were
entered interactively for bash to process.

It works by tracing the return of the readline() function using uprobes
(specifically a uretprobe).
Initial commit: AOSP 14 with modifications for Unplugged OS 2025-10-06 13:59:42 +00:00			`Demonstrations of bashreadline, the Linux eBPF/bcc version.`


			`This prints bash commands from all running bash shells on the system. For`
			`example:`

			`# ./bashreadline`
			`TIME PID COMMAND`
			`05:28:25 21176 ls -l`
			`05:28:28 21176 date`
			`05:28:35 21176 echo hello world`
			`05:28:43 21176 foo this command failed`
			`05:28:45 21176 df -h`
			`05:29:04 3059 echo another shell`
			`05:29:13 21176 echo first shell again`

			`When running the script on Arch Linux, you may need to specify the location`
			`of libreadline.so library:`

			`# ./bashreadline -s /lib/libreadline.so`
			`TIME PID COMMAND`
			`11:17:34 28796 whoami`
			`11:17:41 28796 ps -ef`
			`11:17:51 28796 echo "Hello eBPF!"`


			`The entered command may fail. This is just showing what command lines were`
			`entered interactively for bash to process.`

			`It works by tracing the return of the readline() function using uprobes`
			`(specifically a uretprobe).`