Home Linux Trace Syscall Activity In Linux With Process Monitor (Procmon)

Trace Syscall Activity In Linux With Process Monitor (Procmon)

By sk

Microsoft have been doing commendable work for the benefit of both Linux and open-source for the past few years now. They open-sourced many applications, such as VSCode, .NET, Teams, Edge browser etc. A recent addition to the list is Process Monitor. Process Monitor, shortly Procmon, allows a developer to conveniently and easily trace syscall activity in Linux systems.

Process Monitor is a Linux reimagining of the classic Procmon tool from the Sysinternals suite of tools for Windows. Sysinternals suite consists several tools to manage, diagnose, troubleshoot, and monitor a Microsoft Windows system. Process Monitor is part of the Sysinternals suite.

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It monitors file system, Registry, process, thread and DLL activity in real-time in Windows operating systems.

Of course, Linux has a native command-line utility named Strace to trace the system calls and signals. Strace is cool but Procmon views were always cleaner and nicer in my opinion.

Microsoft released Procmon for Linux several months ago. Procmon is written in C++ and its source code is freely available in GitHub.

Install Process Monitor in Linux

Make sure you have added Microsoft's Linux software repository in your Linux system. For example, run the following commands to add Microsoft Linux repository on Ubuntu Linux:

$ wget -q https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
$ sudo dpkg -i packages-microsoft-prod.deb
$ sudo apt update

After enabling Microsoft repository, run the following command to install Procmon on Ubuntu:

$ sudo apt install procmon

On other Linux distributions, replace apt with your distribution's package manager. For instance, you can install Procmon in Fedora, RHEL using command:

$ sudo dnf install procmon

Trace Syscall activity in Linux with Process Monitor

To trace all processes and syscalls on your Linux system, launch Process monitor as sudo or root user without any options:

$ sudo procmon

Sample output:

Trace Syscall activity in Linux with Process Monitor
Trace Syscall activity in Linux with Process Monitor

To view the event properties of any process, just select it and hit ENTER key.

View event properties in Procmon
View event properties in Procmon

You can use functions keys F1 to F9 to do various tasks, such as displaying help, sorting processes, searching, filtering, exporting, displaying stats etc. For instance, press F8 to display top 10 syscall statistics. To exit Process Monitor, press q or F9 key.

At present Procmon for Linux contains limited set of features only. In fact, it looks like a fraction of what process monitor does on windows. If Procmon can be as complete as it is under Windows, it would be more helpful for the Linux developers. For more details, refer the project's GitHub page.


Related read:

You May Also Like

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This website uses cookies to improve your experience. By using this site, we will assume that you're OK with it. Accept Read More