Microsoft recently created a Linux version of the Process Monitor application from the Windows Sysinternals tool set and open-sourced it under the MIT license. Process Monitor (Procmon) is a process monitoring tool that gives developers an easy and effective way to trace system call (syscall) activity. It can help diagnose problems such as program crashes, high resource usage, and even potential malicious infections.
Procmon on Windows.
The Sysinternals toolset is classic and powerful on Windows. Linux users can now also try Procmon to monitor system processes.
Procmon on Linux.
When using Procmon on Linux, you can specify the process ID or specific system calls to monitor using the following parameters:
Usage: procmon [OPTIONS]
OPTIONS
   -h/--help               Prints this help screen
   -p/--pids               Comma separated list of process ids to monitor
   -e/--events             Comma separated list of system calls to monitor
   -c/--collect [FILEPATH] Option to start Procmon in a headless mode
   -f/--file FILEPATH      Open a Procmon trace file
Suppose you want to monitor process IDs 738 and 2657:
sudo procmon -p 738,2657
To monitor only the read and write calls made by PID 738, use:
sudo procmon -p 738 -e read,write
Currently, building Procmon for Linux requires Ubuntu 18.04 LTS and a kernel version of at least 4.18 and no newer than 5.3.
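The following wrapper ties the options above together: it checks the running kernel against the supported range stated here, resolves a process name to the comma-separated PID list that -p expects, and starts a headless (-c) collection that can later be reopened with -f. This is an added example, not code from the Procmon project; it assumes procmon is on PATH, pgrep is available, and the read, write and openat syscall names are what you want to trace.

```shell
#!/bin/sh
# Added helper script (not part of Procmon): headless syscall collection
# for every process with a given name, using only options documented above.

# Returns 0 when a kernel version string such as "5.3.0-62-generic" falls
# inside the supported range 4.18 <= kernel <= 5.3 stated on this page.
kernel_supported() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "$major" -eq 4 ] && [ "$minor" -ge 18 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -le 3 ] && return 0
    return 1
}

# Prints the procmon command line for a comma-separated PID list, an optional
# comma-separated syscall list, and the trace file to write in headless mode.
# Rejects anything in the PID list that is not a digit or a comma.
build_procmon_cmd() {
    pids=$1; events=$2; out=$3
    case "$pids" in
        ''|*[!0-9,]*) echo "invalid pid list: $pids" >&2; return 1 ;;
    esac
    cmd="procmon -p $pids"
    [ -n "$events" ] && cmd="$cmd -e $events"
    printf '%s -c %s\n' "$cmd" "$out"
}

# Collects read/write/openat activity of all processes named $1 into a trace
# file; the collection runs until you stop procmon, then the file can be
# inspected interactively with "sudo procmon -f <file>".
trace_by_name() {
    name=$1; out=${2:-/tmp/procmon-$name.db}   # output path is an assumption
    kernel_supported "$(uname -r)" || { echo "unsupported kernel $(uname -r)" >&2; return 1; }
    pids=$(pgrep -d, -x "$name") || { echo "no process named $name" >&2; return 1; }
    cmd=$(build_procmon_cmd "$pids" "read,write,openat" "$out") || return 1
    echo "running: sudo $cmd"
    sudo $cmd
    echo "trace written to $out; inspect with: sudo procmon -f $out"
}
```

Call it as `trace_by_name nginx` to trace every nginx worker at once instead of listing PIDs by hand.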