NAME

shellsnoop - snoop live shell activity. Uses DTrace.

SYNOPSIS

shellsnoop [-hqsv] [-p PID] [-u UID]

DESCRIPTION

A program to print read/write details from shells, such as keystrokes and command outputs.

This program sounds somewhat dangerous (snooping keystrokes), but is no more so than /usr/bin/truss, and both need root or dtrace privileges to run. In fact, less dangerous, as we only print visible text (not password text, for example). Having said that, it goes without saying that this program shouldn't be used for breeching privacy of other users.

This was written as a tool to demonstrate the capabilities of DTrace.

Since this uses DTrace, only the root user or users with the dtrace_kernel privilege can run this command.

OS

Solaris

STABILITY

stable - this script uses the syscall provider.

OPTIONS

-q: quiet, only print data
-s: include start time, us
-v: include start time, string
-p PID: PID to snoop
-u UID: user ID to snoop

EXAMPLES

Default output,: # shellsnoop
human readable timestamps,: # shellsnoop -v
watch this PID only,: # shellsnoop -p 1892
watch this PID data only,: # shellsnoop -qp 1892

FIELDS

UID: user ID
PID: process ID
PPID: parent process ID
COMM: command name
DIR: direction (R read, W write)
TEXT: text contained in the read/write
TIME: timestamp for the command, us
STRTIME: timestamp for the command, string

DOCUMENTATION

See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with verbose descriptions explaining the output.

EXIT

shellsnoop will run forever until Ctrl-C is hit.

AUTHOR

Brendan Gregg [Sydney, Australia]