100 lines
1.8 KiB
Plaintext
100 lines
1.8 KiB
Plaintext
.TH shellsnoop 1m "$Date:: 2007-08-05 #$" "USER COMMANDS"
|
|
.SH NAME
|
|
shellsnoop \- snoop live shell activity. Uses DTrace.
|
|
.SH SYNOPSIS
|
|
.B shellsnoop
|
|
[\-hqsv] [\-p PID] [\-u UID]
|
|
.SH DESCRIPTION
|
|
A program to print read/write details from shells,
|
|
such as keystrokes and command outputs.
|
|
|
|
This program sounds somewhat dangerous (snooping keystrokes), but is
|
|
no more so than /usr/bin/truss, and both need root or dtrace privileges to
|
|
run. In fact, less dangerous, as we only print visible text (not password
|
|
text, for example). Having said that, it goes without saying that this
|
|
program shouldn't be used for breeching privacy of other users.
|
|
|
|
This was written as a tool to demonstrate the capabilities of DTrace.
|
|
|
|
Since this uses DTrace, only the root user or users with the
|
|
dtrace_kernel privilege can run this command.
|
|
.SH OS
|
|
Solaris
|
|
.SH STABILITY
|
|
stable - this script uses the syscall provider.
|
|
.SH OPTIONS
|
|
.TP
|
|
\-q
|
|
quiet, only print data
|
|
.TP
|
|
\-s
|
|
include start time, us
|
|
.TP
|
|
\-v
|
|
include start time, string
|
|
.TP
|
|
\-p PID
|
|
PID to snoop
|
|
.TP
|
|
\-u UID
|
|
user ID to snoop
|
|
.PP
|
|
.SH EXAMPLES
|
|
.TP
|
|
Default output,
|
|
#
|
|
.B shellsnoop
|
|
.TP
|
|
human readable timestamps,
|
|
#
|
|
.B shellsnoop
|
|
\-v
|
|
.TP
|
|
watch this PID only,
|
|
#
|
|
.B shellsnoop
|
|
\-p 1892
|
|
.TP
|
|
watch this PID data only,
|
|
#
|
|
.B shellsnoop
|
|
\-qp 1892
|
|
.PP
|
|
.SH FIELDS
|
|
.TP
|
|
UID
|
|
user ID
|
|
.TP
|
|
PID
|
|
process ID
|
|
.TP
|
|
PPID
|
|
parent process ID
|
|
.TP
|
|
COMM
|
|
command name
|
|
.TP
|
|
DIR
|
|
direction (R read, W write)
|
|
.TP
|
|
TEXT
|
|
text contained in the read/write
|
|
.TP
|
|
TIME
|
|
timestamp for the command, us
|
|
.TP
|
|
STRTIME
|
|
timestamp for the command, string
|
|
.PP
|
|
.SH DOCUMENTATION
|
|
See the DTraceToolkit for further documentation under the
|
|
Docs directory. The DTraceToolkit docs may include full worked
|
|
examples with verbose descriptions explaining the output.
|
|
.SH EXIT
|
|
shellsnoop will run forever until Ctrl\-C is hit.
|
|
.SH AUTHOR
|
|
Brendan Gregg
|
|
[Sydney, Australia]
|
|
.SH SEE ALSO
|
|
dtrace(1M)
|