shellsnoop captures the text input and output from shells running on the
system. In the following example shellsnoop was run in one window, while
in another several commands were run: date, cal, uname -a, uptime and find.
shellsnoop has successfully captured the text that was displayed on the
other window.
# shellsnoop
PID PPID CMD DIR TEXT
4724 3762 ksh R
4724 3762 ksh W date
4741 4724 date W Sun Mar 28 23:10:06 EST 2004
4724 3762 ksh R
4724 3762 ksh W jupiter:/etc/init.d>
4724 3762 ksh R
4724 3762 ksh R
4724 3762 ksh W cal
4742 4724 cal W March 2004
4742 4724 cal W S M Tu W Th F S
4742 4724 cal W 1 2 3 4 5 6
4742 4724 cal W 7 8 9 10 11 12 13
4742 4724 cal W 14 15 16 17 18 19 20
4742 4724 cal W 21 22 23 24 25 26 27
4742 4724 cal W 28 29 30 31
4742 4724 cal W
4724 3762 ksh R
4724 3762 ksh W jupiter:/etc/init.d>
4724 3762 ksh R
4724 3762 ksh R
4724 3762 ksh W uname -a
4743 4724 uname W SunOS jupiter 5.10 s10_51 i86pc i386 i86pc
4724 3762 ksh R
4724 3762 ksh W jupiter:/etc/init.d>
4724 3762 ksh R
4724 3762 ksh R
4724 3762 ksh W uptime
4744 4724 uptime W 11:10pm up 4 day(s), 11:15, 4 users, load average: 0.05, 0.02, 0.02
4724 3762 ksh R
4724 3762 ksh W jupiter:/etc/init.d>
4724 3762 ksh R
4724 3762 ksh R
4724 3762 ksh R
4724 3762 ksh W jupiter:/etc/init.d>
4724 3762 ksh R
4724 3762 ksh R
4724 3762 ksh W ls -l d*
4745 4724 ls W -rwxr--r-- 3 root sys 1292 Jan 14 16:24 devfsadm
4745 4724 ls W -rwxr--r-- 1 root sys 904 Jan 14 16:24 devlinks
4745 4724 ls W -rwxr--r-- 6 root sys 621 Jan 14 16:17 dhcp
4745 4724 ls W -rwxr--r-- 2 root sys 494 Jan 14 16:17 dhcpagent
4745 4724 ls W -rwxr--r-- 5 root sys 1050 Jan 16 2002 directory
4745 4724 ls W -rwxr--r-- 2 root sys 779 Jan 14 16:17 domainname
4745 4724 ls W -rwxr--r-- 1 root sys 469 Jan 14 16:24 drvconfig
4745 4724 ls W -r-xr-xr-x 4 root other 2804 Mar 27 13:37 dtlogin
4724 3762 ksh R
4724 3762 ksh W jupiter:/etc/init.d>
4724 3762 ksh R
4724 3762 ksh R
4724 3762 ksh W find /etc/default
4746 4724 find W /etc/default
4746 4724 find W /etc/default/cron
4746 4724 find W /etc/default/devfsadm
4746 4724 find W /etc/default/dhcpagent
4746 4724 find W /etc/default/fs
4746 4724 find W /etc/default/inetd
4746 4724 find W /etc/default/inetinit
4746 4724 find W /etc/default/kbd
4746 4724 find W /etc/default/keyserv
4746 4724 find W /etc/default/ipsec
4746 4724 find W /etc/default/nss
4746 4724 find W /etc/default/passwd
4746 4724 find W /etc/default/syslogd
4746 4724 find W /etc/default/tar
4746 4724 find W /etc/default/utmpd
4746 4724 find W /etc/default/init
4746 4724 find W /etc/default/login
4746 4724 find W /etc/default/su
4746 4724 find W /etc/default/power
4746 4724 find W /etc/default/sys-suspend
4746 4724 find W /etc/default/rpc.nisd
4746 4724 find W /etc/default/nfs
[...]
shellsnoop has a "-q" option for running in "quiet" mode - the previous
columns are not printed, so only shell output is seen,
# shellsnoop -q
# date
Wed Nov 30 16:19:48 EST 2005
#
# cal
November 2005
S M Tu W Th F S
1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30
#
The output appears somewhat boring, this is something you need to see
in realtime.