1 .TH shellsnoop 1m "$Date:: 2007-08-05 #$" "USER COMMANDS"
3 shellsnoop \- snoop live shell activity. Uses DTrace.
6 [\-hqsv] [\-p PID] [\-u UID]
8 A program to print read/write details from shells,
9 such as keystrokes and command outputs.
11 This program sounds somewhat dangerous (snooping keystrokes), but is
12 no more so than /usr/bin/truss, and both need root or dtrace privileges to
13 run. In fact, less dangerous, as we only print visible text (not password
14 text, for example). Having said that, it goes without saying that this
15 program shouldn't be used for breeching privacy of other users.
17 This was written as a tool to demonstrate the capabilities of DTrace.
19 Since this uses DTrace, only the root user or users with the
20 dtrace_kernel privilege can run this command.
24 stable - this script uses the syscall provider.
28 quiet, only print data
31 include start time, us
34 include start time, string
48 human readable timestamps,
58 watch this PID data only,
78 direction (R read, W write)
81 text contained in the read/write
84 timestamp for the command, us
87 timestamp for the command, string
90 See the DTraceToolkit for further documentation under the
91 Docs directory. The DTraceToolkit docs may include full worked
92 examples with verbose descriptions explaining the output.
94 shellsnoop will run forever until Ctrl\-C is hit.