ttysnoop [-h] [-C] device
ttysnoop watches a tty or pts device, and prints the same output that is appearing on that device. It can be used to mirror the output from a shell session, or the system console.
This works by use of kernel dynamic tracing of the tty_write() function. This tool will need updating in case that kernel function changes in a future kernel version.
Since this uses BPF, only the root user can use this tool.
CONFIG_BPF and bcc.
Don't clear the screen.
Either a path to a tty device (eg, /dev/tty0) or a pts number (eg, the "3" from /dev/pts/3).
- Snoop output from /dev/pts/2
# ttysnoop /dev/pts/2
- Snoop output from /dev/pts/2 (shortcut)
# ttysnoop 2
- Snoop output from the system console
# ttysnoop /dev/console
- Snoop output from /dev/tty0
# ttysnoop /dev/tty0
As the rate of tty_write() is expected to be very low (<100/s), the overhead of this tool is expected to be negligible.
This is from bcc.
Also look in the bcc distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.
Unstable - in development.