shellsnoop captures the text input and output from shells running on the
system. In the following example shellsnoop was run in one window, while
in another several commands were run: date, cal, uname -a, uptime and find.
shellsnoop has successfully captured the text that was displayed in the
other window.


# shellsnoop
  PID  PPID      CMD DIR  TEXT
 4724  3762      ksh   R
 4724  3762      ksh   W  date

 4741  4724     date   W  Sun Mar 28 23:10:06 EST 2004
 4724  3762      ksh   R
 4724  3762      ksh   W  jupiter:/etc/init.d>
 4724  3762      ksh   R
 4724  3762      ksh   R
 4724  3762      ksh   W  cal

 4742  4724      cal   W     March 2004
 4742  4724      cal   W   S  M Tu  W Th  F  S
 4742  4724      cal   W      1  2  3  4  5  6
 4742  4724      cal   W   7  8  9 10 11 12 13
 4742  4724      cal   W  14 15 16 17 18 19 20
 4742  4724      cal   W  21 22 23 24 25 26 27
 4742  4724      cal   W  28 29 30 31
 4742  4724      cal   W
 4724  3762      ksh   R
 4724  3762      ksh   W  jupiter:/etc/init.d>
 4724  3762      ksh   R
 4724  3762      ksh   R
 4724  3762      ksh   W  uname -a

 4743  4724    uname   W  SunOS jupiter 5.10 s10_51 i86pc i386 i86pc
 4724  3762      ksh   R
 4724  3762      ksh   W  jupiter:/etc/init.d>
 4724  3762      ksh   R
 4724  3762      ksh   R
 4724  3762      ksh   W  uptime

 4744  4724   uptime   W   11:10pm  up 4 day(s), 11:15,  4 users,  load average: 0.05, 0.02, 0.02
 4724  3762      ksh   R
 4724  3762      ksh   W  jupiter:/etc/init.d>
 4724  3762      ksh   R
 4724  3762      ksh   R
 4724  3762      ksh   R
 4724  3762      ksh   W  jupiter:/etc/init.d>
 4724  3762      ksh   R
 4724  3762      ksh   R
 4724  3762      ksh   W  ls -l d*

 4745  4724       ls   W  -rwxr--r--   3 root     sys         1292 Jan 14 16:24 devfsadm
 4745  4724       ls   W  -rwxr--r--   1 root     sys          904 Jan 14 16:24 devlinks
 4745  4724       ls   W  -rwxr--r--   6 root     sys          621 Jan 14 16:17 dhcp
 4745  4724       ls   W  -rwxr--r--   2 root     sys          494 Jan 14 16:17 dhcpagent
 4745  4724       ls   W  -rwxr--r--   5 root     sys         1050 Jan 16  2002 directory
 4745  4724       ls   W  -rwxr--r--   2 root     sys          779 Jan 14 16:17 domainname
 4745  4724       ls   W  -rwxr--r--   1 root     sys          469 Jan 14 16:24 drvconfig
 4745  4724       ls   W  -r-xr-xr-x   4 root     other       2804 Mar 27 13:37 dtlogin
 4724  3762      ksh   R
 4724  3762      ksh   W  jupiter:/etc/init.d>
 4724  3762      ksh   R
 4724  3762      ksh   R
 4724  3762      ksh   W  find /etc/default

 4746  4724     find   W  /etc/default
 4746  4724     find   W  /etc/default/cron
 4746  4724     find   W  /etc/default/devfsadm
 4746  4724     find   W  /etc/default/dhcpagent
 4746  4724     find   W  /etc/default/fs
 4746  4724     find   W  /etc/default/inetd
 4746  4724     find   W  /etc/default/inetinit
 4746  4724     find   W  /etc/default/kbd
 4746  4724     find   W  /etc/default/keyserv
 4746  4724     find   W  /etc/default/ipsec
 4746  4724     find   W  /etc/default/nss
 4746  4724     find   W  /etc/default/passwd
 4746  4724     find   W  /etc/default/syslogd
 4746  4724     find   W  /etc/default/tar
 4746  4724     find   W  /etc/default/utmpd
 4746  4724     find   W  /etc/default/init
 4746  4724     find   W  /etc/default/login
 4746  4724     find   W  /etc/default/su
 4746  4724     find   W  /etc/default/power
 4746  4724     find   W  /etc/default/sys-suspend
 4746  4724     find   W  /etc/default/rpc.nisd
 4746  4724     find   W  /etc/default/nfs
[...]



shellsnoop has a "-q" option for running in "quiet" mode: the columns
shown previously are not printed, so only the shell output is seen:

   # shellsnoop -q
   # date
   Wed Nov 30 16:19:48 EST 2005
   #
   # cal
      November 2005
    S  M Tu  W Th  F  S
          1  2  3  4  5
    6  7  8  9 10 11 12
   13 14 15 16 17 18 19
   20 21 22 23 24 25 26
   27 28 29 30

   #

The output appears somewhat boring; this is something you need to see
in real time.

    113