Demonstrations of ttysnoop, the Linux eBPF/bcc version.


ttysnoop watches a tty or pts device, and prints the same output that is
appearing on that device. It can be used to mirror the output from a shell
session, or the system console.

Let's snoop /dev/pts/2:

# ./ttysnoop 2
<screen clears>
date
Sun Oct 16 01:28:47 UTC 2016
# uname -a
Linux bgregg-xenial-bpf-i-xxx 4.8.0-rc4-virtual #1 SMP Wed Aug 31 22:54:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
# df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            7.4G     0  7.4G   0% /dev
tmpfs           1.5G   89M  1.4G   6% /run
/dev/xvda1      7.8G  4.5G  3.3G  59% /
tmpfs           7.4G     0  7.4G   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           7.4G     0  7.4G   0% /sys/fs/cgroup
tmpfs           250M     0  250M   0% /run/shm
/dev/md0        160G   20G  141G  13% /mnt
tmpfs           1.5G     0  1.5G   0% /run/user/0
# ^C

What we're seeing is another shell session. The first line was "date" without
the shell prompt ("#") because we began tracing after the prompt was printed.
The other commands appeared, keystroke by keystroke, as the user was typing
them. Spooky!

Remember to Ctrl-C to exit ttysnoop.


To figure out which pts device number to use, you can check your own with "ps"
and others' with "w". For example:

# ps -p $$
  PID TTY          TIME CMD
 9605 pts/1    00:00:00 bash
# w
 01:26:37 up 9 days, 35 min,  2 users,  load average: 0.22, 0.22, 0.15
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/1    100.127.65.241   00:39    2.00s  0.33s  0.33s -bash
root     pts/2    100.127.65.241   00:40   16.00s  1.06s  1.06s -bash

So I'm pts/1, and there's another session that's pts/2.
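
The lookup above as a script: an added example, not part of the original bcc
file. It parses "w" output, lists every session other than your own with its
device path, and expands the pts-number shortcut used in "./ttysnoop 2". The
function names and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: map login sessions from `w` output to ttysnoop device paths.

# Constructed sample, mirroring the `w` output shown above.
SAMPLE_W=' 01:26:37 up 9 days, 35 min,  2 users,  load average: 0.22, 0.22, 0.15
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/1    100.127.65.241   00:39    2.00s  0.33s  0.33s -bash
root     pts/2    100.127.65.241   00:40   16.00s  1.06s  1.06s -bash'

# resolve_device ARG (hypothetical helper): expand a bare pts number to its
# device path; anything that is not purely digits is passed through as a path.
resolve_device() {
    case "$1" in
        ''|*[!0-9]*) printf '%s\n' "$1" ;;
        *)           printf '/dev/pts/%s\n' "$1" ;;
    esac
}

# other_sessions OWN_TTY (hypothetical helper): read `w` output on stdin and
# print "user device" for each session whose TTY column is not OWN_TTY.
# Rows are only considered after the "USER TTY ..." header, so the uptime
# line is never mistaken for a session.
other_sessions() {
    awk -v own="$1" '
        seen && $2 != own { print $1, "/dev/" $2 }
        $1 == "USER" && $2 == "TTY" { seen = 1 }
    '
}

# Demo on the constructed sample, with pts/1 as our own terminal.
printf '%s\n' "$SAMPLE_W" | other_sessions "pts/1"   # -> root /dev/pts/2
resolve_device 2                                     # -> /dev/pts/2
```

On a live system, replace the sample with `w | other_sessions "$(ps -o tty= -p $$)"`.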


This can also snoop tty devices using their full path. Eg, snooping the system
console:

# ./ttysnoop /dev/console
Oct 16 01:32:06 bgregg-xenial-bpf-i-xxx kernel: [780087.407428] bash (9888): drop_caches: 1
Oct 16 01:32:38 bgregg-xenial-bpf-i-xxx snmpd[2708]: Cannot statfs /sys/kernel/debug/tracing: Permission denied
Oct 16 01:33:32 bgregg-xenial-bpf-i-xxx snmpd[2708]: Cannot statfs /sys/kernel/debug/tracing: Permission denied
Oct 16 01:34:26 bgregg-xenial-bpf-i-xxx snmpd[2708]: Cannot statfs /sys/kernel/debug/tracing: Permission denied
^C

Neat!


USAGE:

# ./ttysnoop.py -h
usage: ttysnoop.py [-h] [-C] device

Snoop output from a pts or tty device, eg, a shell

positional arguments:
  device         path to a tty device (eg, /dev/tty0) or pts number

optional arguments:
  -h, --help      show this help message and exit
  -C, --noclear   don't clear the screen
  -s, --datasize  size of the transmitting buffer (default 256)
  -c, --datacount number of times ttysnop checks for data (default 16)

examples:
    ./ttysnoop /dev/pts/2          # snoop output from /dev/pts/2
    ./ttysnoop 2                   # snoop output from /dev/pts/2 (shortcut)
    ./ttysnoop /dev/console        # snoop output from the system console
    ./ttysnoop /dev/tty0           # snoop output from /dev/tty0
    ./ttysnoop /dev/pts/2 -s 1024  # snoop output from /dev/pts/2 with data size 1024
    ./ttysnoop /dev/pts/2 -c 2     # snoop output from /dev/pts/2 with 2 checks for 256 bytes of data in buffer
                                     (potentionaly retrieving 512 bytes)