shellsnoop captures the text input and output from shells running on the system.

In the following example shellsnoop was run in one window, while in another several commands were run: date, cal, uname -a, uptime and find. shellsnoop has successfully captured the text that was displayed in the other window.

   # shellsnoop
     PID  PPID      CMD DIR  TEXT
    4724  3762      ksh   R
    4724  3762      ksh   W  date
    4741  4724     date   W  Sun Mar 28 23:10:06 EST 2004
    4724  3762      ksh   R
    4724  3762      ksh   W  jupiter:/etc/init.d>
    4724  3762      ksh   R
    4724  3762      ksh   R
    4724  3762      ksh   W  cal
    4742  4724      cal   W     March 2004
    4742  4724      cal   W   S  M Tu  W Th  F  S
    4742  4724      cal   W      1  2  3  4  5  6
    4742  4724      cal   W   7  8  9 10 11 12 13
    4742  4724      cal   W  14 15 16 17 18 19 20
    4742  4724      cal   W  21 22 23 24 25 26 27
    4742  4724      cal   W  28 29 30 31
    4742  4724      cal   W
    4724  3762      ksh   R
    4724  3762      ksh   W  jupiter:/etc/init.d>
    4724  3762      ksh   R
    4724  3762      ksh   R
    4724  3762      ksh   W  uname -a
    4743  4724    uname   W  SunOS jupiter 5.10 s10_51 i86pc i386 i86pc
    4724  3762      ksh   R
    4724  3762      ksh   W  jupiter:/etc/init.d>
    4724  3762      ksh   R
    4724  3762      ksh   R
    4724  3762      ksh   W  uptime
    4744  4724   uptime   W  11:10pm up 4 day(s), 11:15, 4 users, load average: 0.05, 0.02, 0.02
    4724  3762      ksh   R
    4724  3762      ksh   W  jupiter:/etc/init.d>
    4724  3762      ksh   R
    4724  3762      ksh   R
    4724  3762      ksh   R
    4724  3762      ksh   W  jupiter:/etc/init.d>
    4724  3762      ksh   R
    4724  3762      ksh   R
    4724  3762      ksh   W  ls -l d*
    4745  4724       ls   W  -rwxr--r-- 3 root sys 1292 Jan 14 16:24 devfsadm
    4745  4724       ls   W  -rwxr--r-- 1 root sys 904 Jan 14 16:24 devlinks
    4745  4724       ls   W  -rwxr--r-- 6 root sys 621 Jan 14 16:17 dhcp
    4745  4724       ls   W  -rwxr--r-- 2 root sys 494 Jan 14 16:17 dhcpagent
    4745  4724       ls   W  -rwxr--r-- 5 root sys 1050 Jan 16 2002 directory
    4745  4724       ls   W  -rwxr--r-- 2 root sys 779 Jan 14 16:17 domainname
    4745  4724       ls   W  -rwxr--r-- 1 root sys 469 Jan 14 16:24 drvconfig
    4745  4724       ls   W  -r-xr-xr-x 4 root other 2804 Mar 27 13:37 dtlogin
    4724  3762      ksh   R
    4724  3762      ksh   W  jupiter:/etc/init.d>
    4724  3762      ksh   R
    4724  3762      ksh   R
    4724  3762      ksh   W  find /etc/default
    4746  4724     find   W  /etc/default
    4746  4724     find   W  /etc/default/cron
    4746  4724     find   W  /etc/default/devfsadm
    4746  4724     find   W  /etc/default/dhcpagent
    4746  4724     find   W  /etc/default/fs
    4746  4724     find   W  /etc/default/inetd
    4746  4724     find   W  /etc/default/inetinit
    4746  4724     find   W  /etc/default/kbd
    4746  4724     find   W  /etc/default/keyserv
    4746  4724     find   W  /etc/default/ipsec
    4746  4724     find   W  /etc/default/nss
    4746  4724     find   W  /etc/default/passwd
    4746  4724     find   W  /etc/default/syslogd
    4746  4724     find   W  /etc/default/tar
    4746  4724     find   W  /etc/default/utmpd
    4746  4724     find   W  /etc/default/init
    4746  4724     find   W  /etc/default/login
    4746  4724     find   W  /etc/default/su
    4746  4724     find   W  /etc/default/power
    4746  4724     find   W  /etc/default/sys-suspend
    4746  4724     find   W  /etc/default/rpc.nisd
    4746  4724     find   W  /etc/default/nfs
   [...]

shellsnoop has a "-q" option for running in "quiet" mode - the previous columns are not printed, so only shell output is seen:

   # shellsnoop -q
   # date
   Wed Nov 30 16:19:48 EST 2005
   #
   # cal
      November 2005
    S  M Tu  W Th  F  S
          1  2  3  4  5
    6  7  8  9 10 11 12
   13 14 15 16 17 18 19
   20 21 22 23 24 25 26
   27 28 29 30
   #

The output appears somewhat boring; this is something you need to see in real time.
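
The default-mode listing can be folded back into a per-shell transcript when a capture is reviewed afterwards. The Python below is an added example, not part of shellsnoop or its documentation; the function names are hypothetical, the sample rows are constructed in the same column layout, and it assumes the shell echoes each command line as a single W row, as in the capture above.

```python
from collections import defaultdict

# Constructed sample in shellsnoop's default layout: PID PPID CMD DIR TEXT.
SAMPLE = """\
  PID  PPID      CMD DIR  TEXT
 4724  3762      ksh   R
 4724  3762      ksh   W  date
 4741  4724     date   W  Sun Mar 28 23:10:06 EST 2004
 4724  3762      ksh   W  jupiter:/etc/init.d>
 4724  3762      ksh   R
 4724  3762      ksh   W  uname -a
 4743  4724    uname   W  SunOS jupiter 5.10 s10_51 i86pc i386 i86pc
 4724  3762      ksh   W  jupiter:/etc/init.d>
"""

def parse_rows(text):
    """Yield (pid, ppid, cmd, direction, text); skip header and damaged rows."""
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue
        if parts[3] not in ("R", "W"):
            continue
        txt = parts[4].rstrip() if len(parts) == 5 else ""  # TEXT may be empty
        yield int(parts[0]), int(parts[1]), parts[2], parts[3], txt

def sessions(text):
    """Return {shell_pid: [entry, ...]}, one entry per child process seen."""
    last_echo = {}   # shell pid -> last non-empty text that shell wrote
    by_child = {}    # child pid -> entry collecting that child's output
    result = defaultdict(list)
    for pid, ppid, cmd, direction, txt in parse_rows(text):
        if pid not in by_child and ppid in last_echo:
            # First row from a process whose parent is a shell already seen:
            # the shell's most recent echo is taken as the command line.
            by_child[pid] = {"command": last_echo[ppid], "child": cmd,
                             "child_pid": pid, "output": []}
            result[ppid].append(by_child[pid])
        if pid in by_child:
            if direction == "W":
                by_child[pid]["output"].append(txt)
        else:
            last_echo.setdefault(pid, "")
            if direction == "W" and txt:
                last_echo[pid] = txt
    return dict(result)

if __name__ == "__main__":
    for shell, entries in sessions(SAMPLE).items():
        for e in entries:
            print(shell, repr(e["command"]), "->", e["child_pid"], e["output"])
```

Leading whitespace inside TEXT is not preserved by this parser, and a PID reused by a later process would be merged into the earlier entry.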