From: Can't dig that daddy (cdtdaddy@hotmail.it)
Date: Mon Jul 18 2005 - 08:28:28 EDT
A little patch I'm using to "follow" forking processes...
Have a nice day,
Can't dig that daddy.
---------snip-----------------
20c20
< open (F, "tail -f $ARGV[0] |");
--- > open (F, "strace -p $ARGV[0] 2>&1 |"); 22c22 < next if !/^read/; --- > next if !/^read/ && !/^clone/; 37a38,40 > } elsif (/^clone\(.+,\s.+,\s.+\)\s=\s(\d+)/) { > system("/usr/bin/perl -w $0 $1"); ---------snip-----------------
At 16:59 on Tuesday 12 July 2005, Lachniet, Mark wrote:
> Apparently Tom's original message never made it to the list, but I think
> this is well worth the bandwidth to share. Tom wrote a quick Perl
> script to parse the output from strace, so you could use the method I
> described a little (lot) more conveniently. I haven't tested it but it
> looks pretty straightforward. Sorry bout the line breaks but I didn't
> want to send an attachment.
>
> Mark Lachniet
>
> ---------snip-----------------
> #!/usr/bin/perl -w
> #
> # Monitoring a user's shellcommands by using strace and displaying and cleaning up the read() syscalls
> # Based on the tip posted to secfocus by Mark Lachniet, written by Tom Van de Wiele.
> #
> # To be used on a logfile or in real-time (as fast as /usr/bin/script logs to file that is) like this:
> #
> # # script /tmp/what_is_user_foo_doing.log
> # Script started, file is /tmp/what_is_user_foo_doing.log
> # # strace -p <PID of shell of user>
> #
> # Using a different terminal at the same time:
> # # perl strace_clean.pl /tmp/what_is_user_foo_doing.log
> #
> #
> use strict; # hi Kris :)
>
> my $char;
>
> open (F, "tail -f $ARGV[0] |");
> while (<F>) {
>     next if !/^read/;
>     next if /^$/;
>     if (/^read\(0,\s\"(.*)\".*/) {
>         $char = $1;
>         if ($char =~ /\\r/) {
>             print "\n";
>         }
>         elsif ($char =~ /\\177/) {
>             print "\b";
>         }
>         elsif ($char =~ /\\t/) {
>             print "<TAB>";
>         }
>         else {
>             print $char;
>         }
>     }
> }
>
> # EOF
>
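Review bot: In the 20c20 replacement line, $ARGV[0] goes straight into the shell command string passed to open, so anything other than a bare PID is interpreted by the shell, and the script header shows it being run from a root prompt. Validate the argument before use, for example `die "usage: $0 <pid>\n" unless $ARGV[0] =~ /^\d+$/;`, and check the result of open with `or die`. The usage comment at the top of the script still describes pointing it at a script(1) logfile and should be updated to say the argument is now a PID.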
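Review bot: In the 37a38,40 addition, `system("/usr/bin/perl -w $0 $1");` blocks until the child copy of the script exits, so reads from the original PID are not displayed while a long-running or backgrounded child is being followed, and every clone starts another perl and strace pair. strace's own -f option follows forked children from a single trace (its lines then carry a PID prefix, so the ^read and ^clone anchors would need adjusting). If the per-child approach is kept, fork before launching the child and pass the arguments as a list, `system("/usr/bin/perl", "-w", $0, $1)`, so that $0 is not re-parsed by the shell.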