guest@apple-gunkies.ai.mit.edu (Guest Account) (12/31/90)
Hello

I'd like to ask what the best way is to monitor a tty invisibly to
the user. Obviously cat </dev/ttyxx doesn't work; it prevents
the commands from going to the processes.
How would one do this?

Joe
ji@ctr.columbia.edu (John Ioannidis) (01/01/91)
In article <12559@life.ai.mit.edu> guest@apple-gunkies.ai.mit.edu (Guest Account) writes:
>
>Hello
>
>I'd like to ask what the best way is to monitor a tty invisibly to
>the user. Obviously cat </dev/ttyxx doesn't work; it prevents
>the commands from going to the processes.
>How would one do this?
>
>Joe

If the TTY is a hard-wired terminal (a rare breed these days), just tap
the cable (you'll actually need two terminals, one for tapping the
incoming, and one for tapping the outgoing signal). Where I worked a
few summers ago, we had an intruder coming over a modem, and we traced
what he did this way.

If the TTY is really a pty, and the user is using a shell that stays
in cooked mode (sh, csh, ksh with the -[eg]macs option left unset), then
you can peek into the contents of the "canonical queue" by reading
/dev/kmem. I have a program that does that if you want. If it's in raw
mode, then you can't do it without changing anything in the kernel.

If you have STREAMS-based ttys (e.g., SunOS), then it should be easy
to write a STREAMS driver that inserts itself between two layers in
some other user's STREAMS stack and tees traffic in your direction.

/ji

In-Real-Life: John "Heldenprogrammer" Ioannidis
E-Mail-To: ji@cs.columbia.edu
V-Mail-To: +1 212 854 8120
P-Mail-To: 450 Computer Science \n Columbia University \n New York, NY 10027
harry@svnet.UUCP (Harry Skelton) (01/03/91)
ji@ctr.columbia.edu (John Ioannidis) writes:

. guest@apple-gunkies.ai.mit.edu (Guest Account) writes:
. >
. >Hello
. >
. >I'd like to ask what the best way is to monitor a tty invisibly to
. >the user. Obviously cat </dev/ttyxx doesn't work; it prevents
. >the commands from going to the processes.
. >How would one do this?
. >
. >Joe
.
. If the TTY is a hard-wired terminal (a rare breed these days), just tap
. the cable (you'll actually need two terminals, one for tapping the
. incoming, and one for tapping the outgoing signal). Where I worked a
. few summers ago, we had an intruder coming over a modem, and we traced
. what he did this way.

Just don't wire your Data Transmit line into the connection; you may end
up sending answerback information, etc., and screw up the line.

.
. If the TTY is really a pty, and the user is using a shell that stays
. in cooked mode (sh, csh, ksh with the -[eg]macs option left unset), then
. you can peek into the contents of the "canonical queue" by reading
. /dev/kmem. I have a program that does that if you want. If it's in raw
. mode, then you can't do it without changing anything in the kernel.

Could you send me a copy, John?

.
. If you have STREAMS-based ttys (e.g., SunOS), then it should be easy
. to write a STREAMS driver that inserts itself between two layers in
. some other user's STREAMS stack and tees traffic in your direction.

Just watch the config under AT&T's streams (prior to 4.0).

You could just push him into a pty regardless with a pty handling program
(see recent alt.sources postings) and tee the output from the pty. I find
this easy since it works on most systems but does require you to be the
SA or have root access sometimes.

---
Harry Skelton - UniForum - Senior Systems Administrator.
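Harry's last suggestion, putting the user on a pty with a pty-handling program and teeing the pty's output, is the same mechanism that session-audit tools such as script(1) and sudo's I/O logging are built on. The following C program is an added illustration of that mechanism; it is not code from this thread or from any of the posters. It allocates a pty with posix_openpt(3), runs a command on the slave side with the slave as its controlling terminal, and copies everything the command writes both to the real terminal and to a transcript file. The function names (run_recorded, log_contains), the default log path and the marker strings in the test are this example's own inventions.

```c
/* ptyrec.c: a minimal session recorder in the style of script(1).
 * Added example, not code from the thread.  It runs a command on a
 * pseudo-terminal, relays terminal traffic, and tees the command's output
 * into a transcript file.  run_recorded, log_contains and DEFAULT_LOG are
 * names chosen for this example. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <termios.h>
#include <time.h>
#include <unistd.h>

#define DEFAULT_LOG "session.log"   /* constructed default for this example */

/* Run argv[] on a fresh pty.  Bytes the command writes go to out_fd (if >= 0)
 * and to the transcript at logpath; bytes read from in_fd (if >= 0) are fed
 * to the command.  Returns the command's exit status, or -1 on failure. */
int run_recorded(char *const argv[], const char *logpath, int in_fd, int out_fd)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0 || grantpt(master) < 0 || unlockpt(master) < 0)
        return -1;
    const char *slave_name = ptsname(master);
    if (!slave_name) { close(master); return -1; }

    /* The transcript captures whatever is echoed to the terminal, so keep
     * the file private to the recording user (mode 0600). */
    int logfd = open(logpath, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (logfd < 0) { close(master); return -1; }
    time_t now = time(NULL);
    dprintf(logfd, "Session started on %s", ctime(&now));

    pid_t pid = fork();
    if (pid < 0) { close(master); close(logfd); return -1; }
    if (pid == 0) {
        /* Child: new session; opening the slave without O_NOCTTY makes it
         * the controlling terminal, so the command sees a normal tty. */
        setsid();
        int slave = open(slave_name, O_RDWR);
        if (slave < 0) _exit(127);
        dup2(slave, STDIN_FILENO);
        dup2(slave, STDOUT_FILENO);
        dup2(slave, STDERR_FILENO);
        if (slave > STDERR_FILENO) close(slave);
        close(master);
        close(logfd);
        execvp(argv[0], argv);
        _exit(127);
    }

    /* Parent: relay loop.  poll(2) ignores entries whose fd is -1. */
    struct pollfd fds[2] = { { in_fd, POLLIN, 0 }, { master, POLLIN, 0 } };
    char buf[4096];
    for (;;) {
        if (poll(fds, 2, -1) < 0) {
            if (errno == EINTR) continue;
            break;
        }
        if (fds[0].fd >= 0 && fds[0].revents) {
            ssize_t n = read(fds[0].fd, buf, sizeof buf);
            if (n <= 0) fds[0].fd = -1;          /* EOF on input: stop forwarding */
            else if (write(master, buf, (size_t)n) < 0) break;
        }
        if (fds[1].revents) {
            ssize_t n = read(master, buf, sizeof buf);
            if (n <= 0) break;                   /* EOF/EIO: command closed the slave */
            if (out_fd >= 0 && write(out_fd, buf, (size_t)n) < 0) break;
            if (write(logfd, buf, (size_t)n) < 0) break;
        }
    }
    close(master);
    close(logfd);

    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Return 1 if the transcript at path contains needle, 0 otherwise. */
int log_contains(const char *path, const char *needle)
{
    static char text[65536];
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[n] = '\0';
    return strstr(text, needle) != NULL;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s command [args...]\n", argv[0]); return 2; }
    struct termios saved, raw;
    int tty = isatty(STDIN_FILENO);
    if (tty) {   /* let the child's pty do line editing, not ours */
        tcgetattr(STDIN_FILENO, &saved);
        raw = saved;
        raw.c_lflag &= ~(ECHO | ICANON | ISIG | IEXTEN);
        raw.c_iflag &= ~(ICRNL | IXON);
        tcsetattr(STDIN_FILENO, TCSANOW, &raw);
    }
    int rc = run_recorded(argv + 1, DEFAULT_LOG, STDIN_FILENO, STDOUT_FILENO);
    if (tty) tcsetattr(STDIN_FILENO, TCSANOW, &saved);
    return rc < 0 ? 1 : rc;
}
```

Build with `cc ptyrec.c -o ptyrec` and run `./ptyrec /bin/sh`; the transcript lands in session.log. Two points worth noticing from the defender's side: the transcript is only the pty's output stream, so it holds echoed keystrokes and program output but not the raw input bytes, and the recorded shell's controlling terminal is the recorder's pty slave, which `tty` or `ps` inside the session will show. Neither this program nor Harry's pty-handler approach is hidden from the user in the way the original question asked for; it is the audit-trail technique, not the /dev/kmem one.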