rewrite snoop

andrewh1978 · andrewh1978 · commit 93ae2cd7e890 · 2025-09-19T18:14:28.000+01:00
diff --git a/assets/ttysnoop/_snoop b/assets/ttysnoop/_snoop
@@ -2,12 +2,26 @@
 
 global ttys
 
-probe kernel.function("pty_write") {
+probe kernel.function("pty_open") {
   tty = kernel_string($tty->name)
-  if (tty =~ "^pts" && !ttys[tty] && uid() > 1000 && uid() < 1200) {
-    ttys[tty]=1
-    uid = sprintf("%d", uid() - 1000)
-    system("screen -dmS training".uid.".".tty.".snoop bash -c '(trap \"\" INT; snoop ".tty.")'")
+  if (tty =~ "^pts" && uid() > 1000 && uid() < 1200 && execname() == "sshd") {
+    n = substr(tty, 3, 2)
+    ttys[n]++
+    if (ttys[n] == 2) {
+      uid = sprintf("%d", uid() - 1000)
+      system("screen -dmS training.".tty.".training".uid.".snoop bash -c 'trap \"\" INT; while :; do snoop ".tty."; done'")
+    }
+  }
+}
+
+probe kernel.function("pty_close") {
+  tty = kernel_string($tty->name)
+  if (tty =~ "^ptm" && execname() == "sshd") {
+    n = substr(tty, 3, 2)
+    ttys[n]--
+    if (!ttys[n]) {
+      system("screen -S training.pts".n.". -X quit")
+    }
   }
 }
 
diff --git a/assets/ttysnoop/_snoopall b/assets/ttysnoop/_snoopall
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+tmux new-session -d -s snoop -n main bash -c "trap '' INT; watch screen -ls"
+
+while :; do
+  sleep 1
+  oldscreens=$screens
+  screens=$(screen -ls | awk '/training.*snoop/{print$1}' | sort -t . -k 2,2 -k 3,3)
+  [ "$screens" = "$oldscreens" ] && continue
+  tmux select-pane -t snoop:0.0
+  tmux kill-pane -a
+  for i in $screens; do
+    tmux split-window -t "snoop:main" -h "screen -x $i"
+    tmux select-pane -T $i
+    tmux select-layout -t "snoop:main" tiled
+  done
+done
diff --git a/assets/ttysnoop/snoopall b/assets/ttysnoop/snoopall
@@ -1,11 +1 @@
-#!/usr/bin/env bash
-
-tmux new-session -d -s snoop -n main bash -c "watch "who | grep training""
-
-for i in $(screen -ls | awk '/training.*snoop/{print$1}' | sort -t . -k 2,2 -k 3,3); do
-  tmux split-window -t "snoop:main" -h "screen -x $i"
-  tmux select-pane -T $i
-  tmux select-layout -t "snoop:main" tiled
-done
-
 tmux attach -t snoop
diff --git a/scripts/ttysnoop b/scripts/ttysnoop
@@ -3,7 +3,7 @@ rpm -ih https://dl.rockylinux.org/vault/rocky/9.5/devel/x86_64/os/Packages/k/ker
 rpm -ih https://dl.rockylinux.org/vault/rocky/9.5/devel/x86_64/debug/tree/Packages/k/kernel-debuginfo-5.14.0-503.14.1.el9_5.x86_64.rpm https://dl.rockylinux.org/vault/rocky/9.5/devel/x86_64/os/Packages/k/kernel-debuginfo-common-x86_64-5.14.0-503.14.1.el9_5.x86_64.rpm https://dl.rockylinux.org/vault/rocky/9.5/devel/x86_64/os/Packages/k/kernel-headers-5.14.0-503.14.1.el9_5.x86_64.rpm
 dnf install -y systemtap
 
-install -m 700 /assets/ttysnoop/snoop /assets/ttysnoop/snoopall /assets/ttysnoop/_snoop /usr/sbin
+install -m 700 /assets/ttysnoop/snoop /assets/ttysnoop/snoopall /assets/ttysnoop/_snoop /assets/ttysnoop/_snoopall /usr/sbin
 
 snoop test &
 while [ ! -d /proc/systemtap ]; do
@@ -12,5 +12,9 @@ while [ ! -d /proc/systemtap ]; do
 done
 kill %1
 
-echo "@reboot nohup /usr/sbin/_snoop &" | crontab -
-nohup /usr/sbin/_snoop &
+cat <<EOF | crontab -
+@reboot nohup /usr/sbin/_snoop &
+@reboot nohup /usr/sbin/_snoopall &
+EOF
+nohup /usr/sbin/_snoop &
+nohup /usr/sbin/_snoopall &
