tty snoop-device type program
where tty is the leaf-name of the tty that should be snooped upon (eg. ttyS2, not /dev/ttyS2) OR the wildcard '*', which matches ANY tty. snoop-device is the device through which tty should be snooped (eg. /dev/tty8) OR the literal constant "socket". The latter is used to tell ttysnoops that the snoop-device will be a dynamically allocated pty. type specifies the type of program that should be run, currently recognized types are "init", "user" and "login" altough the former two aren't really needed. Finally, program is the full pathname to the program to run when ttysnoops has cloned tty onto snoop-device .
# # example /etc/snooptab # ttyS0 /dev/tty7 login /bin/login ttyS1 /dev/tty8 login /bin/login # # the wildcard tty should always be the last one in the file # * socket login /bin/login # # example end #
With the above example, whenever a user logs in on /dev/ttyS0 or /dev/ttyS1, either tty will be snooped through /dev/tty7 or /dev/tty8 respectively. Any other tty's will be snooped through a pty that will be allocated at the time of login. The system-administrator can then run ttysnoop Ar pty to snoop through the pty. Note that it is up to the system-administrator to setup getty and/or telnetd so that they execute ttysnoops instead of /bin/login.