
Snoop

Snoop is a GNU/Linux file descriptor monitoring tool inspired by FreeBSD's 'watch'. It goes beyond simple TTY snooping by allowing the interception of any file descriptor. You can attach on the fly to regular files, TTYs, named pipes, character devices, and pretty much anything that is represented by a file descriptor and addressable in the standard name space.


Recent releases

  •  14 Jul 2008 17:42

    Release Notes: Updated to work with recent kernels.

  •  19 Mar 2007 16:52

    Release Notes: This release addresses the compatibility issues with recent kernels. It also extends the monitoring capabilities to parent directories in order to intercept creation events and attach targets on the fly.

  •  21 Feb 2006 16:16

    Release Notes: This version introduces the ability to attach to virtually any type of file descriptor (regular files, sockets, pipes, etc.) using the /proc/[pid]/fd/[fd#] file name format.

  •  02 Nov 2005 09:26

    Release Notes: This release introduces inotify-based file monitoring, which allows automatic (re)attaching. It also features an improved kernel compatibility layer.

  •  23 Jul 2005 06:35

    Release Notes: This release introduces some usability improvements and fixes a potentially serious bug. The program now supports attaching to the same FD multiple times (reentrant hooks), keeping track of underlying file operations changes and reporting the number of attached FDs through the userspace utility.
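The release notes above rely on one property of Linux: every open file descriptor, including sockets and anonymous pipes that have no path of their own, is reachable by name as /proc/[pid]/fd/[fd#]. The following is an added example, written for this page and not snoop's own code, that enumerates a process's descriptors through that directory and classifies what each one refers to (regular file, TTY, other character device, named pipe, socket, anonymous pipe, unlinked file), i.e. it finds the names a monitor such as snoop would be pointed at. It assumes Linux procfs; the function names, the `FdTarget` record and the `self_pipe_kind` demo helper are ours.

```python
# Added example, not part of the snoop project. Linux only: it relies on the
# procfs "magic links" under /proc/<pid>/fd described in proc(5).
import os
import re
import stat
from dataclasses import dataclass
from typing import List, Optional

# Link formats the kernel uses for fds that have no name in the filesystem
# namespace, e.g. "socket:[12345]", "pipe:[6789]", "anon_inode:[eventpoll]".
_ANON_LINK = re.compile(r"^(socket|pipe|anon_inode):\[([^\]]*)\]$")


@dataclass
class FdTarget:
    fd: int
    link: str         # os.readlink() result for /proc/<pid>/fd/<fd>
    kind: str         # one of the strings returned by classify_link()
    attach_path: str  # the /proc/<pid>/fd/<fd> name a monitor would open


def classify_link(link: str, st_mode: Optional[int] = None) -> str:
    """Map a readlink() target (plus the mode of the open file, if known) to
    one of: deleted, socket, pipe, anon_inode, tty, chardev, fifo, regular,
    dir, other."""
    # A file unlinked while still open keeps its old path plus a marker.
    if link.endswith(" (deleted)"):
        return "deleted"
    m = _ANON_LINK.match(link)
    if m:
        return m.group(1)
    if st_mode is not None:
        if stat.S_ISCHR(st_mode):
            # Pseudo-terminals and consoles are character devices; tell them
            # apart from e.g. /dev/null or /dev/urandom by their path.
            return "tty" if link.startswith(("/dev/pts/", "/dev/tty")) else "chardev"
        if stat.S_ISFIFO(st_mode):
            return "fifo"      # a named pipe opened by path
        if stat.S_ISSOCK(st_mode):
            return "socket"    # a unix socket bound to a path
        if stat.S_ISDIR(st_mode):
            return "dir"
        if stat.S_ISREG(st_mode):
            return "regular"
    return "other"


def list_fds(pid: int) -> List[FdTarget]:
    """Return every open fd of `pid` with its resolved target. Reading another
    process's /proc/<pid>/fd needs the same uid or CAP_SYS_PTRACE."""
    fd_dir = f"/proc/{pid}/fd"
    targets: List[FdTarget] = []
    for name in sorted(os.listdir(fd_dir), key=int):
        path = os.path.join(fd_dir, name)
        try:
            link = os.readlink(path)
            # stat() follows the magic link to the open file itself, so it
            # works even for sockets and pipes that have no real path.
            mode = os.stat(path).st_mode
        except FileNotFoundError:
            continue  # fd closed between listdir() and readlink(): skip it
        targets.append(FdTarget(int(name), link, classify_link(link, mode), path))
    return targets


def self_pipe_kind() -> Optional[str]:
    """Demo helper: open an anonymous pipe and report how its read end is
    classified when seen through /proc/self. Returns None without procfs."""
    if not os.path.isdir("/proc/self/fd"):
        return None
    r, w = os.pipe()
    try:
        by_fd = {t.fd: t for t in list_fds(os.getpid())}
        return by_fd[r].kind
    finally:
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    import sys
    # Usage: python3 fdlist.py [pid]   (defaults to this process)
    target_pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    for t in list_fds(target_pid):
        print(f"{t.attach_path:<24} {t.kind:<10} {t.link}")
```

The `attach_path` column is the name that matters for a tool working at the descriptor level: a socket or anonymous pipe cannot be opened by any path under /dev or /tmp, but /proc/[pid]/fd/[fd#] still names it. The `FileNotFoundError` branch is not optional; descriptors come and go between `listdir()` and `readlink()`, which is also why the 2005 release added inotify-based re-attaching rather than assuming a target stays put.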

Recent comments

21 Jul 2008 22:24 mali

Re: Snoop is badly chosen name

>
> > The "snoop" sniffer was never ported
> > to Linux[...]
>
> Probably because there are alternate
> solutions available, such as ttyrpld

This doesn't quite make sense: the discussion you're quoting was about name clashes with a network sniffer. A network sniffer (snoop from SVr4 according to Jorg) not being ported to Linux has nothing to do with the availability of tty snoopers.

> which, while relying on patching the
> source, does not change a filp's f_op
> (which can lead to surprising crashes
> just like trying to override syscalls).
> See
> http://ttyrpld.sourceforge.net/desc.php
> for details.

Nice plug, but avoiding patching and rebuilding the kernel is quite a feature. How many kernel versions does ttyrpld support? I seriously doubt you generated rpldhk patches for more than a handful of kernels. What happens with the people using unsupported versions (or distro-patched kernels, which probably count for more than 90% of the installed base)? The patch-based approach (besides being inconvenient) simply doesn't scale.

There's also a significant difference in scope: snoop is not just a tty logger but a generic fd monitoring tool. You can attach to any open file descriptor: sockets, files, pipes, you name it. If you can find it in /proc/<pid>/fd/, you can attach to it and take a peek at what's going on in a non-intrusive way.

As far as stability is concerned, I have yet to see or hear of crashes caused by the snoop module. The tty layer plays tricks with filp->f_op too, so that in itself is not fundamentally broken. If you can spot any races please file a bug report, but as far as I can tell the f_op updates are performed in a safe manner.

21 Jul 2008 19:49 jengelh

Re: Snoop is badly chosen name

> The "snoop" sniffer was never ported to Linux[...]

Probably because there are alternate solutions available, such as ttyrpld which, while relying on patching the source, does not change a filp's f_op (which can lead to surprising crashes just like trying to override syscalls). See http://ttyrpld.sourceforge.net/desc.php for details.

18 Jul 2005 07:06 mali

Re: Snoop is badly chosen name

You do have a point, but so is http://www.die.net/doc/linux/man/man1/watch.1.html vs http://www.bsdguides.org/guides/freebsd/misc/watch.php and a dozen other commands.

The "snoop" sniffer was never ported to Linux and I think the Linux package namespace is different enough from other UNIces to make this a non-issue. Heck, the availability of "snoop" on Freshmeat & SourceForge tells it all :)

Thanks for pointing it out though.

18 Jul 2005 06:39 schily

Snoop is badly chosen name

Snoop is the TCP/IP network sniffer on UNIX SVr4. This is true since 1989, so you should rename your program....
