How would I go about writing a Linux TTY sniffer?

Question

For educational purposes (not that anyone should care about the motivations behind such an exercise) I'd like to write a program that can read/write to/from alternate tty/pty's. I've read papers (from the 1990's) but can't employ the implementation they use, on modern Linux/glibc

I was hoping that someone had researched into this in the past (not too far in the past), or at least, read documentation pertaining to it, that they could provide, that would enlighten me further.

I also wonder if (considering the fact that Linux doesn't have STREAMs) if this exercise *strong text*must be done via a loadable kernel module [ lkm ]

I have many questions and probably a misunderstanding of some of the fundamental ideologies that allow such objectives to be put in place, could someone help? :)

Answer 1

I'm ssh'd into a remote linux box twice, producing /dev/pts/0 and /dev/pts/1. From 0, I can open 1 for read, thereby stealing all the stuff the user types to 1. If I want them to see their typing, I have to write it back to /dev/pts/1. Of course, their input never makes it to their shell, so I have to create a shell process at my end (on 0) and pipe their input it, then pipe the shell's out back to 1.

This all works great for me. While all this is going on, I can save off all the data read and written during the process wherever I like.

Of course, you can't do this unless you are root or are snooping on a session you own, but you only wanted this for educational purposes, right?

Answer 2

The linspy.c code in that Phrack article is a Linux kernel module. It won't compile against a modern kernel, because the internal kernel interfaces change frequently.

However, the basic approach it uses is sound (although it is completely missing locking required for correctness in an SMP environment), and with the application of sufficient elbow grease you should be able to port it to compile against the latest kernel.