From owner-freebsd-questions  Tue May 19 08:51:56 1998
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id IAA11963
          for freebsd-questions-outgoing; Tue, 19 May 1998 08:51:56 -0700 (PDT)
          (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from violet.csi.cam.ac.uk (exim@violet.csi.cam.ac.uk [131.111.8.58])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA11951
          for <freebsd-questions@freebsd.org>; Tue, 19 May 1998 08:51:48 -0700 (PDT)
          (envelope-from bjc23@hermes.cam.ac.uk)
Received: from bjc23.trin.cam.ac.uk ([131.111.212.250])
	by violet.csi.cam.ac.uk with smtp (Exim 1.92 #1)
	id 0ybof6-0001cm-00; Tue, 19 May 1998 16:50:44 +0100
Date: Tue, 19 May 1998 16:50:46 +0100 (BST)
From: Ben Cohen <bjc23@hermes.cam.ac.uk>
X-Sender: bjc23@bjc23.trin.cam.ac.uk
Reply-To: bjc23@hermes.cam.ac.uk
To: bsd mailing lists <bsd@righi.df.unibo.it>
cc: THIERRY.HERBELOT@telspace.alcatel.fr, freebsd-questions@FreeBSD.ORG
Subject: Re: =?ISO-8859-1?Q?R=E9p_:_sniffit?=
In-Reply-To: <Pine.BSF.3.96.980519161047.8438A-100000@righi.df.unibo.it>
Message-ID: <Pine.BSF.3.96.980519164749.655D-100000@bjc23.trin.cam.ac.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> I need to knwow what users are doing
> sinec I Suspect for a dangerous user,
> so tcpdump is not useful for me

You can use the command w to see what commands users are currently 
running.

You can use ps -U<user> to see what processes the user is running.

You can use watch /dev/<terminal> to see what is being displayed on that
terminal.  (But you need to recompile the kernel with pseudo-device snp 1
and then MAKEDEV snp0)

Ben.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message