0

I have this screen process which has open my serial port:

$ sudo lsof | grep /dev/ttyS0
    screen    23520        root    6u      CHR               4,64         0t0       1421 /dev/ttyS0
$ cd /proc/23520
$ head -n 5 status
    Name:   screen
    State:  S (sleeping)
    Tgid:   23520
    Pid:    23520
$ screen -ls
    There is a screen on:
        21200.pts-1.porkypig    (07/10/2013 12:25:42 PM)    (Detached)
$ screen -r 21200.pts-1.porkypig

When I reattached to the screen session to see exactly what it's doing, I see this long log of information. It seems like the result of "tail -f", that is, a continuous log being output.

$ cd cwd
$ pwd
    /proc/23520/cwd
$ ls -l
    -rw-r--r--  1 root        root        2147 2013-10-07 17:55 minicom.log

When I switch into the directory (cwd) that this process was run from, I notice minicom.log, which makes me suspect the user ran something like "tail -f minicom.log".

I know that in Linux we can use history to track back commands that were run. But how can I confirm the command was run to display what I am currently looking at in my screen session?

JohnMerlino

2 Answers

0

The best way would be to strace the PID.

For example, screen sessions are located in /var/run/screen/<screen session>. If you ls in that directory you'll see the PID of the session.

You can then strace -p <pid> on that PID. It won't be pretty but it's the closest you'll get.

  • When I do that, I just get this: strace -p 23520 Process 23520 attached - interrupt to quit select(1024, [3 6], [], NULL, NULL – JohnMerlino Oct 09 '13 at 20:20
0

In your case the screen PID is 21200 (according to the screen -ls command). So pstree 21200 will do. Similarly, htop in tree mode (press [F5]) will also show the process tree.

Luke Lee
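The two checks used in this thread (lsof to see who has /dev/ttyS0 open, pstree to see what runs under the screen session) can be combined by reading /proc directly. The script below is an added example, not part of the original question or answers; the function names and the PROC override variable are hypothetical, and the PID in the usage comment is the one from the question.

```shell
#!/bin/sh
# Added example. PROC (default /proc) may point at a fixture directory for testing.
PROC=${PROC:-/proc}

# Parent PID of $1. comm (field 2 of stat) may contain spaces or ')', so cut
# everything up to the last ") " before splitting the remaining fields.
ppid_of() {
    stat=$(cat "$PROC/$1/stat" 2>/dev/null) || return 1
    set -- ${stat##*") "}        # now $1 = state, $2 = ppid
    printf '%s\n' "$2"
}

# argv of $1. /proc/PID/cmdline is NUL-separated (empty for kernel threads).
cmdline_of() {
    [ -r "$PROC/$1/cmdline" ] || return 0
    tr '\0' ' ' < "$PROC/$1/cmdline" | sed 's/ *$//'
}

# Succeeds if PID $1 has a descriptor open on path $2 (what lsof reports).
holds() {
    for fd in "$PROC/$1"/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "$2" ] && return 0
    done
    return 1
}

# proc_tree PID DEVICE [INDENT]: print PID and all descendants with their
# command lines, flagging any process that holds DEVICE open.
# The body is a subshell so each recursion level keeps its own variables.
proc_tree() (
    pid=$1 dev=$2 indent=${3:-}
    mark=''
    if holds "$pid" "$dev"; then mark=" [holds $dev]"; fi
    printf '%s%s %s%s\n' "$indent" "$pid" "$(cmdline_of "$pid")" "$mark"
    for d in "$PROC"/[0-9]*; do
        child=${d##*/}
        if [ "$(ppid_of "$child")" = "$pid" ]; then
            proc_tree "$child" "$dev" "$indent  "
        fi
    done
)

# Usage on a live system, as root: proc_tree 21200 /dev/ttyS0
```

Reading another user's /proc/PID/fd entries requires root, the same as the sudo lsof call in the question.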