I have this screen process which has open my serial port:

$ sudo lsof | grep /dev/ttyS0 screen 23520 root 6u CHR 4,64 0t0 1421 /dev/ttyS0
$ cd /proc/23520
$ head -n 5 status Name: screen State: S (sleeping) Tgid: 23520 Pid: 23520
$ screen -ls There is a screen on: 21200.pts-1.porkypig (07/10/2013 12:25:42 PM) (Detached)
$ screen -r 21200.pts-1.porkypig

When I reattached to the screen session, to see exactly what it's doing. I see this long log of information. It seems like the result of "tail -f", that is, a continous log being output.

/proc/23520 $ cd cwd pwd
/proc/23520/cwd
ls -l
-rw-r--r-- 1 root root 2147 2013-10-07 17:55 minicom.log

When I switch into the directory (cwd) that this process was run from, I notice minicom.log, which makes me suspect the user ran something like "tail -f minicom.log".

I know that in linux we can use history to track back commands that were run. But how can I confirm the command was run to display what I am currently looking at in my screen session?

2 Answers

The best way would be to strace the PID.

For example; screen sessions are located in /var/run/screen/<screen session>. If you ls in that directory you'll see the PID of the session.

You can then strace -p <pid> on that PID. It wont be pretty but it's the closest you'll get.

1

In your case the screen PID is 21200 (according to the screen -ls command). So pstree 21200 will do. Similarly, htop in tree mode (press [F5]) will also see the process tree.

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password Submit

Post as a guest

Post Your Answer Discard

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy