ttyrpld is a multi-OS kernel-level tty logger (key- and screenlogger for ttys) with (a)synchronous replay supprt. It supports most tty types, including the on-system virtual consoles, bsd and unix98-style ptys (xterm/ssh), serial, etc. Being implemented within the kernel makes it unavoidable for the default user. The overhead if the logging daemon is not active is one pointer check.
Differences from existing solutions (at the time of writing this in ~2006): Many other solutions deploy the logging completely in userspace and make it dependent on the user to activate the logging, e.g. with /usr/bin/script or /usr/bin/screen's hardcopy feature (Ctrl-a H). I have only seen few other kernel-based loggers. One of them is outdated, others query the x86 keyboard driver using interrupt hijacking and fixed translation. This is very unportable, because it only catches raw AT keyboard scancodes, but not USB or even other keyboards (unless they are in compatibility mode), and it does not work at all for SSH connections.
Only the FreeBSD snooper called watch, which operates on the /dev/snp* devices, can be taken for a comparison. However, it can only do the interactive live feed mode, no logging is possible for later replay. Packet time stamps are also missing.
Resources
- Latest release: 2.61 (2020-01-12)
- Source code release archive
- Git source code repository – https://codeberg.org/jengelh/ttyrpld
(Codeberg was chosen for reasons of EU data privacy laws.) - Git source code repository – https://git.inai.de/ttyrpld (clone only; no webview; EU)