As of Linux kernel v4.2-rc5 it is not possible to capture directly using the interfaces that are in use by libpcap. libpcap uses the Linux-specific AF_PACKET (alias PF_PACKET) domain, which only allows you to capture data going through a "netdevice" (such as Ethernet interfaces).

There is no kernel interface for capturing from AF_UNIX sockets. Standard Ethernet captures have an Ethernet header with source/destination, etc. Unix sockets have no such fake header, and the link-layer header types registry does not list anything related to this.

The basic entry points for data are unix_stream_recvmsg and unix_stream_sendmsg for SOCK_STREAM (SOCK_DGRAM and SOCK_SEQPACKET have similarly named functions). Data is buffered in sk->sk_receive_queue, and in the unix_stream_sendmsg function there is no code that ultimately leads to calling the tpacket_rcv function for packet captures. See this analysis by osgx on SO for more details on the internals of packet capture in general.

Back to the original question on AF_UNIX socket monitoring: if you are mainly interested in application data, you have some options.

Passive (also works for already running processes):

Use strace and capture on possible system calls that perform I/O. There are lots of them: read, pread64, readv, preadv, recvmsg and many more. The disadvantage of this approach is that you first have to find your file descriptor and then still might miss out on system calls. With strace you can use -e trace=file for most of them (pread is only covered by -e trace=desc, but it is probably not used for Unix sockets by most programs).

Break on/modify unix_stream_recvmsg, unix_stream_sendmsg (or unix_dgram_* or unix_seqpacket_*) in the kernel and output the data somewhere. You can use SystemTap for setting such trace points; here is an example to monitor for outgoing messages. This requires kernel support and availability of debugging symbols.

You could write a quick multiplexer yourself or hack something like this that also outputs a pcap (beware of the limitations, for example AF_UNIX can pass file descriptors, AF_INET cannot):

    # fake TCP server connects to real Unix socket
    socat TCP-LISTEN:6000,reuseaddr,fork UNIX-CONNECT:some.sock

Unfortunately there are no perfect tracers at the moment for Unix domain sockets that produce pcaps (to my best knowledge). Ideally there would be a libpcap format that has a header containing the source/dest PID (when available) followed by optional additional data (credentials, file descriptors) and finally the data. The suggested CONFIG_UNIX_DIAG option is unfortunately also not helpful here; it can only be used to collect statistics, not acquire realtime data as they flow by (see linux/unix_diag.h).
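As an added example (not part of the original post), the sketch below shows what the "ideal" pcap layout described above could look like for a home-grown multiplexer: application bytes are stored under the private-use LINKTYPE_USER0 behind a small pseudo-header carrying direction and sender/receiver PIDs, and read back the same way. The pseudo-header layout, the PIDs and the two captured messages are all constructed for this example; nothing here is a registered link type.

```python
import struct
import time

# LINKTYPE_USER0 (147) is reserved for private use, so a capture that uses it
# needs the reader to know this pseudo-header layout (an assumption of this
# example): direction (1 byte), sender PID, receiver PID (both 32-bit LE).
LINKTYPE_USER0 = 147
PSEUDO_HDR = struct.Struct("<BII")
PCAP_GLOBAL = struct.Struct("<IHHiIII")   # classic 24-byte pcap file header
PCAP_RECORD = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len
DIR_TO_SERVER, DIR_TO_CLIENT = 0, 1


def pcap_global_header(snaplen=262144):
    # magic (little-endian, microsecond timestamps), version 2.4, thiszone,
    # sigfigs, snaplen, link type
    return PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_USER0)


def pcap_record(direction, src_pid, dst_pid, payload, ts=None):
    """One record: pcap record header, pseudo-header, then the socket bytes."""
    ts = time.time() if ts is None else ts
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    body = PSEUDO_HDR.pack(direction, src_pid, dst_pid) + payload
    return PCAP_RECORD.pack(sec, usec, len(body), len(body)) + body


def write_capture(records):
    """records: iterable of (direction, src_pid, dst_pid, payload[, ts])."""
    return pcap_global_header() + b"".join(pcap_record(*r) for r in records)


def read_capture(data):
    """Parse a capture written by write_capture back into 4-tuples."""
    magic, _, _, _, _, _, linktype = PCAP_GLOBAL.unpack_from(data, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_USER0:
        raise ValueError("not a LINKTYPE_USER0 capture in this layout")
    off, out = PCAP_GLOBAL.size, []
    while off < len(data):
        _, _, incl, _ = PCAP_RECORD.unpack_from(data, off)
        off += PCAP_RECORD.size
        direction, src, dst = PSEUDO_HDR.unpack_from(data, off)
        out.append((direction, src, dst, data[off + PSEUDO_HDR.size:off + incl]))
        off += incl
    return out


# Constructed sample: a client (PID 1234) talking to a server (PID 5678).
SAMPLE = [(DIR_TO_SERVER, 1234, 5678, b"GET /status\n", 1.5),
          (DIR_TO_CLIENT, 5678, 1234, b"ok\n", 2.25)]

if __name__ == "__main__":
    with open("unix_capture.pcap", "wb") as f:
        f.write(write_capture(SAMPLE))
```

A relay such as the socat proxy above would feed `pcap_record` with each chunk it forwards; Wireshark's DLT_USER protocol table can then be pointed at LINKTYPE_USER0 so the payload after the 9-byte pseudo-header is dissected.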