65
31
I'd like to monitor responses on a unix socket without disturbing the original connections and pipe them to a script for processing.
I know how to do this with tcpdump for tcp connections but I cannot seem to find a solution for local unix sockets.
Is this even possible?
ck_
Posted 2012-10-07T20:23:08.093
Reputation: 1 585
16
There's a guy that claims to do so by creating an app that acts as a gateway between two sockets and logging all data that flows. So you can't tap on a socket but if you can restart the service and tune it to use this guy app you will be able to see all traffic.
Here is the link to the post: Unix Socket Sniffer
There's another way that needs you to find the process id attached to the socket, then find with lsof the file descriptor of the socket and then tap the file descriptor using strace.
If you can stop whatever client/server is using the socket and reconfigure it I would recommend always the first method, second method it's tricky and requires you to tap a current process which on some apps could cause it to crash.
Hope someone enlighten us with anoter way :)
Good luck
Valor
Posted 2012-10-07T20:23:08.093
Reputation: 471
Yah, you can do the middleman method also with socat but I am hoping for a more direct way without modifying existing settings elsewhere. – ck_ – 2012-10-08T01:15:40.820
1Then lsof and strace it's the only way I'm aware of. Watch out on produciton when you detach strace from the process, check that everything keeps running after that. – Valor – 2012-10-08T01:31:42.803
3
After some more digging around I found a similar question with some details about why this is not directly possible over on stackoverflow http://stackoverflow.com/questions/8394613/watchdog-monitoring-unix-domain-socket-triggering-events-upon-specific-content
– ck_ – 2012-10-08T13:56:10.79382
you can use socat.
sudo mv /path/to/sock /path/to/sock.original
sudo socat -t100 -x -v UNIX-LISTEN:/path/to/sock,mode=777,reuseaddr,fork UNIX-CONNECT:/path/to/sock.original
What is happening above: First move original socket to sock.original. Socat creates a new socket ('UNIX-LISTEN') in the originals location and forwards all to the original ('UNIX-connect'). The -v tells socat to also print output to STDERR.
storoj
Posted 2012-10-07T20:23:08.093
Reputation: 921
4That's easy when the original unix socket has a path on the filesystem. but what if it's an abstract namespace unix socket that you cannot actually move? – Valerio Schiavoni – 2016-06-14T17:59:47.650
3Care to add a little more explanation? – Kazark – 2013-04-01T16:10:07.077
6
You might also try using strace on one of the processes on either side of the socket, since this will let you watch what is written/read. I found in my production environments, I don't have socat, but do have strace.
For any useful purpose, setting -s to something big is a must.
omnigrok
Posted 2012-10-07T20:23:08.093
Reputation: 61
This worked well for me, and easy to do. Use strace -p <pid> to watch a running process. – Matt Munson – 2016-02-25T03:07:28.270
quick command: strace -s9999 -f $(for i in $( pidof php5-fpm ) ; do echo -n " -p $i "; done ) 2>&1 | tee /tmp/php.log and then run the tests. You have the /tmp/php.log to slowly check if the log is too big. If you are getting too much traffic, do a request with a query-string with your name or something so you can search for it in the logs – higuita – 2017-04-18T16:51:05.453
1@higuita I know it's been a long time, but instead of that loop you can let printf handle the repetition. printf " -p %s" $(pidof php5-fpm) will prefix each pid argument with -p and is much more practical to write. – JoL – 2018-07-20T01:26:53.600
3
// backup the socket
sudo mv /var/run/docker.sock /var/run/docker.sock.original
// use tcp port 8089 proxy the original socket
sudo socat TCP-LISTEN:8089,reuseaddr,fork UNIX-CONNECT:/var/run/docker.sock.original
// use the new socket to proxy the 8089 port
sudo socat UNIX-LISTEN:/var/run/docker.sock,fork TCP-CONNECT:127.0.0.1:8089
then:
sudo tcpdump -i lo -netvv port 8089
任喜军
Posted 2012-10-07T20:23:08.093
Reputation: 31
1el magnifeco! Thanks – typelogic – 2019-10-30T21:48:56.003
1
Related: Watchdog monitoring UNIX domain socket, triggering events upon specific content
– kenorb – 2017-08-27T18:33:25.440