[plug] Monitoring the Unix domain network

Cameron Patrick cameron at patrick.wattle.id.au
Fri Jun 3 13:37:31 WST 2005


Craig Ringer wrote:

> You might be able to dump the traffic into a file using a small program
> that uses ptrace (?); maybe even write out a libpcap format file (you
> might have to add "dummy" TCP/UDP headers, ethernet headers, etc) so it
> can be examined with ethereal. That'd probably be quite a bit of work,
> though and I don't know if it'd even work.

It should be pretty trivial, actually, if you don't care about
portability beyond Linux systems.  First look in /proc/$pid/fd for
which file descriptors are Unix sockets.  Then repeatedly
PTRACE_SYSCALL the app and look for read()/write() system calls to FDs
which you know to be sockets, and socket()/close() system calls to
adjust your list of sockets.  Scary if you're not used to ptrace, but
not _that_ hard.  There doesn't seem to be an easy way to find what
socket an fd is connected to, or whether a socket is AF_UNIX or other;
but there must be since netstat can do it, so the source code to
netstat may be of interest.  Failing that, you could do the code
injection trick (use ptrace to back up part of the victim's address
space, insert some code of your own, single step through it, then
restore the victim's original code and continue from where it left
off).

Subterfugue (http://subterfugue.org/) may provide an interesting
starting point for writing this kind of low-level voodoo in relatively
portable Python.  Failing that, the source code to Cryopid (perhaps
the earlier versions, the ones I wrote small bits of and could
actually understand) may also prove to be an interesting reference.

I'll stop now before Bernard goes out and actually implements any of
this :-P

Cameron.
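Added example (not code from the post, nor from Subterfugue or Cryopid): the two steps Cameron sketches, in C for Linux/x86_64.  Step one answers the "which fd is which socket" question by reading the `socket:[N]` links in /proc/$pid/fd and cross-referencing the inode against /proc/net/unix, which is the table netstat -x reads and which lists each AF_UNIX socket's inode and bound path.  Step two attaches with ptrace, resumes the target with PTRACE_SYSCALL, and reports read()/write() on the flagged fds, pulling the first bytes of every write() out of the tracee with PTRACE_PEEKDATA.  It assumes the x86_64 register layout (orig_rax/rdi/rsi/rdx, and rax == -ENOSYS marking a syscall-entry stop) and that the caller is allowed to ptrace the target (same uid with a permissive ptrace_scope, or CAP_SYS_PTRACE); the parsing helpers are plain functions so they can be exercised without a live target.

```c
/* Added example (not from the post, Subterfugue or Cryopid); Linux/x86_64 only.  Find which fds of
 * a process are AF_UNIX sockets via /proc/<pid>/fd and /proc/net/unix (the table netstat -x reads),
 * then PTRACE_SYSCALL the process, report read()/write() on those fds and dump each write's data. */
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_FDS 1024

/* Inode from a "socket:[N]" readlink target of /proc/<pid>/fd/<n>; -1 if the fd is not a socket. */
long socket_inode(const char *link) {
    unsigned long ino; char tail;
    if (sscanf(link, "socket:[%lu%c", &ino, &tail) == 2 && tail == ']') return (long)ino;
    return -1;
}

/* Look an inode up in the text of /proc/net/unix (columns: Num RefCount Protocol Flags Type St Inode
 * Path).  Returns 1 and copies the bound path (empty for an unnamed socket) into out when the inode
 * belongs to an AF_UNIX socket, 0 otherwise.  The "Num ..." header line fails the first conversion. */
int unix_socket_path(const char *table, long inode, char *out, size_t outsz) {
    for (const char *line = table; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512], path[256] = ""; unsigned long ino = 0;
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len); buf[len] = '\0';
        if (sscanf(buf, "%*lx: %*x %*x %*x %*x %*x %lu %255s", &ino, path) >= 1 && (long)ino == inode) {
            snprintf(out, outsz, "%s", path); return 1;
        }
        line = nl ? nl + 1 : line + len;
    }
    return 0;
}

/* Set is_unix[fd] = 1 for every AF_UNIX socket fd of pid; returns the count, or -1 on error. */
int find_unix_fds(pid_t pid, char *is_unix) {
    static char table[1 << 16];
    char dir[64], p[128], link[128], path[256];
    struct dirent *e; int count = 0;
    FILE *f = fopen("/proc/net/unix", "r"); if (!f) { perror("/proc/net/unix"); return -1; }
    table[fread(table, 1, sizeof table - 1, f)] = '\0'; fclose(f);
    snprintf(dir, sizeof dir, "/proc/%d/fd", (int)pid);
    DIR *d = opendir(dir); if (!d) { perror(dir); return -1; }
    while ((e = readdir(d))) {
        int fd = atoi(e->d_name);              /* "." and ".." give 0 but fail readlink below */
        if (fd < 0 || fd >= MAX_FDS) continue;
        snprintf(p, sizeof p, "%s/%s", dir, e->d_name);
        ssize_t l = readlink(p, link, sizeof link - 1); if (l < 0) continue;
        link[l] = '\0';
        long ino = socket_inode(link);
        if (ino < 0 || !unix_socket_path(table, ino, path, sizeof path)) continue;
        is_unix[fd] = 1; count++;
        printf("fd %d: AF_UNIX socket, inode %ld, path '%s'\n", fd, ino, path);
    }
    closedir(d); return count;
}

#if defined(__linux__) && defined(__x86_64__)
/* Trace pid until it exits, reporting read()/write() on the flagged fds. */
static void trace_unix_io(pid_t pid, const char *is_unix) {
    int status, sig = 0; struct user_regs_struct r;
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) < 0) { perror("PTRACE_ATTACH"); return; }
    waitpid(pid, &status, 0);
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD); /* syscall stops -> SIGTRAP|0x80 */
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) < 0 || waitpid(pid, &status, 0) < 0) return;
        if (!WIFSTOPPED(status)) return;                                   /* tracee exited */
        sig = WSTOPSIG(status) == (SIGTRAP | 0x80) ? 0 : WSTOPSIG(status); /* re-deliver real signals */
        if (sig || ptrace(PTRACE_GETREGS, pid, NULL, &r) < 0 || (long)r.rax != -ENOSYS) continue; /* entry only */
        long nr = (long)r.orig_rax, fd = (long)r.rdi, len = (long)r.rdx;
        if ((nr != SYS_read && nr != SYS_write) || fd < 0 || fd >= MAX_FDS || !is_unix[fd]) continue;
        printf("%s(fd=%ld, len=%ld)", nr == SYS_read ? "read" : "write", fd, len);
        if (nr == SYS_write) {                     /* buffer is already filled at entry: dump up to 32 bytes */
            for (long off = 0; off < len && off < 32; off += (long)sizeof(long)) {
                errno = 0;
                long w = ptrace(PTRACE_PEEKDATA, pid, (void *)(r.rsi + off), NULL);
                if (w == -1 && errno) break;
                for (long j = 0; j < (long)sizeof w && off + j < len; j++) printf(" %02x", ((unsigned char *)&w)[j]);
            }
        }
        putchar('\n');
    }
}
#endif

int main(int argc, char **argv) {
    static char is_unix[MAX_FDS];
    if (argc != 2) { fprintf(stderr, "usage: %s pid\n", argv[0]); return 1; }
    pid_t pid = (pid_t)atoi(argv[1]);
    if (find_unix_fds(pid, is_unix) < 0) return 1;
#if defined(__linux__) && defined(__x86_64__)
    trace_unix_io(pid, is_unix);
#endif
    return 0;
}
```

Build with `cc -Wall -o unixmon unixmon.c` and run as `./unixmon <pid>`.  It deliberately stops where the post does: only read()/write() are watched, so a program using send()/recv()/sendmsg()/recvmsg() on the socket is invisible to it, the fd table is read once rather than updated on socket()/close()/dup(), and PTRACE_ATTACH on a pid attaches to that one thread only.  The -ENOSYS test for entry stops is an x86_64 convention; on other architectures the guarded block is compiled out and only the fd listing runs.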