Can I monitor a local unix domain socket like tcpdump?
I'd like to monitor responses on a unix socket without disturbing the original connections and pipe them to a script for processing.
I know how to do this with tcpdump for tcp connections but I cannot seem to find a solution for local unix sockets.
Is this even possible?
unix domain sockets tcpdump
asked Oct 7 '12 at 20:23 – ck_
edited Oct 7 '12 at 20:44 – ck_
Related: Watchdog monitoring UNIX domain socket, triggering events upon specific content
– kenorb
Aug 27 '17 at 18:33
4 Answers
There's a guy that claims to do so by creating an app that acts as a gateway between two sockets and logging all data that flows. So you can't tap on a socket, but if you can restart the service and tune it to use this guy's app you will be able to see all traffic.
Here is the link to the post: Unix Socket Sniffer
There's another way that needs you to find the process id attached to the socket, then find with lsof the file descriptor of the socket and then tap the file descriptor using strace.
If you can stop whatever client/server is using the socket and reconfigure it, I would always recommend the first method. The second method is tricky and requires you to tap a current process, which on some apps could cause it to crash.
Hope someone enlightens us with another way :)
Good luck
answered Oct 7 '12 at 21:39 – Valor
Yah, you can do the middleman method also with socat but I am hoping for a more direct way without modifying existing settings elsewhere.
– ck_
Oct 8 '12 at 1:15
Then lsof and strace is the only way I'm aware of. Watch out on production when you detach strace from the process; check that everything keeps running after that.
– Valor
Oct 8 '12 at 1:31
After some more digging around I found a similar question with some details about why this is not directly possible over on Stack Overflow: stackoverflow.com/questions/8394613/…
– ck_
Oct 8 '12 at 13:56
You can use socat.
sudo mv /path/to/sock /path/to/sock.original
sudo socat -t100 -x -v UNIX-LISTEN:/path/to/sock,mode=777,reuseaddr,fork UNIX-CONNECT:/path/to/sock.original
What is happening above: first, move the original socket to sock.original. socat creates a new socket ('UNIX-LISTEN') in the original's location and forwards everything to the original ('UNIX-CONNECT'). The -v tells socat to also print output to STDERR.
answered Apr 1 '13 at 15:49 – storoj
edited Apr 10 '14 at 15:15 – gesell
Care to add a little more explanation?
– Kazark
Apr 1 '13 at 16:10
That's easy when the original unix socket has a path on the filesystem. But what if it's an abstract namespace unix socket that you cannot actually move?
– Valerio Schiavoni
Jun 14 '16 at 17:59
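A variant of the socat tap in the answer above that copies the original socket's owner, group and mode instead of using mode=777, keeps the capture file private, and moves the real socket back when the tap stops. This is an added example, not code from the answer; the default log path /tmp/sock-tap.log, the function names and the use of GNU stat are assumptions.

```sh
#!/bin/sh
# Added example, not code from the answer. The log path and function names
# are assumptions; GNU stat (Linux) is assumed, and the socket path must not
# contain characters socat treats as separators (comma, colon).

# Address options that copy mode, owner and group from an existing path.
listen_opts_from() {
    stat -c 'mode=%a,user=%U,group=%G' -- "$1"
}

# Listening address for the tap: socket path plus the copied options.
listen_addr() {
    printf 'UNIX-LISTEN:%s,%s,fork' "$1" "$2"
}

# Put the real socket back in place; safe to call more than once.
restore_socket() {
    [ -n "${TAP_SOCK:-}" ] || return 0
    [ -S "$TAP_SOCK.original" ] || return 0
    rm -f -- "$TAP_SOCK"
    mv -- "$TAP_SOCK.original" "$TAP_SOCK"
}

# tap_socket SOCKET [LOGFILE]: run socat in the foreground until interrupted.
tap_socket() {
    TAP_SOCK=$1
    tap_log=${2:-/tmp/sock-tap.log}
    [ -S "$TAP_SOCK" ] || { echo "not a socket: $TAP_SOCK" >&2; TAP_SOCK=; return 1; }
    [ ! -e "$TAP_SOCK.original" ] || { echo "$TAP_SOCK.original already exists" >&2; TAP_SOCK=; return 1; }
    tap_opts=$(listen_opts_from "$TAP_SOCK") || return 1
    trap restore_socket EXIT
    trap 'exit 130' INT TERM
    mv -- "$TAP_SOCK" "$TAP_SOCK.original"
    (
        # Restrictive umask: the new socket is never more open than the
        # original before socat applies mode=, and the capture file (which
        # may contain credentials or tokens) is readable by its owner only.
        umask 077
        socat -t100 -x -v "$(listen_addr "$TAP_SOCK" "$tap_opts")" \
            "UNIX-CONNECT:$TAP_SOCK.original" 2>>"$tap_log"
    )
}

# With an argument, tap that socket: sh tap.sh /path/to/sock [logfile]
if [ "$#" -gt 0 ]; then
    tap_socket "$@"
fi
```

Clients that were already connected keep talking to the original socket directly; only connections opened after the move pass through the tap.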
You might also try using strace on one of the processes on either side of the socket, since this will let you watch what is written/read. I found in my production environments, I don't have socat, but do have strace.
For any useful purpose, setting -s to something big is a must.
answered Sep 21 '14 at 23:04 – omnigrok
This worked well for me, and easy to do. Use strace -p <pid> to watch a running process.
– Matt Munson
Feb 25 '16 at 3:07
quick command:
strace -s9999 -f $(for i in $( pidof php5-fpm ) ; do echo -n " -p $i "; done ) 2>&1 | tee /tmp/php.log
and then run the tests. You have the /tmp/php.log to slowly check if the log is too big. If you are getting too much traffic, do a request with a query-string with your name or something so you can search for it in the logs
– higuita
Apr 18 '17 at 16:51
@higuita I know it's been a long time, but instead of that loop you can let printf handle the repetition. printf " -p %s" $(pidof php5-fpm) will prefix each pid argument with -p and is much more practical to write.
– JoL
Jul 20 '18 at 1:26
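The strace approach from this answer and the lsof step from the first answer produce a log of every syscall, so the socket's traffic still has to be picked out by file descriptor. The filter below is an added example, not code from any of the answers: it keeps only transfers on one fd, follows calls that strace splits into "unfinished" and "resumed" lines, and flags payloads cut short by a small -s. The sample log is constructed, the function names are assumptions, and plain strace output without -y fd decoration is assumed.

```sh
#!/bin/sh
# Added example: pull the traffic of one socket fd out of strace output.
# Assumes plain strace output (no -y fd decoration); the sample is constructed.

# strace_socket_io FD < strace-output
# One tab-separated record per transfer: pid, in|out, return value,
# complete|truncated, payload (left in strace escaped form, one line each).
strace_socket_io() {
    LC_ALL=C awk -v want="$1" '
    function emit(pid, call, rest,    i, c, n, payload, tail, state, ret, dir) {
        # rest begins just after the opening quote of the buffer argument
        n = length(rest); payload = ""
        for (i = 1; i <= n; i++) {
            c = substr(rest, i, 1)
            if (c == "\\") { payload = payload c substr(rest, i + 1, 1); i++ }
            else if (c == "\"") break
            else payload = payload c
        }
        tail = substr(rest, i + 1)
        # strace marks a string cut short by -s with three dots after the quote
        state = (substr(tail, 1, 3) == "...") ? "truncated" : "complete"
        ret = "?"
        if (match(tail, /\) = -?[0-9]+/)) ret = substr(tail, RSTART + 4, RLENGTH - 4)
        dir = (call == "read" || call == "recvfrom") ? "in" : "out"
        printf "%s\t%s\t%s\t%s\t%s\n", pid, dir, ret, state, payload
    }
    {
        pid = "-"; line = $0
        # "[pid N] " prefix (-f or several -p) or bare "N " prefix (-o file)
        if (match(line, /^\[pid +[0-9]+\] /) || match(line, /^[0-9]+ +/)) {
            pid = substr(line, 1, RLENGTH); gsub(/[^0-9]/, "", pid)
            line = substr(line, RLENGTH + 1)
        }
        if (match(line, /^(read|write|sendto|recvfrom)\([0-9]+/)) {
            call = substr(line, 1, RLENGTH); fd = call
            sub(/\(.*/, "", call); sub(/.*\(/, "", fd)
            rest = substr(line, RLENGTH + 1)
            if (rest ~ /^, <unfinished/) { pcall[pid] = call; pfd[pid] = fd }
            else if (fd == want && substr(rest, 1, 3) == ", \"") emit(pid, call, substr(rest, 4))
        } else if (match(line, /^<\.\.\. (read|write|sendto|recvfrom) resumed> ?/)) {
            # a blocked call finishes on a later line that no longer names the fd
            rest = substr(line, RLENGTH + 1)
            if ((pid in pfd) && pfd[pid] == want && substr(rest, 1, 1) == "\"")
                emit(pid, pcall[pid], substr(rest, 2))
            delete pfd[pid]; delete pcall[pid]
        }
    }'
}

# Constructed sample of strace -f output; fd 7 stands for the unix socket.
sample_strace_log() {
    cat <<'EOF'
[pid  4321] read(7, <unfinished ...>
[pid  4322] write(2, "worker ready\n", 13) = 13
[pid  4321] <... read resumed>"GET /status HTTP/1.1\r\nHost: localhost\r\n\r\n", 8192) = 41
[pid  4321] write(7, "HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok", 40) = 40
[pid  4322] read(7, 0x7ffc5a3e1000, 8192) = -1 EAGAIN (Resource temporarily unavailable)
[pid  4322] write(7, "HTTP/1.1 200 OK\r\nContent-Type: t"..., 512) = 512
EOF
}

# With an argument, filter stdin for that fd; without, run on the sample.
if [ "$#" -gt 0 ]; then strace_socket_io "$1"; else sample_strace_log | strace_socket_io 7; fi
```

A record marked truncated means the capture was taken with too small a -s value and the payload on that line is incomplete.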
# back up the socket
sudo mv /var/run/docker.sock /var/run/docker.sock.original
# proxy the original socket on TCP port 8089; bind to loopback so the Docker API is not reachable from other hosts (run each socat in its own terminal)
sudo socat TCP-LISTEN:8089,bind=127.0.0.1,reuseaddr,fork UNIX-CONNECT:/var/run/docker.sock.original
# create a new socket at the old path that forwards to port 8089
sudo socat UNIX-LISTEN:/var/run/docker.sock,fork TCP-CONNECT:127.0.0.1:8089
then: sudo tcpdump -i lo -netvv port 8089
answered 3 mins ago – 任喜军