There are a lot of tools for peeking into communication performed over network sockets:
to name just a few.
But I couldn't find any program that could perform this feat for unix sockets. I found only one comment on some mailing list that someone had hacked the Linux kernel to do this (most probably by altering the read syscall), but no code whatsoever.
I didn't want to start hacking the kernel, as my only experience with it was compiling it during the short time I ran Gentoo on my desktop. Then it occurred to me: why not use chroot?
The idea is quite simple. A server and a client communicate via a unix socket, which is a named socket located somewhere in the file system. We run the server in the standard way. For the client we create a chroot environment and run the client inside that chroot jail. Our sniffer program connects the two sockets: the standard one and the one in the chroot jail. While relaying the traffic between them it can dump it into a log file :-D.
So I wrote an app that does exactly this: SockSniffer ;-).
In the package there are four files:
- socksniff - the sniffer; it writes the log files into the $PWD/dumps directory.
- sockmerge - this program merges the log files in the $PWD/dumps directory and outputs them in libpcap format, which Wireshark can read.
- client.pl and server.pl - client and server scripts for testing the sniffer.
All of these scripts are written in Perl. The output of socksniff is hex dumps of the traffic, one file per "packet". To use the sockmerge script, Wireshark (or Ethereal) needs to be installed.
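As an added illustration of the relay described above (my own Python sketch, not the Perl socksniff from the package): the sniffer listens on the socket path that the chrooted client will see, connects each client to the real server's socket, and writes every chunk it forwards as one hex-dump file in a dumps directory, one file per "packet". The file naming, the dump format and the sniff_one/selftest helpers are my assumptions, and the echo server is a constructed stand-in for a real server.

```python
import contextlib, os, socket, tempfile, threading

def hexdump(data: bytes) -> str:
    """Offset, hex bytes and printable ASCII, 16 bytes per row (this example's own format)."""
    rows = [data[i:i + 16] for i in range(0, len(data), 16)]
    return "\n".join(f"{i * 16:08x}  {r.hex(' '):<47}  "
                     + "".join(chr(b) if 32 <= b < 127 else "." for b in r)
                     for i, r in enumerate(rows))

def _pump(src, dst, tag, dump_dir, counter):
    """Copy src -> dst until EOF; every chunk read becomes one dump file (one 'packet')."""
    while data := src.recv(65536):
        n, counter[0] = counter[0], counter[0] + 1
        with open(os.path.join(dump_dir, f"{n:06d}_{tag}.txt"), "w") as f:
            f.write(hexdump(data))
        dst.sendall(data)
    with contextlib.suppress(OSError): dst.shutdown(socket.SHUT_WR)  # pass the EOF on

def sniff_one(jail_path, real_path, dump_dir, ready):
    """Listen on jail_path (what the chrooted client sees), relay one client to real_path."""
    os.makedirs(dump_dir, exist_ok=True)
    lsock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    lsock.bind(jail_path); lsock.listen(1); ready.set()
    client, _ = lsock.accept()
    upstream = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    upstream.connect(real_path)
    counter = [0]  # shared by both directions so file names keep the global chunk order
    for s, d, tag in ((client, upstream, "c2s"), (upstream, client, "s2c")):
        threading.Thread(target=_pump, args=(s, d, tag, dump_dir, counter), daemon=True).start()

def _echo_server(path, ready):  # stand-in for the real server, constructed for the self-test
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path); s.listen(1); ready.set()
    c, _ = s.accept()
    while data := c.recv(4096):
        c.sendall(data)
    c.close()

def selftest(payload=b"hello over a unix socket\n"):  # client -> sniffer -> echo server
    d = tempfile.mkdtemp()
    real, jail, dumps = (os.path.join(d, n) for n in ("real.sock", "jail.sock", "dumps"))
    for target, args in ((_echo_server, (real,)), (sniff_one, (jail, real, dumps))):
        ev = threading.Event()
        threading.Thread(target=target, args=args + (ev,), daemon=True).start()
        ev.wait()
    c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM); c.connect(jail)
    c.sendall(payload); c.shutdown(socket.SHUT_WR)
    reply = b"".join(iter(lambda: c.recv(4096), b""))
    c.close()
    return reply, sorted(os.listdir(dumps))  # the reply and the dump files written
```

In real use jail_path would be the server's socket path placed under the chroot directory, so the chrooted client finds a socket at exactly the path it expects while the sniffer sits in between.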
In the coming days I will post a guide on how to sniff the traffic generated by Google Desktop for Linux.