Sunday, October 21, 2007

Sniffing the Google Desktop for Linux traffic.

I promised to present how to sniff the communication between the client and server of Google Desktop for Linux.

So I'll be using the SockSniffer scripts I prepared and wrote about in [1], [2].
$ tar xvzf SockSniffer.0.2.tar.gz
$ mkdir jail
$ cd jail
$ $HOME/SockSniffer.0.2/makejail.sh
$ sudo $HOME/SockSniffer.0.2/mountjail.sh
$ sudo chroot $PWD
$ su my_user_name
$ cd
$ gdlinux

Now we should have two Google Desktop icons in the taskbar.

In chrooted console:
$ cd .google/desktop
$ rm a1_sock
In another console:
$ mkdir socksniff_logs
$ cd socksniff_logs
$ $HOME/SockSniffer.0.2/socksniff $HOME/.google/desktop/a1_sock $HOME/jail$HOME/.google/desktop/a1_sock

Now use the Google Desktop for a while.
Close it.
Kill the socksniff process (e.g. using ^C).

In socksniff console:
$ $HOME/SockSniffer.0.2/sockmerge

Open $HOME/socksniff_logs/dumps/merge.pcap in wireshark.

That's it. Now we can analyze the traffic.

And here's an example dump.

SockSniffer v.0.2

New version of SockSniffer (v0.2):
  • makejail.sh and mountjail.sh scripts added.
    These scripts are used to prepare a chroot jail for the client to be sniffed.
    They were prepared with GoogleDesktop in mind.
  • Added some comments in the code.
  • The socksniff script was corrected: the -n option didn't work for server traffic.
SockSniffer.0.2.tar.gz

Saturday, October 20, 2007

Unix socket sniffer

There are a lot of tools for peeking into communication performed over network sockets:
to name just a few.

But I didn't find any program that could perform this trick for unix sockets. I found only one comment on some mailing list saying that someone had hacked the Linux kernel to do this (most probably by altering the read syscall), but no code whatsoever.

I didn't want to start hacking the kernel, as my only experience with it was compiling it during the short time I ran Gentoo on my desktop. Then it occurred to me: why not use chroot?

The idea is quite simple. A server and a client communicate via a unix socket, which is a named socket located somewhere in the file system. We run the server in the standard way. For the client we create a chroot environment and run the client inside that jail. Our sniffer program connects the two sockets: the standard one with the one in the chroot jail. While transferring the traffic it can dump it into a log file :-D.
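The relay described above, as an added Python example (not the Perl SockSniffer code from this post): the server keeps its real socket, the client gets a same-named socket inside the jail that the sniffer owns, and the sniffer copies bytes between the two while recording each chunk and its direction. The socket paths, the upper-casing echo server and the single client request are constructed for the demo.

```python
import os, select, socket, tempfile, threading

def relay(client_conn, server_conn, log):
    """Shuttle bytes both ways until either side closes, recording (direction, bytes)."""
    peers = {client_conn: ("C->S", server_conn), server_conn: ("S->C", client_conn)}
    while True:
        readable, _, _ = select.select(list(peers), [], [])
        for sock in readable:
            data = sock.recv(65536)
            if not data:                      # EOF on one side ends the session
                return
            direction, peer = peers[sock]
            log.append((direction, data))     # socksniff writes one hex dump file per chunk
            peer.sendall(data)

def listen_unix(path):
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(path); sock.listen(1)           # creates the named socket in the file system
    return sock

def sniff_one_connection(jail_listener, real_path, log):
    """Accept one jailed client, connect to the real server socket, relay, fill `log`."""
    client_conn, _ = jail_listener.accept()   # the client thinks this is the server
    server_conn = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server_conn.connect(real_path)            # the server thinks we are the client
    relay(client_conn, server_conn, log)
    client_conn.close(); server_conn.close()
    return log

def demo():
    """Constructed end-to-end run: an upper-casing echo 'server', the sniffer, one client."""
    tmp = tempfile.mkdtemp()
    real_path = os.path.join(tmp, "a1_sock")        # the server's own socket
    jail_path = os.path.join(tmp, "jail_a1_sock")   # stands in for $HOME/jail$HOME/.google/desktop/a1_sock
    server, jail_listener = listen_unix(real_path), listen_unix(jail_path)
    def echo_upper():                         # stands in for the real server process
        conn, _ = server.accept()
        while buf := conn.recv(4096):
            conn.sendall(buf.upper())
        conn.close()
    threading.Thread(target=echo_upper, daemon=True).start()
    log = []
    sniffer = threading.Thread(target=sniff_one_connection, args=(jail_listener, real_path, log))
    sniffer.start()
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.connect(jail_path)                 # a jailed client only sees this path
    client.sendall(b"hello"); reply = client.recv(4096); client.close()
    sniffer.join()
    return reply, log
```

A byte-level relay like this is not fully transparent: the server sees the sniffer's credentials (SO_PEERCRED) rather than the client's, and ancillary data such as SCM_RIGHTS file descriptors is not copied across, so a protocol that relies on either will behave differently under the sniffer.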

So I wrote an app that does this: SockSniffer ;-).
In the package there are four files:
  • socksniff - the sniffer; it writes the log files into the $PWD/dumps directory.
  • sockmerge - this program merges the log files in the $PWD/dumps directory and writes them in libpcap format, which is readable by wireshark.
  • client.pl and server.pl - client and server scripts to test the sniffer.
All these scripts are written in Perl. The output of socksniff is hex dumps of the traffic, one file per "packet". To use the sockmerge script, wireshark (or ethereal) needs to be installed.

In the coming days I will post a guide on how to sniff the traffic generated by GoogleDesktop for Linux.