But I didn't find any program that could perform this trick for Unix sockets. I found only one comment on some mailing list saying that someone had hacked the Linux kernel to do this (most probably by altering the read syscall), but no code whatsoever.
I didn't want to start hacking the kernel, as my only experience with it was compiling it during the short time when I ran Gentoo on my desktop. Then it occurred to me: why not use chroot?
The idea is quite simple. A server and a client communicate via a Unix domain socket, which is a named socket that lives somewhere in the file system. We run the server in the standard way. For the client we create a chroot environment and run the client inside that jail, so the socket path it opens is resolved inside the jail, not in the real file system. Our sniffer program connects the two sockets: it listens on the socket path inside the chroot jail and connects to the real one outside. While relaying the traffic between them it can dump it into a log file :-D. Two caveats follow from this design: Linux abstract-namespace sockets (names starting with a NUL byte) do not live in the file system, so chroot does not redirect them; and since the server's peer is now the sniffer rather than the client, anything the server learns through the socket itself (SO_PEERCRED credentials, file descriptors passed with SCM_RIGHTS) describes the sniffer, and a plain byte relay does not forward such ancillary data.
So I wrote an app that does exactly this: SockSniffer ;-).
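To make the relay concrete, here is an added example (my own code, not SockSniffer's) of the man-in-the-middle described above: a relay that listens on the socket path the jailed client opens, connects to the real server's socket, shuttles bytes in both directions and records every chunk with a timestamp and direction. The echo server, the client and the "jail" (a plain subdirectory standing in for the chroot, since the point is only that the client's path belongs to the sniffer) are all constructed for the demo; names such as `sniff_connection` and `demo` are mine.

```python
# Added example (not SockSniffer's code): a minimal man-in-the-middle relay
# for a Unix stream socket, plus a tiny echo server and a driver that wires
# them up in a temporary directory. The "jail" here is just a subdirectory
# standing in for the chroot; what matters is that the path the client opens
# belongs to the sniffer, and the sniffer owns the connection to the real server.
import os
import select
import socket
import tempfile
import threading
import time


def forward_once(client, upstream, dump, bufsize=4096):
    """Relay one round of data in whichever direction is ready.

    Every chunk is recorded in `dump` as (timestamp, direction, bytes).
    Returns False once either side has closed its end.
    """
    readable, _, _ = select.select([client, upstream], [], [], 1.0)
    for src in readable:
        data = src.recv(bufsize)
        if not data:          # EOF from one side: tear the whole relay down
            return False
        if src is client:
            dump.append((time.time(), "C->S", data))
            upstream.sendall(data)
        else:
            dump.append((time.time(), "S->C", data))
            client.sendall(data)
    return True


def sniff_connection(jail_path, real_path, dump, ready):
    """Listen where the jailed client expects the socket, connect to the real
    server outside the jail, and relay a single connection between the two."""
    lsock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    lsock.bind(jail_path)
    lsock.listen(1)
    ready.set()
    client, _ = lsock.accept()
    lsock.close()
    upstream = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    upstream.connect(real_path)
    with client, upstream:
        while forward_once(client, upstream, dump):
            pass


def serve_echo(real_path, ready):
    """Stand-in for the real server: answers each message with b'echo: ' + message."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(real_path)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    srv.close()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(b"echo: " + data)


def demo(messages=(b"hello", b"world")):
    """Run server, sniffer and client together; return (dump, replies)."""
    dump, replies = [], []
    with tempfile.TemporaryDirectory() as root:
        real_path = os.path.join(root, "app.sock")            # outside the jail
        jail_path = os.path.join(root, "jail", "app.sock")    # same name, inside the jail
        os.mkdir(os.path.dirname(jail_path))
        srv_ready, sniff_ready = threading.Event(), threading.Event()
        srv = threading.Thread(target=serve_echo, args=(real_path, srv_ready), daemon=True)
        sniffer = threading.Thread(target=sniff_connection,
                                   args=(jail_path, real_path, dump, sniff_ready), daemon=True)
        srv.start()
        srv_ready.wait(5)
        sniffer.start()
        sniff_ready.wait(5)
        # The "jailed" client: it only knows the path inside the jail.
        client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        with client:
            client.connect(jail_path)
            for msg in messages:
                client.sendall(msg)
                replies.append(client.recv(4096))
        sniffer.join(5)
        srv.join(5)
    return dump, replies


if __name__ == "__main__":
    captured, _ = demo()
    for ts, direction, data in captured:
        print(f"{ts:.6f} {direction} {data!r}")
```

With a real chroot you would bind the listening socket at `<jail>/path/to/app.sock` and keep the relay itself outside the jail; the client sees an ordinary socket at the path it was configured with and never learns it is talking to a proxy.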
The package contains four files:
- socksniff - the sniffer; it writes its log files into the $PWD/dumps directory.
- sockmerge - merges the log files in $PWD/dumps and outputs them in libpcap format, which Wireshark can read.
- client.pl and server.pl - a client and a server script for testing the sniffer.
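The merge step deserves a worked example too. The following is added code (mine, not sockmerge's) that takes any number of dump lists of the form the relay above produces, orders them by timestamp and writes a classic libpcap stream, plus a parser that reads it back. The page does not say how sockmerge frames the data, so two choices here are assumptions: the link type DLT_USER0 (147, reserved for private use, which Wireshark lets you map to a dissector of your choice) and a one-byte direction tag prefixed to each frame, since libpcap has no field for direction. The sample dumps in the main block are constructed.

```python
# Added example (not sockmerge's code): serialise relay records from several
# dump lists into one libpcap stream, and parse such a stream back. Records are
# (timestamp, direction, bytes) tuples; the direction is kept as a one-byte
# prefix on each frame since libpcap has no field for it. Link type DLT_USER0
# is an assumption: Wireshark can be told which dissector to apply to it.
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic microsecond-resolution libpcap, written little-endian here
DLT_USER0 = 147           # "reserved for private use" link type
DIR_TAG = {"C->S": 0, "S->C": 1}


def merge_to_pcap(*dumps, linktype=DLT_USER0, snaplen=65535):
    """Merge any number of dump lists by timestamp and emit libpcap bytes."""
    records = sorted((r for dump in dumps for r in dump), key=lambda r: r[0])
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts, direction, payload in records:
        frame = bytes([DIR_TAG[direction]]) + payload
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        # Per-record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", sec, usec, min(len(frame), snaplen), len(frame))
        out += frame[:snaplen]
    return bytes(out)


def read_pcap(data):
    """Parse bytes written by merge_to_pcap back into (linktype, records)."""
    magic, major, minor, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or (major, minor) != (2, 4):
        raise ValueError("not a little-endian libpcap 2.4 stream")
    tag_to_dir = {v: k for k, v in DIR_TAG.items()}
    records, off = [], 24
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        if len(frame) != incl:
            raise ValueError("truncated record")
        records.append((sec + usec / 1_000_000, tag_to_dir[frame[0]], frame[1:]))
        off += 16 + incl
    return linktype, records


if __name__ == "__main__":
    # Constructed sample dumps, as two relay instances might have produced them.
    dump_a = [(1700000000.25, "C->S", b"GET /"), (1700000000.75, "S->C", b"200 OK")]
    dump_b = [(1700000000.50, "C->S", b"ping")]
    blob = merge_to_pcap(dump_a, dump_b)
    print(read_pcap(blob))
```

Writing the output of `merge_to_pcap` to a `.pcap` file gives Wireshark a timestamped stream of opaque frames; to see them decoded as the application protocol you still have to tell Wireshark what DLT_USER0 carries (Edit > Preferences > Protocols > DLT_USER), and the one-byte direction tag has to be accounted for in that mapping.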
In the coming days I will post a guide on how to sniff the traffic generated by GoogleDesktop for Linux.