I'd like to monitor responses on a unix socket without disturbing the original connections and pipe them to a script for processing.
I know how to do this with tcpdump for tcp connections but I cannot seem to find a solution for local unix sockets.
Is this even possible?
you can use socat.
sudo mv /path/to/sock /path/to/sock.original
sudo socat -t100 -x -v UNIX-LISTEN:/path/to/sock,mode=777,reuseaddr,fork UNIX-CONNECT:/path/to/sock.original
What is happening above: First move original socket to sock.original. Socat creates a new socket ('UNIX-LISTEN') in the originals location and forwards all to the original ('UNIX-connect'). The -v tells socat to also print output to STDERR.
There's a guy that claims to do so by creating an app that acts as a gateway between two sockets and logging all data that flows. So you can't tap on a socket but if you can restart the service and tune it to use this guy app you will be able to see all traffic.
Here is the link to the post: Unix Socket Sniffer
There's another way that needs you to find the process id attached to the socket, then find with lsof the file descriptor of the socket and then tap the file descriptor using strace.
If you can stop whatever client/server is using the socket and reconfigure it I would recommend always the first method, second method it's tricky and requires you to tap a current process which on some apps could cause it to crash.
Hope someone enlighten us with anoter way :)
Good luck
You might also try using strace on one of the processes on either side of the socket, since this will let you watch what is written/read. I found in my production environments, I don't have socat, but do have strace.
For any useful purpose, setting -s to something big is a must.
// backup the socket
sudo mv /var/run/docker.sock /var/run/docker.sock.original
// use tcp port 8089 proxy the original socket
sudo socat TCP-LISTEN:8089,reuseaddr,fork UNIX-CONNECT:/var/run/docker.sock.original
// use the new socket to proxy the 8089 port
sudo socat UNIX-LISTEN:/var/run/docker.sock,fork TCP-CONNECT:127.0.0.1:8089
then:
sudo tcpdump -i lo -netvv port 8089
A bit late, but I modified a systemtap script that will do this for people who can't forward socket traffic from a listening process. Use at your own peril, I have only tested this for Red Hat Enterprise Linux 7 but the structures we reference are generic and (hopefully) don't change very much:
/*
* watch_unix_socket.stp
*
* This is a simply more modern version of the script found here:
* https://sourceware.org/systemtap/wiki/WSunixSockets
*
* The first argument is the location of the file descriptor for a UNIX socket.
* To find this address, for example, for the Docker socket run:
*
* # lsof 2>&1 | awk '/docker.sock/ {print $7}' | grep -v '0t0' | sort -u
* 0xffff8ed0b4eb1800
*
* And use that address to run this systemtap script:
*
* # stap watch_unix_socket.stp 0xffff8ed0b4eb1800
*/
probe begin {
printf("Watching input into socket 0x%x...\n", $1);
}
probe kernel.function("unix_stream_sendmsg") {
if ($sock->sk != $1) {
printf("%d %s is accessing %p\n", pid(), execname(), $sock->sk);
printf("====================\n");
len = 0
for (i = 0; i < $msg->msg_iovlen; i++) {
len += $msg->msg_iov[i]->iov_len;
}
printf("%d [", len);
for (i = 0; i < $msg->msg_iovlen; i++) {
printf("%s", user_string_n($msg->msg_iov[i]->iov_base, $msg->msg_iov[i]->iov_len));
}
printf("] [");
for (i = 0; i < $msg->msg_iovlen; i++) {
printf("%s", user_string_n($msg->msg_iov[i]->iov_base, $msg->msg_iov[i]->iov_len));
}
printf("]\n\n");
}
}
I keep it updated as a Github Gist on my page.
If someone is still looking for an answer in 2024, try this sockdump tool. The tool is based on bpf, and the author also has an answer on unix stackexchange. It worked for me on 6.1.0-18-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux. A sample run -
$ sudo ./sockdump.py --format string /tmp/unix_socket.event.fs
waiting for data
19:19:30.941 >>> process switch [76076 -> 76104] path /tmp/unix_socket.event.fs len 28(28)
Content-Type: auth/request
19:19:30.941 >>> process terver [76104 -> 76076] path /tmp/unix_socket.event.fs len 16(16)
auth abcdefgh
19:20:05.620 >>> process switch [76076 -> 76104] path /tmp/unix_socket.event.fs len 57(57)
Content-Type: text/disconnect-notice
Content-Length: 67
19:20:05.620 >>> process switch [76076 -> 76104] path /tmp/unix_socket.event.fs len 67(67)
Disconnected, goodbye.
PS: this requires installing BCC tools from iovisor, and I believe kernel version >= 5.10.
