Hi,

I want to write a sniffer program which sniffs packets from a Unix socket. Is it possible?
I have written small server and client programs using a Unix socket (sockaddr_un). Now I want to write a sniffer program which sniffs the packets from the socket. I am not able to do it.

Thank you,
Sri

NOTE: This might be better in the Linux/Unix forum - maybe a moderator can move it as appropriate.

Traditionally, a sniffer intercepts network traffic from a device; usually a network interface card (NIC). Sniffing can also be done with a network tap/bridge that sits between two machines on a network.

In your case, I think you are using sockets as an inter-process communication (IPC) mechanism. In that case, there is no network or NIC to speak of. You have a couple of options - not many of them are very straightforward. You can (in order of increasing difficulty):

  • Engineer the source code to have debug statements that you monitor
  • Use strace on either the client or server depending on your needs
  • Use strace on the file descriptor itself
  • Use LD_PRELOAD with your own shim library to intercept packets

Like I said, all but the first require some additional know-how and exploration.

What exactly is your goal? Message content? Message frequency? Debugging?

I have a server and multiple clients communicating with it using a Unix socket. They use their own protocol for communication. I want to write a protocol dumper, so I want to snoop the Unix socket and dump all the packets on the console.

If that is the case you will probably be looking at the fourth case. strace only gives you the call interface, not the content. If you want the content you will have to intercept the comms prior to it going out the socket.

I've seen - in a short Google search - some techniques that use a chroot environment to achieve the same effect, so you may have a few more options than just the ones I've listed above.

Thanks. strace is difficult, so I am writing a proxy for the server to capture the packets.
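The proxy approach the thread settles on, as an added example that is not code from any poster: the proxy listens on the socket path the clients use, connects to the real server on a second path, and logs every chunk in both directions as hex plus printable ASCII. The function names, the socket file names and the toy upper-casing server are assumptions made up for the illustration.

```python
import os, selectors, socket, tempfile, threading

def dump(direction, data, out):
    """Record one chunk as '<direction> <hex> |<printable ASCII>|'."""
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in data)
    out.append(f"{direction} {data.hex()} |{text}|")

def proxy_once(listener, server_path, out):
    """Accept one client, connect to the real server, relay and log both directions."""
    client, _ = listener.accept()
    upstream = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    upstream.connect(server_path)
    sel = selectors.DefaultSelector()
    sel.register(client, selectors.EVENT_READ, ("C->S", upstream))
    sel.register(upstream, selectors.EVENT_READ, ("S->C", client))
    running = True
    while running:
        for key, _ in sel.select():
            direction, peer = key.data
            data = key.fileobj.recv(4096)
            if not data:              # one side closed: tear down both
                running = False
                break
            dump(direction, data, out)
            peer.sendall(data)
    for s in (sel, client, upstream):
        s.close()

def unix_listener(path):
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.listen(1)
    return s

def demo():
    """Constructed rig: toy server that upper-cases one message, the proxy, one client."""
    tmp = tempfile.mkdtemp()
    real, front = os.path.join(tmp, "real.sock"), os.path.join(tmp, "front.sock")
    srv, lst, out = unix_listener(real), unix_listener(front), []
    def server():
        conn, _ = srv.accept()
        conn.sendall(conn.recv(4096).upper())
        conn.close()
    threading.Thread(target=server, daemon=True).start()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(front)
        cli.sendall(b"ping\x01")      # constructed sample message, queued for the proxy
        proxy_once(lst, real, out)    # relays until the server closes its side
        return cli.recv(4096), out
```

Calling `demo()` returns the client's reply together with the captured log lines. For a real server with many clients, `proxy_once` would run in a loop or one thread per accepted connection.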
