Linux – How to sniff unix dgram socket without having file path

Tags: linux, socat, ss, unix-sockets

From that article, I realized that:

a UNIX domain socket is bound to a file path.

So, I need to sniff a DGRAM Unix socket through socat as mentioned here. But when I try to retrieve the path for this purpose, I find that the target application uses a socket without a file path.

The ss -apex command shows results both with and without file paths, e.g.:

u_dgr UNCONN 0 0 /var/lib/samba/private/msg.sock/32222   1345285 * 0   users:(("nmbd",pid=32222,fd=7))
u_dgr UNCONN 0 0 * 8567674   * 0   users:(("gnome-shell",pid=16368,fd=23))

From the ss man page I can't find out what e.g. * 8567674 without a file path means.

So, two questions:

  1. Why is there no file path to the unix socket in some cases?
  2. How can I sniff a unix DGRAM socket through socat without having a file path?

Best Answer

Question #1

Q1: From the ss man page I can't find out what e.g. * 8567674 without a file path means.

From the docs it explains the Address:Port column like so:

excerpt

The format and semantics of ADDRESS_PATTERN depends on address family.

  • inet - ADDRESS_PATTERN consists of IP prefix, optionally followed by colon and port. If prefix or port part is absent or replaced with *, this means wildcard match.
  • inet6 - The same as inet, only prefix refers to an IPv6 address. Unlike inet, colon becomes ambiguous, so ss allows the use of a scheme, like that used in URLs, where the address is surrounded with [ ... ].
  • unix - ADDRESS_PATTERN is shell-style wildcard.
  • packet - format looks like inet, only interface index stays instead of port and link layer protocol id instead of address.
  • netlink - format looks like inet, only socket pid stays instead of port and netlink channel instead of address.

PORT is syntactically ADDRESS_PATTERN with wildcard address part. Certainly, it is undefined for UNIX sockets.

The last sentence is your answer.

Question #2

Q2: Why is there no file path to the unix socket in some cases?

See this SO Q&A titled: How to use unix domain socket without creating a socket file.

excerpt

You can create a unix domain socket with an "abstract socket address". Simply make the first character of the sun_path string in the sockaddr_un you pass to bind be '\0'. After this initial NUL, write a string to the remainder of sun_path and pad it out to UNIX_PATH_MAX with NULs (or anything else).

Sockets created this way will not have any filesystem entry, ....

Question #3

Q3: How can I sniff a unix DGRAM socket through socat without having a file path?

Again more googling once you know what things are called: socat docs.

excerpt
  • ABSTRACT-LISTEN:
  • ABSTRACT-SENDTO:
  • ABSTRACT-RECVFROM:
  • ABSTRACT-RECV:
  • ABSTRACT-CLIENT:

    The ABSTRACT addresses are almost identical to the related UNIX addresses except that they do not address file system based sockets but an alternate UNIX domain address space. To achieve this the socket address strings are prefixed with "\0" internally. This feature is available (only?) on Linux. Option groups are the same as with the related UNIX addresses, except that the ABSTRACT addresses are not members of the NAMED group.
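The three pieces the answer points at (how ss renders a unix address, binding in the abstract namespace, and the ABSTRACT-RECVFROM / ABSTRACT-SENDTO relay) can be exercised together in a few lines. The following is an added example, not code from the question, the answer, ss or socat; the names demo-target and demo-proxy are made up for it, and it assumes Linux, since the abstract namespace exists only there. It shows two things the excerpts alone do not: ss prints an abstract name with a leading @ and prints a bare * when the socket has no name at all (it was never bound, like the unbound client below), with the socket inode printed next to it; and "sniffing" a datagram socket is active, not passive: the sender has to be pointed at the proxy's name, and the target then sees the proxy, not the original sender, as its peer.

```python
import os
import socket

# Linux only: a leading NUL in sun_path selects the abstract namespace.
# Both socket names are constructed for this demo, not taken from the page.
TARGET_NAME = f"\0demo-target-{os.getpid()}".encode()
PROXY_NAME = f"\0demo-proxy-{os.getpid()}".encode()


def bind_abstract_dgram(name: bytes) -> socket.socket:
    """Bind a SOCK_DGRAM AF_UNIX socket to an abstract address.

    Same as filling sockaddr_un.sun_path with '\\0' + name in C: no file is
    created and the name disappears when the last reference is closed.
    """
    if not name.startswith(b"\0"):
        raise ValueError("abstract names must begin with a NUL byte")
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(name)
    return sock


def ss_local_address(sock: socket.socket) -> tuple[str, int]:
    """Render a socket's local address the way `ss -x` prints it.

    A filesystem path is shown as-is, an abstract name with a leading '@',
    and '*' when the socket was never bound; the number beside it is the
    socket inode (the "port" column), which is what `* 8567674` is.
    """
    name = sock.getsockname()
    inode = os.fstat(sock.fileno()).st_ino
    if isinstance(name, bytes) and name.startswith(b"\0"):
        return "@" + name[1:].decode(), inode
    if not name:
        return "*", inode
    return name, inode


def relay_datagrams(proxy: socket.socket, target: bytes, count: int) -> list[bytes]:
    """Receive `count` datagrams on proxy, keep a copy, forward each to target.

    This is the job of the socat pair from the answer, roughly
        socat -v -x ABSTRACT-RECVFROM:demo-proxy,fork ABSTRACT-SENDTO:demo-target
    (shown for comparison only; not executed here).
    """
    captured = []
    for _ in range(count):
        data, _peer = proxy.recvfrom(65536)
        captured.append(data)
        proxy.sendto(data, target)
    return captured


def sniff_demo(messages: list[bytes]) -> dict:
    """Target, interposed proxy and an unbound client; report what each side saw."""
    target = bind_abstract_dgram(TARGET_NAME)
    proxy = bind_abstract_dgram(PROXY_NAME)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)  # never bound
    try:
        for msg in messages:                 # the sender is pointed at the proxy
            client.sendto(msg, PROXY_NAME)
        # unix datagrams queue in the kernel, so the relay can run after the sends
        captured = relay_datagrams(proxy, TARGET_NAME, len(messages))
        delivered = [target.recvfrom(65536)[0] for _ in messages]
        return {
            "captured": captured,
            "delivered": delivered,
            "target_addr": ss_local_address(target),  # ('@demo-target-<pid>', inode)
            "client_addr": ss_local_address(client),  # ('*', inode): unnamed socket
        }
    finally:
        client.close()
        proxy.close()
        target.close()


if __name__ == "__main__":
    for key, value in sniff_demo([b"hello", b"world"]).items():
        print(f"{key}: {value}")
```

Run it and compare with `ss -xp` while it is still alive (add a sleep before the sockets are closed): the target row carries the @ name, the client row carries * and its inode. The practical consequence for the question: an abstract name cannot be renamed out of the way like a socket file, so interposing a relay means getting the sender to use the proxy's name (reconfiguring or restarting it), and a socket that ss shows as * has no address a relay could take over at all; in that case the place to interpose is the peer it sends to.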
