Linux – How to ‘strace’ a unix domain socket
Tags: linux-kernel, socket, strace

Kind of hard to explain, but I noticed when stracing the PID that has the socket open I cannot see any of the communication. How can I sit in the middle of a socket file to watch communication?
Best Answer
Sockets are a kernel API for communication. Using the socket API, you can exchange data between two endpoints over TCP/IP connections, SCTP associations, UDP datagrams, or between two processes (datagram or connection) using Unix domain sockets...

Being a kernel API, any interaction with a socket is via system calls (socket, bind, connect, listen, accept, sendmsg, send, recv, write/read...). So typically, strace will be able to trace those because strace traces system calls. The only communication mechanism that strace can't trace is IPC over shared memory (because reading/writing something in memory obviously doesn't involve a system call).

More likely, in your case, it's something else. My bet would be that the application is multi-threaded and you're not stracing the right thread. Or it could be that the application is setuid/setgid and not started as superuser.
If you want to strace what's being exchanged over Unix domain sockets, the options are:

- strace and other ptrace debuggers (trace the server or the clients)
- auditd/auditctl (again, that traces the system calls)
- the LD_PRELOAD trick to wrap the system calls that interact with the socket

For the MITM, you could for instance use socat. Here for a connection-oriented Unix domain socket like for X11:

Then, you see the X11 traffic that xlogo and the X server exchange.
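The man-in-the-middle relay the answer describes, written out as an added example rather than code from the original answer: a small Python program that listens on its own socket path, forwards each accepted connection to the real service's socket, and records every chunk in both directions, which is what `socat -x -v UNIX-LISTEN:... UNIX-CONNECT:...` does from the shell. The socket paths, the upper-casing stand-in service and the message are constructed for the demo; `demo()` routes a client through the relay and returns the reply together with the captured transcript of each direction.

```python
import os
import socket
import tempfile
import threading
from typing import Dict, List, Tuple

# Added example: transparent MITM relay for a connection-oriented Unix domain
# socket. Paths, the upstream service and the traffic are constructed for the
# demo; nothing here is taken from the original page.

LogEntry = Tuple[str, bytes]  # (direction, chunk); direction is "c->s" or "s->c"


class UnixSocketMitm:
    """Accept clients on mitm_path, relay each one to real_path, log both directions."""

    def __init__(self, mitm_path: str, real_path: str) -> None:
        self.real_path = real_path
        self.log: List[LogEntry] = []
        self._lock = threading.Lock()
        self._listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._listener.bind(mitm_path)  # the client is pointed at this path instead
        self._listener.listen(8)

    def _pump(self, src: socket.socket, dst: socket.socket, direction: str) -> None:
        """Copy src -> dst until EOF, then half-close dst so the peer sees the same EOF."""
        try:
            while True:
                chunk = src.recv(65536)
                if not chunk:
                    break
                with self._lock:
                    self.log.append((direction, chunk))
                dst.sendall(chunk)
        except OSError:
            pass  # peer went away; the half-close below still tells the other side
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass

    def serve_one(self) -> None:
        """Handle a single client connection end to end (run this in a thread)."""
        client, _ = self._listener.accept()
        upstream = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        upstream.connect(self.real_path)
        pumps = [
            threading.Thread(target=self._pump, args=(client, upstream, "c->s")),
            threading.Thread(target=self._pump, args=(upstream, client, "s->c")),
        ]
        for t in pumps:
            t.start()
        for t in pumps:
            t.join()
        client.close()
        upstream.close()

    def close(self) -> None:
        self._listener.close()

    def transcript(self, direction: str) -> bytes:
        """All bytes seen in one direction, in order, however recv() chunked them."""
        with self._lock:
            return b"".join(chunk for d, chunk in self.log if d == direction)


def hexdump(entry: LogEntry) -> str:
    """socat -x style line: a direction marker followed by the bytes as hex pairs."""
    direction, chunk = entry
    return ("> " if direction == "c->s" else "< ") + " ".join(f"{b:02x}" for b in chunk)


def serve_upper_once(listener: socket.socket) -> None:
    """Constructed stand-in for the real service: answers each chunk upper-cased."""
    conn, _ = listener.accept()
    with conn:
        while True:
            data = conn.recv(65536)
            if not data:
                break
            conn.sendall(data.upper())
    listener.close()


def demo() -> Dict[str, bytes]:
    tmp = tempfile.mkdtemp()
    real_path = os.path.join(tmp, "real.sock")  # where the real service listens
    mitm_path = os.path.join(tmp, "mitm.sock")  # where the client is pointed instead
    real = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    real.bind(real_path)
    real.listen(1)
    threading.Thread(target=serve_upper_once, args=(real,), daemon=True).start()
    mitm = UnixSocketMitm(mitm_path, real_path)
    relay = threading.Thread(target=mitm.serve_one, daemon=True)
    relay.start()

    message = b"hello via the relay"  # constructed sample traffic
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.connect(mitm_path)
    client.sendall(message)
    reply = b""
    while len(reply) < len(message):  # the reply is exactly as long as the request
        part = client.recv(65536)
        if not part:
            break
        reply += part
    client.shutdown(socket.SHUT_WR)  # EOF travels client -> relay -> service and back
    client.close()
    relay.join(timeout=5)
    mitm.close()
    for entry in mitm.log:
        print(hexdump(entry))
    return {"reply": reply, "c->s": mitm.transcript("c->s"), "s->c": mitm.transcript("s->c")}


if __name__ == "__main__":
    demo()
```

The relay only sees traffic from clients that are told to use its path, so for a real service you would bind the relay on the path the client expects and move the service (or connect the relay) to the service's actual socket. Before reaching for a relay at all, note that `strace -f` follows every thread of the traced process, which covers the multi-threaded case the answer suspects.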