Linux – How to ‘strace’ a unix domain socket

Tags: linux-kernel, socket, strace

Kind of hard to explain, but I noticed that when stracing the PID that has the socket open I cannot see any of the communication. How can I sit in the middle of a socket file to watch communication?

Best Answer

Sockets are a kernel API for communication. Using the socket API, you can exchange data between two endpoints over TCP/IP connections, SCTP associations, UDP datagrams, or between two processes (datagram or connection) using Unix domain sockets...

Being a kernel API, any interaction with a socket is via system calls (socket, bind, connect, listen, accept, sendmsg, send, recv, write/read...).

So typically, strace will be able to trace those because strace traces system calls. The only communication mechanism that strace can't trace is IPC over shared memory (because reading/writing something in memory obviously doesn't involve a system call).

More likely, in your case, it's something else. My bet would be that the application is multi-threaded and you're not stracing the right thread. Or it could be that the application is setuid/setgid and not started as superuser.

If you want to strace what's being exchanged over Unix domain sockets, the options are:

  • strace and other ptrace debuggers (trace the server or the clients)
  • The audit system (auditd/auditctl), which again traces the system calls
  • use an LD_PRELOAD trick to wrap the system calls that interact with the socket
  • instrument the code of the application to add logging there.
  • systemtap and other low level kernel tracing/debugging systems as already mentioned
  • insert a man in the middle.

For the MITM, you could for instance use socat. Here for a connection oriented Unix domain socket like for X11:

# listen on display :42 and relay every connection to the real server on :0,
# hex-dumping (-x) the data in both directions; fork handles several clients
socat -x unix-listen:/tmp/.X11-unix/X42,fork unix:/tmp/.X11-unix/X0
# socat stays in the foreground, so run the client from another terminal
DISPLAY=:42 xlogo

Then, you see the X11 traffic that xlogo and the X server exchange.
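The man-in-the-middle option from the answer above, written out as an added example (this is not code from the original post): a small proxy that does in Python what `socat -x unix-listen:...,fork unix:...` does. It listens on one Unix domain socket path, connects each client through to the real server's path, relays bytes both ways and records each chunk as a hex dump. The socket paths, the uppercasing "server" that stands in for the X server, and the `run_demo` driver are all constructed for the demo so it runs offline.

```python
"""Man-in-the-middle proxy for a Unix domain stream socket (added example).

Equivalent of: socat -x unix-listen:<listen_path>,fork unix:<target_path>
The listen/target paths and the upper-casing server are demo assumptions.
"""
from __future__ import annotations

import os
import socket
import tempfile
import threading


def hexdump_line(direction: str, data: bytes) -> str:
    """Format one relayed chunk like socat -x: direction marker, length, hex bytes."""
    return f"{direction} {len(data)} bytes: " + " ".join(f"{b:02x}" for b in data)


class UnixSocketMitm:
    """Listen on listen_path, forward every client to target_path, log both directions."""

    def __init__(self, listen_path: str, target_path: str) -> None:
        self.target_path = target_path
        self.log: list[str] = []          # one hexdump_line per relayed chunk
        self._lock = threading.Lock()
        self._listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._listener.bind(listen_path)  # clients are pointed at this path (like X42)
        self._listener.listen(5)
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self._listener.accept()
            except OSError:               # listener closed by stop()
                return
            # like socat's ,fork: one handler per client connection
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client: socket.socket) -> None:
        upstream = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        upstream.connect(self.target_path)  # the real server (like X0)
        pumps = [
            threading.Thread(target=self._pump, args=(client, upstream, ">"), daemon=True),
            threading.Thread(target=self._pump, args=(upstream, client, "<"), daemon=True),
        ]
        for t in pumps:
            t.start()
        for t in pumps:
            t.join()
        client.close()
        upstream.close()

    def _pump(self, src: socket.socket, dst: socket.socket, direction: str) -> None:
        """Copy src -> dst until EOF, logging each chunk before forwarding it."""
        while True:
            try:
                chunk = src.recv(4096)
            except OSError:
                chunk = b""
            if not chunk:
                break
            with self._lock:
                self.log.append(hexdump_line(direction, chunk))
            try:
                dst.sendall(chunk)
            except OSError:
                break
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate EOF so the other side finishes too
        except OSError:
            pass

    def stop(self) -> None:
        self._listener.close()


def start_upper_server(path: str) -> None:
    """Constructed stand-in for the real server: replies to each chunk upper-cased."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data.upper())
        srv.close()

    threading.Thread(target=serve, daemon=True).start()


def run_demo() -> tuple[bytes, list[str]]:
    """Client -> proxy -> server round trip; returns the reply and the proxy's hex log."""
    tmp = tempfile.mkdtemp()
    target = os.path.join(tmp, "real.sock")   # stands in for /tmp/.X11-unix/X0
    listen = os.path.join(tmp, "mitm.sock")   # stands in for /tmp/.X11-unix/X42
    start_upper_server(target)
    mitm = UnixSocketMitm(listen, target)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.connect(listen)                    # the client only ever sees the proxy path
    client.sendall(b"hello")                  # constructed sample traffic
    reply = client.recv(4096)
    client.close()
    mitm.stop()
    return reply, list(mitm.log)


if __name__ == "__main__":
    reply, log = run_demo()
    print("reply:", reply)
    print("\n".join(log))
```

The proxy only sees traffic from clients you point at its path, exactly like the socat command: anything still connecting to the original path goes straight to the server unseen. If you would rather keep using strace on the process itself, the flags worth checking first are `-f` (follow threads and children, which the answer's multi-threading guess calls for), `-s` with a larger value so the buffers passed to write/sendmsg are not truncated, and `-e trace=network` plus read/write to limit the output to the socket calls.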