
Ethereal-users: Re: [Ethereal-users] capture on Unix Sockets ?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: jim cromie <jcromie@xxxxxxxxxx>
Date: Mon, 25 Feb 2002 16:01:41 -0700
Guy Harris wrote:

> On Mon, Feb 25, 2002 at 02:51:56PM -0700, jim cromie wrote:
>
>> this is a long-shot
>> (it doesn't show up on capture interfaces list)
>> but..
>>
>> is there any way to capture Unix sockets or FIFOs ?
>
> No.  The reason why UNIX-domain sockets and FIFOs don't show up on
> capture interface lists is that there's no network interface involved,
> and libpcap can only capture on network interfaces.
>
>> if not, is it reasonable to write a small program to
>> open such for reading, and echo stuff to UDP packets ?
>
> You could perhaps do that - unfortunately, if your program reads from
> the UNIX-domain socket, it'll probably be the only program able to do
> so; if some other program is trying to read from the socket, they won't
> both be able to read the same message from the socket at the same time,
> as the first one to read it will get the message.
>
> Unless there's some provision in the kernel for the particular OS you're
> running for sniffing a UNIX-domain socket (i.e., passively reading from
> it, and seeing traffic in *both* directions, without affecting what the
> programs that are actively using the socket see), you probably won't be
> able to sniff the traffic even with such a program.


happily, I'm running Linux, so it is possible -

RECV(2)             Linux Programmer's Manual             RECV(2)

NAME
      recv, recvfrom, recvmsg - receive a message from a socket
...
       MSG_PEEK
              This flag causes the receive operation to return data from the
              beginning of the receive queue without removing that data from
              the queue. Thus, a subsequent receive call will return the same
              data.


actually, this sounds somewhat portable (but I don't have other Unix at hand to verify)

is this a decent candidate for a plug-in ?
can plugins have a GUI to control their activity ?
if so, I'll do a little digging..

so anyway, presuming I can peek and echo to UDP, would it make sense to send them to 127.0.0.2 ? they should still appear on lo, and be presumably filterable on src 127.0.0.2 (or is it dest in this case?).
I'm groping to try to ensure that such packets don't interfere
with other stuff.  High dest ports might be sufficient..

-jimc
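The MSG_PEEK behaviour quoted from recv(2) above, and the "peek and echo to UDP" idea, as an added C example; this is not code from the thread or from the Ethereal/Wireshark project. It builds a constructed UNIX-domain socketpair, peeks a message, then reads it for real to show that the peek left it queued, and forwards a copy as a UDP datagram to a destination of the poster's choosing (127.0.0.2 and port 40000 here are assumed values). One caveat worth keeping in mind: MSG_PEEK only acts on a socket descriptor the calling process already holds, so this covers the case where your own reader program wants to look without consuming, not the third-party passive sniffing Guy Harris describes.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed sample message standing in for traffic on a UNIX-domain socket. */
static const char SAMPLE_MSG[] = "hello over AF_UNIX";

/* Shows MSG_PEEK semantics on a UNIX-domain socketpair: a peek returns the
 * queued data without dequeuing it, so a plain recv afterwards returns the
 * very same bytes.  Returns 1 on that outcome, 0 if the semantics differ,
 * -1 on a syscall error. */
int peek_then_recv(void)
{
    int sv[2];
    char peeked[64], taken[64];
    ssize_t np, nt;

    /* SOCK_DGRAM keeps message boundaries, so one recv == one message. */
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;

    if (send(sv[0], SAMPLE_MSG, sizeof SAMPLE_MSG, 0) < 0)
        goto fail;

    memset(peeked, 0, sizeof peeked);
    memset(taken, 0, sizeof taken);
    np = recv(sv[1], peeked, sizeof peeked, MSG_PEEK); /* look, don't consume */
    nt = recv(sv[1], taken, sizeof taken, 0);          /* now consume it     */
    if (np < 0 || nt < 0)
        goto fail;

    close(sv[0]);
    close(sv[1]);
    return (np == nt && memcmp(peeked, taken, (size_t)np) == 0) ? 1 : 0;

fail:
    close(sv[0]);
    close(sv[1]);
    return -1;
}

/* Echoes one message as a UDP datagram to ip:port so that a capture on the
 * loopback interface can see it.  Returns the number of bytes sent, or -1
 * (including when ip is not a valid IPv4 address). */
ssize_t forward_to_udp(const char *ip, unsigned short port,
                       const void *buf, size_t len)
{
    struct sockaddr_in dst;
    ssize_t n;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);

    if (fd < 0)
        return -1;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &dst.sin_addr) != 1) {
        close(fd);
        return -1;
    }
    n = sendto(fd, buf, len, 0, (struct sockaddr *)&dst, sizeof dst);
    close(fd);
    return n;
}

int main(void)
{
    int ok = peek_then_recv();
    ssize_t n;

    printf("MSG_PEEK left the message in place: %s\n", ok == 1 ? "yes" : "no");
    /* Assumed destination: 127.0.0.2 port 40000, both chosen for this example. */
    n = forward_to_udp("127.0.0.2", 40000, SAMPLE_MSG, sizeof SAMPLE_MSG);
    printf("forwarded %zd bytes to 127.0.0.2/udp\n", n);
    return ok == 1 ? 0 : 1;
}
```

Because the forwarder sends *to* 127.0.0.2, the matching capture filter on lo is `udp and dst host 127.0.0.2` (the address is the destination, not the source), which answers the "src or dest" question in the post for this direction of echo.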