
Capturing traffic on Unix domain sockets

1. Using SystemTap

1.1 Tool download

https://sourceware.org/systemtap/ftp/releases/

2. Capturing Unix socket traffic

2.1 Capture with socat

# move the daemon's socket aside, then let socat take its place and relay to the original,
# hex-dumping (-x -v) everything that passes through
sudo mv /path/to/sock /path/to/sock.original
sudo socat -t100 -x -v UNIX-LISTEN:/path/to/sock,mode=777,reuseaddr,fork UNIX-CONNECT:/path/to/sock.original

2.2 Tracing with strace

# attach to every php5-fpm worker and log all syscalls (long string arguments) to /tmp/php.log
strace -s9999 -f $(for i in $( pidof php5-fpm ) ; do echo -n " -p $i "; done ) 2>&1 | tee /tmp/php.log
----------------------------------------------
$ # show the write() calls made by `docker images`, dumping the data written to fd 3
$ strace -e trace=write -e write=3 -v -s 1024 docker images 1>/dev/null

2.3 Capture through a TCP relay

# back up the socket
sudo mv /var/run/docker.sock /var/run/docker.sock.original

# use TCP port 8089 to proxy the original socket
sudo socat TCP-LISTEN:8089,reuseaddr,fork UNIX-CONNECT:/var/run/docker.sock.original

# recreate the socket path and proxy it to port 8089
sudo socat UNIX-LISTEN:/var/run/docker.sock,fork TCP-CONNECT:127.0.0.1:8089

# capture the relayed traffic on loopback
sudo tcpdump -i lo -netvv port 8089
$ # 1. find the socket file dockerd is listening on
$ lsof -p $(pgrep dockerd) | grep docker.sock
dockerd 16087 root 6u unix 0xffff9cec3aee4000 0t0 45084 /var/run/docker.sock type=STREAM
$ # 2. rename the original socket file
$ sudo mv /var/run/docker.sock{,.orig}
$ # 3. create the intermediate TCP socket and relay its traffic to the original socket
$ sudo socat TCP-LISTEN:8080,reuseaddr,fork UNIX-CONNECT:/var/run/docker.sock.orig &
$ # 4. recreate the original socket path and relay its traffic to the TCP port
$ sudo socat UNIX-LISTEN:/var/run/docker.sock,fork TCP-CONNECT:127.0.0.1:8080 &
$ # 5. capture on the intermediate TCP port with tcpdump
$ sudo tcpdump -i lo tcp port 8080 -XX
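As an added example (not part of the original post), here is a minimal Python version of the interposition socat performs above: the daemon's socket is renamed, a listener takes over its original path, and every chunk in each direction is logged before being relayed. The stand-in daemon, the socket names (demo.sock, demo.sock.original) and the temp dir are constructed for the example; it keeps the interposed socket at mode 0600 rather than the mode=777 used in 2.1, since a loosened mode on a socket such as docker.sock lets any local user reach the daemon.

```python
import os, socket, tempfile, threading

def _pump(src, dst, direction, log):
    """Relay src -> dst until EOF, appending every chunk to log tagged with direction."""
    while True:
        chunk = src.recv(65536)
        if not chunk:
            break
        log.append((direction, chunk))
        dst.sendall(chunk)
    try:
        dst.shutdown(socket.SHUT_WR)  # forward the half-close so the peer sees EOF
    except OSError:
        pass

def _listen(path, mode=0o600):
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mode)  # keep the interposed socket as tight as the original, not mode=777
    srv.listen(5)
    return srv

def sniff_one(srv, upstream_path, log):
    """Accept one client on srv and relay it to upstream_path, recording both directions."""
    client, _ = srv.accept()
    upstream = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    upstream.connect(upstream_path)  # the daemon's socket, now living under its renamed path
    t = threading.Thread(target=_pump, args=(client, upstream, "client->server", log))
    t.start()
    _pump(upstream, client, "server->client", log)
    t.join()
    for s in (client, upstream): s.close()

def _upper_echo(srv):  # stand-in for the real daemon, constructed for this demo
    conn, _ = srv.accept()
    conn.sendall(b"".join(iter(lambda: conn.recv(65536), b"")).upper())
    conn.close()

def capture_exchange(payload):
    """Interpose a proxy between a client and the demo daemon; return (captured log, client's reply)."""
    log, d = [], tempfile.mkdtemp()
    orig, sock = os.path.join(d, "demo.sock.original"), os.path.join(d, "demo.sock")
    threading.Thread(target=_upper_echo, args=(_listen(orig),), daemon=True).start()
    threading.Thread(target=sniff_one, args=(_listen(sock), orig, log), daemon=True).start()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(sock)  # the client still talks to the original path, unaware of the relay
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: c.recv(65536), b""))
    return log, reply
```

Calling `capture_exchange(b"ping")` returns the reply `b"PING"` together with a log holding the request and the response in order, which is exactly what `socat -x -v` prints in 2.1.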

2.4 python unixdump

sudo -H pip3 install unixdump
or
sudo python3 setup.py install
or
python3 setup.py bdist_wheel
sudo -H pip3 install ./dist/unixdump-*.whl

Usage:
sudo unixdump -b -s '/tmp/domain-socket'

3. gdb remote debugging over a Unix socket

# remote-debug over a unix socket; requires gdb version >= 9.0
gdb kernel
(gdb) target remote /tmp/gdb-socket
-----------------------------------
# remote-debug over udp
target remote udp:manyfarms:2828
4. golang unixdump

github.com/Gui774ume/unixdump
# build and install
make build
make install

References

https://plantegg.github.io/2018/01/01/通过tcpdump对Unix Socket 进行抓包解析/

http://graag.blogspot.com/2007/10/unix-socket-sniffer.html

https://pypi.org/project/unixdump/#:~:text="tcpdump for unix domain sockets" unixdump is a,filters for a wide range of filtering granularity.

https://kirk91.github.io/posts/e850c11/

https://qemu-project.gitlab.io/qemu/system/gdb.html

https://pkg.go.dev/github.com/Gui774ume/unixdump#section-readme

posted @ 2022-06-10 16:37  苍山落暮