* unix socket connection tracking
From: Lukasz Stelmach @ 2006-04-20 22:31 UTC (permalink / raw)
To: LKML; +Cc: Łukasz Stelmach
Greetings All.
I feel dumb as never so please enlighten me. Is there a way to find out which
process is on the other end of a unix socket pointed by a specified fd in a process.
Let's say that I have got a process gconfd-2. I've straced it and got:
writev(25, [{"GIOP\1\2\1\0\267\1\0\0", 12},....
now I look at lsof
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
gconfd-2 2282 jdoe 25u unix 0xc55a9380 4222 socket
and netstat
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 3 [ ] STREAM CONNECTED 4222 2282/gconfd-2
OK, fine when the gconfd-2 has written the data something's had to read it. I
ask: How can I find what has read the data? Forgive me if it's trivial but I
really find no way to learn it. Neither in /proc nor using some tools like above.
Best regards.
PS. please don't forget to CC.
--
It was a great pleasure. The Fourth Common Disaster, [...]
>Łukasz< No longer Catholic but thieving. (c)PP
* Re: unix socket connection tracking
From: Jan Engelhardt @ 2006-04-21 12:53 UTC (permalink / raw)
To: Lukasz Stelmach; +Cc: LKML
>I feel dumb as never so please enlighten me. Is there a way to find out which
>process is on the other end of a unix socket pointed by a specified fd in a process.
getpeer*()
Jan Engelhardt
--
* Re: unix socket connection tracking
From: Lukasz Stelmach @ 2006-04-21 13:35 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: LKML
Jan Engelhardt wrote:
>> I feel dumb as never so please enlighten me. Is there a way to find out which
>> process is on the other end of a unix socket pointed by a specified fd in a process.
>
> getpeer*()
getpeername(2) (that is the only man page I've got)
That's not exactly what I want. Or even exactly not what I want. I want to learn
about sockets from a third person perspective. I've got a process which I can
strace(1), but nothing more, and I want to know who it is talking to.
--
It was a great pleasure. The Fourth Common Disaster, [...]
>Łukasz< No longer Catholic but thieving. (c)PP
* Re: unix socket connection tracking
From: Jan Engelhardt @ 2006-04-21 14:12 UTC (permalink / raw)
To: Lukasz Stelmach; +Cc: LKML
>>> I feel dumb as never so please enlighten me. Is there a way to find out which
>>> process is on the other end of a unix socket pointed by a specified fd in a process.
>>
>> getpeer*()
>
>getpeername(2) (that is the only man page I've got)
>
Exactly. And if you do the same on another socket from another process, you
can match up what sockets are connected.
You always need to examine more than one process. (Unless the process talks
to itself.)
>That's not exactly what I want. Or even exactly not what I want. I want to learn
>about sockets from a third person perspective. I've got a process which I can
>strace(1), but nothing more, and I want to know who it is talking to.
>
Jan Engelhardt
--
* Re: unix socket connection tracking
From: Jan Engelhardt @ 2006-04-22 13:34 UTC (permalink / raw)
To: Lukasz Stelmach; +Cc: LKML
>>>>> I feel dumb as never so please enlighten me. Is there a way to find out which
>>>>> process is on the other end of a unix socket pointed by a specified fd in a process.
>>>> getpeer*()
>>> getpeername(2) (that is the only man page I've got)
>>>
>> Exactly. And if you do the same on another socket from another process, you
>> can match up what sockets are connected.
>> You always need to examine more than one process. (Unless the process talks
>> to itself.)
>
>But how can I examine a file-descriptor (socket) from within other process. Like
>this.
>
>A [fd:4]------[fd:6] B -+
>|                       |
>`---[ptrace] C [ptrace]-'
>
7315 pts/9 S+ 0:00 | \_ ssh jengelh@lo
3698 ? Ss 0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pid
7316 ? Ss 0:00 \_ sshd: jengelh [priv]
7320 ? S 0:00 \_ sshd: jengelh@pts/10
7321 pts/10 Ss 0:00 \_ -bash
Just look at all processes and logically connect them:
15:32 shanghai:/D/home/jengelh # l /proc/7315/fd
total 7
dr-x------ 2 root root 0 Apr 22 15:32 .
dr-xr-xr-x 5 root root 0 Apr 22 15:32 ..
lrwx------ 1 root root 64 Apr 22 15:32 0 -> /dev/pts/9
lrwx------ 1 root root 64 Apr 22 15:32 1 -> /dev/pts/9
lrwx------ 1 root root 64 Apr 22 15:32 2 -> /dev/pts/9
lrwx------ 1 root root 64 Apr 22 15:32 3 -> socket:[85928]
lrwx------ 1 root root 64 Apr 22 15:32 4 -> /dev/pts/9
lrwx------ 1 root root 64 Apr 22 15:32 5 -> /dev/pts/9
lrwx------ 1 root root 64 Apr 22 15:32 6 -> /dev/pts/9
15:33 shanghai:/D/home/jengelh # l /proc/7316/fd/
total 6
dr-x------ 2 root root 0 Apr 22 15:32 .
dr-xr-xr-x 5 root root 0 Apr 22 15:32 ..
lrwx------ 1 root root 64 Apr 22 15:32 0 -> /dev/null
lrwx------ 1 root root 64 Apr 22 15:33 1 -> /dev/null
lrwx------ 1 root root 64 Apr 22 15:33 2 -> /dev/null
lrwx------ 1 root root 64 Apr 22 15:33 3 -> socket:[85929]
lrwx------ 1 root root 64 Apr 22 15:33 4 -> /dev/ptmx
lrwx------ 1 root root 64 Apr 22 15:33 5 -> socket:[85959]
No need for ptrace. No need for getpeername() either, but it's useful to
get the real addresses of sockets.
Jan Engelhardt
--
* Re: unix socket connection tracking
From: Lukasz Stelmach @ 2006-04-23 9:37 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: LKML
Jan Engelhardt wrote:
>>>>>> I feel dumb as never so please enlighten me. Is there a way to find out which
>>>>>> process is on the other end of a unix socket pointed by a specified fd in a process.
>>>>> getpeer*()
>>>> getpeername(2) (that is the only man page I've got)
[...]
> Just look at all processes and logically connect them:
>
> 15:32 shanghai:/D/home/jengelh # l /proc/7315/fd
[...]
> 15:33 shanghai:/D/home/jengelh # l /proc/7316/fd/
[...]
> No need for ptrace. No need for getpeername() either, but it's useful to
> get the real addresses of sockets.
Please understand my situation. I've got GNOME running, gconfd-2 is a "registry"
management process that accepts connections through a unix domain socket (named
one) from many *unrelated* (child/parent) processes. In fact from most gnome
applications. I *do* strace it to see what it does. It does some write(2)s to
some sockets. I would like to know which socket leads where. Try to strace
gconfd-2 and you'll see what I mean.
For now James Cloos gave the best option, to look for a socket with an i-node
number adjacent (+-1) to the socket I know.
--
It was a great pleasure. The Fourth Common Disaster, [...]
>Łukasz< No longer Catholic but thieving. (c)PP
* Re: unix socket connection tracking
From: Jan Engelhardt @ 2006-04-23 17:38 UTC (permalink / raw)
To: Lukasz Stelmach; +Cc: LKML
>
>Please understand my situation. I've got GNOME running, gconfd-2 is a "registry"
>management process that accepts connections through a unix domain socket (named
>one) from many *unrelated* (child/parent) processes. In fact from most gnome
>applications. I *do* strace it to see what it does. It does some write(2)s to
>some sockets. I would like to know which socket leads where. Try to strace
>gconfd-2 and you'll see what I mean.
>
UNIX sockets do not necessarily have a path in the filesystem. In fact,
every socket object you see in the filesystem gets mapped to an object
within sockfs (which you can't mount). You recognize it as "[socket:147829]"
when looking in /proc/11249/fd/. You will never see /dev/log within
/proc/XX/fd.
You can look at the source of the `lsof` utility which does some socket
resolution.
lsof:
syslog-ng 3656 root 3u unix 0xdf70f5e0 6404 /dev/log
gconfd-2 11249 jengelh 14u unix 0xd4e4f1e0 147829 socket
Jan Engelhardt
--
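Added example, not part of any message in this thread: a sketch of the correlation discussed above, reading the socket:[inode] links under /proc/<pid>/fd for every process and then applying the "adjacent inode (+-1)" heuristic to list candidate peers. The function names and the sample tree are constructed for illustration; the sample reuses the PIDs and inode numbers from the listings above. Adjacency is only a hint (the two ends are often allocated back to back), not proof of a connection.

```python
import os
import re
import tempfile

SOCK_LINK = re.compile(r"^socket:\[(\d+)\]$")

def socket_owners(proc_root="/proc"):
    """Map socket inode -> [(pid, fd), ...] from <proc_root>/<pid>/fd symlinks."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:              # process exited, or fd dir not readable by us
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:          # fd closed between listdir and readlink
                continue
            m = SOCK_LINK.match(target)
            if m:
                owners.setdefault(int(m.group(1)), []).append((int(pid), int(fd)))
    return owners

def peer_candidates(pid, fd, proc_root="/proc"):
    """Heuristic: holders of inode-1 / inode+1 in other processes."""
    owners = socket_owners(proc_root)
    inode = next((i for i, hs in owners.items() if (pid, fd) in hs), None)
    if inode is None:                # fd is not a socket, or pid not visible
        return []
    return sorted((i, p, f) for i in (inode - 1, inode + 1)
                  for p, f in owners.get(i, []) if p != pid)

def build_sample_proc(root):
    """Constructed fixture: a fake /proc tree with dangling symlinks as fds."""
    layout = {7315: {0: "/dev/pts/9", 3: "socket:[85928]"},
              7316: {0: "/dev/null", 3: "socket:[85929]", 5: "socket:[85959]"}}
    for pid, fds in layout.items():
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        for fd, target in fds.items():
            os.symlink(target, os.path.join(fd_dir, str(fd)))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(peer_candidates(7315, 3, build_sample_proc(tmp)))
```

Run against the real /proc, this needs enough privilege to read other users' fd directories; unreadable processes are silently skipped, so a missing candidate does not mean there is no peer.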