Sniff the data passing through a Linux Process

Another way to identify what your application receives is to combine strace and lsof. This is particularly useful when you can't use tcpdump for some reason. Here's an example of how to do it on the OSSEC analysisd process.

lsof

Get the process you want to sniff on:

# ps aux|grep ossec
ossecm   25908  0.0  0.0  12672   592 ?        S    18:58   0:00 /var/ossec/bin/ossec-maild
root     25912  0.0  0.0  12552   572 ?        S    18:58   0:00 /var/ossec/bin/ossec-execd
ossec    25916 10.5  0.1  14356  2256 ?        S    18:58   1:07 /var/ossec/bin/ossec-analysisd
root     25921  0.0  0.0   4296   576 ?        S    18:58   0:00 /var/ossec/bin/ossec-logcollector
ossecr   25926  7.0  0.0  32028  1604 ?        Sl   18:58   0:45 /var/ossec/bin/ossec-remoted
root     25934  0.6  0.0   5556  1704 ?        S    18:58   0:03 /var/ossec/bin/ossec-syscheckd
ossec    25937  0.0  0.0  12804   592 ?        S    18:58   0:00 /var/ossec/bin/ossec-monitord

We want to dump the data read by ossec-analysisd, so pid 25916. We use lsof to list the file descriptors that this process holds:

# lsof -p 25916
COMMAND     PID  USER   FD   TYPE             DEVICE  SIZE/OFF     NODE NAME
ossec-ana 25916 ossec  cwd    DIR                8,1      4096   788089 /var/ossec
ossec-ana 25916 ossec  rtd    DIR                8,1      4096   788089 /var/ossec
ossec-ana 25916 ossec  txt    REG                8,1    417640   788207 /var/ossec/bin/ossec-analysisd
ossec-ana 25916 ossec  mem    REG                8,1     51712   654275 /lib/libnss_files-2.11.1.so
ossec-ana 25916 ossec  mem    REG                8,1     43552   654277 /lib/libnss_nis-2.11.1.so
ossec-ana 25916 ossec  mem    REG                8,1     97256   654272 /lib/libnsl-2.11.1.so
ossec-ana 25916 ossec  mem    REG                8,1     35712   654273 /lib/libnss_compat-2.11.1.so
ossec-ana 25916 ossec  mem    REG                8,1   1572232   654245 /lib/libc-2.11.1.so
ossec-ana 25916 ossec  mem    REG                8,1    136936   654235 /lib/ld-2.11.1.so
ossec-ana 25916 ossec    0u   CHR                1,3       0t0     5377 /dev/null
ossec-ana 25916 ossec    1u   CHR                1,3       0t0     5377 /dev/null
ossec-ana 25916 ossec    2u   CHR                1,3       0t0     5377 /dev/null
ossec-ana 25916 ossec    3u   CHR                1,3       0t0     5377 /dev/null
ossec-ana 25916 ossec    4u  unix 0xffff880037937a80       0t0 42545812 /queue/ossec/queue
ossec-ana 25916 ossec    5u   REG                8,1         0   788360 /var/ossec/queue/fts/hostinfo
ossec-ana 25916 ossec    6u   REG                8,1     27320   788361 /var/ossec/queue/fts/fts-queue
ossec-ana 25916 ossec    7u   REG                8,1         0   788362 /var/ossec/queue/fts/ig-queue
ossec-ana 25916 ossec    8w   REG                8,1         0   922505 /var/ossec/logs/archives/2012/Jul/ossec-archive-13.log
ossec-ana 25916 ossec    9w   REG                8,1   5643431   922497 /var/ossec/logs/alerts/2012/Jul/ossec-alerts-13.log
ossec-ana 25916 ossec   10w   REG                8,1 657336642   922506 /var/ossec/logs/firewall/2012/Jul/ossec-firewall-13.log
ossec-ana 25916 ossec   11u   REG                8,1   5442020   788723 /var/ossec/queue/syscheck/(10.1.2.3_s-spongebob1) 10.1.0.224->syscheck
ossec-ana 25916 ossec   12u   REG                8,1     19351   788600 /var/ossec/queue/rootcheck/rootcheck
ossec-ana 25916 ossec   13u   REG                8,1   5433253   789324 /var/ossec/queue/syscheck/syscheck
ossec-ana 25916 ossec   14u   REG                8,1      3314   788458 /var/ossec/queue/rootcheck/(10.1.4.5_s-s4) 10.1.3.9->rootcheck
[...]

If we want all of the events from the fts-queue, then we will point strace to file descriptor number 6.

strace

strace can dump pretty much anything from a running process. The following command traces read() system calls (-e trace=read) of process number 25916 (-p 25916) and requests a full hex and ASCII dump of the data read from file descriptor number 6 (-e read=6). Note that the trace lines themselves list every read() the process makes, whatever the descriptor (the capture below shows reads on descriptor 13); the data dump is added only for descriptor 6.

# strace -e trace=read -e read=6 -p 25916

Process 25916 attached - interrupt to quit
read(13, "+++23:41471:0:0:a365778432246739"..., 4096) = 4096
read(13, "226a50d0772fd46a !1340219738 /us"..., 4096) = 4096
read(13, "linux-gnu/4.4/include/cross-stda"..., 4096) = 4096
read(13, "ffe:03d018d455d297f8a5dc6f0429a9"..., 4096) = 4096
read(13, "9955:e8bcfa4cb602d8865c1547d73d7"..., 4096) = 4096
read(13, "inst\n+++15:41471:0:0:a8c3ad58e96"..., 4096) = 4096
read(13, "2681318fc811:f3ef9a412147efd1a7d"..., 4096) = 4096
read(13, "+14:41471:0:0:3caed8f84a328adf2a"..., 4096) = 4096
read(13, "o.60.0.1\n+++143066:33188:0:0:598"..., 4096) = 4096
read(13, "7adc632e8:c616407dbc94ac42032729"..., 4096) = 4096
read(13, "be54064514c0deecabe0aac !1340219"..., 4096) = 4096
[....]

With -x, non-ASCII characters are printed hexadecimal encoded.

By default, strace prints at most 32 characters of each string argument. If you want the full output, use -s 4096 (matching the 4096-byte reads above).

strace -e trace=read -e read=6 -p 25916 -q -r -x -s 4096

If the program you're sniffing spawns child processes or threads, you need to add the flag -f to tell strace to follow them as well.

strace -f -e trace=read -e read=6 -p 25916
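The whole procedure above (find the descriptor that belongs to a path, then build the matching strace command line) as an added shell example, not from the original page. Function names are ours, the sample lsof lines are a constructed copy of the output above, and the live /proc lookup assumes Linux with GNU readlink -f and permission to inspect the target process (same user or root).

```shell
#!/bin/sh
# Added example: map a path to the fd a process holds on it, then build the
# strace invocation that dumps what is read from that fd.

# Constructed sample of `lsof -p 25916` output (copied from the page above).
sample_lsof() {
    cat <<'EOF'
COMMAND     PID  USER   FD   TYPE             DEVICE  SIZE/OFF     NODE NAME
ossec-ana 25916 ossec  cwd    DIR                8,1      4096   788089 /var/ossec
ossec-ana 25916 ossec    0u   CHR                1,3       0t0     5377 /dev/null
ossec-ana 25916 ossec    4u  unix 0xffff880037937a80       0t0 42545812 /queue/ossec/queue
ossec-ana 25916 ossec    6u   REG                8,1     27320   788361 /var/ossec/queue/fts/fts-queue
ossec-ana 25916 ossec   13u   REG                8,1   5433253   789324 /var/ossec/queue/syscheck/syscheck
EOF
}

# Offline lookup from saved lsof output on stdin: match on the NAME at the end
# of the line (so names containing spaces still work) and keep only the numeric
# part of the FD column ("6u", "8w", "4uW" -> 6, 8, 4). Exits 1 if not found.
fd_from_lsof() {
    awk -v want="$1" '
        substr($0, length($0) - length(want) + 1) == want && match($4, /^[0-9]+/) {
            print substr($4, RSTART, RLENGTH); found = 1; exit
        }
        END { exit !found }'
}

# Live lookup without lsof: walk /proc/<pid>/fd and compare resolved targets.
fd_for_path() {
    fp_pid=$1; fp_want=$(readlink -f "$2")
    for fp_link in /proc/"$fp_pid"/fd/*; do
        [ -e "$fp_link" ] || continue
        if [ "$(readlink -f "$fp_link")" = "$fp_want" ]; then
            basename "$fp_link"; return 0
        fi
    done
    return 1
}

# Command line from the page: -f follows children, -q/-r quiet plus relative
# timestamps, -x hex-escapes non-ASCII, -s 4096 shows the full read buffer.
strace_cmd() {
    echo "strace -f -e trace=read -e read=$2 -p $1 -q -r -x -s 4096"
}

fd=$(sample_lsof | fd_from_lsof /var/ossec/queue/fts/fts-queue)
echo "fts-queue is fd $fd; as root run: $(strace_cmd 25916 "$fd")"
```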
en/ressources/astuces/process_sniffing.txt · Last modified: 2014/01/08 18:31 (external edit)
CC Attribution-Noncommercial-Share Alike 3.0 Unported