Sniff the data passing through a Linux Process
Another way to see what your application actually receives is to combine lsof and strace. This is particularly useful when you cannot run tcpdump for some reason. Here is an example of how to do it on the OSSEC analysisd process.
lsof
Get the process you want to sniff on:
# ps aux|grep ossec
ossecm   25908  0.0  0.0  12672   592 ?  S   18:58   0:00 /var/ossec/bin/ossec-maild
root     25912  0.0  0.0  12552   572 ?  S   18:58   0:00 /var/ossec/bin/ossec-execd
ossec    25916 10.5  0.1  14356  2256 ?  S   18:58   1:07 /var/ossec/bin/ossec-analysisd
root     25921  0.0  0.0   4296   576 ?  S   18:58   0:00 /var/ossec/bin/ossec-logcollector
ossecr   25926  7.0  0.0  32028  1604 ?  Sl  18:58   0:45 /var/ossec/bin/ossec-remoted
root     25934  0.6  0.0   5556  1704 ?  S   18:58   0:03 /var/ossec/bin/ossec-syscheckd
ossec    25937  0.0  0.0  12804   592 ?  S   18:58   0:00 /var/ossec/bin/ossec-monitord
We want to dump the traffic of ossec-analysisd, so pid 25916. We use lsof to list the file descriptors this process owns:
# lsof -p 25916
COMMAND    PID   USER FD   TYPE  DEVICE             SIZE/OFF  NODE     NAME
ossec-ana 25916 ossec cwd  DIR   8,1                4096      788089   /var/ossec
ossec-ana 25916 ossec rtd  DIR   8,1                4096      788089   /var/ossec
ossec-ana 25916 ossec txt  REG   8,1                417640    788207   /var/ossec/bin/ossec-analysisd
ossec-ana 25916 ossec mem  REG   8,1                51712     654275   /lib/libnss_files-2.11.1.so
ossec-ana 25916 ossec mem  REG   8,1                43552     654277   /lib/libnss_nis-2.11.1.so
ossec-ana 25916 ossec mem  REG   8,1                97256     654272   /lib/libnsl-2.11.1.so
ossec-ana 25916 ossec mem  REG   8,1                35712     654273   /lib/libnss_compat-2.11.1.so
ossec-ana 25916 ossec mem  REG   8,1                1572232   654245   /lib/libc-2.11.1.so
ossec-ana 25916 ossec mem  REG   8,1                136936    654235   /lib/ld-2.11.1.so
ossec-ana 25916 ossec 0u   CHR   1,3                0t0       5377     /dev/null
ossec-ana 25916 ossec 1u   CHR   1,3                0t0       5377     /dev/null
ossec-ana 25916 ossec 2u   CHR   1,3                0t0       5377     /dev/null
ossec-ana 25916 ossec 3u   CHR   1,3                0t0       5377     /dev/null
ossec-ana 25916 ossec 4u   unix  0xffff880037937a80 0t0       42545812 /queue/ossec/queue
ossec-ana 25916 ossec 5u   REG   8,1                0         788360   /var/ossec/queue/fts/hostinfo
ossec-ana 25916 ossec 6u   REG   8,1                27320     788361   /var/ossec/queue/fts/fts-queue
ossec-ana 25916 ossec 7u   REG   8,1                0         788362   /var/ossec/queue/fts/ig-queue
ossec-ana 25916 ossec 8w   REG   8,1                0         922505   /var/ossec/logs/archives/2012/Jul/ossec-archive-13.log
ossec-ana 25916 ossec 9w   REG   8,1                5643431   922497   /var/ossec/logs/alerts/2012/Jul/ossec-alerts-13.log
ossec-ana 25916 ossec 10w  REG   8,1                657336642 922506   /var/ossec/logs/firewall/2012/Jul/ossec-firewall-13.log
ossec-ana 25916 ossec 11u  REG   8,1                5442020   788723   /var/ossec/queue/syscheck/(10.1.2.3_s-spongebob1) 10.1.0.224->syscheck
ossec-ana 25916 ossec 12u  REG   8,1                19351     788600   /var/ossec/queue/rootcheck/rootcheck
ossec-ana 25916 ossec 13u  REG   8,1                5433253   789324   /var/ossec/queue/syscheck/syscheck
ossec-ana 25916 ossec 14u  REG   8,1                3314      788458   /var/ossec/queue/rootcheck/(10.1.4.5_s-s4) 10.1.3.9->rootcheck
[...]
If we want all of the events from the fts-queue, we point strace at file descriptor number 6.
strace
strace can dump pretty much anything from a running process. The following command traces read() system calls (-e trace=read) of process number 25916 (-p 25916) and dumps the data read from file descriptor number 6 (-e read=6).
# strace -e trace=read -e read=6 -p 25916
Process 25916 attached - interrupt to quit
read(13, "+++23:41471:0:0:a365778432246739"..., 4096) = 4096
read(13, "226a50d0772fd46a !1340219738 /us"..., 4096) = 4096
read(13, "linux-gnu/4.4/include/cross-stda"..., 4096) = 4096
read(13, "ffe:03d018d455d297f8a5dc6f0429a9"..., 4096) = 4096
read(13, "9955:e8bcfa4cb602d8865c1547d73d7"..., 4096) = 4096
read(13, "inst\n+++15:41471:0:0:a8c3ad58e96"..., 4096) = 4096
read(13, "2681318fc811:f3ef9a412147efd1a7d"..., 4096) = 4096
read(13, "+14:41471:0:0:3caed8f84a328adf2a"..., 4096) = 4096
read(13, "o.60.0.1\n+++143066:33188:0:0:598"..., 4096) = 4096
read(13, "7adc632e8:c616407dbc94ac42032729"..., 4096) = 4096
read(13, "be54064514c0deecabe0aac !1340219"..., 4096) = 4096
[....]
Non-ASCII characters are hexadecimal-encoded.
By default, strace truncates each printed string to 32 characters. If you want the full buffer, use -s 4096.
strace -e trace=read -e read=6 -p 25916 -q -r -x -s 4096
If you are sniffing a program that spawns multiple threads, add the -f flag so that strace follows them as well.
strace -f -e trace=read
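As an added example (not part of the original post), here is a small shell script that automates the three steps above on Linux: it finds the pid by process name with pgrep, resolves the fd number for a given path by reading /proc/<pid>/fd instead of lsof, and prints the strace command with the flags used above. The function names, and the choice of pgrep and /proc, are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes Linux (/proc), a POSIX
# shell, and pgrep/strace in PATH when the printed command is actually run.

# Print the pid(s) whose command line matches the given name.
pid_of() {
    pgrep -f "$1"
}

# Print the fd number under which pid $1 holds the file $2 open, by walking
# /proc/<pid>/fd. This is the same information lsof -p shows in its FD column.
fd_for_path() {
    pid="$1"
    want=$(readlink -f "$2") || return 1
    for link in /proc/"$pid"/fd/*; do
        # readlink fails (empty output) if the fd was closed meanwhile
        if [ "$(readlink "$link" 2>/dev/null)" = "$want" ]; then
            echo "${link##*/}"
            return 0
        fi
    done
    return 1
}

# Assemble the strace invocation from the page: trace read() calls of the pid,
# dump data read from the chosen fd in hex, full 4096-byte buffers, and follow
# threads/children when the third argument is 1.
strace_cmd() {
    pid="$1"; fd="$2"; follow="${3:-0}"
    cmd="strace"
    [ "$follow" = 1 ] && cmd="$cmd -f"
    echo "$cmd -q -r -x -s 4096 -e trace=read -e read=$fd -p $pid"
}

# Usage: sniff_fd <process-name> <path> [follow]
# e.g. sniff_fd ossec-analysisd /var/ossec/queue/fts/fts-queue
sniff_fd() {
    pid=$(pid_of "$1" | head -n 1)
    [ -n "$pid" ] || { echo "no process matching $1" >&2; return 1; }
    fd=$(fd_for_path "$pid" "$2") || { echo "$2 not open in pid $pid" >&2; return 1; }
    strace_cmd "$pid" "$fd" "$3"
}
```

The script only prints the command, so you can review it before running it as root against the target process.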