en:ressources:astuces:process_sniffing (2014/01/08 17:31)

====== Sniff the data passing through a Linux process ======

Another way to identify what your application actually receives is to use **strace** and **lsof**. This is particularly useful if you can't use **tcpdump** for some reason, for example because the data never crosses a network interface: in the case below it arrives through local files and a Unix socket. Here's an example of how to do it on the OSSEC **analysisd** process.

===== lsof =====

Get the process you want to sniff on:
<code>
# ps aux|grep ossec
ossecm   25908  0.0  0.0  12672   592 ?        S    18:58   0:00 /var/ossec/bin/ossec-maild
root     25912  0.0  0.0  12552   572 ?        S    18:58   0:00 /var/ossec/bin/ossec-execd
ossec    25916 10.5  0.1  14356  2256 ?        S    18:58   1:07 /var/ossec/bin/ossec-analysisd
root     25921  0.0  0.0   4296   576 ?        S    18:58   0:00 /var/ossec/bin/ossec-logcollector
ossecr   25926  7.0  0.0  32028  1604 ?        Sl   18:58   0:45 /var/ossec/bin/ossec-remoted
root     25934  0.6  0.0   5556  1704 ?        S    18:58   0:03 /var/ossec/bin/ossec-syscheckd
ossec    25937  0.0  0.0  12804   592 ?        S    18:58   0:00 /var/ossec/bin/ossec-monitord
</code>

We want to dump what **ossec-analysisd** reads, so pid **25916**. We use **lsof** to list the file descriptors that this process has open:

<code>
# lsof -p 25916
COMMAND     PID  USER   FD   TYPE             DEVICE  SIZE/OFF     NODE NAME
ossec-ana 25916 ossec  cwd    DIR                8,1      4096   788089 /var/ossec
ossec-ana 25916 ossec  rtd    DIR                8,1      4096   788089 /var/ossec
ossec-ana 25916 ossec  txt    REG                8,1    417640   788207 /var/ossec/bin/ossec-analysisd
ossec-ana 25916 ossec  mem    REG                8,1     51712   654275 /lib/libnss_files-2.11.1.so
ossec-ana 25916 ossec  mem    REG                8,1     43552   654277 /lib/libnss_nis-2.11.1.so
ossec-ana 25916 ossec  mem    REG                8,1     97256   654272 /lib/libnsl-2.11.1.so
ossec-ana 25916 ossec  mem    REG                8,1     35712   654273 /lib/libnss_compat-2.11.1.so
ossec-ana 25916 ossec  mem    REG                8,1   1572232   654245 /lib/libc-2.11.1.so
ossec-ana 25916 ossec  mem    REG                8,1    136936   654235 /lib/ld-2.11.1.so
ossec-ana 25916 ossec    0u   CHR                1,3       0t0     5377 /dev/null
ossec-ana 25916 ossec    1u   CHR                1,3       0t0     5377 /dev/null
ossec-ana 25916 ossec    2u   CHR                1,3       0t0     5377 /dev/null
ossec-ana 25916 ossec    3u   CHR                1,3       0t0     5377 /dev/null
ossec-ana 25916 ossec    4u  unix 0xffff880037937a80       0t0 42545812 /queue/ossec/queue
ossec-ana 25916 ossec    5u   REG                8,1         0   788360 /var/ossec/queue/fts/hostinfo
ossec-ana 25916 ossec    6u   REG                8,1     27320   788361 /var/ossec/queue/fts/fts-queue
ossec-ana 25916 ossec    7u   REG                8,1         0   788362 /var/ossec/queue/fts/ig-queue
ossec-ana 25916 ossec    8w   REG                8,1         0   922505 /var/ossec/logs/archives/2012/Jul/ossec-archive-13.log
ossec-ana 25916 ossec    9w   REG                8,1   5643431   922497 /var/ossec/logs/alerts/2012/Jul/ossec-alerts-13.log
ossec-ana 25916 ossec   10w   REG                8,1 657336642   922506 /var/ossec/logs/firewall/2012/Jul/ossec-firewall-13.log
ossec-ana 25916 ossec   11u   REG                8,1   5442020   788723 /var/ossec/queue/syscheck/(10.1.2.3_s-spongebob1) 10.1.0.224->syscheck
ossec-ana 25916 ossec   12u   REG                8,1     19351   788600 /var/ossec/queue/rootcheck/rootcheck
ossec-ana 25916 ossec   13u   REG                8,1   5433253   789324 /var/ossec/queue/syscheck/syscheck
ossec-ana 25916 ossec   14u   REG                8,1      3314   788458 /var/ossec/queue/rootcheck/(10.1.4.5_s-s4) 10.1.3.9->rootcheck
[...]
</code>

If we want all of the events from the **fts-queue**, then we will point strace at file descriptor number **6**. The letter after the number in the **FD** column is the access mode: **u** is open for reading and writing, **r** read-only, **w** write-only. Descriptors 8, 9 and 10 (the archive, alert and firewall logs) are only ever written by this process, so a read trace on them would show nothing. The same table can be had without lsof from **ls -l /proc/25916/fd**.

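As an added example (not code from the original page or from OSSEC), here is the same lookup done straight against /proc, which is where lsof gets this information: the symlinks in /proc/<pid>/fd give the target of every descriptor and the flags line in /proc/<pid>/fdinfo/<fd> gives the r/w/u mode. The fake /proc tree built by build_fake_procfs() is constructed from the lsof listing above so the code runs offline; for a live process point the functions at the real /proc (the script name in the usage comment is assumed).

```python
import os
import tempfile
from pathlib import Path

# Low two bits of the open flags (O_ACCMODE): what lsof shows as r, w or u.
_ACCMODE = {0: "r", 1: "w", 2: "u"}


def fd_table(pid, procfs="/proc"):
    """Return {fd: (target, mode)} for every descriptor `pid` has open.

    Targets are the symlink targets in /proc/<pid>/fd, e.g.
    '/var/ossec/queue/fts/fts-queue', 'socket:[42545812]' or '/dev/null';
    mode comes from the 'flags:' line of /proc/<pid>/fdinfo/<fd>. Reading
    another user's /proc/<pid>/fd needs the same ptrace permission that
    'strace -p' does.
    """
    base = Path(procfs) / str(pid)
    table = {}
    for entry in (base / "fd").iterdir():
        if not entry.name.isdigit():
            continue
        try:
            target = os.readlink(entry)
            flags = 0
            for line in (base / "fdinfo" / entry.name).read_text().splitlines():
                if line.startswith("flags:"):
                    flags = int(line.split()[1], 8)  # the kernel prints them in octal
        except FileNotFoundError:
            continue  # the descriptor was closed between listing and reading it
        table[int(entry.name)] = (target, _ACCMODE.get(flags & 3, "?"))
    return dict(sorted(table.items()))


def fds_for(pid, target, procfs="/proc"):
    """Descriptors whose target is exactly `target`, or, when `target` is an
    inode number, the socket or pipe with that inode (lsof's NODE column)."""
    return [fd for fd, (tgt, _mode) in fd_table(pid, procfs).items()
            if tgt == target or tgt.endswith(f":[{target}]")]


def build_fake_procfs(pid=25916):
    """Constructed stand-in for /proc (a temporary directory), modelled on the
    lsof listing above so the functions can be exercised without a live
    ossec-analysisd. Real use points the functions at /proc instead."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    base = Path(root) / str(pid)
    (base / "fd").mkdir(parents=True)
    (base / "fdinfo").mkdir()
    descriptors = {  # fd: (target, open flags) e.g. O_LARGEFILE|O_RDWR, O_LARGEFILE|O_APPEND|O_WRONLY
        0: ("/dev/null", 0o100002),
        4: ("socket:[42545812]", 0o2),
        6: ("/var/ossec/queue/fts/fts-queue", 0o100002),
        9: ("/var/ossec/logs/alerts/2012/Jul/ossec-alerts-13.log", 0o102001),
    }
    for fd, (target, flags) in descriptors.items():
        os.symlink(target, base / "fd" / str(fd))
        (base / "fdinfo" / str(fd)).write_text(f"pos:\t0\nflags:\t0{flags:o}\nmnt_id:\t21\n")
    return root


if __name__ == "__main__":
    import sys
    # usage: python3 fdtable.py <pid> [<path-or-inode>]   (script name assumed);
    # with no arguments it walks the constructed fake tree.
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else 25916
    procfs = "/proc" if len(sys.argv) > 1 else build_fake_procfs(pid)
    if len(sys.argv) > 2:
        print(fds_for(pid, sys.argv[2], procfs))
    else:
        for fd, (target, mode) in fd_table(pid, procfs).items():
            print(f"{fd:>4}{mode}  {target}")
```

The inode match is what you need for the Unix socket on fd 4: /proc only shows it as socket:[42545812], and that inode is what lsof prints in the NODE column and what **ss -xp** reports for the peer.
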
===== strace =====

**strace** can show pretty much every system call a running process makes, arguments included. The following command attaches to process 25916 (**-p 25916**) and prints only **read(2)** calls (**-e trace=read**); **-e read=6** additionally asks for a full hexadecimal and ASCII dump of all data read from file descriptor 6. Note that **-e read=6** is not a filter: reads on the other descriptors still appear as one-line summaries, which is why the excerpt below consists of reads on fd 13 (the **syscheck** database in the lsof listing) and contains no dump block. To see only one descriptor, pipe the output through **grep 'read(6,'**. Attaching needs ptrace rights on the target (root, or the same uid subject to the kernel's ptrace restrictions), and every traced call stops the process briefly, so expect it to slow down while strace is attached.

<code>
# strace -e trace=read -e read=6 -p 25916

Process 25916 attached - interrupt to quit
read(13, "+++23:41471:0:0:a365778432246739"..., 4096) = 4096
read(13, "226a50d0772fd46a !1340219738 /us"..., 4096) = 4096
read(13, "linux-gnu/4.4/include/cross-stda"..., 4096) = 4096
read(13, "ffe:03d018d455d297f8a5dc6f0429a9"..., 4096) = 4096
read(13, "9955:e8bcfa4cb602d8865c1547d73d7"..., 4096) = 4096
read(13, "inst\n+++15:41471:0:0:a8c3ad58e96"..., 4096) = 4096
read(13, "2681318fc811:f3ef9a412147efd1a7d"..., 4096) = 4096
read(13, "+14:41471:0:0:3caed8f84a328adf2a"..., 4096) = 4096
read(13, "o.60.0.1\n+++143066:33188:0:0:598"..., 4096) = 4096
read(13, "7adc632e8:c616407dbc94ac42032729"..., 4096) = 4096
read(13, "be54064514c0deecabe0aac !1340219"..., 4096) = 4096
[....]
</code>

By default strace prints non-printable bytes as C-style escapes: **\n**, **\t** and so on, anything else as octal (**\177**). With **-x** non-ASCII bytes are printed as hex (**\xNN**) instead, and with **-xx** every byte is, which is the easiest form to decode afterwards.

By default each string argument is cut at 32 bytes and the closing quote is followed by **...** to show that it was truncated, as on every line above. If you want the full buffer, raise the limit with **-s 4096** (match it to the read size, the third argument of **read**, 4096 here). **-q** drops the attach/detach messages and **-r** prefixes each call with the time elapsed since the previous one:

<code>
# strace -e trace=read -e read=6 -p 25916 -q -r -x -s 4096
</code>

If the program you're tracing forks children or runs several threads, add **-f** so that strace follows them; otherwise the reads done by the other tasks are simply missing from the trace. With **-f** every line is prefixed with the task that made the call (**[pid 25916]**), and a call interrupted by another task is split into an **<unfinished ...>** line and a later **<... read resumed>** line. Note also that **-e trace=read** only catches **read(2)**: data arriving on a socket (such as the Unix socket on fd 4) may come in through **recvfrom(2)** or **recvmsg(2)** instead, so widen the filter to **-e trace=read,recvfrom,recvmsg** in that case. strace writes the trace to stderr; use **-o /tmp/analysisd.trace** to save it to a file for later processing.

<code>
# strace -f -e trace=read -p 25916
</code>
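
Added example, not code from the original page or from strace itself: a small Python filter that takes strace output as produced by the commands above (with or without **-f** and **-r**) and reassembles the bytes read from one descriptor, decoding strace's octal and **\x** escapes and counting the reads that strace truncated because **-s** was too small. The sample trace embedded in it is constructed, modelled on the output above; the hex-dump line is what **-e read=6** adds and is skipped by the filter, and the script name in the usage comment is assumed.

```python
import re
from typing import Iterator, NamedTuple, Optional


class ReadEvent(NamedTuple):
    pid: Optional[int]   # task from the "[pid N]" prefix strace -f adds, else None
    fd: int
    data: bytes          # the bytes strace showed (at most -s of them)
    nbytes: int          # return value of read(2)
    truncated: bool      # strace cut the buffer short: raise -s and trace again


# One successful read(2) line as strace prints it, with the optional "[pid N]"
# prefix of -f and the optional timestamp of -r/-t/-tt in front. Failed reads
# print the buffer address instead of a string and therefore never match.
READ_RE = re.compile(
    r"^\s*(?:\[pid\s+(?P<pid>\d+)\]\s*)?"
    r"(?:[\d:.]+\s+)?"
    r"read\((?P<fd>\d+),\s*"
    r'"(?P<body>(?:[^"\\]|\\.)*)"(?P<dots>\.\.\.)?'
    r",\s*\d+\)\s*=\s*(?P<ret>-?\d+)"
)

_SIMPLE_ESCAPES = {"n": b"\n", "t": b"\t", "r": b"\r", "v": b"\v", "f": b"\f",
                   "a": b"\a", "b": b"\b", "\\": b"\\", '"': b'"'}


def decode_strace_string(body):
    """Turn the text between the quotes back into bytes: C escapes, octal
    \\ooo (1 to 3 digits) by default, \\xNN with -x/-xx."""
    out = bytearray()
    i = 0
    while i < len(body):
        if body[i] != "\\":
            out.append(ord(body[i]))
            i += 1
            continue
        esc = body[i + 1]  # READ_RE guarantees a backslash is never the last char
        if esc == "x":
            out.append(int(body[i + 2:i + 4], 16))
            i += 4
        elif esc in "01234567":
            j = i + 1
            while j < len(body) and j - i <= 3 and body[j] in "01234567":
                j += 1
            out.append(int(body[i + 1:j], 8))
            i = j
        else:
            out += _SIMPLE_ESCAPES.get(esc, esc.encode("latin-1"))
            i += 2
    return bytes(out)


def parse_reads(lines, fd=None):
    """Yield one ReadEvent per successful read(2) line, optionally only for `fd`."""
    for line in lines:
        m = READ_RE.match(line)
        if not m or (fd is not None and int(m["fd"]) != fd):
            continue
        data = decode_strace_string(m["body"])
        ret = int(m["ret"])
        yield ReadEvent(pid=int(m["pid"]) if m["pid"] else None, fd=int(m["fd"]),
                        data=data, nbytes=ret,
                        truncated=bool(m["dots"]) or len(data) < ret)


def reassemble(lines, fd):
    """Concatenate everything read from `fd`; also return how many reads strace
    truncated, because a non-zero count means the stream has holes in it."""
    data, lost = bytearray(), 0
    for ev in parse_reads(lines, fd):
        data += ev.data
        lost += ev.truncated
    return bytes(data), lost


# Constructed sample, modelled on the trace above: default -s (truncated fd 13
# read), a dump line from -e read=6, an -f/-r prefixed line, EOF and a failed read.
SAMPLE_TRACE = r"""Process 25916 attached - interrupt to quit
read(13, "+++23:41471:0:0:a365778432246739"..., 4096) = 4096
read(6, "!1340219738 /usr/bin/passwd\n", 4096) = 28
 | 00000  21 31 33 34 30 32 31 39  37 33 38 20 2f 75 73 72  !1340219738 /usr |
[pid 25916]      0.000120 read(6, "\x00\x01\xff\tend\n", 4096) = 8
read(6, "", 4096) = 0
read(13, 0x7f3a5c0e1000, 4096) = -1 EAGAIN (Resource temporarily unavailable)
"""

if __name__ == "__main__":
    import sys
    # usage: strace ... -o trace.log; python3 reassemble.py 6 < trace.log > fd6.bin
    data, lost = reassemble(sys.stdin, int(sys.argv[1]))
    sys.stdout.buffer.write(data)
    if lost:
        print(f"warning: {lost} read(s) truncated by strace, rerun with a larger -s", file=sys.stderr)
```

Run strace with **-q -x -s 4096 -o /tmp/analysisd.trace** (or **2>&1**, since the trace goes to stderr) and feed the file to the script with the descriptor number; the warning on stderr tells you when the reconstructed stream is incomplete. Calls split by **-f** into **<unfinished ...>** / **<... read resumed>** pairs are not reassembled by this filter.
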
CC Attribution-Share Alike 4.0 International