====== Sniff the data passing through a Linux Process ======
Another way to identify what is received by your application is to use **strace** and **lsof**. This is particularly useful if you can't run tcpdump for some reason (for example when the data arrives over a Unix socket or a local file rather than the network). Here's an example of how to do it on the OSSEC analysisd process.
===== lsof =====
Get the process you want to sniff on:
<code>
# ps aux|grep ossec
ossecm 25908 0.0 0.0 12672 592 ? S 18:58 0:00 /var/ossec/bin/ossec-maild
root 25912 0.0 0.0 12552 572 ? S 18:58 0:00 /var/ossec/bin/ossec-execd
ossec 25916 10.5 0.1 14356 2256 ? S 18:58 1:07 /var/ossec/bin/ossec-analysisd
root 25921 0.0 0.0 4296 576 ? S 18:58 0:00 /var/ossec/bin/ossec-logcollector
ossecr 25926 7.0 0.0 32028 1604 ? Sl 18:58 0:45 /var/ossec/bin/ossec-remoted
root 25934 0.6 0.0 5556 1704 ? S 18:58 0:03 /var/ossec/bin/ossec-syscheckd
ossec 25937 0.0 0.0 12804 592 ? S 18:58 0:00 /var/ossec/bin/ossec-monitord
</code>
We want to dump the data read by **ossec-analysisd**, so pid **25916**. We use **lsof** to list the file descriptors that this process has open:
<code>
# lsof -p 25916
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ossec-ana 25916 ossec cwd DIR 8,1 4096 788089 /var/ossec
ossec-ana 25916 ossec rtd DIR 8,1 4096 788089 /var/ossec
ossec-ana 25916 ossec txt REG 8,1 417640 788207 /var/ossec/bin/ossec-analysisd
ossec-ana 25916 ossec mem REG 8,1 51712 654275 /lib/libnss_files-2.11.1.so
ossec-ana 25916 ossec mem REG 8,1 43552 654277 /lib/libnss_nis-2.11.1.so
ossec-ana 25916 ossec mem REG 8,1 97256 654272 /lib/libnsl-2.11.1.so
ossec-ana 25916 ossec mem REG 8,1 35712 654273 /lib/libnss_compat-2.11.1.so
ossec-ana 25916 ossec mem REG 8,1 1572232 654245 /lib/libc-2.11.1.so
ossec-ana 25916 ossec mem REG 8,1 136936 654235 /lib/ld-2.11.1.so
ossec-ana 25916 ossec 0u CHR 1,3 0t0 5377 /dev/null
ossec-ana 25916 ossec 1u CHR 1,3 0t0 5377 /dev/null
ossec-ana 25916 ossec 2u CHR 1,3 0t0 5377 /dev/null
ossec-ana 25916 ossec 3u CHR 1,3 0t0 5377 /dev/null
ossec-ana 25916 ossec 4u unix 0xffff880037937a80 0t0 42545812 /queue/ossec/queue
ossec-ana 25916 ossec 5u REG 8,1 0 788360 /var/ossec/queue/fts/hostinfo
ossec-ana 25916 ossec 6u REG 8,1 27320 788361 /var/ossec/queue/fts/fts-queue
ossec-ana 25916 ossec 7u REG 8,1 0 788362 /var/ossec/queue/fts/ig-queue
ossec-ana 25916 ossec 8w REG 8,1 0 922505 /var/ossec/logs/archives/2012/Jul/ossec-archive-13.log
ossec-ana 25916 ossec 9w REG 8,1 5643431 922497 /var/ossec/logs/alerts/2012/Jul/ossec-alerts-13.log
ossec-ana 25916 ossec 10w REG 8,1 657336642 922506 /var/ossec/logs/firewall/2012/Jul/ossec-firewall-13.log
ossec-ana 25916 ossec 11u REG 8,1 5442020 788723 /var/ossec/queue/syscheck/(10.1.2.3_s-spongebob1) 10.1.0.224->syscheck
ossec-ana 25916 ossec 12u REG 8,1 19351 788600 /var/ossec/queue/rootcheck/rootcheck
ossec-ana 25916 ossec 13u REG 8,1 5433253 789324 /var/ossec/queue/syscheck/syscheck
ossec-ana 25916 ossec 14u REG 8,1 3314 788458 /var/ossec/queue/rootcheck/(10.1.4.5_s-s4) 10.1.3.9->rootcheck
[...]
</code>
If we want all of the events from the **fts-queue**, then we will point strace to file descriptor number **6**.
===== strace =====
**strace** can dump pretty much anything from a running process. The following command attaches to process number 25916 (**-p 25916**), traces only read() system calls (**-e trace=read**) and asks for a full dump of the data read from file descriptor number 6 (**-e read=6**). Note that **-e read=6** does not restrict the trace to that descriptor: every read() is still shown, which is why the output below also contains reads on fd 13. To see only the fts-queue reads, filter the output on ''read(6,'' or, with a strace that supports it, use **-P /var/ossec/queue/fts/fts-queue** to trace only the system calls that touch that path.
<code>
# strace -e trace=read -e read=6 -p 25916
Process 25916 attached - interrupt to quit
read(13, "+++23:41471:0:0:a365778432246739"..., 4096) = 4096
read(13, "226a50d0772fd46a !1340219738 /us"..., 4096) = 4096
read(13, "linux-gnu/4.4/include/cross-stda"..., 4096) = 4096
read(13, "ffe:03d018d455d297f8a5dc6f0429a9"..., 4096) = 4096
read(13, "9955:e8bcfa4cb602d8865c1547d73d7"..., 4096) = 4096
read(13, "inst\n+++15:41471:0:0:a8c3ad58e96"..., 4096) = 4096
read(13, "2681318fc811:f3ef9a412147efd1a7d"..., 4096) = 4096
read(13, "+14:41471:0:0:3caed8f84a328adf2a"..., 4096) = 4096
read(13, "o.60.0.1\n+++143066:33188:0:0:598"..., 4096) = 4096
read(13, "7adc632e8:c616407dbc94ac42032729"..., 4096) = 4096
read(13, "be54064514c0deecabe0aac !1340219"..., 4096) = 4096
[....]
</code>
Non-ASCII characters are printed as hexadecimal escapes (that is what **-x** does in the command below; without it strace uses octal escapes).
By default, strace prints at most 32 characters of each string argument. If you want the full output, use **-s 4096** (4096 is the buffer size the process reads with, as the trace above shows). The other flags below are **-q** (suppress the attach/detach messages) and **-r** (print the time elapsed since the previous call).
<code>
strace -e trace=read -e read=6 -p 25916 -q -r -x -s 4096
</code>
If you're sniffing a program that spawns child processes or threads, add the flag **-f** so that strace also follows them; otherwise it only attaches to the pid you gave it.
<code>
strace -f -e trace=read -e read=6 -p 25916
</code>
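A small POSIX shell helper, added here as an example and not part of the original page or of OSSEC: it resolves the descriptor number from /proc/<pid>/fd (the same information lsof -p shows) and filters strace output down to a single descriptor, since -e read=N alone does not do that. The sniff_fd wrapper and the sample strace lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page or OSSEC): resolve an fd number from
# /proc instead of lsof, and keep only the strace read() lines for one descriptor.

# Print the descriptor number(s) under which process $1 has path $2 open, by
# reading the /proc/<pid>/fd symlinks (the same data shown by lsof -p <pid>).
fd_for_path() {
    pid=$1; target=$2
    for link in /proc/"$pid"/fd/*; do
        [ -L "$link" ] || continue
        if [ "$(readlink "$link")" = "$target" ]; then
            basename "$link"
        fi
    done
}

# strace -e read=N only adds a hex dump for descriptor N; every read() is still
# traced. Filter strace output on stdin down to reads on descriptor $1, matching
# the bare "read(6,", the -f prefix "[pid N] read(6," and the -y form "read(6<path>,".
reads_on_fd() {
    awk -v fd="$1" '$0 ~ ("(^|[^A-Za-z0-9_])read\\(" fd "[,<]")'
}

# Hypothetical wrapper tying both together (needs root and a live target, so it
# is defined but not run here). strace writes its trace to stderr, hence 2>&1.
sniff_fd() {
    pid=$1; path=$2
    fd=$(fd_for_path "$pid" "$path" | head -n 1)
    [ -n "$fd" ] || { echo "no fd for $path in pid $pid" >&2; return 1; }
    strace -p "$pid" -e trace=read -e read="$fd" -s 4096 -x 2>&1 | reads_on_fd "$fd"
}

# Constructed sample of strace output (modelled on the page's trace, with fd 6
# lines added): only the three fd-6 lines should survive the filter.
SAMPLE='read(13, "+++23:41471:0:0:a365778432246739"..., 4096) = 4096
read(6, "+++15:41471:0:0:a8c3ad58e96"..., 4096) = 4096
[pid 25916] read(6, "inst\n", 4096) = 5
     0.000042 read(16, "x", 1) = 1
read(6</var/ossec/queue/fts/fts-queue>, "abc", 4096) = 3'

printf '%s\n' "$SAMPLE" | reads_on_fd 6
```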