时空索引>> sockdump>> 返回
项目作者: mechpen

项目描述 :
Dump unix domain socket traffic with bpf
高级语言: Python
项目地址: git://github.com/mechpen/sockdump.git
创建时间: 2018-09-25T07:13:57Z
项目社区:https://github.com/mechpen/sockdump
开源协议:
下载


sockdump

Dump unix domain socket traffic.

Supports STREAM and DGRAM types.

Requirement

  • bcc
  • python bcc bindings

Example

string output

  1. $ sudo ./sockdump.py --format string /var/run/docker.sock
  2. waiting for data
  3. 19:23:06.633 >>> process docker [31042 -> 13710] len 81(81)
  4. HEAD /_ping HTTP/1.1
  5. Host: docker
  6. User-Agent: Docker-Client/19.03.5 (linux)
  8. 19:23:06.633 >>> process dockerd [13710 -> 31042] len 280(280)
  9. HTTP/1.1 200 OK
  10. Api-Version: 1.40
  11. Cache-Control: no-cache, no-store, must-revalidate
  12. Content-Length: 0
  13. Content-Type: text/plain; charset=utf-8
  14. Docker-Experimental: false
  15. Ostype: linux
  16. Pragma: no-cache
  17. Server: Docker/19.03.5 (linux)
  18. Date: Fri, 20 Dec 2019 03:23:06 GMT
  20. 19:23:06.633 >>> process docker [31042 -> 13710] len 96(96)
  21. GET /v1.40/containers/json HTTP/1.1
  22. Host: docker
  23. User-Agent: Docker-Client/19.03.5 (linux)
  25. 19:23:06.633 >>> process dockerd [13710 -> 31042] len 204(204)
  26. HTTP/1.1 200 OK
  27. Api-Version: 1.40
  28. Content-Type: application/json
  29. Docker-Experimental: false
  30. Ostype: linux
  31. Server: Docker/19.03.5 (linux)
  32. Date: Fri, 20 Dec 2019 03:23:06 GMT
  33. Content-Length: 3
  35. []
  36. ^C
  37. 4 packets captured

hexstring output with prefix-based matching

ptp4l + pmc used to show that sockdump can capture from all sockets starting with ‘/var/run/p’,
as pmc uses ‘/var/run/pmc.$PID’ socket and talks to ptp4l that listens on ‘/var/run/ptp4l’.

  1. $ sudo ./sockdump.py '/var/run/p*' --format hexstring
  2. waiting for data
  3. 10:11:28.968 >>> process pmc [1108317 -> 0] len 74(74)
  4. \x0d\x12\x00\x4a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x5d\x00\x00\x04\x7f\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x01\x00\x16\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
  5. 10:11:28.968 >>> process ptp4l [896569 -> 0] len 74(74)
  6. \x0d\x12\x00\x4a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x48\x57\xdd\xff\xfe\x07\x93\x21\x00\x00\x00\x00\x04\x7f\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x5d\x00\x00\x02\x00\x00\x01\x00\x16\x20\x00\x01\x00\x00\x01\x80\xf8\xfe\xff\xff\x80\x48\x57\xdd\xff\xfe\x07\x93\x21\x00\x00
  7. ^C
  8. 2 packets captured

pcap output

  1. $ sudo ./sockdump.py /var/run/docker.sock --format pcap --output dump
  2. waiting for data
  3. ^C
  4. 8 packets captured
  5. $ wireshark -X lua_script:wireshark/dummy.lua dump

wireshark