Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

mandrei99
Post subject: FreeBSD how to sniff a unix socket using "socat" utility. | Posted: Thu Dec 12, 2013 6:13 am


FreeBSD how to sniff a unix socket using "socat" utility.

Unlike network sockets, tcpdump is unable to sniff unix file sockets (those special files whose file mode is an "s" for socket, example: srw-rw-rw- 1 root wheel 0 Dec 12 10:35 /tmp/php-fpm.sock).

However, the "socat" utility can act as a man in the middle for unix file sockets, meaning that it creates a separate socket that clients connect to and relays the incoming information to the original daemon socket.

Since my previous example was with php-fpm, here's how to listen on php-fpm unix file socket with socat:

Code:
# socat -t100 -x -v UNIX-LISTEN:/tmp/php-fpm.sock.socat,mode=777,reuseaddr,fork UNIX-CONNECT:/tmp/php-fpm.sock
> 2013/12/12 11:09:38.548061  length=752 from=0 to=751
01 01 00 01 00 08 00 00 00 01 00 00 00 00 00 00  ................
01 04 00 01 02 c3 05 00 0f 34 53 43 52 49 50 54  .........4SCRIPT
5f 46 49 4c 45 4e 41 4d 45 2f 75 73 72 2f 6c 6f  _FILENAME/usr/lo
63 61 6c 2f 77 77 77 2f 64 65 66 61 75 6c 74 5f  cal/www/default_
73 65 72 76 65 72 2f 70 75 62 6c 69 63 2e 68 74  server/public.ht
6d 6c 2f 2f 69 6e 64 65 78 2e 70 68 70 09 2f 50  ml//index.php./P
48 50 5f 56 41 4c 55 45 75 70 6c 6f 61 64 5f 6d  HP_VALUEupload_m
61 78 5f 66 69 6c 65 73 69 7a 65 3d 31 31 30 35  ax_filesize=1105
4d 20 0a                                         M .
20 70 6f 73 74 5f 6d 61 78 5f 73 69 7a 65 3d 31   post_max_size=1
31 30 35 4d 09 0a                                105M..
50 41 54 48 5f 49 4e 46 4f 2f 69 6e 64 65 78 2e  PATH_INFO/index.
70 68 70 0c 00 51 55 45 52 59 5f 53 54 52 49 4e  php..QUERY_STRIN
47 0e 03 52 45 51 55 45 53 54 5f 4d 45 54 48 4f  G..REQUEST_METHO
44 47 45 54 0c 00 43 4f 4e 54 45 4e 54 5f 54 59  DGET..CONTENT_TY
50 45 0e 00 43 4f 4e 54 45 4e 54 5f 4c 45 4e 47  PE..CONTENT_LENG
54 48 0b 0a                                      TH..
53 43 52 49 50 54 5f 4e 41 4d 45 2f 69 6e 64 65  SCRIPT_NAME/inde
78 2e 70 68 70 0b 01 52 45 51 55 45 53 54 5f 55  x.php..REQUEST_U
52 49 2f 0c 0a                                   RI/..
44 4f 43 55 4d 45 4e 54 5f 55 52 49 2f 69 6e 64  DOCUMENT_URI/ind
65 78 2e 70 68 70 0d 29 44 4f 43 55 4d 45 4e 54  ex.php.)DOCUMENT
5f 52 4f 4f 54 2f 75 73 72 2f 6c 6f 63 61 6c 2f  _ROOT/usr/local/
77 77 77 2f 64 65 66 61 75 6c 74 5f 73 65 72 76  www/default_serv
65 72 2f 70 75 62 6c 69 63 2e 68 74 6d 6c 0f 08  er/public.html..
53 45 52 56 45 52 5f 50 52 4f 54 4f 43 4f 4c 48  SERVER_PROTOCOLH
54 54 50 2f 31 2e 31 11 07 47 41 54 45 57 41 59  TTP/1.1..GATEWAY
5f 49 4e 54 45 52 46 41 43 45 43 47 49 2f 31 2e  _INTERFACECGI/1.
31 0f 0b 53 45 52 56 45 52 5f 53 4f 46 54 57 41  1..SERVER_SOFTWA
52 45 6e 67 69 6e 78 2f 31 2e 32 2e 34 0b 09 52  REnginx/1.2.4..R
45 4d 4f 54 45 5f 41 44 44 52 31 30 2e 31 2e 31  EMOTE_ADDR10.1.1
2e 35 30 0b 05 52 45 4d 4f 54 45 5f 50 4f 52 54  .50..REMOTE_PORT
35 36 32 37 33 0b 09 53 45 52 56 45 52 5f 41 44  56273..SERVER_AD
44 52 31 30 2e 31 2e 31 2e 35 30 0b 02 53 45 52  DR10.1.1.50..SER
56 45 52 5f 50 4f 52 54 38 30 0b 01 53 45 52 56  VER_PORT80..SERV
45 52 5f 4e 41 4d 45 5f 0f 03 52 45 44 49 52 45  ER_NAME_..REDIRE
43 54 5f 53 54 41 54 55 53 32 30 30 09 09 48 54  CT_STATUS200..HT
54 50 5f 48 4f 53 54 31 30 2e 31 2e 31 2e 35 30  TP_HOST10.1.1.50
0f 3b 48 54 54 50 5f 55 53 45 52 5f 41 47 45 4e  .;HTTP_USER_AGEN
54 45 4c 69 6e 6b 73 2f 30 2e 31 31 2e 37 20 28  TELinks/0.11.7 (
74 65 78 74 6d 6f 64 65 3b 20 46 72 65 65 42 53  textmode; FreeBS
44 20 37 2e 34 2d 53 54 41 42 4c 45 20 69 33 38  D 7.4-STABLE i38
36 3b 20 32 33 37 78 37 34 2d 32 29 0b 03 48 54  6; 237x74-2)..HT
54 50 5f 41 43 43 45 50 54 2a 2f 2a 14 04 48 54  TP_ACCEPT*/*..HT
54 50 5f 41 43 43 45 50 54 5f 45 4e 43 4f 44 49  TP_ACCEPT_ENCODI
4e 47 67 7a 69 70 14 02 48 54 54 50 5f 41 43 43  NGgzip..HTTP_ACC
45 50 54 5f 4c 41 4e 47 55 41 47 45 65 6e 0f 0a  EPT_LANGUAGEen..
48 54 54 50 5f 43 4f 4e 4e 45 43 54 49 4f 4e 4b  HTTP_CONNECTIONK
65 65 70 2d 41 6c 69 76 65 00 00 00 00 00 01 04  eep-Alive.......
00 01 00 00 00 00 01 05 00 01 00 00 00 00        ..............
--
< 2013/12/12 11:09:38.575645  length=64 from=0 to=63
01 06 00 01 00 27 01 00 43 6f 6e 74 65 6e 74 2d  .....'..Content-
74 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d  type: text/html.
0a                                               .
0d 0a                                            ..
48 65 6c 6c 6f 20 77 6f 72 6c 64 21 00 01 03 00  Hello world!....
01 00 08 00 00 00 00 00 00 00 00 00 00           .............
--


In the above test, php-fpm listens on the /tmp/php-fpm.sock file, socat creates a dummy socket file "/tmp/php-fpm.sock.socat" and I pointed my NGINX to connect to this file. When "socat" receives input on the dummy socket file it relays it to the original php-fpm socket and displays the output to the console. The same behavior applies to the return information (from PHP to NGINX).
Current unix file sockets:
Code:
srw-rw-rw-  1 root  wheel  0 Dec 12 10:35 /tmp/php-fpm.sock
srwxrwxrwx  1 root  wheel  0 Dec 12 11:09 /tmp/php-fpm.sock.socat


Code:
...
fastcgi_pass unix:/tmp/php-fpm.sock.socat;
...
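The bytes socat prints above are FastCGI records: nginx sends FCGI_BEGIN_REQUEST, a FCGI_PARAMS record carrying the CGI environment (SCRIPT_FILENAME, PHP_VALUE, REMOTE_ADDR and so on as length-prefixed name/value pairs), an empty PARAMS record and an empty STDIN record; php-fpm answers with FCGI_STDOUT (HTTP headers plus body) and FCGI_END_REQUEST. The following decoder is an added example written for this page, not code from the post or from socat or php-fpm. It rebuilds the byte stream from socat's `-x` hex-dump layout (assumed to be the 16-bytes-per-line format shown above, with the ASCII column separated by at least two spaces), parses the records, and decodes the name/value pairs including the 4-byte length form used for values of 128 bytes or more. The embedded `RESPONSE_DUMP` is the php-fpm reply copied verbatim from the capture; the request built by `build_request` is constructed here to show the record sequence, so its parameter values are not taken from the capture.

```python
"""Decode FastCGI records from a socat -x hex dump (added example; not the post's own code)."""
import re
import struct

# FastCGI record types, per the FastCGI specification.
FCGI_BEGIN_REQUEST, FCGI_END_REQUEST, FCGI_PARAMS, FCGI_STDIN, FCGI_STDOUT = 1, 3, 4, 5, 6
RECORD_NAMES = {1: "BEGIN_REQUEST", 3: "END_REQUEST", 4: "PARAMS", 5: "STDIN", 6: "STDOUT", 7: "STDERR"}
HEX_RUN = re.compile(r"[0-9a-fA-F]{2}(?: [0-9a-fA-F]{2})*")

# The php-fpm -> nginx reply, copied verbatim from the socat output in the post ("<" direction).
RESPONSE_DUMP = """\
< 2013/12/12 11:09:38.575645  length=64 from=0 to=63
01 06 00 01 00 27 01 00 43 6f 6e 74 65 6e 74 2d  .....'..Content-
74 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d  type: text/html.
0a                                               .
0d 0a                                            ..
48 65 6c 6c 6f 20 77 6f 72 6c 64 21 00 01 03 00  Hello world!....
01 00 08 00 00 00 00 00 00 00 00 00 00           .............
--
"""

def socat_hexdump_to_bytes(text):
    """Rebuild the byte stream from socat -x output. Assumed layout (matches the dump above):
    single-spaced hex bytes, then an ASCII column after 2+ spaces; timestamp and '--' lines are skipped."""
    out = bytearray()
    for line in text.splitlines():
        head = re.split(r" {2,}", line.strip(), maxsplit=1)[0]
        if HEX_RUN.fullmatch(head):
            out += bytes.fromhex(head)
    return bytes(out)

def parse_records(data):
    """Split a stream into (type, request_id, content) records; padding bytes are dropped."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError("truncated FastCGI header at offset %d" % off)
        version, rtype, req_id, clen, plen, _ = struct.unpack("!BBHHBB", data[off:off + 8])
        if version != 1:
            raise ValueError("unexpected FastCGI version %d at offset %d" % (version, off))
        if off + 8 + clen + plen > len(data):
            raise ValueError("truncated FastCGI record at offset %d" % off)
        records.append((rtype, req_id, data[off + 8:off + 8 + clen]))
        off += 8 + clen + plen
    return records

def parse_name_value_pairs(content):
    """Decode FCGI_PARAMS content; a length is 1 byte if < 128, else 4 bytes with the high bit set."""
    def read_len(off):
        if content[off] < 0x80:
            return content[off], off + 1
        return struct.unpack("!I", content[off:off + 4])[0] & 0x7FFFFFFF, off + 4
    pairs, off = {}, 0
    while off < len(content):
        nlen, off = read_len(off)
        vlen, off = read_len(off)
        name, value = content[off:off + nlen], content[off + nlen:off + nlen + vlen]
        if len(value) != vlen:
            raise ValueError("truncated name-value pair at offset %d" % off)
        pairs[name.decode("latin-1")] = value.decode("latin-1")
        off += nlen + vlen
    return pairs

def encode_name_value_pairs(pairs):
    """Inverse of parse_name_value_pairs, used to build the constructed request below."""
    def enc_len(n):
        return bytes([n]) if n < 0x80 else struct.pack("!I", n | 0x80000000)
    out = bytearray()
    for name, value in pairs.items():
        n, v = name.encode("latin-1"), value.encode("latin-1")
        out += enc_len(len(n)) + enc_len(len(v)) + n + v
    return bytes(out)

def build_record(rtype, req_id, content):
    """One record, padded to a multiple of 8 bytes (the capture's 707-byte PARAMS record carries 5 pad bytes)."""
    pad = -len(content) % 8
    return struct.pack("!BBHHBB", 1, rtype, req_id, len(content), pad, 0) + content + b"\0" * pad

def build_request(params, req_id=1):
    """Constructed request with the capture's record sequence: BEGIN_REQUEST (role 1), PARAMS, empty PARAMS, empty STDIN."""
    return (build_record(FCGI_BEGIN_REQUEST, req_id, struct.pack("!HB5x", 1, 0))
            + build_record(FCGI_PARAMS, req_id, encode_name_value_pairs(params))
            + build_record(FCGI_PARAMS, req_id, b"") + build_record(FCGI_STDIN, req_id, b""))

def summarize(data):
    """(name, request_id, decoded content) tuples for one direction of a capture."""
    summary = []
    for rtype, req_id, body in parse_records(data):
        name = RECORD_NAMES.get(rtype, "type %d" % rtype)
        if rtype == FCGI_BEGIN_REQUEST:
            role, flags = struct.unpack("!HB", body[:3])
            summary.append((name, req_id, {"role": role, "keep_conn": bool(flags & 1)}))
        elif rtype == FCGI_PARAMS:
            summary.append((name, req_id, parse_name_value_pairs(body)))
        elif rtype == FCGI_END_REQUEST:
            app_status, proto_status = struct.unpack("!IB", body[:5])
            summary.append((name, req_id, {"app_status": app_status, "protocol_status": proto_status}))
        else:
            summary.append((name, req_id, body))  # STDOUT/STDERR/STDIN payload as raw bytes
    return summary

if __name__ == "__main__":
    for rec in summarize(socat_hexdump_to_bytes(RESPONSE_DUMP)):
        print(rec)
```

Running the script prints the captured reply as a STDOUT record holding `Content-type: text/html\r\n\r\nHello world!` followed by an END_REQUEST record with application status 0 and protocol status 0. Feeding the request side of a capture through the same functions exposes the PARAMS record as a plain dictionary, which is the practical payoff of sniffing the socket: it shows exactly which SCRIPT_FILENAME, DOCUMENT_ROOT and PHP_VALUE settings the web server hands to the FastCGI backend, without guessing from the nginx configuration.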




