Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides
https://forum.ivorde.com/

FreeBSD how to sniff a unix socket using "socat" utility.
https://forum.ivorde.com/freebsd-how-to-sniff-a-unix-socket-using-socat-utility-t15931.html

Author:  mandrei99 [ Thu Dec 12, 2013 6:13 am ]
Post subject:  FreeBSD how to sniff a unix socket using "socat" utility.

Unlike network sockets, tcpdump cannot sniff unix file sockets (those special files whose file mode begins with an "s" for socket, for example: srw-rw-rw- 1 root wheel 0 Dec 12 10:35 /tmp/php-fpm.sock).

However, the "socat" utility can act as a man in the middle for unix file sockets: it creates a separate socket that clients connect to and relays the incoming data to the original daemon socket, printing everything that passes through.

Since my previous example was with php-fpm, here's how to listen on the php-fpm unix file socket with socat:

Code:
# socat -t100 -x -v UNIX-LISTEN:/tmp/php-fpm.sock.socat,mode=777,reuseaddr,fork UNIX-CONNECT:/tmp/php-fpm.sock       
> 2013/12/12 11:09:38.548061  length=752 from=0 to=751
01 01 00 01 00 08 00 00 00 01 00 00 00 00 00 00  ................
01 04 00 01 02 c3 05 00 0f 34 53 43 52 49 50 54  .........4SCRIPT
5f 46 49 4c 45 4e 41 4d 45 2f 75 73 72 2f 6c 6f  _FILENAME/usr/lo
63 61 6c 2f 77 77 77 2f 64 65 66 61 75 6c 74 5f  cal/www/default_
73 65 72 76 65 72 2f 70 75 62 6c 69 63 2e 68 74  server/public.ht
6d 6c 2f 2f 69 6e 64 65 78 2e 70 68 70 09 2f 50  ml//index.php./P
48 50 5f 56 41 4c 55 45 75 70 6c 6f 61 64 5f 6d  HP_VALUEupload_m
61 78 5f 66 69 6c 65 73 69 7a 65 3d 31 31 30 35  ax_filesize=1105
4d 20 0a                                         M .
20 70 6f 73 74 5f 6d 61 78 5f 73 69 7a 65 3d 31   post_max_size=1
31 30 35 4d 09 0a                                105M..
50 41 54 48 5f 49 4e 46 4f 2f 69 6e 64 65 78 2e  PATH_INFO/index.
70 68 70 0c 00 51 55 45 52 59 5f 53 54 52 49 4e  php..QUERY_STRIN
47 0e 03 52 45 51 55 45 53 54 5f 4d 45 54 48 4f  G..REQUEST_METHO
44 47 45 54 0c 00 43 4f 4e 54 45 4e 54 5f 54 59  DGET..CONTENT_TY
50 45 0e 00 43 4f 4e 54 45 4e 54 5f 4c 45 4e 47  PE..CONTENT_LENG
54 48 0b 0a                                      TH..
53 43 52 49 50 54 5f 4e 41 4d 45 2f 69 6e 64 65  SCRIPT_NAME/inde
78 2e 70 68 70 0b 01 52 45 51 55 45 53 54 5f 55  x.php..REQUEST_U
52 49 2f 0c 0a                                   RI/..
44 4f 43 55 4d 45 4e 54 5f 55 52 49 2f 69 6e 64  DOCUMENT_URI/ind
65 78 2e 70 68 70 0d 29 44 4f 43 55 4d 45 4e 54  ex.php.)DOCUMENT
5f 52 4f 4f 54 2f 75 73 72 2f 6c 6f 63 61 6c 2f  _ROOT/usr/local/
77 77 77 2f 64 65 66 61 75 6c 74 5f 73 65 72 76  www/default_serv
65 72 2f 70 75 62 6c 69 63 2e 68 74 6d 6c 0f 08  er/public.html..
53 45 52 56 45 52 5f 50 52 4f 54 4f 43 4f 4c 48  SERVER_PROTOCOLH
54 54 50 2f 31 2e 31 11 07 47 41 54 45 57 41 59  TTP/1.1..GATEWAY
5f 49 4e 54 45 52 46 41 43 45 43 47 49 2f 31 2e  _INTERFACECGI/1.
31 0f 0b 53 45 52 56 45 52 5f 53 4f 46 54 57 41  1..SERVER_SOFTWA
52 45 6e 67 69 6e 78 2f 31 2e 32 2e 34 0b 09 52  REnginx/1.2.4..R
45 4d 4f 54 45 5f 41 44 44 52 31 30 2e 31 2e 31  EMOTE_ADDR10.1.1
2e 35 30 0b 05 52 45 4d 4f 54 45 5f 50 4f 52 54  .50..REMOTE_PORT
35 36 32 37 33 0b 09 53 45 52 56 45 52 5f 41 44  56273..SERVER_AD
44 52 31 30 2e 31 2e 31 2e 35 30 0b 02 53 45 52  DR10.1.1.50..SER
56 45 52 5f 50 4f 52 54 38 30 0b 01 53 45 52 56  VER_PORT80..SERV
45 52 5f 4e 41 4d 45 5f 0f 03 52 45 44 49 52 45  ER_NAME_..REDIRE
43 54 5f 53 54 41 54 55 53 32 30 30 09 09 48 54  CT_STATUS200..HT
54 50 5f 48 4f 53 54 31 30 2e 31 2e 31 2e 35 30  TP_HOST10.1.1.50
0f 3b 48 54 54 50 5f 55 53 45 52 5f 41 47 45 4e  .;HTTP_USER_AGEN
54 45 4c 69 6e 6b 73 2f 30 2e 31 31 2e 37 20 28  TELinks/0.11.7 (
74 65 78 74 6d 6f 64 65 3b 20 46 72 65 65 42 53  textmode; FreeBS
44 20 37 2e 34 2d 53 54 41 42 4c 45 20 69 33 38  D 7.4-STABLE i38
36 3b 20 32 33 37 78 37 34 2d 32 29 0b 03 48 54  6; 237x74-2)..HT
54 50 5f 41 43 43 45 50 54 2a 2f 2a 14 04 48 54  TP_ACCEPT*/*..HT
54 50 5f 41 43 43 45 50 54 5f 45 4e 43 4f 44 49  TP_ACCEPT_ENCODI
4e 47 67 7a 69 70 14 02 48 54 54 50 5f 41 43 43  NGgzip..HTTP_ACC
45 50 54 5f 4c 41 4e 47 55 41 47 45 65 6e 0f 0a  EPT_LANGUAGEen..
48 54 54 50 5f 43 4f 4e 4e 45 43 54 49 4f 4e 4b  HTTP_CONNECTIONK
65 65 70 2d 41 6c 69 76 65 00 00 00 00 00 01 04  eep-Alive.......
00 01 00 00 00 00 01 05 00 01 00 00 00 00        ..............
--
< 2013/12/12 11:09:38.575645  length=64 from=0 to=63
01 06 00 01 00 27 01 00 43 6f 6e 74 65 6e 74 2d  .....'..Content-
74 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d  type: text/html.
0a                                               .
0d 0a                                            ..
48 65 6c 6c 6f 20 77 6f 72 6c 64 21 00 01 03 00  Hello world!....
01 00 08 00 00 00 00 00 00 00 00 00 00           .............
--


In the above test, php-fpm listens on the /tmp/php-fpm.sock file, socat creates a dummy socket file "/tmp/php-fpm.sock.socat" and I pointed my NGINX to connect to this file. When "socat" receives input on the dummy socket file it relays it to the original php-fpm socket and displays the output to the console. The same happens for the return data (from PHP to NGINX).

Current unix file sockets:
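The hex that socat prints is the FastCGI protocol that NGINX and php-fpm speak over the socket: a request is a BEGIN_REQUEST record, one or more PARAMS records carrying the name/value pairs (SCRIPT_FILENAME, REQUEST_METHOD, HTTP_USER_AGENT, ...), then empty PARAMS and STDIN records, and the reply is a STDOUT record followed by END_REQUEST. The decoder below is an added example, not code from the post or from socat; it feeds on the text layout of a socat -x dump, uses the 64-byte response copied verbatim from the capture above, and pairs it with a constructed request (labelled as such in the code) that carries three of the variables seen in the post's dump. Record layout, type numbers and the 1-byte/4-byte name/value length encoding follow the FastCGI specification.

```python
"""Decode the FastCGI records that socat -x prints as hex. Added example, not from the
original post; record layout and type numbers follow the FastCGI specification."""
import struct

FCGI_BEGIN_REQUEST, FCGI_END_REQUEST, FCGI_PARAMS = 1, 3, 4
TYPE_NAMES = {1: "BEGIN_REQUEST", 2: "ABORT_REQUEST", 3: "END_REQUEST", 4: "PARAMS",
              5: "STDIN", 6: "STDOUT", 7: "STDERR", 8: "DATA", 9: "GET_VALUES",
              10: "GET_VALUES_RESULT", 11: "UNKNOWN_TYPE"}

# The 64-byte php-fpm response exactly as socat -x -v printed it in the post above.
RESPONSE_DUMP = """\
< 2013/12/12 11:09:38.575645  length=64 from=0 to=63
01 06 00 01 00 27 01 00 43 6f 6e 74 65 6e 74 2d  .....'..Content-
74 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d  type: text/html.
0a                                               .
0d 0a                                            ..
48 65 6c 6c 6f 20 77 6f 72 6c 64 21 00 01 03 00  Hello world!....
01 00 08 00 00 00 00 00 00 00 00 00 00           .............
--
"""

# Constructed request (not from the post), one record per line: BEGIN_REQUEST, a
# 64-byte PARAMS record carrying three variables from the post's dump, then the
# empty PARAMS and STDIN records that terminate the parameter and body streams.
REQUEST_DUMP = """\
> constructed  length=104 from=0 to=103
01 01 00 01 00 08 00 00 00 01 00 00 00 00 00 00
01 04 00 01 00 40 00 00
0e 03 52 45 51 55 45 53 54 5f 4d 45 54 48 4f 44 47 45 54
0b 0a 53 43 52 49 50 54 5f 4e 41 4d 45 2f 69 6e 64 65 78 2e 70 68 70
0b 09 52 45 4d 4f 54 45 5f 41 44 44 52 31 30 2e 31 2e 31 2e 35 30
01 04 00 01 00 00 00 00
01 05 00 01 00 00 00 00
--
"""

def hexdump_to_bytes(dump):
    """Hex columns of a socat -x dump; skips '<'/'>' headers, '--' and the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith(("<", ">", "--")):
            continue
        # socat separates the ASCII column from the hex by two or more spaces
        out.extend(int(tok, 16) for tok in line.split("  ", 1)[0].split())
    return bytes(out)

def parse_records(data):
    """Split a FastCGI stream into (type, request_id, content) tuples."""
    records, offset = [], 0
    while offset + 8 <= len(data):
        # header: version, type, requestId(2), contentLength(2), paddingLength, reserved
        version, rtype, req_id, clen, plen, _ = struct.unpack("!BBHHBB", data[offset:offset + 8])
        if version != 1:
            raise ValueError(f"unexpected FastCGI version {version} at offset {offset}")
        start, end = offset + 8, offset + 8 + clen
        if end + plen > len(data):
            raise ValueError(f"record at offset {offset} runs past the end of the capture")
        records.append((rtype, req_id, data[start:end]))
        offset = end + plen  # skip the padding that aligns records to 8 bytes
    if offset != len(data):
        raise ValueError(f"{len(data) - offset} stray bytes after the last record")
    return records

def _read_length(buf, pos):
    """Name/value lengths are one byte below 128, else four bytes with the top bit set."""
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    return struct.unpack("!I", buf[pos:pos + 4])[0] & 0x7FFFFFFF, pos + 4

def parse_params(content):
    """Decode the name/value pairs of an FCGI_PARAMS record into a dict."""
    params, pos = {}, 0
    while pos < len(content):
        nlen, pos = _read_length(content, pos)
        vlen, pos = _read_length(content, pos)
        if pos + nlen + vlen > len(content):
            raise ValueError("name/value length exceeds the record content")
        name = content[pos:pos + nlen].decode("latin-1")
        params[name] = content[pos + nlen:pos + nlen + vlen].decode("latin-1")
        pos += nlen + vlen
    return params

def decode_capture(dump):
    """[(type_name, request_id, payload)]: dict for PARAMS/BEGIN/END_REQUEST, else bytes."""
    decoded = []
    for rtype, req_id, content in parse_records(hexdump_to_bytes(dump)):
        if rtype == FCGI_PARAMS:
            payload = parse_params(content)
        elif rtype == FCGI_BEGIN_REQUEST:
            role, flags = struct.unpack("!HB", content[:3])
            payload = {"role": role, "keep_conn": bool(flags & 1)}
        elif rtype == FCGI_END_REQUEST:
            app_status, proto_status = struct.unpack("!IB", content[:5])
            payload = {"app_status": app_status, "protocol_status": proto_status}
        else:
            payload = content
        decoded.append((TYPE_NAMES.get(rtype, f"TYPE_{rtype}"), req_id, payload))
    return decoded
```

Calling decode_capture(RESPONSE_DUMP) yields a STDOUT record holding "Content-type: text/html\r\n\r\nHello world!" and an END_REQUEST with application status 0 and protocol status 0 (request complete); the constructed request decodes to BEGIN_REQUEST (role 1, responder), a PARAMS dict with REQUEST_METHOD, SCRIPT_NAME and REMOTE_ADDR, then the empty PARAMS and STDIN records. The full socat output from the post can be pasted into the same function, since the parser keys on the two-space gap before the ASCII column rather than on a fixed 16 bytes per line. Two practical points follow from the post's own listing: the relay socket is created with mode=777 (srwxrwxrwx above), so any local user can connect to it while the test runs, and the decoded PARAMS carry every request header the front end forwards, so the console output deserves the same handling as a packet capture.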
Code:
srw-rw-rw-  1 root  wheel  0 Dec 12 10:35 /tmp/php-fpm.sock
srwxrwxrwx  1 root  wheel  0 Dec 12 11:09 /tmp/php-fpm.sock.socat


NGINX configuration pointing at the socat socket:
Code:
...
fastcgi_pass unix:/tmp/php-fpm.sock.socat;
...
