Sniff UNIX domain socket

jeckyll2hide asked:

I know that some process is writing to a certain unix domain socket (/var/run/asterisk/asterisk.ctl), but I do not known the pid of the sender. How can I find out who is writing to the socket? I have tried with:

sudo lsof /var/run/asterisk/asterisk.ctl

but it just list the owner of the socket. I would like to know who is writing / reading to this socket, and I would also like to sniff the data. Is this possible?

My answer:

Yes, you can do this. All you need is systemtap.

Consider one of the example systemtap scripts which will print the PID and process name of any program that reads or writes a specified inode (and your Unix domain socket is just such a thing).

You can trivially modify this script to print the actual data being read/written; I’ll leave doing so as an exercise to the reader.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.