A quick post because I can’t resist the “sniffing” joke.
If you do a lot of network traffic analysis, you’ve probably used Wireshark, tcpdump, and other tools of that nature. However, they only work on network traffic – point them at Unix domain sockets and you’re out of luck, because there is no interface for them to capture from.
Unless you proxy the traffic. Like so:
First, let the process open whatever socket you care about. Then, move it out of the way and have socat listen in its stead:
    mv DEFAULT.socket hidden.socket
    socat UDP-LISTEN:6000,reuseaddr,fork UNIX-CONNECT:hidden.socket
This sets up socat to take anything arriving on UDP port 6000 and write it to the (now hidden) socket, with the owning process none the wiser. The rename doesn’t disturb that process: it holds the socket itself, not the path, so connections to hidden.socket still reach it.
Then we plug tcpdump in to listen on this port:
tcpdump -ni lo -s0 -f 'udp port 6000' -w /tmp/out.pcap
And set up the proxy entry where the socket was expecting to be:
socat UNIX-LISTEN:DEFAULT.socket,fork UDP-CONNECT:127.0.0.1:6000
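At this point a client connecting to DEFAULT.socket talks to the second socat, which sends its bytes over UDP port 6000 (where tcpdump sees them) to the first socat, which delivers them to hidden.socket and the original process. The UDP hop is what buys you tcpdump, but it is also the weak spot: socat has to chop a byte stream into datagrams, and UDP promises neither delivery nor ordering, so on a busy socket both the capture and the proxied stream can come out mangled. The Python below is an added example, not code from this post, that does the same interposition without the hop: it listens on DEFAULT.socket, connects each client to hidden.socket, relays bytes both ways, and writes every chunk as one record of a pcap file with link type DLT_USER0 (147), prefixed with a single byte marking the direction (0x00 client to server, 0x01 server to client) so Wireshark can tell the sides apart. The file names, the direction-byte framing and the echo service that demo() uses as a stand-in for the real process are all this example's own assumptions.

```python
# Added example, not code from the post: tap DEFAULT.socket in-line and write the bytes
# to a pcap file Wireshark opens directly, instead of bouncing them through UDP for tcpdump.
import os
import socket
import struct
import tempfile
import threading
import time

LINKTYPE_USER0 = 147  # Wireshark binds a dissector to it under Preferences -> Protocols -> DLT_USER
TO_SERVER, TO_CLIENT = 0x00, 0x01  # constructed framing: first byte of each record is the direction

def pcap_global_header(snaplen=65535, linktype=LINKTYPE_USER0):
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(payload):
    sec, usec = divmod(int(time.time() * 1_000_000), 1_000_000)
    return struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload

def read_pcap(path):
    """Minimal reader used to check what the tap wrote: (linktype, [payload, ...])."""
    with open(path, "rb") as f:
        linktype = struct.unpack("<IHHiIII", f.read(24))[6]
        records = []
        while len(header := f.read(16)) == 16:
            records.append(f.read(struct.unpack("<IIII", header)[2]))
    return linktype, records

def pump(src, dst, pcap, direction, lock):
    """Copy bytes src -> dst until EOF, logging each chunk as one pcap record."""
    while data := src.recv(65536):
        with lock:  # both directions append to the same file
            pcap.write(pcap_record(bytes([direction]) + data))
            pcap.flush()
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)  # pass the EOF along; the peer may already be gone
    except OSError:
        pass

def tap(listen_path, hidden_path, pcap_path, connections=1):
    """Proxy `connections` clients from listen_path to hidden_path, one after another
    (socat's ,fork serves them in parallel), recording both directions to pcap_path."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener, open(pcap_path, "wb") as pcap:
        listener.bind(listen_path)
        listener.listen()
        pcap.write(pcap_global_header())
        lock = threading.Lock()
        for _ in range(connections):
            client, _ = listener.accept()
            server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            server.connect(hidden_path)
            threads = [threading.Thread(target=pump, args=(client, server, pcap, TO_SERVER, lock)),
                       threading.Thread(target=pump, args=(server, client, pcap, TO_CLIENT, lock))]
            for t in threads:
                t.start()
            for t in threads:
                t.join()
            client.close()
            server.close()

def demo():
    """Run one tapped exchange against a constructed echo service standing in for the real process."""
    d = tempfile.mkdtemp()
    hidden, default, out = (os.path.join(d, n) for n in ("hidden.socket", "DEFAULT.socket", "out.pcap"))
    service = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    service.bind(hidden)
    service.listen()

    def echo():
        conn, _ = service.accept()
        with conn:
            while data := conn.recv(65536):
                conn.sendall(data)

    workers = [threading.Thread(target=echo), threading.Thread(target=tap, args=(default, hidden, out))]
    for t in workers:
        t.start()
    for _ in range(200):  # the tap listener comes up asynchronously; retry until it accepts
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            cli.connect(default)
            break
        except (FileNotFoundError, ConnectionRefusedError):
            cli.close()
            time.sleep(0.01)
    with cli:
        cli.sendall(b"hello over unix")
        reply = cli.recv(65536)
    for t in workers:
        t.join()
    service.close()
    return reply, read_pcap(out)

if __name__ == "__main__":
    print(demo())
```

Run it directly to see one tapped exchange; in real use you would call tap() with the paths from above and a larger connection count, then open the file in Wireshark and bind a dissector to DLT_USER0 if the protocol has one. Because the tap is a plain stream relay, large writes and back-to-back messages arrive at the hidden socket exactly as the client sent them.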