Although at the time the question was asked it was really impossible, it is possible nowadays.
You can do both: UNIX=>TCP and UNIX=>UNIX forwarding.
For example:
ssh \
-R/var/run/mysql.sock:/var/run/mysql.sock \
-R127.0.0.1:3306:/var/run/mysql.sock \
somehost
It is possible since OpenSSH 6.7.
Linux auditing can help. It will at least locate users and processes making datagram network connections. UDP packets are datagrams.
First, install the auditd framework on your platform and ensure that auditctl -l returns something, even if it says that no rules are defined.
Then, add a rule to watch the system call socket() and tag it for easy finding later (-k). I need to assume that you are on a 64-bit architecture, but you can substitute b32 in place of the b64 if you aren't.
auditctl -a exit,always -F arch=b64 -F a0=2 -F a1\&=2 -S socket -k SOCKET
You have to pick through man pages and header files to build this, but what it captures is essentially this system call: socket(PF_INET, SOCK_DGRAM|X, Y), where the third parameter is unspecified but frequently zero. PF_INET is 2 and SOCK_DGRAM is 2. TCP connections would use SOCK_STREAM, which would set a1=1. (SOCK_DGRAM in the second parameter may be ORed with SOCK_NONBLOCK or SOCK_CLOEXEC, hence the &= comparison.) The -k SOCKET is our keyword we want to use when searching audit trails later. It can be anything, but I like to keep it simple.
Let a few moments go by and review the audit trails. Optionally, you could force a couple of packets by pinging a host out on the net, which will cause a DNS lookup to occur, which uses UDP, which should trip our audit alert.
ausearch -i -ts today -k SOCKET
And output similar to the section below will appear. I'm abbreviating it to highlight the important parts.
type=SYSCALL ... arch=x86_64 syscall=socket success=yes exit=1 a0=2 a1=2 ... pid=14510 ... auid=zlagtime uid=zlagtime ... euid=zlagtime ... comm=ping exe=/usr/bin/ping key=SOCKET
In the above output, we can see that the ping command caused the socket to be opened. I could then run strace -p 14510 on the process, if it was still running. The ppid (parent process ID) is also listed in case it is a script that spawns the problem child a lot.
Now, if you have a lot of UDP traffic, this isn't going to be good enough and you'll have to resort to OProfile or SystemTap, both of which are currently beyond my expertise.
This should help narrow things down in the general case.
When you are done, remove the audit rule by using the same line you used to create it, only substitute -a with -d.
auditctl -d exit,always -F arch=b64 -F a0=2 -F a1\&=2 -S socket -k SOCKET
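As an added example (not part of this answer), here is a small Python script that groups records in the shape of the ausearch output above by program and login user. It decodes the hex a1 value so the SOCK_CLOEXEC/SOCK_NONBLOCK bits are stripped, and it separates true datagram sockets from SOCK_RAW (3), which the rule's bitwise a1&=2 match also captures. The sample records and the TCPSOCK key are constructed for the demonstration; field names follow the output shown above.

```python
import re
from collections import defaultdict

SOCK_TYPE_MASK = 0xF          # low nibble of socket()'s 2nd argument is the type
SOCK_STREAM, SOCK_DGRAM, SOCK_RAW = 1, 2, 3
AF_INET = 2                   # PF_INET in the rule above

# Constructed sample in the shape of the abbreviated `ausearch -i` records shown
# in the answer (not real log data). Argument values are hex as audit prints
# them: 80002 is SOCK_DGRAM|SOCK_CLOEXEC, 3 is SOCK_RAW (ICMP ping socket).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.000:101): arch=x86_64 syscall=socket success=yes exit=3 a0=2 a1=2 a2=0 ppid=1 pid=14510 auid=zlagtime uid=zlagtime comm=ping exe=/usr/bin/ping key=SOCKET
type=SYSCALL msg=audit(1700000000.001:102): arch=x86_64 syscall=socket success=yes exit=4 a0=2 a1=80002 a2=0 ppid=1400 pid=14511 auid=zlagtime uid=zlagtime comm=dig exe=/usr/bin/dig key=SOCKET
type=SYSCALL msg=audit(1700000000.002:103): arch=x86_64 syscall=socket success=yes exit=5 a0=2 a1=1 a2=0 ppid=1400 pid=14512 auid=zlagtime uid=zlagtime comm=curl exe=/usr/bin/curl key=TCPSOCK
type=SYSCALL msg=audit(1700000000.003:104): arch=x86_64 syscall=socket success=yes exit=6 a0=2 a1=3 a2=1 ppid=1 pid=14513 auid=root uid=root comm=ping exe=/usr/bin/ping key=SOCKET
"""

TOKEN_RE = re.compile(r'(\w+)=(\S+)')

def parse_record(line):
    """Split one audit record into a dict of key=value fields."""
    return dict(TOKEN_RE.findall(line))

def classify(rec):
    """Socket type name for an IPv4 socket() SYSCALL record, else None."""
    if rec.get('type') != 'SYSCALL' or rec.get('syscall') != 'socket':
        return None
    if int(rec['a0'], 16) != AF_INET:
        return None
    sock_type = int(rec['a1'], 16) & SOCK_TYPE_MASK   # drop NONBLOCK/CLOEXEC
    return {SOCK_STREAM: 'stream', SOCK_DGRAM: 'dgram',
            SOCK_RAW: 'raw'}.get(sock_type, 'other')

def udp_socket_openers(log_text, key='SOCKET'):
    """Map (exe, comm, auid) -> [(pid, ppid), ...] for successful UDP socket()
    calls tagged with `key`; raw and stream sockets are left out."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get('key') != key or rec.get('success') != 'yes':
            continue
        if classify(rec) == 'dgram':
            who = (rec['exe'], rec['comm'], rec['auid'])
            hits[who].append((int(rec['pid']), int(rec['ppid'])))
    return dict(hits)

if __name__ == '__main__':
    for (exe, comm, auid), procs in udp_socket_openers(SAMPLE_LOG).items():
        print(f'{auid:10} {comm:8} {exe:20} pid/ppid={procs}')
```

Feed it the real `ausearch -i -ts today -k SOCKET` output instead of SAMPLE_LOG to get a per-program summary rather than reading records one by one.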
Best Answer
The short answers are no and not easily.
On Linux lsof relies on /proc/net/unix to retrieve the information regarding UNIX domain sockets. This interface lists all of the bound sockets, but it does not keep track of endpoints. So you can see what sockets exist, but you can't see what's connected to them. Somewhere this information is tracked, it must be tracked or else the socket connections wouldn't work. I have yet to find any mechanism to retrieve the connection information.

The sniffing question is slightly more interesting, but no less disappointing. What I meant by "not easily" is that there does not exist any hook to sneak in and grab that data. The closest analog is using tcpdump or Wireshark, both of which use libpcap to actually do the heavy lifting. While network (AF_INET) and UNIX domain (AF_UNIX) sockets are both created using the socket() function call, both use connect() to connect, and both use read() and write() to process data, they are handled by different kernel subsystems. This has the unfortunate side effect that libpcap is not designed to work with UNIX domain sockets.

There is a slightly less dim side to the problem. Take a look at the man page for recv(2). This is a lower level system call that read() makes use of. There exists a flag for recv() called MSG_PEEK. This would allow you to sniff the traffic passing through a UNIX domain socket. So that's the bright side; the dark side is that to the best of my knowledge there does not exist any current application designed to do this. So you're looking at some development effort.

I really wish there was a nice simple answer of F'YEAH to both parts of your question.