Snooping on sockets/file descriptors

Vimal j.vimal at gmail.com
Fri Apr 1 03:23:44 EDT 2011


>
> then, something like dtrace or systemtap? IMO you're looking for kinda
> combo of kernel mode + user land "sniffer"... the user land sniffer,
> in its very simple form, is by using LD_PRELOAD ...
>

dtrace seems fine and is similar to ptrace.  But then, one would have
to enumerate all possible syscalls that the application can issue to
read data.  For example, it could use read(), recvfrom(), recvmsg(), or
even syscall(syscall#, args...).

I wonder if LD_PRELOAD can be done on a program without shutting it
down.  ptrace fits the bill here, except for the above problem.

Thanks!

-- 
Vimal
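Added example, not code from the thread: a minimal ptrace(2) tracer that shows the enumeration problem raised above. Because ptrace stops at the kernel boundary, a raw syscall(SYS_read, ...) is classified exactly like the read() wrapper, but every read-like syscall number (read, recvfrom, recvmsg here) still has to be listed by hand. Assumes Linux on x86_64 with glibc; the function names count_reads_on_fd, workload and is_read_like are this example's own.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
/* Syscall numbers the tracer must list by hand (x86_64 Linux). */
static int is_read_like(long nr) {
    return nr == SYS_read || nr == SYS_recvfrom || nr == SYS_recvmsg;
}
/* Child workload: one datagram socket read by four different routes. */
static void workload(int rfd, int wfd) {
    char buf[8];
    struct iovec iov = { buf, sizeof buf };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    for (int i = 0; i < 4; i++) if (write(wfd, "abc", 3) != 3) _exit(3);
    if (read(rfd, buf, 8) < 0 || syscall(SYS_read, rfd, buf, 8) < 0 ||  /* wrapper, raw */
        recvfrom(rfd, buf, 8, 0, NULL, NULL) < 0 || recvmsg(rfd, &msg, 0) < 0)
        _exit(3);
}
/* Fork, trace the child with PTRACE_SYSCALL and count read-like syscalls
   whose first argument is the child's read end. Returns -1 on failure. */
long count_reads_on_fd(void) {
    int sv[2], status, in_syscall = 0; long count = 0;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(2);
        raise(SIGSTOP);                 /* pause until the tracer sets options */
        workload(sv[0], sv[1]);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;  /* initial SIGSTOP */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0) return -1;
        waitpid(pid, &status, 0);
        if (WIFEXITED(status)) break;
        /* TRACESYSGOOD marks syscall stops as SIGTRAP|0x80; they alternate enter/exit. */
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;
        if (!(in_syscall = !in_syscall)) continue;     /* inspect registers on entry only */
        struct user_regs_struct regs; ptrace(PTRACE_GETREGS, pid, NULL, &regs);
        if (is_read_like((long)regs.orig_rax) && (int)regs.rdi == sv[0]) count++;
    }
    close(sv[0]); close(sv[1]);
    return WEXITSTATUS(status) == 0 ? count : -1;
}
```

A recv() or recv-family call the tracer forgot to list would pass through uncounted, which is the gap the enumeration has to cover.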



More information about the Kernelnewbies mailing list