Snooping on sockets/file descriptors
Vimal
j.vimal at gmail.com
Fri Apr 1 11:28:05 EDT 2011
Hi Javier,
>
> If you want to do it in the kernel, you can write a loadable kernel
> module to register netfilter hooks and obtain the socket buffers
> (sk_buff).
Thanks.
If you see my earlier posts, I didn't want netfilter/pcap because they
give me access to packets. I would like access to the stream of data
that is read by the application using read()/recvmsg()/etc. syscalls.
@all: thanks for the help; I think I've figured out how to do it. I
manually traced the system call to see which one would be called
ultimately, for read on a socket.
It turns out that skb_copy_datagram_iovec(..) is called ultimately (fn
defn: http://lxr.free-electrons.com/source/net/ipv4/tcp.c#L1668).
I could hook onto this function using kprobes and get the data that is read.
Thanks!
--
Vimal