Snooping on sockets/file descriptors
j.vimal at gmail.com
Fri Apr 1 11:28:05 EDT 2011
> If you want to do it in the kernel, you can write a loadable kernel
> module to register netfilter hooks and obtain the socket buffers

If you see my earlier posts, I didn't want netfilter/pcap because they
give me access to packets. I would like access to the stream of data
that is read by the application using read()/recvmsg()/etc syscalls.

@all: thanks for the help; I think I've figured out how to do it. I
manually traced the system call to see which one would be called
ultimately, for read on a socket.
It turns out that skb_copy_datagram_iovec(..) is called ultimately (fn
I could hook onto this function using kprobes and get the data that is read.