Snooping on sockets/file descriptors

Vimal j.vimal at
Fri Apr 1 11:28:05 EDT 2011

Hi Javier,

> If you want to do it in the kernel, you can write a loadable kernel
> module to register netfilter hooks and obtain the socket buffers
> (sk_buff).


If you see my earlier posts, I didn't want netfilter/pcap because they
give me access to packets.  I would like access to the stream of data
that is read by the application using read()/recvmsg()/etc. syscalls.

@all: thanks for the help; I think I've figured out how to do it.  I
manually traced the system call to see which one would ultimately be
called for a read on a socket.

It turns out that skb_copy_datagram_iovec(..) is called ultimately (fn

I could hook onto this function using kprobes and get the data that is read.


