[tcpdump-workers] Link-layer header type for unix domain sockets (UDS)

František Kučera konference at frantovo.cz
Sat Mar 23 15:50:10 EDT 2019


I am working on an application that extensively uses unix domain sockets 
for passing messages among its components. And in such situation good 
debugging tool is crucial.

I did some research and found that people usually proxy this socket 
communication through socat and UDP, so they see it in Wireshark. I 
found also some LD_PRELOAD implementations and even one kernel module. 
So there are several ways how to capture the data. But the question is, 
how such communication should be presented in the dump files.

My idea is that my application will have some debugging output that will 
emit data in the Libpcap format. My current approach is forging ethernet 
and IP packets and putting my data inside. But I know that it is bad. It 
is just proof-of-concept. What would be a correct and clean way?

I looked at <https://www.tcpdump.org/linktypes.html> and didn't find any 
appropriate header type. Could we add some? Or is it a wrong layer?

There is no MAC or IP address, but there are other useful metadata: 
socket path (might be also abstract), direction, UID, GID, PID...

Best Regards,


More information about the tcpdump-workers mailing list