[tcpdump-workers] Link-layer header type for unix domain sockets (UDS)
Guy Harris
gharris at sonic.net
Sun Mar 24 14:18:59 EDT 2019
On Mar 24, 2019, at 3:14 AM, František Kučera <konference at frantovo.cz> wrote:
> On 23 Mar 2019 at 21:04, Guy Harris wrote:
>> On Mar 23, 2019, at 12:50 PM, František Kučera <konference at frantovo.cz> wrote:
>>
>>> There is no MAC or IP address, but there are other useful metadata: socket path (might be also abstract), direction, UID, GID, PID...
>> Stream, datagram, or sequenced-packet sockets?
>
> In my application, it is a stream (but it would also be nice to support datagrams over UDS, so it can be useful in other cases too).
So perhaps we need separate link-layer header types for "arbitrary segment of a stream" (which would require TCP-like processing) and "datagram"?
Information in addition to the raw payload would be:

    name of the socket, if any (with Linux abstract sockets being handled);
    credentials of the peers;
    security label, on OSes supporting that;
    control message data (including but not necessarily limited to file descriptors being passed over the socket with SCM_RIGHTS).
Note that not all OSes support the same set of control-message types, and they might not use the same values for the same control-message type #define, so we'd probably want to assign our own values for control-message types. SCM_RIGHTS *might* be 1 on all UN*Xes, but that's probably the only one that would be. In Linux 4.20.3's socket.h, we have
#define SCM_RIGHTS 0x01 /* rw: access rights (array of int) */
#define SCM_CREDENTIALS 0x02 /* rw: struct ucred */
#define SCM_SECURITY 0x03 /* rw: security label */
and in macOS High Sierra's we have
#define SCM_RIGHTS 0x01 /* access rights (array of int) */
#define SCM_TIMESTAMP 0x02 /* timestamp (struct timeval) */
#define SCM_CREDS 0x03 /* process creds (struct cmsgcred) */
#define SCM_TIMESTAMP_MONOTONIC 0x04 /* timestamp (uint64_t) */
and in a just-svn-updated FreeBSD checkout we have
#define SCM_RIGHTS 0x01 /* access rights (array of int) */
#define SCM_TIMESTAMP 0x02 /* timestamp (struct timeval) */
#define SCM_CREDS 0x03 /* process creds (struct cmsgcred) */
#define SCM_BINTIME 0x04 /* timestamp (struct bintime) */
#define SCM_REALTIME 0x05 /* timestamp (struct timespec) */
#define SCM_MONOTONIC 0x06 /* timestamp (struct timespec) */
#define SCM_TIME_INFO 0x07 /* timestamp info */
and so on.
For SOCK_STREAM sockets and Linux SOCK_SEQPACKET sockets, some information, such as the socket name and information about the peers, would probably be provided with a special initial "packet" or "packets" at the beginning of the capture, as they're connection-oriented. For SOCK_DGRAM sockets, that would be provided for every packet, as I don't think you need to connect to send on one of them.
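Added example (not from this thread, and not libpcap or tcpdump code) illustrating the three points above in C on Linux: a hypothetical portable numbering for control-message kinds that is assigned independently of each OS's SCM_* values and filled in from the native (level, type) pair at capture time; an AF_UNIX SOCK_DGRAM socketpair over which one process passes a pipe descriptor with SCM_RIGHTS while the receiver has SO_PASSCRED set so the kernel attaches SCM_CREDENTIALS (the credentials are kernel-supplied, not sender-chosen); and a renderer for socket names that distinguishes an unnamed socket, a Linux abstract name (shown as "@name") and a filesystem path. The uds_* names, the enum values and the result bitmask are assumptions made for this example; the BSD/macOS SCM_CREDS branch carries a struct cmsgcred with a different layout and is only mapped, not decoded.

```c
/* Added example, not from the tcpdump-workers thread or from libpcap. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* glibc: struct ucred, SCM_CREDENTIALS */
#endif
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/un.h>

/* Hypothetical capture-format values, deliberately unrelated to any OS's SCM_* numbers. */
enum uds_cmsg_kind { UDS_CMSG_UNKNOWN = 0, UDS_CMSG_RIGHTS = 1, UDS_CMSG_CREDS = 2,
                     UDS_CMSG_SECURITY = 3, UDS_CMSG_TIMESTAMP = 4 };

/* Map the OS's (level, type) pair onto the portable numbering; only names the
 * local headers define are compiled in, since values differ between OSes. */
enum uds_cmsg_kind uds_map_cmsg(int level, int type)
{
    if (level != SOL_SOCKET)
        return UDS_CMSG_UNKNOWN;
    switch (type) {
    case SCM_RIGHTS:      return UDS_CMSG_RIGHTS;
#ifdef SCM_CREDENTIALS                      /* Linux: struct ucred */
    case SCM_CREDENTIALS: return UDS_CMSG_CREDS;
#endif
#ifdef SCM_CREDS                            /* BSD/macOS: struct cmsgcred, other value */
    case SCM_CREDS:       return UDS_CMSG_CREDS;
#endif
#ifdef SCM_SECURITY
    case SCM_SECURITY:    return UDS_CMSG_SECURITY;
#endif
#ifdef SCM_TIMESTAMP
    case SCM_TIMESTAMP:   return UDS_CMSG_TIMESTAMP;
#endif
    default:              return UDS_CMSG_UNKNOWN;
    }
}

/* Render a socket name as a capture record might: "" for an unnamed socket
 * (socketpair), "@name" for a Linux abstract socket (leading NUL), else the path.
 * n is the number of sun_path bytes actually used, as getsockname() reports it.
 * Simplification: an abstract name with embedded NULs is cut at the first one. */
const char *uds_name_str(const char *path_bytes, size_t n)
{
    static char out[sizeof(((struct sockaddr_un *)0)->sun_path) + 2];
    struct sockaddr_un sa;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    if (n > sizeof sa.sun_path) n = sizeof sa.sun_path;
    memcpy(sa.sun_path, path_bytes, n);
    if (n == 0)
        out[0] = '\0';
    else if (sa.sun_path[0] == '\0')
        snprintf(out, sizeof out, "@%.*s", (int)(n - 1), sa.sun_path + 1);
    else
        snprintf(out, sizeof out, "%.*s", (int)n, sa.sun_path); /* may lack a NUL */
    return out;
}

/* Result bitmask: 1 payload arrived, 2 an SCM_RIGHTS fd arrived, 4 that fd is
 * usable, 8 SCM_CREDENTIALS named this process as sender. -1 on syscall failure. */
int uds_demo_pass_fd(void)
{
    int sv[2], pfd[2], result = 0, one = 1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0 || pipe(pfd) < 0)
        return -1;
#ifdef SO_PASSCRED
    setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &one, sizeof one); /* receiver wants creds */
#endif
    (void)one;
    /* Sender: one byte of payload plus the pipe's write end in an SCM_RIGHTS cmsg. */
    char payload = 'x';
    struct iovec iov = { &payload, 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } sctl;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg); memset(&sctl, 0, sizeof sctl);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = &sctl; msg.msg_controllen = CMSG_SPACE(sizeof(int));
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &pfd[1], sizeof(int));
    if (sendmsg(sv[0], &msg, 0) != 1) return -1;

    /* Receiver: walk every cmsg and classify it through the portable mapping. */
    char rpayload = 0;
    struct iovec riov = { &rpayload, 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int)) + CMSG_SPACE(64)]; } rctl;
    struct msghdr rmsg;
    memset(&rmsg, 0, sizeof rmsg);
    rmsg.msg_iov = &riov; rmsg.msg_iovlen = 1;
    rmsg.msg_control = &rctl; rmsg.msg_controllen = sizeof rctl;
    if (recvmsg(sv[1], &rmsg, 0) != 1) return -1;
    if (rpayload == 'x') result |= 1;
    for (struct cmsghdr *rc = CMSG_FIRSTHDR(&rmsg); rc; rc = CMSG_NXTHDR(&rmsg, rc)) {
        switch (uds_map_cmsg(rc->cmsg_level, rc->cmsg_type)) {
        case UDS_CMSG_RIGHTS: {
            int fd; char ch;
            memcpy(&fd, CMSG_DATA(rc), sizeof fd);
            result |= 2;
            /* Prove it is a live descriptor: write through it, read from our own pipe end. */
            if (write(fd, "y", 1) == 1 && read(pfd[0], &ch, 1) == 1 && ch == 'y')
                result |= 4;
            close(fd);
            break;
        }
#ifdef SCM_CREDENTIALS
        case UDS_CMSG_CREDS: {
            struct ucred uc;                  /* filled in by the kernel, not the sender */
            memcpy(&uc, CMSG_DATA(rc), sizeof uc);
            if (uc.pid == getpid()) result |= 8;
            break;
        }
#endif
        default: break;
        }
    }
    close(sv[0]); close(sv[1]); close(pfd[0]); close(pfd[1]);
    return result;
}

int main(void)
{
    printf("fd-passing result mask: %d\n", uds_demo_pass_fd());
    printf("abstract name: %s\n", uds_name_str("\0frantovo", 9));
    return 0;
}
```

On Linux the mask comes back as 15; on a system without SCM_CREDENTIALS the credentials bit is simply absent. A capture writer would emit the enum value, never the raw cmsg_type, for exactly the reason given above: the same number means different things on different kernels.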