On Fri, Apr 1, 2011 at 9:23 AM, Vimal <[email protected]> wrote:
>>
>> then, something like dtrace or systemtap? IMO you're looking for kinda
>> combo of kernel mode + user land "sniffer"... the user land sniffer,
>> in its very simple form, is by using LD_PRELOAD ...
>>
>
> dtrace seems fine and is similar to ptrace. But then, one would have
> to enumerate all possible syscalls that the application can issue to
> read data. For example, it could use read(), recvfrom(), recvmsg(), or
> even syscall(syscall#, args...)
>
> I wonder if LD_PRELOAD can be done on a program without shutting it
> down. ptrace fits the bill here, except for the above problem.
>
If you want to do it in the kernel, you can write a loadable kernel module
to register netfilter hooks and obtain the socket buffers (sk_buff). Look at
this blog entry:

http://fcns.eu/2010/02/netfilter-hooks/

Hope it helps.

Regards,
-----------------------------------------
Javier Martínez Canillas
(+34) 682 39 81 69
PhD Student in High Performance Computing
Computer Architecture and Operating System Department (CAOS)
Universitat Autònoma de Barcelona
Barcelona, Spain

_______________________________________________
Kernelnewbies mailing list
[email protected]
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
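The approach Javier describes, as an added example that is not part of the thread or of the linked blog post: a minimal loadable kernel module that registers one netfilter hook at NF_INET_LOCAL_IN, inspects each sk_buff for TCP segments addressed to a local port given as a module parameter, logs the endpoints and payload length, and returns every packet unchanged with NF_ACCEPT. It assumes the nf_register_net_hook() interface of Linux 4.13 and later (the nf_register_hook() call and hook signature used in 2011 differ), an out-of-tree kbuild with `obj-m += sniff_hook.o`, and a default port of 8080 chosen here only for illustration.

```c
// Added example: observation-only netfilter hook as a loadable module.
// Assumes Linux >= 4.13 (nf_register_net_hook); build with kbuild, obj-m += sniff_hook.o
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/skbuff.h>
#include <net/net_namespace.h>

/* Assumed default port for the example; override at load time: insmod sniff_hook.ko watch_port=N */
static unsigned short watch_port = 8080;
module_param(watch_port, ushort, 0444);
MODULE_PARM_DESC(watch_port, "Local TCP port whose inbound segments are logged");

/* Hook body: runs for every IPv4 packet delivered to a local socket. */
static unsigned int sniff_hook(void *priv, struct sk_buff *skb,
                               const struct nf_hook_state *state)
{
    const struct iphdr *iph;
    const struct tcphdr *tcph;
    struct tcphdr _tcph;
    unsigned int ihl, tot_len, hdr_len;

    if (!skb)
        return NF_ACCEPT;

    iph = ip_hdr(skb);
    if (!iph || iph->protocol != IPPROTO_TCP)
        return NF_ACCEPT;

    ihl = iph->ihl * 4;
    /* Copy the TCP header out safely even when the skb is non-linear. */
    tcph = skb_header_pointer(skb, ihl, sizeof(_tcph), &_tcph);
    if (!tcph)
        return NF_ACCEPT;

    if (ntohs(tcph->dest) != watch_port)
        return NF_ACCEPT;

    /* Guard against a malformed length before subtracting header sizes. */
    tot_len = ntohs(iph->tot_len);
    hdr_len = ihl + tcph->doff * 4;
    if (tot_len < hdr_len)
        return NF_ACCEPT;

    /* Rate-limited so a busy port cannot flood the kernel log. */
    pr_info_ratelimited("sniff_hook: %pI4:%u -> %pI4:%u tcp payload=%u bytes\n",
                        &iph->saddr, ntohs(tcph->source),
                        &iph->daddr, ntohs(tcph->dest),
                        tot_len - hdr_len);

    return NF_ACCEPT; /* observe only: never drop or modify */
}

static struct nf_hook_ops sniff_ops = {
    .hook     = sniff_hook,
    .pf       = NFPROTO_IPV4,
    .hooknum  = NF_INET_LOCAL_IN,
    .priority = NF_IP_PRI_FIRST,
};

static int __init sniff_init(void)
{
    int ret = nf_register_net_hook(&init_net, &sniff_ops);

    if (ret)
        pr_err("sniff_hook: nf_register_net_hook failed: %d\n", ret);
    else
        pr_info("sniff_hook: watching inbound TCP port %u\n", watch_port);
    return ret;
}

static void __exit sniff_exit(void)
{
    nf_unregister_net_hook(&init_net, &sniff_ops);
    pr_info("sniff_hook: unloaded\n");
}

module_init(sniff_init);
module_exit(sniff_exit);
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Example observation-only netfilter hook");
```

Two points worth noting for anyone adapting this. First, NF_INET_LOCAL_IN sees packets after IP reassembly and before socket delivery, which is why a per-syscall enumeration (read, recvfrom, recvmsg, raw syscall) is unnecessary at this layer; a hook at NF_INET_PRE_ROUTING would also see forwarded traffic. Second, the hook is registered only in init_net, so sockets inside other network namespaces (containers) are not observed unless the module registers per namespace.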
