Live socket monitoring with netlink inet_diag
My goal is to monitor sockets and relate them to the applications that created them.
I am aware of netstat, ss, lsof and so on and that they can list all sockets with their application.
And I also know that I can parse /proc/net/tcp to get the sockets and relate them to the applications with /proc/(PID), which is exactly what these tools do or they use netlink sockets.

My research brought me to an article which explains how to get all sockets from the kernel with netlink via the inet_diag protocol. The user space program sets up a netlink socket of the inet_diag type and sends a request to the kernel. The response consists of several messages which contain the sockets and additional related information.
This is really neat, but unfortunately the kernel sends this information only once per request. So I have to "poll" continuously.

Further research brought me to another article which continuously monitors IP changes of interfaces with netlink route sockets. The socket is bound to a multicast group and then messages are read from it in an endless loop.

So I investigated whether the same is possible with inet_diag sockets. Unfortunately I am not really able to understand kernel code. But as far as I can tell there are no multicast groups for this socket family.

At this point I am stuck and I need to know if this approach is somehow feasible or somebody knows any other hints.

Sternum answered 30/8, 2013 at 21:10 Comment(3)
You may need to explain why a tool like lsof does not meet your needs.Assemblyman
Yeah true, I should have also mentioned that. Thanks for the comment. I want to have a user-space daemon that monitors sockets on an event basis (new socket, closed socket, I think essentially the socket-related system calls) and collects information like protocol, ports and the application that created the socket. Maybe I also want to collect the payload of the sockets. Thus a mechanism like in the example with the netlink_route protocol with the multicast groups would be really handy. But due to a lack of documentation I can't figure it out myself :(Sternum
What about using audit in order to monitor related syscalls? By monitoring the socket syscall you can know the ports a process is using.Nomen
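The request/reply exchange the question describes, as an added example written for this page (it is not code from the post or from the article it cites). It sends one inet_diag_req_v2 dump request over NETLINK_SOCK_DIAG (older headers spell the same protocol number NETLINK_INET_DIAG) for IPv4 TCP sockets in LISTEN or ESTABLISHED state and walks the multi-part reply until NLMSG_DONE. The TCPF_* bitmask names, the file name and the reply produced by build_sample_reply() are this example's own assumptions; the sample reply is constructed so the parser can be exercised without a live netlink socket:

```c
/* Added example for this page (not code from the post or the article it cites):
 * a one-shot dump of IPv4 TCP sockets over NETLINK_SOCK_DIAG, the inet_diag
 * protocol the question describes. Linux only. Build: gcc -Wall -o sockdiag sockdiag.c */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>

#define TCPF_ESTABLISHED (1u << 1)   /* idiag_states is a bitmask over the kernel's TCP */
#define TCPF_LISTEN      (1u << 10)  /* state numbers (1 = ESTABLISHED, 10 = LISTEN) */

struct diag_request { struct nlmsghdr nlh; struct inet_diag_req_v2 req; };
struct sock_entry { char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
                    uint16_t sport, dport; uint8_t state; uint32_t uid, inode; };

/* One request asks for every IPv4 TCP socket whose state bit is in state_mask.
 * NLM_F_DUMP is what makes the kernel answer with a multi-part reply. */
size_t build_tcp_request(struct diag_request *r, uint32_t state_mask, uint32_t seq)
{
    memset(r, 0, sizeof *r);
    r->nlh.nlmsg_len = NLMSG_LENGTH(sizeof r->req);
    r->nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
    r->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
    r->nlh.nlmsg_seq = seq;
    r->req.sdiag_family = AF_INET;
    r->req.sdiag_protocol = IPPROTO_TCP;
    r->req.idiag_states = state_mask;
    return r->nlh.nlmsg_len;
}

/* Walk the netlink messages in one recv() buffer. Returns how many sockets were
 * copied to out, or -1 on NLMSG_ERROR. *done is set when NLMSG_DONE arrives: the
 * kernel sends nothing further for this request, so there is no event stream. */
int parse_diag_reply(const void *buf, int len, struct sock_entry *out, int max, int *done)
{
    const struct nlmsghdr *nlh = buf;
    int n = 0;
    for (*done = 0; NLMSG_OK(nlh, len); nlh = NLMSG_NEXT(nlh, len)) {
        if (nlh->nlmsg_type == NLMSG_DONE) { *done = 1; break; }
        if (nlh->nlmsg_type == NLMSG_ERROR) return -1;
        if (nlh->nlmsg_type != SOCK_DIAG_BY_FAMILY || n >= max) continue;
        const struct inet_diag_msg *m = NLMSG_DATA(nlh);
        struct sock_entry *e = &out[n++];
        inet_ntop(AF_INET, m->id.idiag_src, e->src, sizeof e->src);
        inet_ntop(AF_INET, m->id.idiag_dst, e->dst, sizeof e->dst);
        e->sport = ntohs(m->id.idiag_sport); e->dport = ntohs(m->id.idiag_dport);
        e->state = m->idiag_state; e->uid = m->idiag_uid; e->inode = m->idiag_inode;
    }
    return n;
}

/* Constructed sample reply (two sockets, then NLMSG_DONE) in the kernel's wire
 * layout, so the parser can be exercised without a live netlink socket. */
size_t build_sample_reply(unsigned char *buf)
{
    const struct { uint8_t st; const char *src, *dst; uint16_t sp, dp; uint32_t ino; } s[2] = {
        { 10, "0.0.0.0", "0.0.0.0", 22, 0, 12345 },              /* LISTEN on *:22 */
        { 1, "10.0.0.5", "93.184.216.34", 44321, 443, 12346 } };  /* ESTABLISHED */
    struct nlmsghdr h = { .nlmsg_len = NLMSG_LENGTH(sizeof(struct inet_diag_msg)),
                          .nlmsg_type = SOCK_DIAG_BY_FAMILY };
    size_t off = 0;
    for (int i = 0; i < 2; i++, off += NLMSG_ALIGN(h.nlmsg_len)) {
        struct inet_diag_msg m = { .idiag_family = AF_INET, .idiag_state = s[i].st,
                                   .idiag_uid = 1000, .idiag_inode = s[i].ino };
        inet_pton(AF_INET, s[i].src, m.id.idiag_src); m.id.idiag_sport = htons(s[i].sp);
        inet_pton(AF_INET, s[i].dst, m.id.idiag_dst); m.id.idiag_dport = htons(s[i].dp);
        memcpy(buf + off, &h, sizeof h);
        memcpy(buf + off + NLMSG_LENGTH(0), &m, sizeof m);
    }
    h.nlmsg_len = NLMSG_LENGTH(0); h.nlmsg_type = NLMSG_DONE;   /* closes the multi-part dump */
    memcpy(buf + off, &h, sizeof h);
    return off + NLMSG_ALIGN(h.nlmsg_len);
}

int main(void)
{
    struct diag_request r;
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };   /* nl_pid 0 addresses the kernel */
    struct sock_entry ents[512]; unsigned char buf[32768];
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG), done = 0;
    if (fd < 0) { perror("socket"); return 1; }
    size_t rlen = build_tcp_request(&r, TCPF_LISTEN | TCPF_ESTABLISHED, 1);
    if (sendto(fd, &r, rlen, 0, (struct sockaddr *)&kernel, sizeof kernel) < 0) { perror("sendto"); return 1; }
    while (!done) {   /* the dump may span several recv()s; NLMSG_DONE ends it */
        ssize_t got = recv(fd, buf, sizeof buf, 0);
        int n = got > 0 ? parse_diag_reply(buf, (int)got, ents, 512, &done) : -1;
        if (n < 0) { fprintf(stderr, "recv failed or kernel returned NLMSG_ERROR\n"); return 1; }
        for (int i = 0; i < n; i++)   /* inode is the key for the /proc/<pid>/fd lookup */
            printf("state=%-2u %s:%u -> %s:%u uid=%u inode=%u\n", (unsigned)ents[i].state, ents[i].src,
                   ents[i].sport, ents[i].dst, ents[i].dport, ents[i].uid, ents[i].inode);
    }
    close(fd); return 0;
}
```

Each inet_diag_msg carries idiag_inode, which is the number that appears as socket:[inode] in the /proc/<pid>/fd symlinks, so it is the join key for the /proc-based PID lookup the question already mentions (ss -p does the same walk). As the question observes, nothing follows NLMSG_DONE; seeing a socket that was created afterwards requires sending another request.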
You can try dtrace if none of the tools you mentioned meet your requirements.

Craniometer answered 31/8, 2013 at 3:23 Comment(2)
dtrace could be a possible solution to my problem. I just had a short glimpse at it and it seems like the desired information can be extracted with it. Is there a way to run this as a daemon and communicate with other processes? Because all the examples I have seen so far print the events with their information to the console.Sternum
popen() may help using it in your program, piping output to wherever you want.Trammell
You can use a kprobe kernel module to hook all connect system calls, which monitors sockets and relates them to the applications that created them.

Just like Elkeid: the Elkeid Driver hooks kernel functions via Kprobe, providing rich and accurate data collection capabilities, including kernel-level process execve probing, privilege escalation monitoring, network auditing, and much more. The Driver treats container-based monitoring as a first-class citizen alongside host-based data collection by supporting Linux namespaces. Compared to user-space agents on the market, Elkeid provides more comprehensive information with a massive performance improvement.

Chaille answered 30/12, 2021 at 11:27 Comment(0)
