On Fri, Apr 1, 2011 at 9:23 AM, Vimal <j.vimal@xxxxxxxxx> wrote:
>>
>> then, something like dtrace or systemtap? IMO you're looking for kinda
>> combo of kernel mode + user land "sniffer"... the user land sniffer,
>> in its very simple form, is by using LD_PRELOAD ...
>>
>
> dtrace seems fine and is similar to ptrace. But then, one would have
> to enumerate all possible syscalls that the application can issue to
> read data. E.g., it could use read(), recvfrom(), recvmsg(), or
> even syscall(syscall#, args...)
>
> I wonder if LD_PRELOAD can be done on a program without shutting it
> down. ptrace fits the bill here, except for the above problem.
>

If you want to do it in the kernel, you can write a loadable kernel module
to register netfilter hooks and obtain the socket buffers (sk_buff).

Look at this blog entry:

http://fcns.eu/2010/02/netfilter-hooks/

Hope it helps.

Regards,
-----------------------------------------
Javier Martínez Canillas
(+34) 682 39 81 69
PhD Student in High Performance Computing
Computer Architecture and Operating System Department (CAOS)
Universitat Autònoma de Barcelona
Barcelona, Spain

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
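As an added illustration of the ptrace-vs-LD_PRELOAD point raised in the quoted reply (this is example code written for this page, not from the list thread or from the blog post linked above): a minimal ptrace syscall tracer that tallies which read-like syscalls a child process issues. Because ptrace reports the raw syscall number at each syscall-entry stop, a direct `syscall(SYS_read, ...)` is observed exactly like a libc `read()` call, which is the case an LD_PRELOAD wrapper around `read()` would miss. The workload (`sample_workload`), the `read_stats` structure and `trace_child_reads` are constructed for this example; it assumes Linux on x86_64 or aarch64 and a sandbox that permits `PTRACE_TRACEME` (it returns -1 rather than failing when tracing is refused).

```c
/* Added example: tally read-like syscalls of a traced child (Linux x86_64/aarch64). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <elf.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>

struct read_stats {
    long read_calls;      /* read(2), whether via libc or a raw syscall */
    long readv_calls;     /* readv(2) */
    long pread_calls;     /* pread64(2) */
    long recvfrom_calls;  /* recvfrom(2); recv() lands here too */
    long recvmsg_calls;   /* recvmsg(2) */
    long other_calls;     /* everything else the child issued */
};

/* Map a syscall number to the matching counter; unknown numbers go to other_calls. */
static void count_syscall(long nr, struct read_stats *st)
{
    switch (nr) {
    case SYS_read:     st->read_calls++;     break;
    case SYS_readv:    st->readv_calls++;    break;
    case SYS_pread64:  st->pread_calls++;    break;
    case SYS_recvfrom: st->recvfrom_calls++; break;
    case SYS_recvmsg:  st->recvmsg_calls++;  break;
    default:           st->other_calls++;    break;
    }
}

/* Fetch the syscall number of a tracee stopped at syscall entry; -1 on failure. */
static long syscall_number(pid_t pid)
{
#if defined(__x86_64__)
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) return -1;
    return (long)regs.orig_rax;           /* orig_rax holds the number at entry */
#elif defined(__aarch64__)
    struct user_regs_struct regs;
    struct iovec iov = { &regs, sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)NT_PRSTATUS, &iov) < 0) return -1;
    return (long)regs.regs[8];            /* x8 carries the syscall number */
#else
    (void)pid;
    return -1;
#endif
}

/* Fork, run workload() in the child under PTRACE_SYSCALL, and fill *st with
 * what the child did. Returns 0 on success, -1 if tracing is not permitted
 * here (seccomp, Yama, ...) or a ptrace/wait call fails. */
int trace_child_reads(void (*workload)(void), struct read_stats *st)
{
    memset(st, 0, sizeof *st);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(99);
        raise(SIGSTOP);                   /* hand control to the tracer first */
        workload();
        _exit(0);
    }
    int status, in_syscall = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD) < 0) goto fail;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0) goto fail;
        if (waitpid(pid, &status, 0) < 0) goto fail;
        if (WIFEXITED(status) || WIFSIGNALED(status)) break;
        /* With TRACESYSGOOD, syscall stops report SIGTRAP|0x80 and alternate entry/exit. */
        if (WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80)) {
            in_syscall = !in_syscall;
            if (in_syscall) {
                long nr = syscall_number(pid);
                if (nr < 0) goto fail;
                count_syscall(nr, st);
            }
        }
    }
    return 0;
fail:
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    return -1;
}

/* Constructed workload: one read() through libc, then one raw syscall(SYS_read). */
void sample_workload(void)
{
    int fds[2];
    char buf[8];
    ssize_t n;
    if (pipe(fds) < 0) return;
    if (write(fds[1], "hello", 5) == 5) { n = read(fds[0], buf, sizeof buf); (void)n; }
    if (write(fds[1], "world", 5) == 5) { n = syscall(SYS_read, fds[0], buf, sizeof buf); (void)n; }
    close(fds[0]);
    close(fds[1]);
}

int main(void)
{
    struct read_stats st;
    if (trace_child_reads(sample_workload, &st) < 0) {
        fprintf(stderr, "tracing not available here (ptrace refused)\n");
        return 1;
    }
    printf("read=%ld readv=%ld pread64=%ld recvfrom=%ld recvmsg=%ld other=%ld\n",
           st.read_calls, st.readv_calls, st.pread_calls,
           st.recvfrom_calls, st.recvmsg_calls, st.other_calls);
    return 0;
}
```

Running it reports `read=2`: both the libc call and the raw `syscall(SYS_read, ...)` are counted, because the tracer looks at the register holding the syscall number rather than at which library function was called. The flip side is the enumeration problem from the quoted reply: the switch in `count_syscall` has to list every entry point the application might use, and an unlisted one silently ends up in `other_calls`.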