All geek questions in one place

How to run code every time a new socket is created on my Linux machine?

I need to call a function every time a new TCP socket is created on my Linux server. Circuit Code:

do { new_socket = block_until_new_socket_created(); do_something(new_socket); } while (true);

The question is, is there any library / tool / function to notify when a new tcp socket is created on the UNIX / Linux server where the code is executed?

The programming code is C.

+6
source share
5 answers

An old question, but there are at least two ways to do this:

1) Use the audit subsystem

You can configure auditd and the Linux auditing subsystem to log a message every time any system call occurs. It will include a time stamp and a call process. Something that hooks 'connect ()' and / or 'bind ()' should get you what you need for sockets. This is what has been done for the audit.

2) Use ip_conntrack (netfilter / ip_tables)

Use something like the libnetfilter-conntrack library (which uses the ip_conntrack kernel module), you will receive notifications of all new sockets with filtering as desired. However, it will only indicate the local and remote address / port and timestamp, not the inode. This means that to correlate this with pid, you first need to read the notification from conntrack and then parse the files in the / proc / net / {tcp / udp / whatever} files to find the socket and inode and then parse all the / proc files / $ pid / fd / * to find out which pid owns this inode. At each step, you should hope that the socket does not disappear by the time you read the files in this three-step process. Such a system is used by flowtop from the netsniff-ng utils package.

All systems require root, although after auditd is configured with root, the logs can be read without root authority if you want. I think you would like to use auditd whenever possible. The ip_conntrack interface seems a bit nice at first, but auditd provides you with all the information you need, including pid tracking, for free.

+3
source

I do not think you can get a notification about socket creation. What you can do is periodically check open sockets by reading /proc/net/tcp . One of the columns in this file is the "inode" of the socket.

After you find the inode, you can find the processes (there may be several) that open this socket by looking at the /proc/[pid]/fd directories.

+1
source

Well, you should be able to use nmap to view available open sockets on your Linux machine. For example, if you manage to create and bind a server to a port number, say 9999, nmap will show that the port is open.

I donโ€™t think that getting the PID is possible for the socket server ... However, you can get the PID of the program using this socket using the "top" command.

0
source

If the sockets of interest are managed by inetd, then you can modify it to trigger your events when it accepts a new connection.

If, however, you also want to get sockets and those that bypass inetd, you will need to use the approaches suggested in other answers.

0
source

I donโ€™t know if this is possible in "regular programs", but you can write your own kernel module that "intercepts" the associated system call that is called when the socket is created (I think this is sys_socket , but I'm not sure about that). But, as @Zoska points out, you need the privilege to load kernel modules.

Hooking means (basically) that you redirect the original call to your own function, which in turn can call the original system call and perform the before and after operations so that you can let your function notify your program. Here is some information about intercepting system calls.

0
source

Source: https://habr.com/ru/post/953335/

More articles:


All Articles