On May 5, 2014, at 3:26 PM, Steve Grubb <[email protected]> wrote:
> saddr is a hex encoded blob that is a struct sockaddr.
I’m writing my own parsing code to add Linux analysis to my Mac-based BSM audit
analysis tools, so I might be asking some “out of left field” questions from
time to time. I’ve been working my way through decoding things like the
sockaddr hex blob.
>> …
>
> It's a socket address structure. It may or may not be null terminated
> depending on the socket type.
>
>> ...
>
> It's other fields in struct sockaddr.
>
>> ...
>
> That would be an abstract af_unix socket.
With that info I did a little more digging and found a lot of this information
in
$ man 7 unix
Thanks!
Todd
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
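A decoder for the saddr blob discussed above, added here as an example and not part of this thread or of audit's own code. It assumes a little-endian Linux capture host (sa_family is stored in host byte order) and Linux address-family numbers; the SOCKADDR record line in the sample is constructed.

```python
import ipaddress
import re
import struct

# Linux address-family numbers as they appear in the record (AF_INET6 is 10 on
# Linux, not the macOS/BSM value of 30).
AF_UNIX, AF_INET, AF_INET6, AF_NETLINK = 1, 2, 10, 16


def parse_saddr(hexblob):
    """Decode the hex-encoded struct sockaddr from an audit SOCKADDR record.

    sa_family is host byte order (little-endian host assumed); ports are
    network byte order as in the kernel structs.
    """
    raw = bytes.fromhex(hexblob)
    if len(raw) < 2:
        raise ValueError("saddr shorter than sa_family_t")
    family = struct.unpack_from("<H", raw, 0)[0]
    if family == AF_INET and len(raw) >= 8:           # struct sockaddr_in
        port = struct.unpack_from("!H", raw, 2)[0]
        return {"family": "AF_INET", "addr": str(ipaddress.IPv4Address(raw[4:8])), "port": port}
    if family == AF_INET6 and len(raw) >= 24:         # struct sockaddr_in6: port, flowinfo, addr
        port = struct.unpack_from("!H", raw, 2)[0]
        return {"family": "AF_INET6", "addr": str(ipaddress.IPv6Address(raw[8:24])), "port": port}
    if family == AF_UNIX:                             # struct sockaddr_un, sun_path follows sa_family
        path = raw[2:]
        if not path:
            return {"family": "AF_UNIX", "kind": "unnamed"}
        if path[0] == 0:
            # abstract namespace (man 7 unix): leading NUL, the rest is the name
            # and is length-delimited, so it is kept byte-for-byte
            return {"family": "AF_UNIX", "kind": "abstract", "name": path[1:].decode("latin-1")}
        # filesystem pathname: NUL terminated, but the terminator may be absent
        return {"family": "AF_UNIX", "kind": "pathname",
                "path": path.split(b"\0", 1)[0].decode("utf-8", "replace")}
    if family == AF_NETLINK and len(raw) >= 12:       # struct sockaddr_nl: pad, nl_pid, nl_groups
        pid, groups = struct.unpack_from("<II", raw, 4)
        return {"family": "AF_NETLINK", "pid": pid, "groups": groups}
    return {"family": family, "raw": raw[2:].hex()}    # unknown family: keep the bytes


def saddr_from_record(line):
    """Pull saddr= out of one SOCKADDR record line and decode it (None if absent)."""
    m = re.search(r"\bsaddr=([0-9A-Fa-f]+)", line)
    return parse_saddr(m.group(1)) if m else None


# Constructed sample record: a connect() to 192.168.1.10 port 22
SAMPLE = "type=SOCKADDR msg=audit(1399321600.123:4567): saddr=02000016C0A8010A0000000000000000"
if __name__ == "__main__":
    print(saddr_from_record(SAMPLE))
```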