On Mar 24, 2019, at 3:14 AM, František Kučera <konfere...@frantovo.cz> wrote:

> Dne 23. 03. 19 v 21:04 Guy Harris napsal(a):
>> On Mar 23, 2019, at 12:50 PM, František Kučera <konfere...@frantovo.cz> wrote:
>> 
>>> There is no MAC or IP address, but there are other useful metadata: socket 
>>> path (might be also abstract), direction, UID, GID, PID...
>> Stream, datagram, or sequenced-packet sockets?
> 
> In my application, it is a stream. (but it would be nice to support also 
> datagrams over UDS, so it can be useful also in other cases)

So perhaps we need separate link-layer header types for "arbitrary segment of a 
stream" (which would require TCP-like processing) and "datagram"?

Information in addition to raw payload would be:

        name of the socket, if any (with Linux abstract sockets being handled);

        credentials of the peers;

        security label, on OSes supporting that;

        control message data (including but not necessarily limited to file 
descriptors being passed over the socket with SCM_RIGHTS).

Note that not all OSes support the same set of control-message types, and they 
might not use the same values for the same control-message type #define, so 
we'd probably want to assign our own values for control-message types.  
SCM_RIGHTS *might* be 1 on all UN*Xes, but that's probably the only one that 
would be.  In Linux 4.20.3's socket.h, we have

        #define SCM_RIGHTS      0x01            /* rw: access rights (array of int) */
        #define SCM_CREDENTIALS 0x02            /* rw: struct ucred */
        #define SCM_SECURITY    0x03            /* rw: security label */

and in macOS High Sierra's we have

        #define SCM_RIGHTS              0x01    /* access rights (array of int) */
        #define SCM_TIMESTAMP           0x02    /* timestamp (struct timeval) */
        #define SCM_CREDS               0x03    /* process creds (struct cmsgcred) */
        #define SCM_TIMESTAMP_MONOTONIC 0x04    /* timestamp (uint64_t) */

and in a just-svn-updated FreeBSD checkout we have

        #define SCM_RIGHTS      0x01            /* access rights (array of int) */
        #define SCM_TIMESTAMP   0x02            /* timestamp (struct timeval) */
        #define SCM_CREDS       0x03            /* process creds (struct cmsgcred) */
        #define SCM_BINTIME     0x04            /* timestamp (struct bintime) */
        #define SCM_REALTIME    0x05            /* timestamp (struct timespec) */
        #define SCM_MONOTONIC   0x06            /* timestamp (struct timespec) */
        #define SCM_TIME_INFO   0x07            /* timestamp info */

and so on.

For SOCK_STREAM sockets and Linux SOCK_SEQPACKET sockets, some information, 
such as the socket name and information about the peers, would probably be 
provided with a special initial "packet" or "packets" at the beginning of the 
capture, as they're connection-oriented.  For SOCK_DGRAM sockets, that would be 
provided for every packet, as I don't think you need to connect to send on one 
of them.

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
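An added example, not from this thread or from libpcap: C code that maps the running OS's (cmsg_level, cmsg_type) pair to a format-private code, which the header excerpts above show is necessary (Linux's SCM_SECURITY and FreeBSD's SCM_CREDS are both 0x03), and exercises it by passing one file descriptor over a local socketpair() with SCM_RIGHTS. The CAP_SCM_* codes and both function names are assumptions for illustration, not an assigned pcap encoding.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Format-private codes (assumed here), independent of each OS's SCM_* values. */
enum { CAP_SCM_UNKNOWN = 0, CAP_SCM_RIGHTS = 1, CAP_SCM_CREDS = 2, CAP_SCM_SECURITY = 3 };

/* Map the running OS's control-message type to a format-private code; each
 * case compiles only where the platform headers define that name. */
int cap_scm_type(int level, int type)
{
    if (level != SOL_SOCKET) return CAP_SCM_UNKNOWN;
    if (type == SCM_RIGHTS) return CAP_SCM_RIGHTS;
#ifdef SCM_CREDENTIALS                      /* Linux: struct ucred */
    if (type == SCM_CREDENTIALS) return CAP_SCM_CREDS;
#endif
#ifdef SCM_CREDS                            /* macOS, FreeBSD: struct cmsgcred */
    if (type == SCM_CREDS) return CAP_SCM_CREDS;
#endif
#ifdef SCM_SECURITY                         /* Linux: security label */
    if (type == SCM_SECURITY) return CAP_SCM_SECURITY;
#endif
    return CAP_SCM_UNKNOWN;                 /* e.g. the BSD timestamp types */
}

/* Pass one fd over a local AF_UNIX socketpair with SCM_RIGHTS, receive it, and
 * return the format-private code of the control message seen (-1 on failure). */
int demo_rights_roundtrip(void)
{
    int sv[2], pfd[2], rfd, result = -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    if (pipe(pfd) < 0) { close(sv[0]); close(sv[1]); return -1; }
    char byte = 'x';                        /* one payload byte, constructed */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr h; char b[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.b, .msg_controllen = sizeof u.b };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &pfd[0], sizeof(int));       /* the fd being passed */
    if (sendmsg(sv[0], &msg, 0) == 1 && recvmsg(sv[1], &msg, 0) == 1 &&
        (c = CMSG_FIRSTHDR(&msg)) != NULL) {
        result = cap_scm_type(c->cmsg_level, c->cmsg_type);
        memcpy(&rfd, CMSG_DATA(c), sizeof rfd); close(rfd); /* kernel-dup'd fd */
    }
    close(sv[0]); close(sv[1]); close(pfd[0]); close(pfd[1]);
    return result;
}
```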