On Mar 24, 2019, at 3:14 AM, František Kučera <konfere...@frantovo.cz> wrote:
> On 23 Mar 2019 at 21:04, Guy Harris wrote:
>> On Mar 23, 2019, at 12:50 PM, František Kučera <konfere...@frantovo.cz> wrote:
>>
>>> There is no MAC or IP address, but there are other useful metadata: socket
>>> path (might be also abstract), direction, UID, GID, PID...
>>
>> Stream, datagram, or sequenced-packet sockets?
>
> In my application, it is a stream. (But it would be nice to also support
> datagrams over UDS, so it can be useful in other cases as well.)

So perhaps we need separate link-layer header types for "arbitrary segment of a stream" (which would require TCP-like processing) and "datagram"?

Information in addition to the raw payload would be:

- name of the socket, if any (with Linux abstract sockets being handled);
- credentials of the peers;
- security label, on OSes supporting that;
- control message data (including, but not necessarily limited to, file descriptors being passed over the socket with SCM_RIGHTS).

Note that not all OSes support the same set of control-message types, and they might not use the same values for the same control-message type #define, so we'd probably want to assign our own values for control-message types. SCM_RIGHTS *might* be 1 on all UN*Xes, but that's probably the only one that would be.
In Linux 4.20.3's socket.h, we have

    #define SCM_RIGHTS      0x01  /* rw: access rights (array of int) */
    #define SCM_CREDENTIALS 0x02  /* rw: struct ucred */
    #define SCM_SECURITY    0x03  /* rw: security label */

and in macOS High Sierra's we have

    #define SCM_RIGHTS              0x01  /* access rights (array of int) */
    #define SCM_TIMESTAMP           0x02  /* timestamp (struct timeval) */
    #define SCM_CREDS               0x03  /* process creds (struct cmsgcred) */
    #define SCM_TIMESTAMP_MONOTONIC 0x04  /* timestamp (uint64_t) */

and in a just-svn-updated FreeBSD checkout we have

    #define SCM_RIGHTS    0x01  /* access rights (array of int) */
    #define SCM_TIMESTAMP 0x02  /* timestamp (struct timeval) */
    #define SCM_CREDS     0x03  /* process creds (struct cmsgcred) */
    #define SCM_BINTIME   0x04  /* timestamp (struct bintime) */
    #define SCM_REALTIME  0x05  /* timestamp (struct timespec) */
    #define SCM_MONOTONIC 0x06  /* timestamp (struct timespec) */
    #define SCM_TIME_INFO 0x07  /* timestamp info */

and so on.

For SOCK_STREAM sockets and Linux SOCK_SEQPACKET sockets, some information, such as the socket name and information about the peers, would probably be provided with a special initial "packet" or "packets" at the beginning of the capture, as they're connection-oriented. For SOCK_DGRAM sockets, that would be provided for every packet, as I don't think you need to connect to send on one of them.

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
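The message above argues that a capture format cannot simply record the native cmsg_type number, because 0x02 means SCM_CREDENTIALS on Linux but SCM_TIMESTAMP on macOS and FreeBSD. The C program below is an added example, not code from the thread or from libpcap: it defines a set of hypothetical capture-side constants (UDS_CMSG_*, chosen only for this example), maps the native (level, type) pair of each control message onto them with #ifdef guards so the right translation is compiled in on each OS, and walks a constructed SCM_RIGHTS ancillary-data buffer carrying two made-up descriptor numbers to show what such a writer would record per control message.

```c
/* Added example, not libpcap code. UDS_CMSG_* are hypothetical capture-format
 * constants invented here; they are not defined by libpcap or any OS. */
#define _GNU_SOURCE           /* glibc exposes SCM_CREDENTIALS only with this */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* OS-independent values written to the capture instead of raw SCM_* numbers. */
enum uds_cmsg_type {
    UDS_CMSG_UNKNOWN     = 0,
    UDS_CMSG_RIGHTS      = 1,  /* file descriptors (SCM_RIGHTS) */
    UDS_CMSG_CREDENTIALS = 2,  /* Linux SCM_CREDENTIALS, BSD/macOS SCM_CREDS */
    UDS_CMSG_SECURITY    = 3,  /* Linux SCM_SECURITY */
    UDS_CMSG_TIMESTAMP   = 4   /* SCM_TIMESTAMP where the OS has it */
};

/* Translate a cmsghdr's (level, type) to the capture value. The #ifdefs pick
 * the native numbers of the OS this is compiled on, which is exactly why the
 * capture must carry its own values: the same number differs per OS. */
enum uds_cmsg_type uds_cmsg_type_from_native(int level, int type)
{
    if (level != SOL_SOCKET)
        return UDS_CMSG_UNKNOWN;
    if (type == SCM_RIGHTS)
        return UDS_CMSG_RIGHTS;
#ifdef SCM_CREDENTIALS
    if (type == SCM_CREDENTIALS)
        return UDS_CMSG_CREDENTIALS;
#endif
#ifdef SCM_CREDS
    if (type == SCM_CREDS)
        return UDS_CMSG_CREDENTIALS;
#endif
#ifdef SCM_SECURITY
    if (type == SCM_SECURITY)
        return UDS_CMSG_SECURITY;
#endif
#ifdef SCM_TIMESTAMP
    if (type == SCM_TIMESTAMP)
        return UDS_CMSG_TIMESTAMP;
#endif
    return UDS_CMSG_UNKNOWN;
}

/* One record per control message, as a capture writer might emit it. */
struct uds_cmsg_record {
    enum uds_cmsg_type type;   /* normalized value for the capture */
    int native_type;           /* original cmsg_type, kept for debugging */
    size_t payload_len;        /* bytes of data following the cmsghdr */
    size_t nfds;               /* for UDS_CMSG_RIGHTS: descriptors carried */
};

/* Walk msg's ancillary data, filling out[]; returns records written. */
size_t uds_summarize_cmsgs(struct msghdr *msg, struct uds_cmsg_record *out,
                           size_t max)
{
    size_t n = 0;
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(msg); cm != NULL && n < max;
         cm = CMSG_NXTHDR(msg, cm)) {
        struct uds_cmsg_record *r = &out[n++];
        r->type = uds_cmsg_type_from_native(cm->cmsg_level, cm->cmsg_type);
        r->native_type = cm->cmsg_type;
        r->payload_len = cm->cmsg_len - CMSG_LEN(0);
        r->nfds = (r->type == UDS_CMSG_RIGHTS) ? r->payload_len / sizeof(int) : 0;
    }
    return n;
}

/* Build a constructed (not captured) SCM_RIGHTS message carrying two
 * made-up descriptor numbers and summarize it; returns the fd count found. */
size_t demo_rights_message(struct uds_cmsg_record *rec)
{
    int fds[2] = { 3, 4 };                 /* constructed sample values */
    union {
        struct cmsghdr hdr;                /* forces cmsghdr alignment */
        unsigned char buf[CMSG_SPACE(sizeof fds)];
    } control;
    struct msghdr msg;

    memset(&control, 0, sizeof control);
    memset(&msg, 0, sizeof msg);
    msg.msg_control = control.buf;
    msg.msg_controllen = sizeof control.buf;

    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof fds);
    memcpy(CMSG_DATA(cm), fds, sizeof fds);

    if (uds_summarize_cmsgs(&msg, rec, 1) != 1)
        return 0;
    return rec->nfds;
}

int main(void)
{
    struct uds_cmsg_record rec;
    size_t nfds = demo_rights_message(&rec);
    printf("native type %d -> capture type %d, %zu payload bytes, %zu fds\n",
           rec.native_type, (int)rec.type, rec.payload_len, nfds);
    return nfds == 2 ? 0 : 1;
}
```

A real writer would do the same translation for the credentials and security-label messages, and would emit the normalized value plus the payload length in front of the raw ancillary bytes, so a reader on a different OS never has to guess what the sender's native number meant.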