tcpdump mailing list archives

Re: [tcpdump-workers]


From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Sat, 29 Apr 2006 15:06:49 -0400

On 04/28/2006 09:53 PM, Jeremy Sheldon wrote:
> Hello, I'm writing a little program.  This program attempts to monitor
> the Linux system (via /proc) to discover if certain specified programs
> are running (just for the logged-in user).  If they are, the program
> then attempts to discover if they have any external connections.
>
> For TCP this is easy.  I just use /proc and some netstat code to
> discover the remote address.  However, for UDP there are sometimes these
> "unconnected" connections.  So, I'd like the program to sniff a few
> packets on the UDP source port gathered and determine the remote IP/port.
>
> Naturally, my first thought was libpcap.  I whipped up a quick little
> sniffer that grabs a couple of packets and BAM.  It works great... as long
> as you're root.  Well, this program shouldn't need root access.
>
> Does anyone have suggestions for either 1. how to determine the remote
> IP/port for the UDP connection without using the libpcap "sniffer"
> technique?

ptrace(2) the process and trap send and sendto calls. Naturally you
won't be able to do this if some other process is already ptracing the
target process.

> or 2. how to use libpcap without requiring the program to run with root
> privileges?

AFAIK on Linux this is not possible.

-- 
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
"Never try to retrieve anything from a bear."--National Park Service
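The ptrace approach from the reply, worked through as an added example that is not code from this thread: the tracer below forks its own tracee (a real monitor would PTRACE_ATTACH to the target PID and is subject to the same one-tracer-at-a-time limit), stops it at every syscall, and at each sendto(2) entry reads the destination sockaddr out of the tracee's memory. It assumes Linux on x86-64 (syscall number in orig_rax, dest_addr in r8) and uses process_vm_readv(2) instead of a PTRACE_PEEKDATA loop to copy the 16-byte sockaddr_in; the 127.0.0.1:9999 datagram is a constructed sample.

```c
/* Added example, not code from the thread: ptrace(2) a child, stop at every syscall
 * and at each sendto(2) entry read the destination sockaddr from the tracee's memory.
 * Assumes Linux x86-64: syscall number in orig_rax, 5th argument (dest_addr) in r8. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
/* Render an IPv4 sockaddr as "a.b.c.d:port"; returns 0 on success, -1 otherwise. */
int format_peer(const struct sockaddr_in *sa, char *out, size_t outlen) {
    char ip[INET_ADDRSTRLEN];
    if (sa->sin_family != AF_INET || !inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof ip))
        return -1;
    snprintf(out, outlen, "%s:%u", ip, ntohs(sa->sin_port));
    return 0;
}
int main(void) {
    pid_t pid = fork();
    if (pid == 0) { /* tracee: sends one constructed UDP datagram to 127.0.0.1:9999 */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                                 /* let the tracer set options */
        struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(9999) };
        inet_pton(AF_INET, "127.0.0.1", &dst.sin_addr);
        sendto(socket(AF_INET, SOCK_DGRAM, 0), "ping", 4, 0, (struct sockaddr *)&dst, sizeof dst);
        _exit(0);
    }
    int status;
    waitpid(pid, &status, 0);                           /* the tracee's initial SIGSTOP */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    while (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == 0 &&
           waitpid(pid, &status, 0) == pid && WIFSTOPPED(status)) {
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;     /* not a syscall stop */
        struct user_regs_struct r;                /* rax == -ENOSYS only at syscall entry */
        ptrace(PTRACE_GETREGS, pid, NULL, &r);
        if (r.orig_rax != SYS_sendto || (long long)r.rax != -ENOSYS) continue;
        struct sockaddr_in sa; char peer[32];
        struct iovec local = { &sa, sizeof sa }, remote = { (void *)r.r8, sizeof sa };
        if (process_vm_readv(pid, &local, 1, &remote, 1, 0) == (ssize_t)sizeof sa &&
            format_peer(&sa, peer, sizeof peer) == 0)
            printf("pid %d sendto -> %s\n", pid, peer);         /* 127.0.0.1:9999 */
    }
    return 0;
}
```

Datagrams sent via send(2) on a connected UDP socket carry no address argument, so for those the program would still need the /proc-based lookup the original poster already uses.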