{ "info": { "author": "Andy Olsen, Jeff Dileo", "author_email": "andy.olsen@nccgroup.com, jeff.dileo@nccgroup.com", "bugtrack_url": null, "classifiers": [ "License :: OSI Approved :: BSD License", "License :: OSI Approved :: GNU General Public License v2 (GPLv2)", "Operating System :: POSIX :: Linux", "Programming Language :: Python :: 2.7", "Topic :: Security", "Topic :: System :: Networking :: Monitoring", "Topic :: System :: Operating System Kernels :: Linux" ], "description": "# unixdump\n_\"tcpdump for unix domain sockets\"_\n\n`unixdump` is a powerful command-line Unix domain socket \"packet\" capturer. It\nis an eBPF-based kernel tracing tool that extracts, processes, and dumps all\ndata sent over unix domain sockets across an entire Linux host with support\nfor performant in-kernel filters for a wide range of filtering granularity. It\nenables manual traffic inspection of Unix socket traffic between processes,\nincluding ancillary data, such as file descriptors and Unix credentials.\n\n# Installation\n\n## BCC\n\n`unixdump` depends on the BCC eBPF tracing tool framework. See the\n[BCC install instructions](https://github.com/iovisor/bcc/blob/master/INSTALL.md)\nfor your distribution. We recommend building and installing BCC from\n[source](https://github.com/iovisor/bcc/blob/master/INSTALL.md#source).\n\n\n***Note:*** While BCC updates may result in breakages, `unixdump` is known to\nwork with versions [0.8.0](https://github.com/iovisor/bcc/releases/tag/v0.8.0)\non Ubuntu 18.04 and [0.7.0](https://github.com/iovisor/bcc/releases/tag/v0.7.0)\non Ubuntu 18.04 and Kali. If you are having issues with `unixdump`, please make\nsure you are not running an out-of-date version of BCC.\n\n\n## unixdump\n\n```\nsudo -H pip install unixdump\n```\n\n# Usage\n\n`unixdump` is best used with filters. Several of the important ones are defined\n[below](#Options), and the rest can be listed with `--help`. To dump all Unix\ndomain socket traffic of a system (sans the terminal process rendering the\noutput), run `unixdump` without any arguments:\n\n***Note:*** `unixdump` requires `CAP_SYS_ADMIN` privileges and full access to\n`sysfs`/`debugfs`.\n\n```\nsudo unixdump\n```\n\nFor an example use case, let's say we know the program creates a Unix domain\nsocket with random characters that begins with `/tmp/domain-socket-`. We can\nlimit our output to only sockets beginning with that string:\n\n```\nsudo unixdump -b '/tmp/domain-socket'\n```\n\nThe output can be further restricted using combinations of `unixdump` filter\noptions.\n\n# Options\n\n`unixdump` provides many different arguments to filter output and fine tune\nperformance. Below are some of the more notable options:\n\n- `-b, --beginswith`: One of `unixdump`'s most useful filters is to match starting\nsequences of socket paths. This proves extremely helpful when the program creates \nsocket paths ending with random characters yet the beginning is unique and constant.\nThis makes filtering possible without knowing the entire socket name ahead of time.\n\n- `-s, --socket`: When the user knows the exact name of the socket path, this is \nthe option to use. By specifying an empty string like so `-s ''`, `unixdump`\nwill filter on unnamed sockets.\n\n- `-@, --base64`: To filter on binary abstract namespace keys, this option\ninstructs `unixdump` to parse the `-b`/`-s` options as base64.\n\n- `-p, --pid`: To home in on a specific process (and anything communicating\nwith it), use this option.\n\n- `-x, --exclude`: For when the user is listening for general traffic and wants to \nhide noisy processes such as `Xorg`. This argument takes a space separated list \nof `pids` to exclude.\n\n- `-t, --excludeownterminal`: (requires `wmctrl`) Attempts to exclude the current terminal process\nfrom capture. Currently supports Wayland and X11, and the `tmux` and `screen`\nterminal multiplexers. \n***Note:*** screen is not currently supported on Wayland\n\n- `-l, --ancillarydata`: For those who want to only watch for traffic containing \nancillary data. This will provide the file descriptors or Unix credentials that\nwere sent.\n\n- `-o, --dir`: To save output into separate files based on `pid` pairs. The\noption `-c, --color` can also be set to add color like in wireshark.\n\n- `-B, --extract`: Extract the buffer contents from a file saved by `--dir`\nand output it to binary in separate client and server files.\n\n\n", "description_content_type": "text/markdown", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/nccgroup/ebpf", "keywords": "unixdump packet capture pcap unix domain sockets tcpdump ebpf", "license": "GPLv2 (Only)/BSD (2 Clause)", "maintainer": "", "maintainer_email": "", "name": "unixdump", "package_url": "https://pypi.org/project/unixdump/", "platform": "", "project_url": "https://pypi.org/project/unixdump/", "project_urls": { "Homepage": "https://github.com/nccgroup/ebpf" }, "release_url": "https://pypi.org/project/unixdump/1.0.0/", "requires_dist": [ "pybst (<2,>=1.0)", "hexdump (<4,>=3.3)", "uninstallable (>0) ; platform_system != \"Linux\"" ], "requires_python": ">=2.7.0, !=3.*", "summary": "eBPF-based tcpdump-alike for Unix domain sockets", "version": "1.0.0" }, "last_serial": 4895258, "releases": { "0.0.1": [ { "comment_text": "", "digests": { "md5": "87469a47b8b32b69a84e5c9946e65506", "sha256": "20e6c3643431e0bc55447e9aba82100e1dd6cc6843056c35e6871c95bf0d3da2" }, "downloads": -1, "filename": "unixdump-0.0.1-py2-none-any.whl", "has_sig": false, "md5_digest": "87469a47b8b32b69a84e5c9946e65506", "packagetype": "bdist_wheel", "python_version": "py2", "requires_python": ">=2.7.0, !=3.*", "size": 14633, "upload_time": "2019-02-14T00:47:30", "url": "https://files.pythonhosted.org/packages/01/ca/9d35a99973f3d89630af9959819401a1e8a4811f0696d0744c3de9075acd/unixdump-0.0.1-py2-none-any.whl" } ], "1.0.0": [ { "comment_text": "", "digests": { "md5": "6f459c3ee4691ad3887d68a7bb6a9a9f", "sha256": "31a716d691eed616ea682c3bfe5e438517f9e5b1811ab7c9d4894dc588814346" }, "downloads": -1, "filename": "unixdump-1.0.0-py2-none-any.whl", "has_sig": false, "md5_digest": "6f459c3ee4691ad3887d68a7bb6a9a9f", "packagetype": "bdist_wheel", "python_version": "py2", "requires_python": ">=2.7.0, !=3.*", "size": 30587, "upload_time": "2019-03-04T16:33:10", "url": "https://files.pythonhosted.org/packages/a5/f5/ed2badd2c6eb8c9a8dc9ec4d165a98bd604a6236e760f5fc6185171fe587/unixdump-1.0.0-py2-none-any.whl" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "6f459c3ee4691ad3887d68a7bb6a9a9f", "sha256": "31a716d691eed616ea682c3bfe5e438517f9e5b1811ab7c9d4894dc588814346" }, "downloads": -1, "filename": "unixdump-1.0.0-py2-none-any.whl", "has_sig": false, "md5_digest": "6f459c3ee4691ad3887d68a7bb6a9a9f", "packagetype": "bdist_wheel", "python_version": "py2", "requires_python": ">=2.7.0, !=3.*", "size": 30587, "upload_time": "2019-03-04T16:33:10", "url": "https://files.pythonhosted.org/packages/a5/f5/ed2badd2c6eb8c9a8dc9ec4d165a98bd604a6236e760f5fc6185171fe587/unixdump-1.0.0-py2-none-any.whl" } ] }