Demonstrations of sofdsnoop, the Linux eBPF/bcc version.

sofdsnoop traces FDs passed through unix sockets

# ./sofdsnoop.py
ACTION TID    COMM             SOCKET                    FD    NAME
SEND   2576   Web Content      24:socket:[39763]         51    /dev/shm/org.mozilla.ipc.2576.23874
RECV   2576   Web Content      49:socket:[809997]        51
SEND   2576   Web Content      24:socket:[39763]         58    N/A
RECV   2464   Gecko_IOThread   75:socket:[39753]         55

Every file descriptor that is passed via unix sockets os displayed
on separate line together with process info (TID/COMM columns),
ACTION details (SEND/RECV), file descriptor number (FD) and its
translation to file if available (NAME).

The file descriptor (fd) value is bound to a process. The SEND
lines display the fd value within the sending process. The RECV
lines display the fd value of the sending process. That's why
there's translation to name only on SEND lines, where we are
able to find it in task proc records.

This works by tracing sendmsg/recvmsg system calls to provide
the socket fds, and scm_send_entry/scm_detach_fds to provide
the file descriptor details.

A -T option can be used to include a timestamp column,
and a -n option to match on a command name. Regular
expressions are allowed.  For example, matching commands
containing "server" with timestamps:

# ./sofdsnoop.py -T -n Web
TIME(s)       ACTION TID    COMM             SOCKET                    FD    NAME
0.000000000   SEND   2576   Web Content      24:socket:[39763]         51    /dev/shm/org.mozilla.ipc.2576.25404 (deleted)
0.000413000   RECV   2576   Web Content      49:/dev/shm/org.mozilla.ipc.2576.25404 (deleted) 51
0.000558000   SEND   2576   Web Content      24:socket:[39763]         58    N/A
0.000952000   SEND   2576   Web Content      24:socket:[39763]         58    socket:[817962]


A -p option can be used to trace only selected process:

# ./sofdsnoop.py -p 2576 -T
TIME(s)       ACTION TID    COMM             SOCKET                    FD    NAME
0.000000000   SEND   2576   Web Content      24:socket:[39763]         51    N/A
0.000138000   RECV   2576   Web Content      49:N/A                    5
0.000191000   SEND   2576   Web Content      24:socket:[39763]         58    N/A
0.000424000   RECV   2576   Web Content      51:/dev/shm/org.mozilla.ipc.2576.25319 (deleted) 49

USAGE message:
usage: sofdsnoop.py [-h] [-T] [-p PID] [-t TID] [-n NAME] [-d DURATION]

Trace file descriptors passed via socket

optional arguments:
  -h, --help            show this help message and exit
  -T, --timestamp       include timestamp on output
  -p PID, --pid PID     trace this PID only
  -t TID, --tid TID     trace this TID only
  -n NAME, --name NAME  only print process names containing this name
  -d DURATION, --duration DURATION
                        total duration of trace in seconds

examples:
    ./sofdsnoop           # trace file descriptors passes
    ./sofdsnoop -T        # include timestamps
    ./sofdsnoop -p 181    # only trace PID 181
    ./sofdsnoop -t 123    # only trace TID 123
    ./sofdsnoop -d 10     # trace for 10 seconds only
    ./sofdsnoop -n main   # only print process names containing "main"