Question

Fellow coders, I'm monitoring my outgoing traffic using the libnetfilter_queue module and an iptables rule: iptables -I OUTPUT 1 -p all -j NFQUEUE --queue-num 11220

A certain app called Jitsi (which runs on Java) is exhibiting strange behaviour I haven't encountered before. My monitoring program, which processes NFQUEUE packets, clearly shows that UDP packets are being sent out, yet when I look into "/proc/net/udp" and "/proc/net/udp6" they are empty. Moreover, "/proc/net/protocols" has a "sockets" column for UDP and it is 0. But the UDP packets keep getting sent. Then, after a minute or so, "/proc/net/udp" and "/proc/net/protocols" begin to show the correct information about UDP packets. And again, after a while, there is no information in them while the UDP packets are being sent.

My only conclusion is that somehow it is possible for an application to send UDP packets without creating a socket, and/or it is possible to create a socket, then delete it (so that the kernel thinks there are none) and still use some obscure method to send packets outside.

Could somebody with ideas about such behaviour lend a hand, please?

Solution 2

Thank you Paul Rubel for giving me a hint in the right direction. strace showed that the Java app was using IPv6 sockets. I had a closer look at /proc/net/udp6 and there those sockets were. I probably had too cursory a view the first time around, chiefly because I didn't even expect to find them there. This is the first time I stumbled upon IPv4 packets over IPv6 sockets. But that is what Java does. Cheers.
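
The check described in this answer, as an added example that is not part of the original post: decode /proc/net/udp6 entries and flag the ones that can carry IPv4 datagrams. The sample rows are constructed, the decoder assumes the little-endian layout unless told otherwise, and the function names are chosen here.

```python
import ipaddress

# Constructed rows in /proc/net/udp6 layout (little-endian host); not real capture data.
SAMPLE_UDP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000000000000000000000000000:1388 00000000000000000000000000000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 41001 2 0000000000000000 0
  102: 0000000000000000FFFF00000A01A8C0:C350 0000000000000000FFFF0000057100CB:0D96 01 00000000:00000000 00:00000000 00000000  1000        0 41002 2 0000000000000000 0
  103: 000080FE00000000FF565002FEC6B3FE:0222 00000000000000000000000000000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 41003 2 0000000000000000 0
"""

def decode_endpoint(field, byteorder="little"):
    """Split 'HEXADDR:HEXPORT'; the kernel prints the address as four native-endian u32 words."""
    hex_addr, hex_port = field.rsplit(":", 1)
    words = [bytes.fromhex(hex_addr[i:i + 8]) for i in range(0, 32, 8)]
    if byteorder == "little":
        words = [w[::-1] for w in words]  # undo the per-word byte swap
    return ipaddress.IPv6Address(b"".join(words)), int(hex_port, 16)

def classify(local_ip, remote_ip):
    """Say whether a udp6 entry can explain IPv4 datagrams seen on the wire."""
    if local_ip.ipv4_mapped or remote_ip.ipv4_mapped:
        return "ipv4-mapped"        # ::ffff:a.b.c.d, IPv4 traffic on an AF_INET6 socket
    if local_ip == ipaddress.IPv6Address("::"):
        return "wildcard"           # carries IPv4 too unless IPV6_V6ONLY is set
    return "ipv6-only"

def parse_udp6(text, byteorder="little"):
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":"):
            continue                # header or malformed line
        lip, lport = decode_endpoint(f[1], byteorder)
        rip, rport = decode_endpoint(f[2], byteorder)
        rows.append({"local_ip": lip, "local_port": lport, "remote_ip": rip,
                     "remote_port": rport, "uid": int(f[7]), "inode": int(f[9]),
                     "kind": classify(lip, rip)})
    return rows

if __name__ == "__main__":
    for r in parse_udp6(SAMPLE_UDP6):
        shown = r["local_ip"].ipv4_mapped or r["local_ip"]
        print(f'{r["kind"]:<12} {shown}:{r["local_port"]} uid={r["uid"]} inode={r["inode"]}')
```

On a live system, pass the contents of /proc/net/udp6 and `sys.byteorder` instead of the sample.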

OTHER TIPS

Two ideas:

Try running the app through strace and take a look at that output.

You could also try to run it through systemtap with a filter for the socket operations. From that link:

probe kernel.function("*@net/socket.c").call {
  printf ("%s -> %s\n", thread_indent(1), probefunc())
}
probe kernel.function("*@net/socket.c").return {
  printf ("%s <- %s\n", thread_indent(-1), probefunc())
}
Licensed under: CC-BY-SA with attribution