问题
I wrote a small go script and traced it using strace though this script, I am trying to fetch audit messages from kernel using netlink protocol, just like like auditd.
Following is the strace output on my go script- http://paste.ubuntu.com/8272760/
I am trying to find the argument that auditd provide to the sendto function. When I run strace on auditd I get following output
sendto(3, "\20\0\0\0\350\3\5\0\1\0\0\0\0\0\0\0", 16, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 16
And when I strace my go file I get the following output. I am looking to decode the second argument of this statement
sendto(3, "\21\0\0\0\350\3\5\0\1\0\0\0\0\0\0\0\t", 17, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 17
To be specific
"\21\0\0\0\350\3\5\0\1\0\0\0\0\0\0\0\t"
Now I want to convert this to string or bytes array, is there any way to convert this to string or byte array?
In my actual go code this argument is a byte array.
https://github.com/mozilla/Audit-Go/blob/testing/netlink_old.go#L58
回答1:
My understanding of your problem is you try to compare what auditd sends to what your program sends by comparing strace output, and you have issues to convert the string provided by strace into a Go []byte datatype.
The strace output follows the GNU C representation of string literal, whose characters can be escaped as follows:
\\ Backslash character.
\? Question mark character.
\' Single quotation mark.
\" Double quotation mark.
\a Audible alert.
\b Backspace character.
\e <ESC> character. (This is a GNU extension.)
\f Form feed.
\n Newline character.
\r Carriage return.
\t Horizontal tab.
\v Vertical tab.
\o, \oo, \ooo Octal number.
\xh, \xhh, \xhhh, ... Hexadecimal number.
Note that the number of octal or hex digits can be variable. In Go, characters can also be escaped but the rules are different - see http://golang.org/ref/spec#Rune_literals
In particular, the octal values are systematically on 3 digits to avoid any ambiguity. To declare a []byte with such a sequence of characters, you will have to write something like this:
// In strace, it was "\21\0\0\0\350\3\5\0\1\0\0\0\0\0\0\0\t"
wb := []byte("\021\000\000\000\350\003\005\000\001\000\000\000\000\000\000\000\t")
Note that the -x option in strace will use fixed-length hex encoding for non-printable characters, which makes the direct usage of these strings easier in a Go program. The -xx option will output hex encoded bytes even for printable characters, which makes it even easier IMO.
Anyway, it is not necessarily a good style (or even a good idea) to use literal strings to initialize []byte. Strings are for UTF-8 characters, not for binary data.
回答2:
\21\0\0\0\350\3\5\0\1\0\0\0\0\0\0\0\t
These are character escape sequences as defined in the ANSI X3.159-1989 (aka ANSI C89, check this PDF file). You can find the official draft pages at port70.net.
Here is a short brief found in man printf:
\aWrite a<bell>character.\bWrite a<backspace>character.\cIgnore remaining characters in this string.\eWrite a<escape>character.\fWrite a<form-feed>character.\rWrite a<carriage return>character.\nWrite a<new-line>character.\tWrite a<tab>character.\vWrite a<vertical tab>character.\'Write a<single quote>character.\"Write a<double quote>character.\\Write a backslash character.\num,\0numWrite an 8-bit character whose ASCII value is the 1-, 2-, or 3-digit octal number.
To interpret these characters as string, you can use printf, e.g. command in shell:
printf "%b" "\21\0\0\0\350\3\5\0\1\0\0\0\0\0\0\0\t"
For more parsing examples, check: How to parse strace in shell into plain text?
回答3:
If you want strace to print hexadecimal string instead ASCII and escaped sequence, use -x or -xx, consult man for more details.
来源:https://stackoverflow.com/questions/25705216/how-to-decode-this-information-from-strace-output