As the title suggests, is there a way of being notified of recently opened sockets using inotify/inotify-tools? As far as I can tell inotify only works with inodes and specifically testing if those inodes are sockets isn't something that inotify is actually capable of. Further to that, I can't seem to find where socket FDs are stored. I can only see their file descriptors, which are symlinks:
# ls -l /proc/29711/fd/10
lrwx------ 1 root root 64 Mar 6 17:04 /proc/29711/fd/10 -> socket:[750728]
# stat /proc/29711/fd/10
File: `/proc/29711/fd/10' -> `socket:[750728]'
Size: 64 Blocks: 0 IO Block: 1024 symbolic link
Device: 3h/3d Inode: 759700 Links: 1
Access: (0700/lrwx------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2013-03-06 17:05:22.690411801 +1100
Modify: 2013-03-06 17:04:14.062414880 +1100
Change: 2013-03-06 17:04:14.062414880 +1100
Birth: -
Inotify is for filesystem events monitoring, so unless there is special FS representing system's sockets — no way.
I recommend looking at netlink and at its NETLINK_INET_DIAG in particular, but I can't tell for sure whether it has corresponding facilities at all.

UPDATE: I've shared this question-answer and Pavel Emelyanov — CRIU's primary developer, confirmed my suspicions — more than likely you can't get those notifications with netlink.

Update: you can track these events with conntrack-tools.
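
Because inotify cannot report socket creation, one fallback is to poll the `socket:[inode]` symlink targets under `/proc/<pid>/fd` shown in the question and diff successive snapshots. This is an added example, not code from the question or the answer; the function names and the `proc_root` parameter are assumptions, and a socket opened and closed between two polls is not seen.

```python
import os
import re
import time

# Matches the symlink target format shown in the question: socket:[750728]
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")

def socket_inodes(pid, proc_root="/proc"):
    """Return {fd: socket inode} for every socket descriptor held by pid."""
    fd_dir = os.path.join(proc_root, str(pid), "fd")
    found = {}
    try:
        entries = os.listdir(fd_dir)
    except OSError:
        return found  # process exited, or we lack permission to inspect it
    for name in entries:
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor was closed between listdir() and readlink()
        match = SOCKET_LINK.match(target)
        if match:
            found[int(name)] = int(match.group(1))
    return found

def snapshot(proc_root="/proc"):
    """Return the set of (pid, socket inode) pairs visible under proc_root."""
    seen = set()
    for entry in os.listdir(proc_root):
        if entry.isdigit():  # skip non-process entries such as "self" or "net"
            for inode in socket_inodes(entry, proc_root).values():
                seen.add((int(entry), inode))
    return seen

def new_sockets(previous, current):
    """Pairs present in current but not in previous, sorted for stable output."""
    return sorted(current - previous)

if __name__ == "__main__":
    # Bounded demo run; replace the range with an endless loop for real use.
    before = snapshot()
    for _ in range(5):
        time.sleep(1)
        after = snapshot()
        for pid, inode in new_sockets(before, after):
            print(f"pid {pid} opened socket:[{inode}]")
        before = after
```

Run it as root to see descriptors of processes owned by other users; unprivileged runs only report sockets of the caller's own processes.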