saddr is a hex encoded blob that is a struct sockaddr.
I’m writing my own parsing code to add Linux analysis to my Mac-based BSM audit analysis tools, so I might be asking some “out of left field” questions from time to time. I’ve been working my way through decoding things like the sockaddr hex blob.
…
Its a socket address structure. It may or may not be null terminated depending on the socket type.
...
Its other fields in struct sockaddr.
...
That would be an abstract af_unix socket.
With that info I did a little more digging and found a lot of this information in