Demonstrations of tcptracer, the Linux eBPF/bcc version.


This tool traces the kernel function performing TCP connections (eg, via a
connect() or accept() syscalls) and closing them (explicitly or if the process
dies). Some example output (IP addresses are fake):

```
# ./tcptracer
Tracing TCP established connections. Ctrl-C to end.
T  PID    COMM             IP SADDR            DADDR            SPORT  DPORT
C  28943  telnet           4  192.168.1.2      192.168.1.1      59306  23
C  28818  curl             6  [::1]            [::1]            55758  80
X  28943  telnet           4  192.168.1.2      192.168.1.1      59306  23
A  28817  nc               6  [::1]            [::1]            80     55758
X  28818  curl             6  [::1]            [::1]            55758  80
X  28817  nc               6  [::1]            [::1]            80     55758
A  28978  nc               4  10.202.210.1     10.202.109.12    8080   59160
X  28978  nc               4  10.202.210.1     10.202.109.12    8080   59160
```

This output shows three connections, one outgoing from a "telnet" process, one
outgoing from "curl" to a local netcat, and one incoming received by the "nc"
process. The output details show the kind of event (C for connection, X for
close and A for accept), PID, IP version, source address, destination address,
source port and destination port.

The -t option prints a timestamp column:

```
# ./tcptracer -t
Tracing TCP established connections. Ctrl-C to end.
TIME(s)  T  PID    COMM             IP SADDR            DADDR            SPORT  DPORT
0.000    C  31002  telnet           4  192.168.1.2      192.168.1.1      42590  23
3.546    C    748  curl             6  [::1]            [::1]            42592  80
4.294    X  31002  telnet           4  192.168.1.2      192.168.1.1      42590  23
```


The --cgroupmap option filters based on a cgroup set. It is meant to be used
with an externally created map.

# ./tcptracer --cgroupmap /sys/fs/bpf/test01

For more details, see docs/special_filtering.md