tools/tcpsubnet: add time and time to output, default 0.0.0.0/0, upda…

…te doc
tkuburic · Mar 6, 2018 · efcb30f · efcb30f
1 parent ae91325
commit efcb30f
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 31 deletions.
diff --git a/man/man8/tcpsubnet.8 b/man/man8/tcpsubnet.8
@@ -41,7 +41,7 @@ Prints the BPF program.
 subnets
 Comma separated list of subnets. Traffic will be categorized
 in theses subnets. Order matters.
-(default 127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16)
+(default 127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,0.0.0.0/0)
 .SH EXAMPLES
 .TP
 Summarize TCP traffic by the default subnets:
@@ -63,11 +63,14 @@ Subnet
 (Standard output) Right hand side column:
 Aggregate traffic in units passed as argument
 .TP
-(JSON output) Key
-Subnet
+(JSON output) date
+Current date formatted in the system locale
 .TP
-(JSON output) Value
-Aggregate traffic in units passed as argument
+(JSON output) time
+Current time formatted in the system locale
+.TP
+(JSON output) entries
+Map of subnets to aggregates. Values will be in format passed to -f
 .SH OVERHEAD
 This traces all tcp_sendmsg function calls in the TCP/IP stack.
 It summarizes data in-kernel to reduce overhead.

diff --git a/tools/tcpsubnet.py b/tools/tcpsubnet.py
@@ -24,27 +24,30 @@
 #
 # 03-Oct-2017 Rodrigo Manyari Created this based on tcptop.
 # 13-Feb-2018 Rodrigo Manyari Fix pep8 errors, some refactoring.
+# 05-Mar-2018 Rodrigo Manyari Add date time to output.
 
 import argparse
 import json
 import logging
 import struct
 import socket
 from bcc import BPF
+from datetime import datetime as dt
 from time import sleep
 
 # arguments
 examples = """examples:
  ./tcpsubnet # Trace TCP sent to the default subnets:
  # 127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,
- # 192.168.0.0/16
+ # 192.168.0.0/16,0.0.0.0/0
  ./tcpsubnet -f K # Trace TCP sent to the default subnets
  # aggregated in KBytes.
  ./tcpsubnet 10.80.0.0/24 # Trace TCP sent to 10.80.0.0/24 only
  ./tcpsubnet -J # Format the output in JSON.
 """
 
-default_subnets = "127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
+default_subnets = "127.0.0.1/32,10.0.0.0/8," \
+ "172.16.0.0/12,192.168.0.0/16,0.0.0.0/0"
 
 parser = argparse.ArgumentParser(
  description="Summarize TCP send and aggregate by subnet",
@@ -235,14 +238,20 @@ def generate_bpf_subnets(subnets):
  data = {}
 
  # output
+ now = dt.now()
+ data['date'] = now.strftime('%x')
+ data['time'] = now.strftime('%X')
+ data['entries'] = {}
+ if not args.json:
+ print(now.strftime('[%x %X]'))
  for k, v in reversed(sorted(keys.items(), key=lambda keys: keys[1].value)):
  send_bytes = 0
  if k in ipv4_send_bytes:
  send_bytes = int(ipv4_send_bytes[k].value)
  subnet = subnets[k.index][0]
  send = formatFn(send_bytes)
  if args.json:
- data[subnet] = send
+ data['entries'][subnet] = send
  else:
  print("%-21s %6d" % (subnet, send))
 

diff --git a/tools/tcpsubnet_example.txt b/tools/tcpsubnet_example.txt
@@ -6,8 +6,15 @@ It works only for IPv4. Eg:
 
 # tcpsubnet
 Tracing... Output every 1 secs. Hit Ctrl-C to end
+[03/05/18 22:32:47]
 127.0.0.1/32 8
+[03/05/18 22:32:48]
+[03/05/18 22:32:49]
+[03/05/18 22:32:50]
+[03/05/18 22:32:51]
+[03/05/18 22:32:52]
 127.0.0.1/32 10
+[03/05/18 22:32:53]
 
 This example output shows the number of bytes sent to 127.0.0.1/32 (the
 loopback interface). For demo purposes, I set netcat listening on port
@@ -20,6 +27,9 @@ loopback interface). For demo purposes, I set netcat listening on port
 The first line sends 7 digits plus the null character (8 bytes)
 The second line sends 9 digits plus the null character (10 bytes)
 
+Notice also, how tcpsubnet prints a header line with the current date
+and time formatted in the current locale.
+
 Try it yourself to get a feeling of how tcpsubnet works.
 
 By default, tcpsubnet will categorize traffic in the following subnets:
@@ -28,7 +38,10 @@ By default, tcpsubnet will categorize traffic in the following subnets:
 - 10.0.0.0/8
 - 172.16.0.0/12
 - 192.168.0.0/16
+- 0.0.0.0/0
 
+The last subnet is a catch-all. In other words, anything that doesn't
+match the first 4 defaults will be categorized under 0.0.0.0/0
 You can change this default behavoir by passing a comma separated list
 of subnets. Let's say we would like to know how much traffic we
 are sending to github.com. We first find out what IPs github.com resolves
@@ -43,25 +56,35 @@ to monitor, Eg:
 
 # tcpsubnet.py 192.30.253.110/27,0.0.0.0/0
 Tracing... Output every 1 secs. Hit Ctrl-C to end
-0.0.0.0/0 3516
-192.30.253.110/27 2501
-192.30.253.110/27 37
-0.0.0.0/0 2037
-192.30.253.110/27 1146
-192.30.253.110/27 12698
+[03/05/18 22:38:58]
+0.0.0.0/0 5780
+192.30.253.110/27 2205
+[03/05/18 22:38:59]
+0.0.0.0/0 2036
+192.30.253.110/27 1183
+[03/05/18 22:39:00]
+[03/05/18 22:39:01]
+192.30.253.110/27 12537
 
 If we would like to be more accurate, we can use the two IPs returned
 by dig, Eg:
 
 # tcpsubnet 192.30.253.113/32,192.130.253.112/32,0.0.0.0/0
 Tracing... Output every 1 secs. Hit Ctrl-C to end
-0.0.0.0/0 4416
-192.30.253.113/32 230
-0.0.0.0/0 3138
-192.30.253.113/32 1337
-0.0.0.0/0 2537
-0.0.0.0/0 3206
-0.0.0.0/0 12736
+[03/05/18 22:42:56]
+0.0.0.0/0 1177
+192.30.253.113/32 910
+[03/05/18 22:42:57]
+0.0.0.0/0 48704
+192.30.253.113/32 892
+[03/05/18 22:42:58]
+192.30.253.113/32 891
+0.0.0.0/0 858
+[03/05/18 22:42:59]
+0.0.0.0/0 11159
+192.30.253.113/32 894
+[03/05/18 22:43:00]
+0.0.0.0/0 60601
 
 NOTE: When used in production, it is expected that you will have full
 information about your network topology. In which case you won't need
@@ -79,9 +102,12 @@ format and adds mM. When using kmKM, the output will be rounded to floor.
 Eg:
 
 # tcpsubnet -fK 0.0.0.0/0
+[03/05/18 22:44:04]
+0.0.0.0/0 1
+[03/05/18 22:44:05]
 0.0.0.0/0 5
-0.0.0.0/0 10
-0.0.0.0/0 16
+[03/05/18 22:44:06]
+0.0.0.0/0 31
 
 Just like the majority of the bcc tools, tcpsubnet supports -i and --ebpf
 
@@ -91,16 +117,17 @@ on how the subnets are evaluated and the BPF program is constructed.
 Last but not least, it supports -J [--json] to print the output in
 JSON format. This is handy if you're calling tcpsubnet from another
 program (say a nodejs server) and would like to have a structured stdout.
+The output in JSON format will also include the date and time.
 Eg:
 
 # tcpsubnet -J -fK 192.130.253.110/27,0.0.0.0/0
-{}
-{"0.0.0.0/0": 3, "192.30.253.110/27": 2}
-{"192.30.253.110/27": 0}
-{"0.0.0.0/0": 1, "192.30.253.110/27": 1}
-{"0.0.0.0/0": 0}
-{"192.30.253.110/27": 13}
-{}
+{"date": "03/05/18", "entries": {"0.0.0.0/0": 2}, "time": "22:46:27"}
+{"date": "03/05/18", "entries": {}, "time": "22:46:28"}
+{"date": "03/05/18", "entries": {}, "time": "22:46:29"}
+{"date": "03/05/18", "entries": {}, "time": "22:46:30"}
+{"date": "03/05/18", "entries": {"192.30.253.110/27": 0}, "time": "22:46:31"}
+{"date": "03/05/18", "entries": {"192.30.253.110/27": 1}, "time": "22:46:32"}
+{"date": "03/05/18", "entries": {"192.30.253.110/27": 18}, "time": "22:46:32"}
 
 
 USAGE:
@@ -126,7 +153,7 @@ optional arguments:
 examples:
  ./tcpsubnet # Trace TCP sent to the default subnets:
  # 127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,
- # 192.168.0.0/16
+ # 192.168.0.0/16,0.0.0.0/0
  ./tcpsubnet -f K # Trace TCP sent to the default subnets
  # aggregated in KBytes.
  ./tcpsubnet 10.80.0.0/24 # Trace TCP sent to 10.80.0.0/24 only