forked from iovisor/bcc
tcpconnect for IPv4 and IPv6, and make tcpv4connect a trimmed example
1 parent 8b63496, commit f06d3b4. Showing 8 changed files with 336 additions and 172 deletions.
@@ -0,0 +1,23 @@ | ||
Demonstrations of tcpv4connect, the Linux eBPF/bcc version. | ||
|
||
|
||
This example traces the kernel function performing active TCP IPv4 connections | ||
(eg, via a connect() syscall; accept() are passive connections). Some example | ||
output (IP addresses changed to protect the innocent): | ||
|
||
# ./tcpv4connect | ||
PID COMM SADDR DADDR DPORT | ||
1479 telnet 127.0.0.1 127.0.0.1 23 | ||
1469 curl 10.201.219.236 54.245.105.25 80 | ||
1469 curl 10.201.219.236 54.67.101.145 80 | ||
|
||
This output shows three connections, one from a "telnet" process and two from | ||
"curl". The output details shows the source address, destination address, | ||
and destination port. This traces attempted connections: these may have failed. | ||
|
||
The overhead of this tool should be negligible, since it is only tracing the | ||
kernel function performing a connect. It is not tracing every packet and then | ||
filtering. | ||
|
||
This is provided as a basic example of TCP tracing. See tools/tcpconnect for a | ||
more featured version of this example (a tool). |
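Review bot: the opening paragraph of this new examples file says it traces "the kernel function performing active TCP IPv4 connections" without naming that function, while the tcpconnect man page in this same commit states it is tcp_v4_connect(); name it here as well (e.g. "This example traces the kernel tcp_v4_connect() function, which performs active TCP IPv4 connections") so a reader knows which kernel symbol the probe depends on and what to check when a kernel change breaks it.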
@@ -0,0 +1,87 @@ | ||
.TH tcpconnect 8 "2015-08-25" "USER COMMANDS" | ||
.SH NAME | ||
tcpconnect \- Trace TCP active connections (connect()). Uses Linux eBPF/bcc. | ||
.SH SYNOPSIS | ||
.B tcpconnect [\-h] [\-t] [\-x] [\-p PID] | ||
.SH DESCRIPTION | ||
This tool traces active TCP connections (eg, via a connect() syscall; | ||
accept() are passive connections). This can be useful for general | ||
troubleshooting to see what connections are initiated by the local server. | ||
|
||
All connection attempts are traced, even if they ultimately fail. | ||
|
||
This works by tracing the kernel tcp_v4_connect() and tcp_v6_connect() functions | ||
using dynamic tracing, and will need updating to match any changes to these | ||
functions. | ||
|
||
Since this uses BPF, only the root user can use this tool. | ||
.SH REQUIREMENTS | ||
CONFIG_BPF and bcc. | ||
.SH OPTIONS | ||
.TP | ||
\-h | ||
Print usage message. | ||
.TP | ||
\-t | ||
Include a timestamp column. | ||
.TP | ||
\-p PID | ||
Trace this process ID only (filtered in-kernel). | ||
.SH EXAMPLES | ||
.TP | ||
Trace all active TCP connections: | ||
# | ||
.B tcpconnect | ||
.TP | ||
Trace all TCP connects, and include timestamps: | ||
# | ||
.B tcpconnect \-t | ||
.TP | ||
Trace PID 181 only: | ||
# | ||
.B tcpconnect \-p 181 | ||
.SH FIELDS | ||
.TP | ||
TIME(s) | ||
Time of the call, in seconds. | ||
.TP | ||
PID | ||
Process ID | ||
.TP | ||
COMM | ||
Process name | ||
.TP | ||
IP | ||
IP address family (4 or 6) | ||
.TP | ||
SADDR | ||
Source IP address. IPv4 as a dotted quad, IPv6 shows "..." then the last 4 | ||
bytes (check for newer versions of this tool for the full address). | ||
.TP | ||
DADDR | ||
Destination IP address. IPv4 as a dotted quad, IPv6 shows "..." then the last 4 | ||
bytes (check for newer versions of this tool for the full address). | ||
.TP | ||
DPORT | ||
Destination port | ||
.SH OVERHEAD | ||
This traces the kernel tcp_v[46]_connect functions and prints output for each | ||
event. As the rate of this is generally expected to be low (< 1000/s), the | ||
overhead is also expected to be negligible. If you have an application that | ||
is calling a high rate of connects()s, such as a proxy server, then test and | ||
understand this overhead before use. | ||
.SH SOURCE | ||
This is from bcc. | ||
.IP | ||
https://github.com/iovisor/bcc | ||
.PP | ||
Also look in the bcc distribution for a companion _examples.txt file containing | ||
example usage, output, and commentary for this tool. | ||
.SH OS | ||
Linux | ||
.SH STABILITY | ||
Unstable - in development. | ||
.SH AUTHOR | ||
Brendan Gregg | ||
.SH SEE ALSO | ||
tcpaccept(8), funccount(8), tcpdump(8) |
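Review bot: the SYNOPSIS line `.B tcpconnect [\-h] [\-t] [\-x] [\-p PID]` advertises a \-x flag, but the OPTIONS section documents only \-h, \-t and \-p; either add a `.TP` entry describing what \-x does or drop it from SYNOPSIS so the man page matches the options the tool actually accepts. Minor: in the OVERHEAD section, "a high rate of connects()s" should read "a high rate of connect()s".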
This file was deleted.