| Demonstrations of tcptracer, the Linux eBPF/bcc version. |
| |
| |
| This tool traces the kernel function performing TCP connections (eg, via a |
| connect() or accept() syscalls) and closing them (explicitly or if the process |
| dies). Some example output (IP addresses are fake): |
| |
| ``` |
| # ./tcptracer |
| Tracing TCP established connections. Ctrl-C to end. |
| T PID COMM IP SADDR DADDR SPORT DPORT |
| C 28943 telnet 4 192.168.1.2 192.168.1.1 59306 23 |
| C 28818 curl 6 [::1] [::1] 55758 80 |
| X 28943 telnet 4 192.168.1.2 192.168.1.1 59306 23 |
| A 28817 nc 6 [::1] [::1] 80 55758 |
| X 28818 curl 6 [::1] [::1] 55758 80 |
| X 28817 nc 6 [::1] [::1] 80 55758 |
| A 28978 nc 4 10.202.210.1 10.202.109.12 8080 59160 |
| X 28978 nc 4 10.202.210.1 10.202.109.12 8080 59160 |
| ``` |
| |
| This output shows three conections, one outgoing from a "telnet" process, one |
| outgoing from "curl" to a local netcat, and one incoming received by the "nc" |
| process. The output details show the kind of event (C for connection, X for |
| close and A for accept), PID, IP version, source address, destination address, |
| source port and destination port. |