| Demonstrations of tcpsubnet, the Linux eBPF/bcc version. |
| |
| |
| tcpsubnet summarizes throughput by destination subnet. |
| It works only for IPv4. Eg: |
| |
| # tcpsubnet |
| Tracing... Output every 1 secs. Hit Ctrl-C to end |
| [03/05/18 22:32:47] |
| 127.0.0.1/32 8 |
| [03/05/18 22:32:48] |
| [03/05/18 22:32:49] |
| [03/05/18 22:32:50] |
| [03/05/18 22:32:51] |
| [03/05/18 22:32:52] |
| 127.0.0.1/32 10 |
| [03/05/18 22:32:53] |
| |
| This example output shows the number of bytes sent to 127.0.0.1/32 (the |
| loopback interface). For demo purposes, I set netcat listening on port |
| 8080, connected to it and sent the following payloads. |
| |
| # nc 127.0.0.1 8080 |
| 1111111 |
| 111111111 |
| |
| The first line sends 7 digits plus the null character (8 bytes) |
| The second line sends 9 digits plus the null character (10 bytes) |
| |
| Notice also, how tcpsubnet prints a header line with the current date |
| and time formatted in the current locale. |
| |
| Try it yourself to get a feeling of how tcpsubnet works. |
| |
| By default, tcpsubnet will categorize traffic in the following subnets: |
| |
| - 127.0.0.1/32 |
| - 10.0.0.0/8 |
| - 172.16.0.0/12 |
| - 192.168.0.0/16 |
| - 0.0.0.0/0 |
| |
| The last subnet is a catch-all. In other words, anything that doesn't |
| match the first 4 defaults will be categorized under 0.0.0.0/0 |
| You can change this default behavoir by passing a comma separated list |
| of subnets. Let's say we would like to know how much traffic we |
| are sending to github.com. We first find out what IPs github.com resolves |
| to, Eg: |
| |
| # dig +short github.com |
| 192.30.253.112 |
| 192.30.253.113 |
| |
| With this information, we can come up with a reasonable range of IPs |
| to monitor, Eg: |
| |
| # tcpsubnet.py 192.30.253.110/27,0.0.0.0/0 |
| Tracing... Output every 1 secs. Hit Ctrl-C to end |
| [03/05/18 22:38:58] |
| 0.0.0.0/0 5780 |
| 192.30.253.110/27 2205 |
| [03/05/18 22:38:59] |
| 0.0.0.0/0 2036 |
| 192.30.253.110/27 1183 |
| [03/05/18 22:39:00] |
| [03/05/18 22:39:01] |
| 192.30.253.110/27 12537 |
| |
| If we would like to be more accurate, we can use the two IPs returned |
| by dig, Eg: |
| |
| # tcpsubnet 192.30.253.113/32,192.130.253.112/32,0.0.0.0/0 |
| Tracing... Output every 1 secs. Hit Ctrl-C to end |
| [03/05/18 22:42:56] |
| 0.0.0.0/0 1177 |
| 192.30.253.113/32 910 |
| [03/05/18 22:42:57] |
| 0.0.0.0/0 48704 |
| 192.30.253.113/32 892 |
| [03/05/18 22:42:58] |
| 192.30.253.113/32 891 |
| 0.0.0.0/0 858 |
| [03/05/18 22:42:59] |
| 0.0.0.0/0 11159 |
| 192.30.253.113/32 894 |
| [03/05/18 22:43:00] |
| 0.0.0.0/0 60601 |
| |
| NOTE: When used in production, it is expected that you will have full |
| information about your network topology. In which case you won't need |
| to approximate subnets nor need to put individual IP addresses like |
| we just did. |
| |
| Notice that the order of the subnet matters. Say, we put 0.0.0.0/0 as |
| the first element of the list and 192.130.253.112/32 as the second, all the |
| traffic going to 192.130.253.112/32 will have been categorized in |
| 0.0.0.0/0 as 192.130.253.112/32 is contained in 0.0.0.0/0. |
| |
| The default ouput unit is bytes. You can change it by using the |
| -f [--format] flag. tcpsubnet uses the same flags as iperf for the unit |
| format and adds mM. When using kmKM, the output will be rounded to floor. |
| Eg: |
| |
| # tcpsubnet -fK 0.0.0.0/0 |
| [03/05/18 22:44:04] |
| 0.0.0.0/0 1 |
| [03/05/18 22:44:05] |
| 0.0.0.0/0 5 |
| [03/05/18 22:44:06] |
| 0.0.0.0/0 31 |
| |
| Just like the majority of the bcc tools, tcpsubnet supports -i and --ebpf |
| |
| It also supports -v [--verbose] which gives useful debugging information |
| on how the subnets are evaluated and the BPF program is constructed. |
| |
| Last but not least, it supports -J [--json] to print the output in |
| JSON format. This is handy if you're calling tcpsubnet from another |
| program (say a nodejs server) and would like to have a structured stdout. |
| The output in JSON format will also include the date and time. |
| Eg: |
| |
| # tcpsubnet -J -fK 192.130.253.110/27,0.0.0.0/0 |
| {"date": "03/05/18", "entries": {"0.0.0.0/0": 2}, "time": "22:46:27"} |
| {"date": "03/05/18", "entries": {}, "time": "22:46:28"} |
| {"date": "03/05/18", "entries": {}, "time": "22:46:29"} |
| {"date": "03/05/18", "entries": {}, "time": "22:46:30"} |
| {"date": "03/05/18", "entries": {"192.30.253.110/27": 0}, "time": "22:46:31"} |
| {"date": "03/05/18", "entries": {"192.30.253.110/27": 1}, "time": "22:46:32"} |
| {"date": "03/05/18", "entries": {"192.30.253.110/27": 18}, "time": "22:46:32"} |
| |
| |
| USAGE: |
| |
| # ./tcpsubnet -h |
| usage: tcpsubnet.py [-h] [-v] [-J] [-f {b,k,m,B,K,M}] [-i INTERVAL] [subnets] |
| |
| Summarize TCP send and aggregate by subnet |
| |
| positional arguments: |
| subnets comma separated list of subnets |
| |
| optional arguments: |
| -h, --help show this help message and exit |
| -v, --verbose output debug statements |
| -J, --json format output in JSON |
| -f {b,k,m,B,K,M}, --format {b,k,m,B,K,M} |
| [bkmBKM] format to report: bits, Kbits, Mbits, bytes, |
| KBytes, MBytes (default B) |
| -i INTERVAL, --interval INTERVAL |
| output interval, in seconds (default 1) |
| |
| examples: |
| ./tcpsubnet # Trace TCP sent to the default subnets: |
| # 127.0.0.1/32,10.0.0.0/8,172.16.0.0/12, |
| # 192.168.0.0/16,0.0.0.0/0 |
| ./tcpsubnet -f K # Trace TCP sent to the default subnets |
| # aggregated in KBytes. |
| ./tcpsubnet 10.80.0.0/24 # Trace TCP sent to 10.80.0.0/24 only |
| ./tcpsubnet -J # Format the output in JSON. |
| |