| Demonstrations of solisten.py, the Linux eBPF/bcc version. |
| |
| |
| This tool traces the kernel function called when a program wants to listen |
| for TCP connections. It will not see UDP neither UNIX domain sockets. |
| |
| It can be used to dynamically update a load balancer as a program is actually |
| ready to accept connexion, hence avoiding the "downtime" while it is initializing. |
| |
| # ./solisten.py --show-netns |
| PID COMM NETNS PROTO BACKLOG ADDR PORT |
| 3643 nc 4026531957 TCPv4 1 0.0.0.0 4242 |
| 3659 nc 4026531957 TCPv6 1 2001:f0d0:1002:51::4 4242 |
| 4221 redis-server 4026532165 TCPv6 128 :: 6379 |
| 4221 redis-server 4026532165 TCPv4 128 0.0.0.0 6379 |
| 6067 nginx 4026531957 TCPv4 128 0.0.0.0 80 |
| 6067 nginx 4026531957 TCPv6 128 :: 80 |
| 6069 nginx 4026531957 TCPv4 128 0.0.0.0 80 |
| 6069 nginx 4026531957 TCPv6 128 :: 80 |
| 6069 nginx 4026531957 TCPv4 128 0.0.0.0 80 |
| 6069 nginx 4026531957 TCPv6 128 :: 80 |
| |
| This output show the listen event from 3 programs. Netcat was started twice as |
| shown by the 2 different PIDs. The first time on the wilcard IPv4, the second |
| time on an IPv6. Netcat being a "one shot" program. It can accept a single |
| connection, hence the backlog of "1". |
| |
| The next program is redis-server. As the netns column shows, it is in a |
| different network namespace than netcat and nginx. In this specific case |
| it was launched in a docker container. It listens both on IPv4 and IPv4 |
| with up to 128 pending connections. |
| |
| Determining the actual container is out if the scope of this tool. It could |
| be derived by scrapping /proc/<PID>/cgroup. Note that this is racy. |
| |
| The overhead of this tool is negligeable as it traces listen() calls which are |
| invoked in the initialization path of a program. The operation part will remain |
| unaffected. In particular, accept() calls will not be affected. Neither |
| individual read() and write(). |
| |