Iago López Galeiras | f37434b | 2017-03-30 19:07:47 +0200

Demonstrations of tcptracer, the Linux eBPF/bcc version.


This tool traces the kernel functions that establish TCP connections (e.g. via
the connect() or accept() syscalls) and close them (explicitly, or when the
process dies). Some example output (IP addresses are fake):

```
# ./tcptracer
Tracing TCP established connections. Ctrl-C to end.
T  PID    COMM             IP SADDR            DADDR            SPORT  DPORT
C  28943  telnet           4  192.168.1.2      192.168.1.1      59306  23
C  28818  curl             6  [::1]            [::1]            55758  80
X  28943  telnet           4  192.168.1.2      192.168.1.1      59306  23
A  28817  nc               6  [::1]            [::1]            80     55758
X  28818  curl             6  [::1]            [::1]            55758  80
X  28817  nc               6  [::1]            [::1]            80     55758
A  28978  nc               4  10.202.210.1     10.202.109.12    8080   59160
X  28978  nc               4  10.202.210.1     10.202.109.12    8080   59160
```

This output shows three connections: one outgoing from a "telnet" process, one
outgoing from "curl" to a local netcat, and one incoming received by the "nc"
process. The columns show the kind of event (C for connection, X for close and
A for accept), PID, command name (COMM), IP version, source address,
destination address, source port and destination port.
Iago López Galeiras | 6426cd4 | 2017-08-04 16:57:20 +0200

The -t option prints a timestamp column:

```
# ./tcptracer -t
Tracing TCP established connections. Ctrl-C to end.
TIME(s)  T  PID    COMM             IP SADDR            DADDR            SPORT  DPORT
0.000    C  31002  telnet           4  192.168.1.2      192.168.1.1      42590  23
3.546    C  748    curl             6  [::1]            [::1]            42592  80
4.294    X  31002  telnet           4  192.168.1.2      192.168.1.1      42590  23
```
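As an added example (not part of bcc or of this page), here is a small Python parser for the `-t` output above. It pairs each connect (C) or accept (A) event with the later close (X) on the same PID and address/port tuple, giving per-connection lifetimes that a defender can feed into a connection inventory; opens that never close within the trace are reported separately. The sample lines are constructed from the output shown above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the tcptracer -t output shown on this page, banner and header included.
SAMPLE_OUTPUT = """\
Tracing TCP established connections. Ctrl-C to end.
TIME(s)  T  PID    COMM             IP SADDR            DADDR            SPORT  DPORT
0.000    C  31002  telnet           4  192.168.1.2      192.168.1.1      42590  23
3.546    C  748    curl             6  [::1]            [::1]            42592  80
4.294    X  31002  telnet           4  192.168.1.2      192.168.1.1      42590  23
"""

@dataclass
class Event:
    time: float
    kind: str      # 'C' connect, 'A' accept, 'X' close
    pid: int
    comm: str
    ipver: int
    saddr: str
    daddr: str
    sport: int
    dport: int

    def key(self) -> Tuple[int, int, str, str, int, int]:
        # A close is matched to its open by PID plus the full address/port tuple.
        return (self.pid, self.ipver, self.saddr, self.daddr, self.sport, self.dport)

def parse_events(text: str) -> List[Event]:
    """Parse tcptracer -t data lines; the banner and the column header are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        # Data lines have exactly 9 whitespace-separated fields and an event letter in column 2.
        if len(parts) != 9 or parts[1] not in ("C", "A", "X"):
            continue
        t, kind, pid, comm, ipver, saddr, daddr, sport, dport = parts
        events.append(Event(float(t), kind, int(pid), comm, int(ipver),
                            saddr, daddr, int(sport), int(dport)))
    return events

def connection_lifetimes(events: List[Event]) -> List[Tuple[Event, Optional[float]]]:
    """Pair each C/A with the next X on the same key; unmatched opens get duration None."""
    open_conns: Dict[tuple, Event] = {}
    result = []
    for ev in events:
        if ev.kind in ("C", "A"):
            open_conns[ev.key()] = ev
        elif ev.kind == "X":
            start = open_conns.pop(ev.key(), None)
            if start is not None:
                result.append((start, round(ev.time - start.time, 3)))
    # Connections still open when the trace ended (the curl one above) carry no duration.
    result.extend((ev, None) for ev in open_conns.values())
    return result
```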