Brendan Gregg | f06d3b4 | 2015-10-15 17:21:32 -0700
Demonstrations of tcpconnect, the Linux eBPF/bcc version.


This tool traces the kernel function performing active TCP connections
(e.g., via a connect() syscall; accept() calls are passive connections). Some
example output (IP addresses changed to protect the innocent):

# ./tcpconnect
PID    COMM         IP SADDR            DADDR            DPORT
1479   telnet       4  127.0.0.1        127.0.0.1        23
1469   curl         4  10.201.219.236   54.245.105.25    80
1469   curl         4  10.201.219.236   54.67.101.145    80
11072  ssh          6  ...fe8203ac      ...fe82abcd      22

This output shows four connections, one from a "telnet" process, two from
"curl", and one from "ssh". The output columns show the IP version, source
address, destination address, and destination port. This traces attempted
connections: these may have failed.

IPv4 addresses are printed as dotted quads. Only the last 4 bytes of IPv6
addresses are printed for now (check for updated versions of this tool).

The overhead of this tool should be negligible, since it is only tracing the
kernel functions performing connect. It is not tracing every packet and then
filtering.


The -t option prints a timestamp column:

# ./tcpconnect -t
TIME(s)  PID    COMM         IP SADDR            DADDR            DPORT
31.871   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
31.874   2482   local_agent  4  10.103.219.236   10.101.3.132     7001
31.878   2482   local_agent  4  10.103.219.236   10.171.133.98    7101
90.917   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
90.928   2482   local_agent  4  10.103.219.236   10.102.64.230    7001
90.938   2482   local_agent  4  10.103.219.236   10.115.167.169   7101

The output shows some periodic connections (or attempts) from a "local_agent"
process to various other addresses. A few connections occur every minute.
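As an added example (not part of bcc or the tcpconnect tool itself), a small Python parser for the output shown above, with or without the -t column, that groups repeated connects per (process, destination, port) and reports the gap between them, which is how the once-a-minute pattern above would be picked out of a longer capture. The embedded sample is the -t output from this file.

```python
from collections import defaultdict

# Fixture: the "tcpconnect -t" output shown in this example file.
SAMPLE_OUTPUT = """\
TIME(s)  PID    COMM         IP SADDR            DADDR            DPORT
31.871   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
31.874   2482   local_agent  4  10.103.219.236   10.101.3.132     7001
31.878   2482   local_agent  4  10.103.219.236   10.171.133.98    7101
90.917   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
90.928   2482   local_agent  4  10.103.219.236   10.102.64.230    7001
90.938   2482   local_agent  4  10.103.219.236   10.115.167.169   7101
"""
def parse_tcpconnect(text):
    """Parse tcpconnect output, with or without the -t TIME(s) column."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] in ("TIME(s)", "PID"):  # blank or header
            continue
        if len(fields) == 7:        # -t output: leading timestamp
            ts, fields = float(fields[0]), fields[1:]
        elif len(fields) == 6:      # plain output: no timestamp
            ts = None
        else:
            raise ValueError("unexpected tcpconnect line: %r" % line)
        pid, comm, ip, saddr, daddr, dport = fields
        rows.append({"time": ts, "pid": int(pid), "comm": comm, "ip": int(ip),
                     "saddr": saddr, "daddr": daddr, "dport": int(dport)})
    return rows

def repeated_destinations(rows):
    """Gaps (seconds) between repeated connects to the same (comm, daddr, dport)."""
    times = defaultdict(list)
    for r in rows:
        if r["time"] is not None:
            times[(r["comm"], r["daddr"], r["dport"])].append(r["time"])
    return {key: [round(b - a, 3) for a, b in zip(ts, ts[1:])]
            for key, ts in ((k, sorted(v)) for k, v in times.items()) if len(ts) > 1}

def destinations_per_comm(rows):
    """Number of distinct (daddr, dport) pairs each process connected to."""
    dests = defaultdict(set)
    for r in rows:
        dests[r["comm"]].add((r["daddr"], r["dport"]))
    return {comm: len(d) for comm, d in dests.items()}

if __name__ == "__main__":
    rows = parse_tcpconnect(SAMPLE_OUTPUT)
    print(repeated_destinations(rows), destinations_per_comm(rows))
```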


USAGE message:

# ./tcpconnect -h
usage: tcpconnect [-h] [-t] [-p PID]

Trace TCP connects

optional arguments:
  -h, --help         show this help message and exit
  -t, --timestamp    include timestamp on output
  -p PID, --pid PID  trace this PID only

examples:
    ./tcpconnect           # trace all TCP connect()s
    ./tcpconnect -t        # include timestamps
    ./tcpconnect -p 181    # only trace PID 181