Brendan Gregg | 553f2aa | 2016-02-14 18:15:24 -0800

Demonstrations of tcpretrans, the Linux eBPF/bcc version.


This tool traces the kernel TCP retransmit function to show details of these
retransmits. For example:

# ./tcpretrans
TIME     PID    IP LADDR:LPORT          T> RADDR:RPORT          STATE
01:55:05 0      4  10.153.223.157:22    R> 69.53.245.40:34619   ESTABLISHED
01:55:05 0      4  10.153.223.157:22    R> 69.53.245.40:34619   ESTABLISHED
01:55:17 0      4  10.153.223.157:22    R> 69.53.245.40:22957   ESTABLISHED
[...]

This output shows three TCP retransmits. The first two were for an IPv4
connection from 10.153.223.157 port 22 to 69.53.245.40 port 34619. The TCP
state was "ESTABLISHED" at the time of the retransmit. The on-CPU PID at the
time of the retransmit is printed, in this case 0 (the kernel, which will
be the case most of the time).

Retransmits are usually a sign of poor network health, and this tool is
useful for their investigation. Unlike using tcpdump, this tool has very
low overhead, as it only traces the retransmit function. It also prints
additional kernel details: the state of the TCP session at the time of the
retransmit.


A -l option will include TCP tail loss probe attempts:

# ./tcpretrans -l
TIME     PID    IP LADDR:LPORT          T> RADDR:RPORT          STATE
01:55:45 0      4  10.153.223.157:22    R> 69.53.245.40:51601   ESTABLISHED
01:55:46 0      4  10.153.223.157:22    R> 69.53.245.40:51601   ESTABLISHED
01:55:46 0      4  10.153.223.157:22    R> 69.53.245.40:51601   ESTABLISHED
01:55:53 0      4  10.153.223.157:22    L> 69.53.245.40:46444   ESTABLISHED
01:56:06 0      4  10.153.223.157:22    R> 69.53.245.40:46444   ESTABLISHED
01:56:06 0      4  10.153.223.157:22    R> 69.53.245.40:46444   ESTABLISHED
01:56:08 0      4  10.153.223.157:22    R> 69.53.245.40:46444   ESTABLISHED
01:56:08 0      4  10.153.223.157:22    R> 69.53.245.40:46444   ESTABLISHED
01:56:08 1938   4  10.153.223.157:22    R> 69.53.245.40:46444   ESTABLISHED
01:56:08 0      4  10.153.223.157:22    R> 69.53.245.40:46444   ESTABLISHED
01:56:08 0      4  10.153.223.157:22    R> 69.53.245.40:46444   ESTABLISHED
[...]

See the "L>" in the "T>" column. These are attempts: the kernel probably
sent a TLP, but in some cases it might not have been ultimately sent.
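
When the output is long, it helps to count events per connection and to keep
"R>" retransmits apart from "L>" tail loss probe attempts. The following is an
added example, not part of bcc or of the original file: a small parser for the
column layout shown above. The names parse() and summarize() are hypothetical,
and the sample rows are a constructed subset of the -l output.

```python
import re
from collections import Counter

# Constructed sample: a subset of the rows from the -l output shown above.
SAMPLE = """\
TIME     PID    IP LADDR:LPORT          T> RADDR:RPORT          STATE
01:55:45 0      4  10.153.223.157:22    R> 69.53.245.40:51601   ESTABLISHED
01:55:53 0      4  10.153.223.157:22    L> 69.53.245.40:46444   ESTABLISHED
01:56:06 0      4  10.153.223.157:22    R> 69.53.245.40:46444   ESTABLISHED
01:56:08 1938   4  10.153.223.157:22    R> 69.53.245.40:46444   ESTABLISHED
01:56:08 0      4  10.153.223.157:22    R> 69.53.245.40:46444   ESTABLISHED
[...]
"""

# One event row: TIME PID IP LADDR:LPORT T> RADDR:RPORT STATE
ROW = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<pid>\d+)\s+(?P<ip>[46])\s+"
    r"(?P<local>\S+)\s+(?P<type>[RL])>\s+(?P<remote>\S+)\s+(?P<state>\S+)\s*$"
)

def parse(text):
    """Yield one dict per event row; header, blank and '[...]' lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # Split on the last ':' so an address containing colons stays intact.
        ev["laddr"], ev["lport"] = ev["local"].rsplit(":", 1)
        ev["raddr"], ev["rport"] = ev["remote"].rsplit(":", 1)
        ev["pid"] = int(ev["pid"])
        yield ev

def summarize(text):
    """Count events per (local, remote, type) flow, busiest flow first."""
    flows = Counter((ev["local"], ev["remote"], ev["type"]) for ev in parse(text))
    return flows.most_common()

if __name__ == "__main__":
    for (local, remote, kind), n in summarize(SAMPLE):
        label = "retransmit" if kind == "R" else "TLP attempt"
        print(f"{n:3d} {label:11s} {local} -> {remote}")
```
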


USAGE message:

# ./tcpretrans -h
usage: tcpretrans [-h] [-l]

Trace TCP retransmits

optional arguments:
  -h, --help       show this help message and exit
  -l, --lossprobe  include tail loss probe attempts

examples:
    ./tcpretrans           # trace TCP retransmits
    ./tcpretrans -l        # include TLP attempts