Demonstrations of tcpstates, the Linux BPF/bcc version.


tcpstates prints TCP state change information, including the duration in each
state in milliseconds. For example, a single TCP session:

# tcpstates
SKADDR           C-PID C-COMM     LADDR           LPORT RADDR           RPORT OLDSTATE    -> NEWSTATE    MS
ffff9fd7e8192000 22384 curl       100.66.100.185  0     52.33.159.26    80    CLOSE       -> SYN_SENT    0.000
ffff9fd7e8192000 0     swapper/5  100.66.100.185  63446 52.33.159.26    80    SYN_SENT    -> ESTABLISHED 1.373
ffff9fd7e8192000 22384 curl       100.66.100.185  63446 52.33.159.26    80    ESTABLISHED -> FIN_WAIT1   176.042
ffff9fd7e8192000 0     swapper/5  100.66.100.185  63446 52.33.159.26    80    FIN_WAIT1   -> FIN_WAIT2   0.536
ffff9fd7e8192000 0     swapper/5  100.66.100.185  63446 52.33.159.26    80    FIN_WAIT2   -> CLOSE       0.006
^C

This showed that the most time was spent in the ESTABLISHED state (which then
transitioned to FIN_WAIT1), which was 176.042 milliseconds.

The first column is the socket address, which identifies the session, as the
output may include lines from different sessions interleaved. The next two
columns show the current on-CPU process ID and command name: these may show the
process that owns the TCP session, depending on whether the state change
executes synchronously in process context. If that's not the case, they may
show kernel details.

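An added example, not part of bcc or of the original file: a parser for the
default output format shown above that groups interleaved lines by SKADDR and
sums the time spent in each OLDSTATE per socket. The function names and the
second session in the sample (10.0.0.x, "my app") are constructed; it assumes
output produced without -t, -T, -w or -s.

```python
import re
from collections import defaultdict

# Constructed sample: the session from this page interleaved with a made-up failed connect.
SAMPLE = """\
SKADDR           C-PID C-COMM     LADDR           LPORT RADDR           RPORT OLDSTATE    -> NEWSTATE    MS
ffff9fd7e8192000 22384 curl       100.66.100.185  0     52.33.159.26    80    CLOSE       -> SYN_SENT    0.000
ffff9fd7e8190000 812   my app     10.0.0.5        0     10.0.0.9        443   CLOSE       -> SYN_SENT    0.000
ffff9fd7e8192000 0     swapper/5  100.66.100.185  63446 52.33.159.26    80    SYN_SENT    -> ESTABLISHED 1.373
ffff9fd7e8192000 22384 curl       100.66.100.185  63446 52.33.159.26    80    ESTABLISHED -> FIN_WAIT1   176.042
ffff9fd7e8190000 0     swapper/2  10.0.0.5        40112 10.0.0.9        443   SYN_SENT    -> CLOSE       3021.500
ffff9fd7e8192000 0     swapper/5  100.66.100.185  63446 52.33.159.26    80    FIN_WAIT1   -> FIN_WAIT2   0.536
ffff9fd7e8192000 0     swapper/5  100.66.100.185  63446 52.33.159.26    80    FIN_WAIT2   -> CLOSE       0.006
"""

def parse_line(line):
    """Split one row; C-COMM may contain spaces, so peel fields from both ends."""
    tok = line.split()
    if len(tok) < 11 or tok[-3] != "->" or not re.fullmatch(r"[0-9a-f]+", tok[0]):
        return None  # header, ^C, blank or truncated line
    laddr, lport, raddr, rport, old, _, new, ms = tok[-8:]
    return {"skaddr": tok[0], "pid": int(tok[1]), "comm": " ".join(tok[2:-8]),
            "laddr": laddr, "lport": int(lport), "raddr": raddr, "rport": int(rport),
            "old": old, "new": new, "ms": float(ms)}

def time_in_state(text):
    """Return {skaddr: {state: ms}}; MS on each row is the time spent in OLDSTATE."""
    sessions = defaultdict(lambda: defaultdict(float))
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            sessions[ev["skaddr"]][ev["old"]] += ev["ms"]
    return {sk: dict(states) for sk, states in sessions.items()}

def longest_state(states):
    """State with the largest accumulated duration for one socket."""
    return max(states.items(), key=lambda kv: kv[1])

if __name__ == "__main__":
    for sk, states in time_in_state(SAMPLE).items():
        state, ms = longest_state(states)
        print(f"{sk}: longest {state} {ms:.3f} ms  all={states}")
```

Grouping is by socket address only, so a later session that happens to get the
same SKADDR is added to the same totals.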

USAGE:

# tcpstates -h
usage: tcpstates.py [-h] [-T] [-t] [-w] [-s] [-L LOCALPORT] [-D REMOTEPORT]
                    [-Y]

Trace TCP session state changes and durations

optional arguments:
  -h, --help            show this help message and exit
  -T, --time            include time column on output (HH:MM:SS)
  -t, --timestamp       include timestamp on output (seconds)
  -w, --wide            wide column output (fits IPv6 addresses)
  -s, --csv             comma separated values output
  -L LOCALPORT, --localport LOCALPORT
                        comma-separated list of local ports to trace.
  -D REMOTEPORT, --remoteport REMOTEPORT
                        comma-separated list of remote ports to trace.
  -Y, --journal         log session state changes to the systemd journal

examples:
    ./tcpstates           # trace all TCP state changes
    ./tcpstates -t        # include timestamp column
    ./tcpstates -T        # include time column (HH:MM:SS)
    ./tcpstates -w        # wider colums (fit IPv6)
    ./tcpstates -stT      # csv output, with times & timestamps
    ./tcpstates -Y        # log events to the systemd journal
    ./tcpstates -L 80     # only trace local port 80
    ./tcpstates -L 80,81  # only trace local ports 80 and 81
    ./tcpstates -D 80     # only trace remote port 80