tools/tcpaccept_example.txt

Demonstrations of tcpaccept, the Linux eBPF/bcc version.


This tool traces the kernel function accepting TCP socket connections (eg, a
passive connection via accept(); not connect()). Some example output (IP
addresses changed to protect the innocent):

# ./tcpaccept
PID    COMM         IP RADDR            LADDR            LPORT
907    sshd         4  192.168.56.1     192.168.56.102   22
907    sshd         4  127.0.0.1        127.0.0.1        22
5389   perl         6  1234:ab12:2040:5020:2299:0:5:0 1234:ab12:2040:5020:2299:0:5:0 7001

This output shows three connections, two IPv4 connections to PID 907, an "sshd"
process listening on port 22, and one IPv6 connection to a "perl" process
listening on port 7001.

The overhead of this tool should be negligible, since it is only tracing the
kernel function performing accept. It is not tracing every packet and then
filtering.

This tool only traces successful TCP accept()s. Connection attempts to closed
ports will not be shown (those can be traced via other functions).


The -t option prints a timestamp column:

# ./tcpaccept -t
TIME(s)  PID    COMM         IP RADDR            LADDR            LPORT
0.000    907    sshd         4  127.0.0.1        127.0.0.1        22
0.010    5389   perl         6  1234:ab12:2040:5020:2299:0:5:0 1234:ab12:2040:5020:2299:0:5:0 7001
0.992    907    sshd         4  127.0.0.1        127.0.0.1        22
1.984    907    sshd         4  127.0.0.1        127.0.0.1        22


USAGE message:

# ./tcpaccept -h
usage: tcpaccept [-h] [-t] [-p PID]

Trace TCP accepts

optional arguments:
  -h, --help         show this help message and exit
  -t, --timestamp    include timestamp on output
  -p PID, --pid PID  trace this PID only

examples:
    ./tcpaccept           # trace all TCP accept()s
    ./tcpaccept -t        # include timestamps
    ./tcpaccept -p 181    # only trace PID 181