Demonstrations of tcpaccept, the Linux eBPF/bcc version.


This tool traces the kernel function accepting TCP socket connections (e.g., a
passive connection via accept(); not connect()). Some example output (IP
addresses changed to protect the innocent):

# ./tcpaccept
PID     COMM         IP RADDR            RPORT LADDR            LPORT
907     sshd         4  192.168.56.1     32324 192.168.56.102   22
907     sshd         4  127.0.0.1        39866 127.0.0.1        22
5389    perl         6  1234:ab12:2040:5020:2299:0:5:0 52352 1234:ab12:2040:5020:2299:0:5:0 7001

This output shows three connections: two IPv4 connections to PID 907, an "sshd"
process listening on port 22, and one IPv6 connection to a "perl" process
listening on port 7001.

The overhead of this tool should be negligible, since it is only tracing the
kernel function performing accept. It is not tracing every packet and then
filtering.

This tool only traces successful TCP accept()s. Connection attempts to closed
ports will not be shown (those can be traced via other functions).


The -t option prints a timestamp column:

# ./tcpaccept -t
TIME(s)  PID     COMM         IP RADDR            RPORT LADDR            LPORT
0.000    907     sshd         4  127.0.0.1        53700 127.0.0.1        22
0.010    5389    perl         6  1234:ab12:2040:5020:2299:0:5:0 40614 1234:ab12:2040:5020:2299:0:5:0 7001
0.992    907     sshd         4  127.0.0.1        32548 127.0.0.1        22
1.984    907     sshd         4  127.0.0.1        51250 127.0.0.1        22

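Added example, not part of the original file or of bcc itself: tcpaccept output
can be post-processed to flag inbound connections that fall outside a policy.
The Python below parses the column layout shown above (with or without the
TIME column) and reports violations; the function names, the policy format and
the 203.0.113.9 sample row are assumptions made for illustration.

```python
import ipaddress

def parse_tcpaccept(text):
    """Parse tcpaccept output (with or without a TIME column) into dicts."""
    header, events = None, []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "#":
            continue                      # blank line or shell prompt
        if "COMM" in fields and "LPORT" in fields:
            header = fields               # header row defines the layout
            continue
        if header is None or len(fields) < len(header):
            continue                      # no header yet, or truncated row
        lead = header.index("COMM")       # fixed columns before COMM
        tail = len(header) - lead - 1     # fixed columns after COMM
        # COMM may contain spaces: take everything between the fixed columns.
        ev = dict(zip(header[:lead], fields[:lead]))
        ev["COMM"] = " ".join(fields[lead:len(fields) - tail])
        ev.update(zip(header[lead + 1:], fields[-tail:]))
        events.append(ev)
    return events

def unexpected_accepts(events, policy):
    """policy: local port -> (expected COMM, allowed peer networks)."""
    findings = []
    for ev in events:
        rule = policy.get(int(ev["LPORT"]))
        if rule is None:
            findings.append((ev["COMM"], ev["RADDR"], "port not in policy"))
            continue
        comm, nets = rule
        peer = ipaddress.ip_address(ev["RADDR"])
        if ev["COMM"] != comm:
            findings.append((ev["COMM"], ev["RADDR"], "unexpected process"))
        elif not any(peer in ipaddress.ip_network(n) for n in nets):
            findings.append((ev["COMM"], ev["RADDR"], "peer not allowed"))
    return findings

# Constructed sample in the -t layout; the last row is made up to trip the policy.
SAMPLE = """\
TIME(s)  PID   COMM  IP RADDR       RPORT LADDR          LPORT
0.000    907   sshd  4  127.0.0.1   53700 127.0.0.1      22
0.010    5389  perl  6  1234:ab12:2040:5020:2299:0:5:0 40614 1234:ab12:2040:5020:2299:0:5:0 7001
0.992    907   sshd  4  203.0.113.9 32548 192.168.56.102 22
"""
POLICY = {22: ("sshd", ["127.0.0.0/8", "192.168.56.0/24"])}  # constructed
if __name__ == "__main__":
    print(unexpected_accepts(parse_tcpaccept(SAMPLE), POLICY))
```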

The --cgroupmap option filters based on a cgroup set. It is meant to be used
with an externally created map.

# ./tcpaccept --cgroupmap /sys/fs/bpf/test01

For more details, see docs/special_filtering.md


USAGE message:

# ./tcpaccept -h
usage: tcpaccept.py [-h] [-T] [-t] [-p PID] [-P PORT] [-4 | -6] [--cgroupmap CGROUPMAP]

Trace TCP accepts

optional arguments:
  -h, --help            show this help message and exit
  -T, --time            include time column on output (HH:MM:SS)
  -t, --timestamp       include timestamp on output
  -p PID, --pid PID     trace this PID only
  -P PORT, --port PORT  comma-separated list of local ports to trace
  -4, --ipv4            trace IPv4 family only
  -6, --ipv6            trace IPv6 family only
  --cgroupmap CGROUPMAP
                        trace cgroups in this BPF map only

examples:
    ./tcpaccept           # trace all TCP accept()s
    ./tcpaccept -t        # include timestamps
    ./tcpaccept -P 80,81  # only trace port 80 and 81
    ./tcpaccept -p 181    # only trace PID 181
    ./tcpaccept --cgroupmap mappath  # only trace cgroups in this BPF map
    ./tcpaccept --mntnsmap mappath   # only trace mount namespaces in the map
    ./tcpaccept -4        # trace IPv4 family only
    ./tcpaccept -6        # trace IPv6 family only