| Brendan Gregg | f06d3b4 | 2015-10-15 17:21:32 -0700 | [diff] [blame] | 1 | Demonstrations of tcpconnect, the Linux eBPF/bcc version. |
| 2 | |
| 3 | |
| 4 | This tool traces the kernel function performing active TCP connections |
| 5 | (eg, via a connect() syscall; accept() are passive connections). Some example |
| 6 | output (IP addresses changed to protect the innocent): |
| 7 | |
| Alexei Starovoitov | bdf0773 | 2016-01-14 10:09:20 -0800 | [diff] [blame] | 8 | # ./tcpconnect |
| Brendan Gregg | f06d3b4 | 2015-10-15 17:21:32 -0700 | [diff] [blame] | 9 | PID COMM IP SADDR DADDR DPORT |
| Alexei Starovoitov | bdf0773 | 2016-01-14 10:09:20 -0800 | [diff] [blame] | 10 | 1479 telnet 4 127.0.0.1 127.0.0.1 23 |
| 11 | 1469 curl 4 10.201.219.236 54.245.105.25 80 |
| 12 | 1469 curl 4 10.201.219.236 54.67.101.145 80 |
| Brendan Gregg | 9e0b087 | 2016-03-28 12:11:45 -0700 | [diff] [blame] | 13 | 1991 telnet 6 ::1 ::1 23 |
| 14 | 2015 ssh 6 fe80::2000:bff:fe82:3ac fe80::2000:bff:fe82:3ac 22 |
| Brendan Gregg | f06d3b4 | 2015-10-15 17:21:32 -0700 | [diff] [blame] | 15 | |
| 16 | This output shows four connections, one from a "telnet" process, two from |
| 17 | "curl", and one from "ssh". The output details shows the IP version, source |
| 18 | address, destination address, and destination port. This traces attempted |
| 19 | connections: these may have failed. |
| 20 | |
| Brendan Gregg | f06d3b4 | 2015-10-15 17:21:32 -0700 | [diff] [blame] | 21 | The overhead of this tool should be negligible, since it is only tracing the |
| 22 | kernel functions performing connect. It is not tracing every packet and then |
| 23 | filtering. |
| 24 | |
| 25 | |
| 26 | The -t option prints a timestamp column: |
| 27 | |
| 28 | # ./tcpconnect -t |
| 29 | TIME(s) PID COMM IP SADDR DADDR DPORT |
| 30 | 31.871 2482 local_agent 4 10.103.219.236 10.251.148.38 7001 |
| 31 | 31.874 2482 local_agent 4 10.103.219.236 10.101.3.132 7001 |
| 32 | 31.878 2482 local_agent 4 10.103.219.236 10.171.133.98 7101 |
| 33 | 90.917 2482 local_agent 4 10.103.219.236 10.251.148.38 7001 |
| 34 | 90.928 2482 local_agent 4 10.103.219.236 10.102.64.230 7001 |
| 35 | 90.938 2482 local_agent 4 10.103.219.236 10.115.167.169 7101 |
| 36 | |
| 37 | The output shows some periodic connections (or attempts) from a "local_agent" |
| 38 | process to various other addresses. A few connections occur every minute. |
| 39 | |
| 40 | |
| 41 | USAGE message: |
| 42 | |
| 43 | # ./tcpconnect -h |
| chantra | 5293805 | 2016-09-10 09:44:50 -0700 | [diff] [blame] | 44 | usage: tcpconnect [-h] [-t] [-p PID] [-P PORT] |
| Brendan Gregg | f06d3b4 | 2015-10-15 17:21:32 -0700 | [diff] [blame] | 45 | |
| 46 | Trace TCP connects |
| 47 | |
| 48 | optional arguments: |
| 49 | -h, --help show this help message and exit |
| 50 | -t, --timestamp include timestamp on output |
| 51 | -p PID, --pid PID trace this PID only |
| chantra | 5293805 | 2016-09-10 09:44:50 -0700 | [diff] [blame] | 52 | -P PORT, --port PORT |
| 53 | comma-separated list of destination ports to trace. |
| Brendan Gregg | f06d3b4 | 2015-10-15 17:21:32 -0700 | [diff] [blame] | 54 | |
| 55 | examples: |
| 56 | ./tcpconnect # trace all TCP connect()s |
| 57 | ./tcpconnect -t # include timestamps |
| 58 | ./tcpconnect -p 181 # only trace PID 181 |
| chantra | 5293805 | 2016-09-10 09:44:50 -0700 | [diff] [blame] | 59 | ./tcpconnect -P 80 # only trace port 80 |
| 60 | ./tcpconnect -P 80,81 # only trace port 80 and 81 |