tools/tcpdrop_example.txt

Demonstrations of tcpdrop, the Linux BPF/bcc version.


tcpdrop prints details of TCP packets or segments that were dropped by the
kernel, including the kernel stack trace that led to the drop:

# ./tcpdrop.py
TIME     PID    IP SADDR:SPORT          > DADDR:DPORT          STATE (FLAGS)
20:49:06 0      4  10.32.119.56:443     > 10.66.65.252:22912   CLOSE (ACK)
	tcp_drop+0x1
	tcp_v4_do_rcv+0x135
	tcp_v4_rcv+0x9c7
	ip_local_deliver_finish+0x62
	ip_local_deliver+0x6f
	ip_rcv_finish+0x129
	ip_rcv+0x28f
	__netif_receive_skb_core+0x432
	__netif_receive_skb+0x18
	netif_receive_skb_internal+0x37
	napi_gro_receive+0xc5
	ena_clean_rx_irq+0x3c3
	ena_io_poll+0x33f
	net_rx_action+0x140
	__softirqentry_text_start+0xdf
	irq_exit+0xb6
	do_IRQ+0x82
	ret_from_intr+0x0
	native_safe_halt+0x6
	default_idle+0x20
	arch_cpu_idle+0x15
	default_idle_call+0x23
	do_idle+0x17f
	cpu_startup_entry+0x73
	rest_init+0xae
	start_kernel+0x4dc
	x86_64_start_reservations+0x24
	x86_64_start_kernel+0x74
	secondary_startup_64+0xa5

20:49:50 12431  4  127.0.0.1:8198       > 127.0.0.1:48280      CLOSE (RST|ACK)
	tcp_drop+0x1
	tcp_v4_do_rcv+0x135
	__release_sock+0x88
	release_sock+0x30
	inet_stream_connect+0x47
	SYSC_connect+0x9e
	sys_connect+0xe
	do_syscall_64+0x73
	entry_SYSCALL_64_after_hwframe+0x3d

[...]

The last two columns show the state of the TCP session, and the TCP flags.
These two examples show packets arriving for a session in the closed state,
that were dropped by the kernel.

This tool is useful for debugging high rates of drops, which can cause the
remote end to do timer-based retransmits, hurting performance.


USAGE:

# ./tcpdrop.py -h
usage: tcpdrop.py [-h]

Trace TCP drops by the kernel

optional arguments:
  -h, --help  show this help message and exit

examples:
    ./tcpdrop           # trace kernel TCP drops