| Pavel Dubovitsky | 8dd4b5a | 2020-02-18 19:49:11 -0800 | [diff] [blame] | 1 | Demonstrations of bindsnoop, the Linux eBPF/bcc version. |
| 2 | |
| 3 | This tool traces the kernel function performing socket binding and |
| 4 | print socket options set before the system call invocation that might |
| 5 | impact bind behavior and bound interface: |
| 6 | SOL_IP IP_FREEBIND F.... |
| 7 | SOL_IP IP_TRANSPARENT .T... |
| 8 | SOL_IP IP_BIND_ADDRESS_NO_PORT ..N.. |
| 9 | SOL_SOCKET SO_REUSEADDR ...R. |
| 10 | SOL_SOCKET SO_REUSEPORT ....r |
| 11 | |
| 12 | |
| 13 | # ./bindsnoop.py |
| 14 | Tracing binds ... Hit Ctrl-C to end |
| 15 | PID COMM PROT ADDR PORT OPTS IF |
| 16 | 3941081 test_bind_op TCP 192.168.1.102 0 F.N.. 0 |
| 17 | 3940194 dig TCP :: 62087 ..... 0 |
| 18 | 3940219 dig UDP :: 48665 ..... 0 |
| 19 | 3940893 Acceptor Thr TCP :: 35343 ...R. 0 |
| 20 | |
| 21 | The output shows four bind system calls: |
| 22 | two "test_bind_op" instances, one with IP_FREEBIND and IP_BIND_ADDRESS_NO_PORT |
| 23 | options, dig process called bind for TCP and UDP sockets, |
| 24 | and Acceptor called bind for TCP with SO_REUSEADDR option set. |
| 25 | |
| 26 | |
| 27 | The -t option prints a timestamp column |
| 28 | |
| 29 | # ./bindsnoop.py -t |
| 30 | TIME(s) PID COMM PROT ADDR PORT OPTS IF |
| 31 | 0.000000 3956801 dig TCP :: 49611 ..... 0 |
| 32 | 0.011045 3956822 dig UDP :: 56343 ..... 0 |
| 33 | 2.310629 3956498 test_bind_op TCP 192.168.1.102 39609 F...r 0 |
| 34 | |
| 35 | |
| 36 | The -U option prints a UID column: |
| 37 | |
| 38 | # ./bindsnoop.py -U |
| 39 | Tracing binds ... Hit Ctrl-C to end |
| 40 | UID PID COMM PROT ADDR PORT OPTS IF |
| 41 | 127072 3956498 test_bind_op TCP 192.168.1.102 44491 F...r 0 |
| 42 | 127072 3960261 Acceptor Thr TCP :: 48869 ...R. 0 |
| 43 | 0 3960729 Acceptor Thr TCP :: 44637 ...R. 0 |
| 44 | 0 3959075 chef-client UDP :: 61722 ..... 0 |
| 45 | |
| 46 | |
| 47 | The -u option filtering UID: |
| 48 | |
| 49 | # ./bindsnoop.py -Uu 0 |
| 50 | Tracing binds ... Hit Ctrl-C to end |
| 51 | UID PID COMM PROT ADDR PORT OPTS IF |
| 52 | 0 3966330 Acceptor Thr TCP :: 39319 ...R. 0 |
| 53 | 0 3968044 python3.7 TCP ::1 59371 ..... 0 |
| 54 | 0 10224 fetch TCP 0.0.0.0 42091 ...R. 0 |
| 55 | |
| 56 | |
| 57 | The --cgroupmap option filters based on a cgroup set. |
| 58 | It is meant to be used with an externally created map. |
| 59 | |
| 60 | # ./bindsnoop.py --cgroupmap /sys/fs/bpf/test01 |
| 61 | |
| Alban Crequy | 32ab858 | 2020-03-22 16:06:44 +0100 | [diff] [blame] | 62 | For more details, see docs/special_filtering.md |
| Pavel Dubovitsky | 8dd4b5a | 2020-02-18 19:49:11 -0800 | [diff] [blame] | 63 | |
| 64 | |
| 65 | In order to track heavy bind usage one can use --count option |
| 66 | # ./bindsnoop.py --count |
| 67 | Tracing binds ... Hit Ctrl-C to end |
| 68 | LADDR LPORT BINDS |
| 69 | 0.0.0.0 6771 4 |
| 70 | 0.0.0.0 4433 4 |
| 71 | 127.0.0.1 33665 1 |
| 72 | |
| 73 | |
| 74 | Usage message: |
| 75 | # ./bindsnoop.py -h |
| 76 | usage: bindsnoop.py [-h] [-t] [-w] [-p PID] [-P PORT] [-E] [-U] [-u UID] |
| Alban Crequy | 32ab858 | 2020-03-22 16:06:44 +0100 | [diff] [blame] | 77 | [--count] [--cgroupmap CGROUPMAP] [--mntnsmap MNTNSMAP] |
| Pavel Dubovitsky | 8dd4b5a | 2020-02-18 19:49:11 -0800 | [diff] [blame] | 78 | |
| 79 | Trace TCP binds |
| 80 | |
| 81 | optional arguments: |
| 82 | -h, --help show this help message and exit |
| 83 | -t, --timestamp include timestamp on output |
| 84 | -w, --wide wide column output (fits IPv6 addresses) |
| 85 | -p PID, --pid PID trace this PID only |
| 86 | -P PORT, --port PORT comma-separated list of ports to trace. |
| 87 | -E, --errors include errors in the output. |
| 88 | -U, --print-uid include UID on output |
| 89 | -u UID, --uid UID trace this UID only |
| 90 | --count count binds per src ip and port |
| 91 | --cgroupmap CGROUPMAP |
| 92 | trace cgroups in this BPF map only |
| 93 | |
| 94 | examples: |
| 95 | ./bindsnoop # trace all TCP bind()s |
| 96 | ./bindsnoop -t # include timestamps |
| 97 | ./bindsnoop -w # wider columns (fit IPv6) |
| 98 | ./bindsnoop -p 181 # only trace PID 181 |
| 99 | ./bindsnoop -P 80 # only trace port 80 |
| 100 | ./bindsnoop -P 80,81 # only trace port 80 and 81 |
| 101 | ./bindsnoop -U # include UID |
| 102 | ./bindsnoop -u 1000 # only trace UID 1000 |
| 103 | ./bindsnoop -E # report bind errors |
| 104 | ./bindsnoop --count # count bind per src ip |
| 105 | ./bindsnoop --cgroupmap mappath # only trace cgroups in this BPF map |
| Alban Crequy | 32ab858 | 2020-03-22 16:06:44 +0100 | [diff] [blame] | 106 | ./bindsnoop --mntnsmap mappath # only trace mount namespaces in the map |
| Pavel Dubovitsky | 8dd4b5a | 2020-02-18 19:49:11 -0800 | [diff] [blame] | 107 | |
| 108 | it is reporting socket options set before the bins call |
| 109 | impacting system call behavior: |
| 110 | SOL_IP IP_FREEBIND F.... |
| 111 | SOL_IP IP_TRANSPARENT .T... |
| 112 | SOL_IP IP_BIND_ADDRESS_NO_PORT ..N.. |
| 113 | SOL_SOCKET SO_REUSEADDR ...R. |
| 114 | SOL_SOCKET SO_REUSEPORT ....r |
| 115 | |
| 116 | SO_BINDTODEVICE interface is reported as "IF" index |