Demonstrations of tcpconnect, the Linux eBPF/bcc version.


This tool traces the kernel function performing active TCP connections
(e.g., via a connect() syscall; accept() calls are passive connections). Some
example output (IP addresses changed to protect the innocent):

# ./tcpconnect
PID    COMM         IP SADDR                    DADDR                    DPORT
1479   telnet       4  127.0.0.1                127.0.0.1                23
1469   curl         4  10.201.219.236           54.245.105.25            80
1469   curl         4  10.201.219.236           54.67.101.145            80
1991   telnet       6  ::1                      ::1                      23
2015   ssh          6  fe80::2000:bff:fe82:3ac  fe80::2000:bff:fe82:3ac  22

This output shows four connections, one from a "telnet" process, two from
"curl", and one from "ssh". The output details show the IP version, source
address, destination address, and destination port. This traces attempted
connections: these may have failed.

The overhead of this tool should be negligible, since it is only tracing the
kernel functions performing connect. It is not tracing every packet and then
filtering.


The -t option prints a timestamp column:

# ./tcpconnect -t
TIME(s)  PID    COMM         IP SADDR            DADDR            DPORT
31.871   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
31.874   2482   local_agent  4  10.103.219.236   10.101.3.132     7001
31.878   2482   local_agent  4  10.103.219.236   10.171.133.98    7101
90.917   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
90.928   2482   local_agent  4  10.103.219.236   10.102.64.230    7001
90.938   2482   local_agent  4  10.103.219.236   10.115.167.169   7101

The output shows some periodic connections (or attempts) from a "local_agent"
process to various other addresses. A few connections occur every minute.

The -d option tracks DNS responses and tries to associate each connection with
a previous DNS query issued before it. If a DNS response matching the IP
is found, it will be printed. If no match was found, "No DNS Query" is printed
in this column. Queries for 127.0.0.1 and ::1 are automatically associated with
"localhost". If the time between when the DNS response was received and a
connect call was traced exceeds 100ms, the tool will print the time delta
after the query name. See below for www.domain.com for an example.

# ./tcpconnect -d
PID    COMM          IP SADDR                    DADDR                    DPORT QUERY
1543   amazon-ssm-a  4  10.66.75.54              176.32.119.67            443   ec2messages.us-west-1.amazonaws.com
1479   telnet        4  127.0.0.1                127.0.0.1                23    localhost
1469   curl          4  10.201.219.236           54.245.105.25            80    www.domain.com (123.342ms)
1469   curl          4  10.201.219.236           54.67.101.145            80    No DNS Query
1991   telnet        6  ::1                      ::1                      23    localhost
2015   ssh           6  fe80::2000:bff:fe82:3ac  fe80::2000:bff:fe82:3ac  22    anotherhost.org

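The matching rule described above, replayed offline as an added example (this is not the bcc tool's own code; tcpconnect gets DNS responses and connect() events from eBPF probes, whereas here both are constructed event lists, and the names DnsCache, annotate and the sample events are this example's own). It applies the three cases the text names: a cached name for the destination IP, the 127.0.0.1/::1 shortcut to "localhost", and the time delta appended when more than 100ms separate the DNS response from the connect.

```python
"""Replay of the DNS-response-to-connect association that tcpconnect -d performs.

Added example, not code from bcc. The real tool observes DNS responses and
connect() calls with eBPF; here both streams are constructed lists so the
matching rule can be exercised without root or a kernel with BPF support.
"""
from collections import namedtuple

DnsResponse = namedtuple("DnsResponse", "ts name ip")
Connect = namedtuple("Connect", "ts pid comm ipver saddr daddr dport")

# The page states that a gap above 100 ms between the DNS response and the
# connect is printed after the query name.
DELTA_THRESHOLD_S = 0.100
LOCALHOST_ADDRS = {"127.0.0.1", "::1"}


class DnsCache:
    """Latest name observed resolving to each IP address."""

    def __init__(self):
        self._by_ip = {}

    def record(self, resp):
        # A newer response for the same IP replaces the older one.
        self._by_ip[resp.ip] = (resp.name, resp.ts)

    def query_for(self, conn):
        """Text for the QUERY column of one connect event."""
        if conn.daddr in LOCALHOST_ADDRS:
            return "localhost"
        hit = self._by_ip.get(conn.daddr)
        if hit is None:
            return "No DNS Query"
        name, resp_ts = hit
        delta_s = conn.ts - resp_ts
        if delta_s > DELTA_THRESHOLD_S:
            return "%s (%.3fms)" % (name, delta_s * 1000.0)
        return name


def annotate(dns_responses, connects):
    """Process both streams in time order (DNS first on ties) and return
    [(connect, query_text), ...] in connect order."""
    cache = DnsCache()
    events = sorted(
        [(r.ts, 0, r) for r in dns_responses] + [(c.ts, 1, c) for c in connects],
        key=lambda e: (e[0], e[1]),
    )
    labelled = []
    for _, kind, ev in events:
        if kind == 0:
            cache.record(ev)
        else:
            labelled.append((ev, cache.query_for(ev)))
    return labelled


# Constructed events mirroring the -d sample output above.
SAMPLE_DNS = [
    DnsResponse(10.000, "ec2messages.us-west-1.amazonaws.com", "176.32.119.67"),
    DnsResponse(12.000, "www.domain.com", "54.245.105.25"),
]
SAMPLE_CONNECTS = [
    Connect(10.020, 1543, "amazon-ssm-a", 4, "10.66.75.54", "176.32.119.67", 443),
    Connect(10.500, 1479, "telnet", 4, "127.0.0.1", "127.0.0.1", 23),
    Connect(12.123342, 1469, "curl", 4, "10.201.219.236", "54.245.105.25", 80),
    Connect(12.200, 1469, "curl", 4, "10.201.219.236", "54.67.101.145", 80),
]


def format_rows(labelled):
    """Render in the column order tcpconnect -d prints."""
    lines = ["%-6s %-12s %-2s %-16s %-16s %-5s %s"
             % ("PID", "COMM", "IP", "SADDR", "DADDR", "DPORT", "QUERY")]
    for c, q in labelled:
        lines.append("%-6d %-12s %-2d %-16s %-16s %-5d %s"
                     % (c.pid, c.comm, c.ipver, c.saddr, c.daddr, c.dport, q))
    return lines


if __name__ == "__main__":
    print("\n".join(format_rows(annotate(SAMPLE_DNS, SAMPLE_CONNECTS))))
```

The cache keeps only the most recent name per IP, so a connect to an address that several names resolve to is labelled with whichever response arrived last; when triaging output, treat the QUERY column as a likely association, as the usage text says, not as proof of which name the process asked for.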

The -L option prints an LPORT column:

# ./tcpconnect -L
PID    COMM   IP SADDR            LPORT  DADDR            DPORT
3706   nc     4  192.168.122.205  57266  192.168.122.150  5000
3722   ssh    4  192.168.122.205  50966  192.168.122.150  22
3779   ssh    6  fe80::1          52328  fe80::2          22


The -U option prints a UID column:

# ./tcpconnect -U
UID    PID    COMM    IP SADDR      DADDR      DPORT
0      31333  telnet  6  ::1        ::1        23
0      31333  telnet  4  127.0.0.1  127.0.0.1  23
1000   31322  curl    4  127.0.0.1  127.0.0.1  80
1000   31322  curl    6  ::1        ::1        80


The -u option filters by UID:

# ./tcpconnect -Uu 1000
UID    PID    COMM    IP SADDR      DADDR      DPORT
1000   31338  telnet  6  ::1        ::1        23
1000   31338  telnet  4  127.0.0.1  127.0.0.1  23

To spot heavy outbound connections quickly, one can use the -c flag. It will
count all active connections per source IP and destination IP/port.

# ./tcpconnect.py -c
Tracing connect ... Hit Ctrl-C to end
^C
LADDR           RADDR            RPORT  CONNECTS
192.168.10.50   172.217.21.194   443    70
192.168.10.50   172.213.11.195   443    34
192.168.10.50   172.212.22.194   443    21
[...]


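An added example, not part of bcc, that post-processes saved tcpconnect -t output: it reproduces the per-destination tally that -c prints and, for the "every minute" pattern noted in the local_agent output above, measures the interval between repeated connects to the same destination so that periodic behaviour can be checked rather than eyeballed. The input is the -t sample from this page, embedded as constructed text; parse_rows, count_connects, repeat_intervals and periodic_destinations are this example's own names, and the interval window is a hypothetical heuristic, not a setting of the tool.

```python
"""Offline post-processing of tcpconnect -t output.

Added example, not bcc code. It parses the text tcpconnect -t prints,
tallies connects per (LADDR, RADDR, RPORT) as -c does, and measures the gap
between repeated connects to one destination from one process name.
"""
from collections import defaultdict

# Constructed input: the -t sample from this page, in tcpconnect's column layout.
SAMPLE_OUTPUT = """\
TIME(s)  PID    COMM         IP SADDR            DADDR            DPORT
31.871   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
31.874   2482   local_agent  4  10.103.219.236   10.101.3.132     7001
31.878   2482   local_agent  4  10.103.219.236   10.171.133.98    7101
90.917   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
90.928   2482   local_agent  4  10.103.219.236   10.102.64.230    7001
90.938   2482   local_agent  4  10.103.219.236   10.115.167.169   7101
"""


def parse_rows(text):
    """Parse -t output into dicts. Assumes COMM contains no whitespace, which
    holds for the truncated process names tcpconnect prints."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] == "TIME(s)":
            continue
        ts, pid, comm, ipver, saddr, daddr, dport = parts[:7]
        rows.append({
            "ts": float(ts), "pid": int(pid), "comm": comm, "ip": int(ipver),
            "saddr": saddr, "daddr": daddr, "dport": int(dport),
        })
    return rows


def count_connects(rows):
    """Tally like tcpconnect -c: {(LADDR, RADDR, RPORT): CONNECTS}."""
    counts = defaultdict(int)
    for r in rows:
        counts[(r["saddr"], r["daddr"], r["dport"])] += 1
    return dict(counts)


def repeat_intervals(rows):
    """Seconds between successive connects from one COMM to one destination,
    reported only for destinations contacted more than once."""
    times = defaultdict(list)
    for r in rows:
        times[(r["comm"], r["daddr"], r["dport"])].append(r["ts"])
    return {
        key: [round(b - a, 3) for a, b in zip(ts, ts[1:])]
        for key, ts in times.items() if len(ts) > 1
    }


def periodic_destinations(rows, min_interval_s=30.0, max_interval_s=120.0):
    """Hypothetical heuristic: destinations whose every repeat interval falls
    inside the window (default roughly 'about once a minute'), sorted."""
    hits = []
    for key, gaps in repeat_intervals(rows).items():
        if all(min_interval_s <= g <= max_interval_s for g in gaps):
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_OUTPUT)
    print("%-16s %-16s %-6s %s" % ("LADDR", "RADDR", "RPORT", "CONNECTS"))
    ranked = sorted(count_connects(rows).items(), key=lambda kv: -kv[1])
    for (laddr, raddr, rport), n in ranked:
        print("%-16s %-16s %-6d %d" % (laddr, raddr, rport, n))
    for key, gaps in repeat_intervals(rows).items():
        print("repeat intervals for %s: %s" % (key, gaps))
    print("periodic:", periodic_destinations(rows))
```

Running it on the sample above reports the 10.251.148.38:7001 destination twice with a 59.046 s gap, which is the one repeat the six-line capture contains; over a longer capture the interval list per destination is what distinguishes a regular agent check-in from an opportunistic burst.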
The --cgroupmap option filters based on a cgroup set. It is meant to be used
with an externally created map.

# ./tcpconnect --cgroupmap /sys/fs/bpf/test01

For more details, see docs/special_filtering.md


USAGE message:

# ./tcpconnect -h

usage: tcpconnect.py [-h] [-t] [-p PID] [-P PORT] [-4 | -6] [-L] [-U] [-u UID]
                     [-c] [--cgroupmap CGROUPMAP] [--mntnsmap MNTNSMAP] [-d]

Trace TCP connects

optional arguments:
  -h, --help            show this help message and exit
  -t, --timestamp       include timestamp on output
  -p PID, --pid PID     trace this PID only
  -P PORT, --port PORT  comma-separated list of destination ports to trace.
  -4, --ipv4            trace IPv4 family only
  -6, --ipv6            trace IPv6 family only
  -L, --lport           include LPORT on output
  -U, --print-uid       include UID on output
  -u UID, --uid UID     trace this UID only
  -c, --count           count connects per src ip and dest ip/port
  --cgroupmap CGROUPMAP
                        trace cgroups in this BPF map only
  --mntnsmap MNTNSMAP   trace mount namespaces in this BPF map only
  -d, --dns             include likely DNS query associated with each connect

examples:
    ./tcpconnect                     # trace all TCP connect()s
    ./tcpconnect -t                  # include timestamps
    ./tcpconnect -d                  # include DNS queries associated with connects
    ./tcpconnect -p 181              # only trace PID 181
    ./tcpconnect -P 80               # only trace port 80
    ./tcpconnect -P 80,81            # only trace port 80 and 81
    ./tcpconnect -4                  # only trace IPv4 family
    ./tcpconnect -6                  # only trace IPv6 family
    ./tcpconnect -U                  # include UID
    ./tcpconnect -u 1000             # only trace UID 1000
    ./tcpconnect -c                  # count connects per src ip and dest ip/port
    ./tcpconnect -L                  # include LPORT while printing outputs
    ./tcpconnect --cgroupmap mappath # only trace cgroups in this BPF map
    ./tcpconnect --mntnsmap mappath  # only trace mount namespaces in the map