Brendan Gregg | f06d3b4 | 2015-10-15 17:21:32 -0700 | [diff] [blame] | 1 | Demonstrations of tcpconnect, the Linux eBPF/bcc version. |


This tool traces the kernel function performing active TCP connections
(e.g., via a connect() syscall; accept() creates passive connections). Some example
output (IP addresses changed to protect the innocent):

# ./tcpconnect
PID    COMM         IP SADDR            DADDR            DPORT
1479   telnet       4  127.0.0.1        127.0.0.1        23
1469   curl         4  10.201.219.236   54.245.105.25    80
1469   curl         4  10.201.219.236   54.67.101.145    80
1991   telnet       6  ::1              ::1              23
2015   ssh          6  fe80::2000:bff:fe82:3ac fe80::2000:bff:fe82:3ac 22

This output shows four connections, one from a "telnet" process, two from
"curl", and one from "ssh". The output details show the IP version, source
address, destination address, and destination port. This traces attempted
connections: these may have failed.

The overhead of this tool should be negligible, since it is only tracing the
kernel functions performing connect. It is not tracing every packet and then
filtering.


The -t option prints a timestamp column:

# ./tcpconnect -t
TIME(s)  PID    COMM         IP SADDR            DADDR            DPORT
31.871   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
31.874   2482   local_agent  4  10.103.219.236   10.101.3.132     7001
31.878   2482   local_agent  4  10.103.219.236   10.171.133.98    7101
90.917   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
90.928   2482   local_agent  4  10.103.219.236   10.102.64.230    7001
90.938   2482   local_agent  4  10.103.219.236   10.115.167.169   7101

The output shows some periodic connections (or attempts) from a "local_agent"
process to various other addresses. A few connections occur every minute.

The -d option tracks DNS responses and tries to associate each connection with
a previous DNS query issued before it. If a DNS response matching the IP
is found, it will be printed. If no match was found, "No DNS Query" is printed
in this column. Queries for 127.0.0.1 and ::1 are automatically associated with
"localhost". If the time between when the DNS response was received and a
connect call was traced exceeds 100ms, the tool will print the time delta
after the query name. See below for www.domain.com for an example.

# ./tcpconnect -d
PID    COMM         IP SADDR            DADDR            DPORT QUERY
1543   amazon-ssm-a 4  10.66.75.54      176.32.119.67    443   ec2messages.us-west-1.amazonaws.com
1479   telnet       4  127.0.0.1        127.0.0.1        23    localhost
1469   curl         4  10.201.219.236   54.245.105.25    80    www.domain.com (123.342ms)
1469   curl         4  10.201.219.236   54.67.101.145    80    No DNS Query
1991   telnet       6  ::1              ::1              23    localhost
2015   ssh          6  fe80::2000:bff:fe82:3ac fe80::2000:bff:fe82:3ac 22 anotherhost.org

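The association rule described for -d, re-implemented in user space as an added example (this is not bcc's own tcpconnect code). It assumes DNS responses and connect() events arrive as timestamped records in milliseconds and that the most recent response carrying an address is the one to match; the sample stream is constructed to reproduce the four QUERY outcomes shown above (named match, match with a delta over 100ms, "No DNS Query", and "localhost").

```python
# Added example (not code from bcc's tcpconnect): the -d association rule
# re-implemented over a constructed sample stream. Assumptions: events carry a
# millisecond timestamp, and the most recent DNS response containing an
# address is the one a later connect() to that address is matched against.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

LOCALHOST_ADDRS = {"127.0.0.1", "::1"}
DELTA_THRESHOLD_MS = 100.0   # above this, the delta is appended to the name


@dataclass
class DnsResponse:
    ts_ms: float          # time the response was observed
    name: str             # queried name
    addresses: List[str]  # A/AAAA records it carried


@dataclass
class ConnectEvent:
    ts_ms: float
    pid: int
    comm: str
    daddr: str
    dport: int


class DnsCache:
    """Most recent (timestamp, name) seen for each resolved address."""

    def __init__(self) -> None:
        self._by_ip: Dict[str, Tuple[float, str]] = {}

    def add(self, resp: DnsResponse) -> None:
        for ip in resp.addresses:
            self._by_ip[ip] = (resp.ts_ms, resp.name)

    def lookup(self, ip: str) -> Optional[Tuple[float, str]]:
        return self._by_ip.get(ip)


def query_label(cache: DnsCache, ev: ConnectEvent) -> str:
    """Text for the QUERY column of one connect event."""
    if ev.daddr in LOCALHOST_ADDRS:
        return "localhost"
    hit = cache.lookup(ev.daddr)
    if hit is None:
        return "No DNS Query"
    resp_ts, name = hit
    delta = ev.ts_ms - resp_ts
    if delta > DELTA_THRESHOLD_MS:
        return f"{name} ({delta:.3f}ms)"
    return name


def annotate(events: List[Union[DnsResponse, ConnectEvent]]) -> List[Tuple[ConnectEvent, str]]:
    """Replay a mixed stream in time order: responses feed the cache, connects
    are labelled against whatever the cache held at that moment."""
    cache = DnsCache()
    out: List[Tuple[ConnectEvent, str]] = []
    for ev in sorted(events, key=lambda e: e.ts_ms):
        if isinstance(ev, DnsResponse):
            cache.add(ev)
        else:
            out.append((ev, query_label(cache, ev)))
    return out


# Constructed sample stream, modelled on the -d output shown in this file.
SAMPLE_STREAM: List[Union[DnsResponse, ConnectEvent]] = [
    DnsResponse(1000.0, "www.domain.com", ["54.245.105.25"]),
    DnsResponse(1900.0, "ec2messages.us-west-1.amazonaws.com", ["176.32.119.67"]),
    ConnectEvent(1123.342, 1469, "curl", "54.245.105.25", 80),   # 123.342ms later
    ConnectEvent(1130.0, 1469, "curl", "54.67.101.145", 80),     # never resolved
    ConnectEvent(1200.0, 1479, "telnet", "127.0.0.1", 23),       # loopback
    ConnectEvent(1950.0, 1543, "amazon-ssm-a", "176.32.119.67", 443),
]


def sample_labels() -> List[str]:
    """QUERY column for the sample stream, in connect order."""
    return [label for _, label in annotate(SAMPLE_STREAM)]


if __name__ == "__main__":
    for ev, label in annotate(SAMPLE_STREAM):
        print(f"{ev.pid:<6} {ev.comm:<12} {ev.daddr:<16} {ev.dport:<5} {label}")
```

Two caveats follow directly from the rule. A process may connect to an address it resolved before tracing began, or that the stub resolver answered from its cache, so "No DNS Query" is a triage signal for hard-coded destinations rather than proof of one. And when several names resolve to the same address, the label is simply the name that answered last.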

The -L option prints an LPORT column:

# ./tcpconnect -L
PID    COMM         IP SADDR            LPORT  DADDR            DPORT
3706   nc           4  192.168.122.205  57266  192.168.122.150  5000
3722   ssh          4  192.168.122.205  50966  192.168.122.150  22
3779   ssh          6  fe80::1          52328  fe80::2          22


The -U option prints a UID column:

# ./tcpconnect -U
UID   PID    COMM         IP SADDR            DADDR            DPORT
0     31333  telnet       6  ::1              ::1              23
0     31333  telnet       4  127.0.0.1        127.0.0.1        23
1000  31322  curl         4  127.0.0.1        127.0.0.1        80
1000  31322  curl         6  ::1              ::1              80


The -u option filters by UID:

# ./tcpconnect -Uu 1000
UID   PID    COMM         IP SADDR            DADDR            DPORT
1000  31338  telnet       6  ::1              ::1              23
1000  31338  telnet       4  127.0.0.1        127.0.0.1        23

To spot heavy outbound connections quickly one can use the -c flag. It will
count all active connections per source IP and destination IP/port.

# ./tcpconnect.py -c
Tracing connect ... Hit Ctrl-C to end
^C
LADDR            RADDR            RPORT  CONNECTS
192.168.10.50    172.217.21.194   443    70
192.168.10.50    172.213.11.195   443    34
192.168.10.50    172.212.22.194   443    21
[...]

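An added example (not bcc's own code) that serves two of the passages above: it parses the text output of `tcpconnect -t`, reproduces the per-(LADDR, RADDR, RPORT) summary that -c prints, and then goes one step further than -c by flagging destinations contacted at a near-constant interval, the "every minute" pattern noted for local_agent in the -t section. The sample lines are constructed, the column layout is assumed to match the -t output shown in this file, and the jitter threshold is an arbitrary choice for illustration.

```python
# Added example (not code from bcc's tcpconnect): parses `tcpconnect -t` output,
# counts connects per (LADDR, RADDR, RPORT) as -c does, and flags destinations
# contacted at a near-constant interval. SAMPLE_OUTPUT is constructed; the
# 7-column layout is assumed to match the -t output in this file.
from collections import Counter, defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple


class Connect(NamedTuple):
    ts: float
    pid: int
    comm: str
    ipver: int
    saddr: str
    daddr: str
    dport: int


# Constructed sample, modelled on the -t output above: local_agent reaches
# 10.251.148.38:7001 every 59.046s; curl's three connects are irregular.
SAMPLE_OUTPUT = """\
TIME(s)  PID    COMM         IP SADDR            DADDR            DPORT
31.871   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
31.874   2482   local_agent  4  10.103.219.236   10.101.3.132     7001
40.000   1469   curl         4  10.103.219.236   54.245.105.25    80
41.500   1469   curl         4  10.103.219.236   54.245.105.25    80
90.917   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
90.928   2482   local_agent  4  10.103.219.236   10.101.3.132     7001
100.200  1469   curl         4  10.103.219.236   54.245.105.25    80
149.963  2482   local_agent  4  10.103.219.236   10.251.148.38    7001
209.009  2482   local_agent  4  10.103.219.236   10.251.148.38    7001
"""


def parse_tcpconnect_t(text: str) -> List[Connect]:
    """Parse `tcpconnect -t` lines; the header and malformed lines are skipped."""
    events: List[Connect] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[0] == "TIME(s)":
            continue
        ts, pid, comm, ipver, saddr, daddr, dport = parts
        events.append(Connect(float(ts), int(pid), comm, int(ipver),
                              saddr, daddr, int(dport)))
    return events


def count_connects(events: List[Connect]) -> List[Tuple[Tuple[str, str, int], int]]:
    """What -c summarises: connects per (LADDR, RADDR, RPORT), heaviest first."""
    return Counter((e.saddr, e.daddr, e.dport) for e in events).most_common()


def periodic_destinations(events: List[Connect], min_samples: int = 3,
                          max_jitter: float = 0.1) -> List[Tuple[str, int, float]]:
    """(RADDR, RPORT, period_s) for destinations whose inter-connect gaps are
    nearly constant: coefficient of variation of the gaps <= max_jitter."""
    by_dst: Dict[Tuple[str, int], List[float]] = defaultdict(list)
    for e in events:
        by_dst[(e.daddr, e.dport)].append(e.ts)
    found: List[Tuple[str, int, float]] = []
    for (daddr, dport), times in by_dst.items():
        if len(times) < min_samples:
            continue   # too few samples to call the destination periodic
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_jitter:
            found.append((daddr, dport, round(m, 3)))
    return found


if __name__ == "__main__":
    evs = parse_tcpconnect_t(SAMPLE_OUTPUT)
    print("LADDR            RADDR            RPORT  CONNECTS")
    for (laddr, raddr, rport), n in count_connects(evs):
        print(f"{laddr:<16} {raddr:<16} {rport:<6} {n}")
    for daddr, dport, period in periodic_destinations(evs):
        print(f"periodic: {daddr}:{dport} every ~{period}s")
```

Interval regularity is a triage heuristic, not a verdict: legitimate agents beacon too, as the local_agent output in this file shows, so a periodic destination is worth pairing with the -U and -d columns and an allowlist before it drives an alert.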

The --cgroupmap option filters based on a cgroup set. It is meant to be used
with an externally created map.

# ./tcpconnect --cgroupmap /sys/fs/bpf/test01

For more details, see docs/special_filtering.md


USAGE message:

# ./tcpconnect -h

usage: tcpconnect.py [-h] [-t] [-p PID] [-P PORT] [-4 | -6] [-L] [-U] [-u UID]
                     [-c] [--cgroupmap CGROUPMAP] [--mntnsmap MNTNSMAP] [-d]

Trace TCP connects

optional arguments:
  -h, --help            show this help message and exit
  -t, --timestamp       include timestamp on output
  -p PID, --pid PID     trace this PID only
  -P PORT, --port PORT  comma-separated list of destination ports to trace.
  -4, --ipv4            trace IPv4 family only
  -6, --ipv6            trace IPv6 family only
  -L, --lport           include LPORT on output
  -U, --print-uid       include UID on output
  -u UID, --uid UID     trace this UID only
  -c, --count           count connects per src ip and dest ip/port
  --cgroupmap CGROUPMAP
                        trace cgroups in this BPF map only
  --mntnsmap MNTNSMAP   trace mount namespaces in this BPF map only
  -d, --dns             include likely DNS query associated with each connect

examples:
    ./tcpconnect           # trace all TCP connect()s
    ./tcpconnect -t        # include timestamps
    ./tcpconnect -d        # include DNS queries associated with connects
    ./tcpconnect -p 181    # only trace PID 181
    ./tcpconnect -P 80     # only trace port 80
    ./tcpconnect -P 80,81  # only trace port 80 and 81
    ./tcpconnect -4        # only trace IPv4 family
    ./tcpconnect -6        # only trace IPv6 family
    ./tcpconnect -U        # include UID
    ./tcpconnect -u 1000   # only trace UID 1000
    ./tcpconnect -c        # count connects per src ip and dest ip/port
    ./tcpconnect -L        # include LPORT while printing outputs
    ./tcpconnect --cgroupmap mappath  # only trace cgroups in this BPF map
    ./tcpconnect --mntnsmap mappath   # only trace mount namespaces in the map