33 lines
1.3 KiB
Plaintext
33 lines
1.3 KiB
Plaintext
Demonstrations of tcpaccept, the Linux bpftrace/eBPF version.
|
|
|
|
|
|
This tool traces the kernel function accepting TCP socket connections (eg, a
|
|
passive connection via accept(); not connect()). Some example output (IP
|
|
addresses changed to protect the innocent):
|
|
|
|
# ./tcpaccept.bt
|
|
Tracing tcp accepts. Hit Ctrl-C to end.
|
|
TIME PID COMM RADDR RPORT LADDR LPORT BL
|
|
00:34:19 3949061 nginx 10.228.22.228 44226 10.229.20.169 8088 0/128
|
|
00:34:19 3951399 ruby 127.0.0.1 52422 127.0.0.1 8000 0/128
|
|
00:34:19 3949062 nginx 10.228.23.128 35408 10.229.20.169 8080 0/128
|
|
|
|
|
|
This output shows three connections, an IPv4 connections to PID 3951399, a "ruby"
|
|
process listening on port 8000, and one connection to a "nginx" process
|
|
listening on port 8080. The remote address and port are also printed, and the accept queue
|
|
current size as well as maximum size are shown.
|
|
|
|
The overhead of this tool should be negligible, since it is only tracing the
|
|
kernel function performing accept. It is not tracing every packet and then
|
|
filtering.
|
|
|
|
This tool only traces successful TCP accept()s. Connection attempts to closed
|
|
ports will not be shown (those can be traced via other functions).
|
|
|
|
There is another version of this tool in bcc: https://github.com/iovisor/bcc
|
|
|
|
USAGE message:
|
|
|
|
# ./tcpaccept.bt
|