man/man8/tcpaccept.8 - platform/external/bcc - Git at Google

 .TH tcpaccept 8  "2020-02-20" "USER COMMANDS"
 .SH NAME
 tcpaccept \- Trace TCP passive connections (accept()). Uses Linux eBPF/bcc.
 .SH SYNOPSIS
 .B tcpaccept [\-h] [\-T] [\-t] [\-p PID] [\-P PORTS] [\-\-cgroupmap MAPPATH] [\-\-mntnsmap MAPPATH]
 .SH DESCRIPTION
 This tool traces passive TCP connections (eg, via an accept() syscall;
 connect() are active connections). This can be useful for general
 troubleshooting to see what new connections the local server is accepting.

 This uses dynamic tracing of the kernel inet_csk_accept() socket function (from
 tcp_prot.accept), and will need to be modified to match kernel changes.

 This tool only traces successful TCP accept()s. Connection attempts to closed
 ports will not be shown (those can be traced via other functions).

 Since this uses BPF, only the root user can use this tool.
 .SH REQUIREMENTS
 CONFIG_BPF and bcc.
 .SH OPTIONS
 .TP
 \-h
 Print usage message.
 .TP
 \-T
 Include a time column on output (HH:MM:SS).
 .TP
 \-t
 Include a timestamp column.
 .TP
 \-p PID
 Trace this process ID only (filtered in-kernel).
 .TP
 \-P PORTS
 Comma-separated list of local ports to trace (filtered in-kernel).
 .TP
 \-\-cgroupmap MAPPATH
 Trace cgroups in this BPF map only (filtered in-kernel).
 .TP
 \-\-mntnsmap  MAPPATH
 Trace mount namespaces in this BPF map only (filtered in-kernel).
 .SH EXAMPLES
 .TP
 Trace all passive TCP connections (accept()s):
 #
 .B tcpaccept
 .TP
 Trace all TCP accepts, and include timestamps:
 #
 .B tcpaccept \-t
 .TP
 Trace connections to local ports 80 and 81 only:
 #
 .B tcpaccept \-P 80,81
 .TP
 Trace PID 181 only:
 #
 .B tcpaccept \-p 181
 .TP
 Trace a set of cgroups only (see special_filtering.md from bcc sources for more details):
 #
 .B tcpaccept \-\-cgroupmap /sys/fs/bpf/test01
 .SH FIELDS
 .TP
 TIME
 Time of the event, in HH:MM:SS format.
 .TP
 TIME(s)
 Time of the event, in seconds.
 .TP
 PID
 Process ID
 .TP
 COMM
 Process name
 .TP
 IP
 IP address family (4 or 6)
 .TP
 RADDR
 Remote IP address.
 .TP
 RPORT
 Remote port
 .TP
 LADDR
 Local IP address.
 .TP
 LPORT
 Local port
 .SH OVERHEAD
 This traces the kernel inet_csk_accept function and prints output for each event.
 The rate of this depends on your server application. If it is a web or proxy server
 accepting many tens of thousands of connections per second, then the overhead
 of this tool may be measurable (although, still a lot better than tracing
 every packet). If it is less than a thousand a second, then the overhead is
 expected to be negligible. Test and understand this overhead before use.
 .SH SOURCE
 This is from bcc.
 .IP
 https://github.com/iovisor/bcc
 .PP
 Also look in the bcc distribution for a companion _examples.txt file containing
 example usage, output, and commentary for this tool.
 .SH OS
 Linux
 .SH STABILITY
 Unstable - in development.
 .SH AUTHOR
 Brendan Gregg
 .SH SEE ALSO
 tcptracer(8), tcpconnect(8), funccount(8), tcpdump(8)
	.TH tcpaccept 8 "2020-02-20" "USER COMMANDS"
	.SH NAME
	tcpaccept \- Trace TCP passive connections (accept()). Uses Linux eBPF/bcc.
	.SH SYNOPSIS
	.B tcpaccept [\-h] [\-T] [\-t] [\-p PID] [\-P PORTS] [\-\-cgroupmap MAPPATH] [\-\-mntnsmap MAPPATH]
	.SH DESCRIPTION
	This tool traces passive TCP connections (eg, via an accept() syscall;
	connect() are active connections). This can be useful for general
	troubleshooting to see what new connections the local server is accepting.

	This uses dynamic tracing of the kernel inet_csk_accept() socket function (from
	tcp_prot.accept), and will need to be modified to match kernel changes.

	This tool only traces successful TCP accept()s. Connection attempts to closed
	ports will not be shown (those can be traced via other functions).

	Since this uses BPF, only the root user can use this tool.
	.SH REQUIREMENTS
	CONFIG_BPF and bcc.
	.SH OPTIONS
	.TP
	\-h
	Print usage message.
	.TP
	\-T
	Include a time column on output (HH:MM:SS).
	.TP
	\-t
	Include a timestamp column.
	.TP
	\-p PID
	Trace this process ID only (filtered in-kernel).
	.TP
	\-P PORTS
	Comma-separated list of local ports to trace (filtered in-kernel).
	.TP
	\-\-cgroupmap MAPPATH
	Trace cgroups in this BPF map only (filtered in-kernel).
	.TP
	\-\-mntnsmap MAPPATH
	Trace mount namespaces in this BPF map only (filtered in-kernel).
	.SH EXAMPLES
	.TP
	Trace all passive TCP connections (accept()s):
	#
	.B tcpaccept
	.TP
	Trace all TCP accepts, and include timestamps:
	#
	.B tcpaccept \-t
	.TP
	Trace connections to local ports 80 and 81 only:
	#
	.B tcpaccept \-P 80,81
	.TP
	Trace PID 181 only:
	#
	.B tcpaccept \-p 181
	.TP
	Trace a set of cgroups only (see special_filtering.md from bcc sources for more details):
	#
	.B tcpaccept \-\-cgroupmap /sys/fs/bpf/test01
	.SH FIELDS
	.TP
	TIME
	Time of the event, in HH:MM:SS format.
	.TP
	TIME(s)
	Time of the event, in seconds.
	.TP
	PID
	Process ID
	.TP
	COMM
	Process name
	.TP
	IP
	IP address family (4 or 6)
	.TP
	RADDR
	Remote IP address.
	.TP
	RPORT
	Remote port
	.TP
	LADDR
	Local IP address.
	.TP
	LPORT
	Local port
	.SH OVERHEAD
	This traces the kernel inet_csk_accept function and prints output for each event.
	The rate of this depends on your server application. If it is a web or proxy server
	accepting many tens of thousands of connections per second, then the overhead
	of this tool may be measurable (although, still a lot better than tracing
	every packet). If it is less than a thousand a second, then the overhead is
	expected to be negligible. Test and understand this overhead before use.
	.SH SOURCE
	This is from bcc.
	.IP
	https://github.com/iovisor/bcc
	.PP
	Also look in the bcc distribution for a companion _examples.txt file containing
	example usage, output, and commentary for this tool.
	.SH OS
	Linux
	.SH STABILITY
	Unstable - in development.
	.SH AUTHOR
	Brendan Gregg
	.SH SEE ALSO
	tcptracer(8), tcpconnect(8), funccount(8), tcpdump(8)