tools/tcpaccept_example.txt - platform/external/bcc - Git at Google

 Demonstrations of tcpaccept, the Linux eBPF/bcc version.


 This tool traces the kernel function accepting TCP socket connections (eg, a
 passive connection via accept(); not connect()). Some example output (IP
 addresses changed to protect the innocent):

 # ./tcpaccept
 PID    COMM         IP RADDR            RPORT  LADDR            LPORT
 907    sshd         4  192.168.56.1     32324  192.168.56.102   22
 907    sshd         4  127.0.0.1        39866  127.0.0.1        22
 5389   perl         6  1234:ab12:2040:5020:2299:0:5:0 52352 1234:ab12:2040:5020:2299:0:5:0 7001

 This output shows three connections, two IPv4 connections to PID 907, an "sshd"
 process listening on port 22, and one IPv6 connection to a "perl" process
 listening on port 7001.

 The overhead of this tool should be negligible, since it is only tracing the
 kernel function performing accept. It is not tracing every packet and then
 filtering.

 This tool only traces successful TCP accept()s. Connection attempts to closed
 ports will not be shown (those can be traced via other functions).


 The -t option prints a timestamp column:

 # ./tcpaccept -t
 TIME(s)  PID    COMM         IP RADDR            RPORT LADDR            LPORT
 0.000    907    sshd         4  127.0.0.1        53700 127.0.0.1        22
 0.010    5389   perl         6  1234:ab12:2040:5020:2299:0:5:0 40614 1234:ab12:2040:5020:2299:0:5:0 7001
 0.992    907    sshd         4  127.0.0.1        32548 127.0.0.1        22
 1.984    907    sshd         4  127.0.0.1        51250 127.0.0.1        22


 The --cgroupmap option filters based on a cgroup set. It is meant to be used
 with an externally created map.

 # ./tcpaccept --cgroupmap /sys/fs/bpf/test01

 For more details, see docs/special_filtering.md


 USAGE message:

 # ./tcpaccept -h
 usage: tcpaccept.py [-h] [-T] [-t] [-p PID] [-P PORT] [-4 | -6] [--cgroupmap CGROUPMAP]

 Trace TCP accepts

 optional arguments:
   -h, --help            show this help message and exit
   -T, --time            include time column on output (HH:MM:SS)
   -t, --timestamp       include timestamp on output
   -p PID, --pid PID     trace this PID only
   -P PORT, --port PORT  comma-separated list of local ports to trace
   -4, --ipv4            trace IPv4 family only
   -6, --ipv6            trace IPv6 family only
   --cgroupmap CGROUPMAP
                         trace cgroups in this BPF map only

 examples:
     ./tcpaccept           # trace all TCP accept()s
     ./tcpaccept -t        # include timestamps
     ./tcpaccept -P 80,81  # only trace port 80 and 81
     ./tcpaccept -p 181    # only trace PID 181
     ./tcpaccept --cgroupmap mappath  # only trace cgroups in this BPF map
     ./tcpaccept --mntnsmap mappath   # only trace mount namespaces in the map
     ./tcpaccept -4        # trace IPv4 family only
     ./tcpaccept -6        # trace IPv6 family only
	Demonstrations of tcpaccept, the Linux eBPF/bcc version.


	This tool traces the kernel function accepting TCP socket connections (eg, a
	passive connection via accept(); not connect()). Some example output (IP
	addresses changed to protect the innocent):

	# ./tcpaccept
	PID COMM IP RADDR RPORT LADDR LPORT
	907 sshd 4 192.168.56.1 32324 192.168.56.102 22
	907 sshd 4 127.0.0.1 39866 127.0.0.1 22
	5389 perl 6 1234:ab12:2040:5020:2299:0:5:0 52352 1234:ab12:2040:5020:2299:0:5:0 7001

	This output shows three connections, two IPv4 connections to PID 907, an "sshd"
	process listening on port 22, and one IPv6 connection to a "perl" process
	listening on port 7001.

	The overhead of this tool should be negligible, since it is only tracing the
	kernel function performing accept. It is not tracing every packet and then
	filtering.

	This tool only traces successful TCP accept()s. Connection attempts to closed
	ports will not be shown (those can be traced via other functions).


	The -t option prints a timestamp column:

	# ./tcpaccept -t
	TIME(s) PID COMM IP RADDR RPORT LADDR LPORT
	0.000 907 sshd 4 127.0.0.1 53700 127.0.0.1 22
	0.010 5389 perl 6 1234:ab12:2040:5020:2299:0:5:0 40614 1234:ab12:2040:5020:2299:0:5:0 7001
	0.992 907 sshd 4 127.0.0.1 32548 127.0.0.1 22
	1.984 907 sshd 4 127.0.0.1 51250 127.0.0.1 22


	The --cgroupmap option filters based on a cgroup set. It is meant to be used
	with an externally created map.

	# ./tcpaccept --cgroupmap /sys/fs/bpf/test01

	For more details, see docs/special_filtering.md


	USAGE message:

	# ./tcpaccept -h
	usage: tcpaccept.py [-h] [-T] [-t] [-p PID] [-P PORT] [-4 \| -6] [--cgroupmap CGROUPMAP]

	Trace TCP accepts

	optional arguments:
	-h, --help show this help message and exit
	-T, --time include time column on output (HH:MM:SS)
	-t, --timestamp include timestamp on output
	-p PID, --pid PID trace this PID only
	-P PORT, --port PORT comma-separated list of local ports to trace
	-4, --ipv4 trace IPv4 family only
	-6, --ipv6 trace IPv6 family only
	--cgroupmap CGROUPMAP
	trace cgroups in this BPF map only

	examples:
	./tcpaccept # trace all TCP accept()s
	./tcpaccept -t # include timestamps
	./tcpaccept -P 80,81 # only trace port 80 and 81
	./tcpaccept -p 181 # only trace PID 181
	./tcpaccept --cgroupmap mappath # only trace cgroups in this BPF map
	./tcpaccept --mntnsmap mappath # only trace mount namespaces in the map
	./tcpaccept -4 # trace IPv4 family only
	./tcpaccept -6 # trace IPv6 family only