| Demonstrations of tcptop, the Linux eBPF/bcc version. |
| |
| |
| tcptop summarizes throughput by host and port. Eg: |
| |
| # tcptop |
| Tracing... Output every 1 secs. Hit Ctrl-C to end |
| <screen clears> |
| 19:46:24 loadavg: 1.86 2.67 2.91 3/362 16681 |
| |
| PID COMM LADDR RADDR RX_KB TX_KB |
| 16648 16648 100.66.3.172:22 100.127.69.165:6684 1 0 |
| 16647 sshd 100.66.3.172:22 100.127.69.165:6684 0 2149 |
| 14374 sshd 100.66.3.172:22 100.127.69.165:25219 0 0 |
| 14458 sshd 100.66.3.172:22 100.127.69.165:7165 0 0 |
| |
| PID COMM LADDR6 RADDR6 RX_KB TX_KB |
| 16681 sshd fe80::8a3:9dff:fed5:6b19:22 fe80::8a3:9dff:fed5:6b19:16606 1 1 |
| 16679 ssh fe80::8a3:9dff:fed5:6b19:16606 fe80::8a3:9dff:fed5:6b19:22 1 1 |
| 16680 sshd fe80::8a3:9dff:fed5:6b19:22 fe80::8a3:9dff:fed5:6b19:16606 0 0 |
| |
| This example output shows two listings of TCP connections, for IPv4 and IPv6. |
| If there is only traffic for one of these, then only one group is shown. |
| |
| The output in each listing is sorted by total throughput (send then receive), |
| and when printed it is rounded (floor) to the nearest Kbyte. The example output |
| shows PID 16647, sshd, transmitted 2149 Kbytes during the tracing interval. |
| The other IPv4 sessions had such low throughput they rounded to zero. |
| |
| All TCP sessions, including over loopback, are included. |
| |
| The session with the process name (COMM) of 16648 is really a short-lived |
| process with PID 16648 where we didn't catch the process name when printing |
| the output. If this behavior is a serious issue for you, you can modify the |
| tool's code to include bpf_get_current_comm() in the key structs, so that it's |
| fetched during the event and will always be seen. I did it this way to start |
| with, but it was measurably increasing the overhead of this tool, so I switched |
| to the asynchronous model. |
| |
| The overhead is relative to TCP event rate (the rate of tcp_sendmsg() and |
| tcp_recvmsg() or tcp_cleanup_rbuf()). Due to buffering, this should be lower |
| than the packet rate. You can measure the rate of these using funccount. |
| Some sample production servers tested found total rates of 4k to 15k per |
| second. The CPU overhead at these rates ranged from 0.5% to 2.0% of one CPU. |
| Maybe your workloads have higher rates and therefore higher overhead, or, |
| lower rates. |
| |
| |
| I much prefer not clearing the screen, so that historic output is in the |
| scroll-back buffer, and patterns or intermittent issues can be better seen. |
| You can do this with -C: |
| |
| # tcptop -C |
| Tracing... Output every 1 secs. Hit Ctrl-C to end |
| |
| 20:27:12 loadavg: 0.08 0.02 0.17 2/367 17342 |
| |
| PID COMM LADDR RADDR RX_KB TX_KB |
| 17287 17287 100.66.3.172:22 100.127.69.165:57585 3 1 |
| 17286 sshd 100.66.3.172:22 100.127.69.165:57585 0 1 |
| 14374 sshd 100.66.3.172:22 100.127.69.165:25219 0 0 |
| |
| 20:27:13 loadavg: 0.08 0.02 0.17 1/367 17342 |
| |
| PID COMM LADDR RADDR RX_KB TX_KB |
| 17286 sshd 100.66.3.172:22 100.127.69.165:57585 1 7761 |
| 14374 sshd 100.66.3.172:22 100.127.69.165:25219 0 0 |
| |
| 20:27:14 loadavg: 0.08 0.02 0.17 2/365 17347 |
| |
| PID COMM LADDR RADDR RX_KB TX_KB |
| 17286 17286 100.66.3.172:22 100.127.69.165:57585 1 2501 |
| 14374 sshd 100.66.3.172:22 100.127.69.165:25219 0 0 |
| |
| 20:27:15 loadavg: 0.07 0.02 0.17 2/367 17403 |
| |
| PID COMM LADDR RADDR RX_KB TX_KB |
| 17349 17349 100.66.3.172:22 100.127.69.165:10161 3 1 |
| 17348 sshd 100.66.3.172:22 100.127.69.165:10161 0 1 |
| 14374 sshd 100.66.3.172:22 100.127.69.165:25219 0 0 |
| |
| 20:27:16 loadavg: 0.07 0.02 0.17 1/367 17403 |
| |
| PID COMM LADDR RADDR RX_KB TX_KB |
| 17348 sshd 100.66.3.172:22 100.127.69.165:10161 3333 0 |
| 14374 sshd 100.66.3.172:22 100.127.69.165:25219 0 0 |
| |
| 20:27:17 loadavg: 0.07 0.02 0.17 2/366 17409 |
| |
| PID COMM LADDR RADDR RX_KB TX_KB |
| 17348 17348 100.66.3.172:22 100.127.69.165:10161 6909 2 |
| |
| You can disable the loadavg summary line with -S if needed. |
| |
| The --cgroupmap option filters based on a cgroup set. It is meant to be used |
| with an externally created map. |
| |
| # tcptop --cgroupmap /sys/fs/bpf/test01 |
| |
| For more details, see docs/special_filtering.md |
| |
| |
| USAGE: |
| |
| # tcptop -h |
| usage: tcptop.py [-h] [-C] [-S] [-p PID] [--cgroupmap CGROUPMAP] |
| [--mntnsmap MNTNSMAP] |
| [interval] [count] [-4 | -6] |
| |
| Summarize TCP send/recv throughput by host |
| |
| positional arguments: |
| interval output interval, in seconds (default 1) |
| count number of outputs |
| |
| optional arguments: |
| -h, --help show this help message and exit |
| -C, --noclear don't clear the screen |
| -S, --nosummary skip system summary line |
| -p PID, --pid PID trace this PID only |
| --cgroupmap CGROUPMAP |
| trace cgroups in this BPF map only |
| -4, --ipv4 trace IPv4 family only |
| -6, --ipv6 trace IPv6 family only |
| |
| examples: |
| ./tcptop # trace TCP send/recv by host |
| ./tcptop -C # don't clear the screen |
| ./tcptop -p 181 # only trace PID 181 |
| ./tcptop --cgroupmap ./mappath # only trace cgroups in this BPF map |
| ./tcptop --mntnsmap mappath # only trace mount namespaces in the map |
| ./tcptop -4 # trace IPv4 family only |
| ./tcptop -6 # trace IPv6 family only |