Demonstrations of tcpaccept, the Linux eBPF/bcc version.


This tool traces the kernel function accepting TCP socket connections (e.g., a
passive connection via accept(); not connect()). Some example output (IP
addresses changed to protect the innocent):

# ./tcpaccept
PID    COMM         IP RADDR            RPORT  LADDR            LPORT
907    sshd         4  192.168.56.1     32324  192.168.56.102   22
907    sshd         4  127.0.0.1        39866  127.0.0.1        22
5389   perl         6  1234:ab12:2040:5020:2299:0:5:0 52352 1234:ab12:2040:5020:2299:0:5:0 7001

This output shows three connections, two IPv4 connections to PID 907, an "sshd"
process listening on port 22, and one IPv6 connection to a "perl" process
listening on port 7001.

The overhead of this tool should be negligible, since it is only tracing the
kernel function performing accept. It is not tracing every packet and then
filtering.

This tool only traces successful TCP accept()s. Connection attempts to closed
ports will not be shown (those can be traced via other functions).


The -t option prints a timestamp column:

# ./tcpaccept -t
TIME(s)  PID    COMM         IP RADDR            RPORT LADDR            LPORT
0.000    907    sshd         4  127.0.0.1        53700 127.0.0.1        22
0.010    5389   perl         6  1234:ab12:2040:5020:2299:0:5:0 40614 1234:ab12:2040:5020:2299:0:5:0 7001
0.992    907    sshd         4  127.0.0.1        32548 127.0.0.1        22
1.984    907    sshd         4  127.0.0.1        51250 127.0.0.1        22

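A parser for the output shown above, added here as an example (it is not part
of bcc): it reads tcpaccept rows with or without the timestamp column and flags
accepts on listeners outside a baseline. The EXPECTED baseline and the function
names are assumptions; the sample rows are copied from the -t output above.

```python
import ipaddress

TAIL = ["IP", "RADDR", "RPORT", "LADDR", "LPORT"]  # always the last five columns
EXPECTED = {("sshd", 22)}  # assumed baseline of (COMM, LPORT) listeners

# Rows copied from the -t output above.
SAMPLE = """\
TIME(s)  PID    COMM         IP RADDR            RPORT LADDR            LPORT
0.000    907    sshd         4  127.0.0.1        53700 127.0.0.1        22
0.010    5389   perl         6  1234:ab12:2040:5020:2299:0:5:0 40614 1234:ab12:2040:5020:2299:0:5:0 7001
0.992    907    sshd         4  127.0.0.1        32548 127.0.0.1        22
"""

def parse_tcpaccept(text):
    """Parse tcpaccept output (with or without -t/-T) into a list of dicts."""
    events, lead = [], None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "#":
            continue  # blank line or the "# ./tcpaccept" command line
        if "COMM" in tokens and tokens[-5:] == TAIL:
            lead = tokens[:tokens.index("COMM")]  # e.g. ["TIME(s)", "PID"]
            continue
        if lead is None or len(tokens) < len(lead) + 6:
            continue  # no header seen yet, or a truncated row
        ev = dict(zip(lead, tokens))
        # COMM may contain spaces: it is whatever sits between the leading
        # columns and the five fixed trailing columns.
        ev["COMM"] = " ".join(tokens[len(lead):-5])
        ev.update(zip(TAIL, tokens[-5:]))
        for key in ("PID", "RPORT", "LPORT"):
            ev[key] = int(ev[key])
        for key in ("RADDR", "LADDR"):
            ev[key] = ipaddress.ip_address(ev[key])
        events.append(ev)
    return events

def unexpected_accepts(events, expected=EXPECTED):
    """Events whose (COMM, LPORT) pair is not in the expected baseline."""
    return [e for e in events if (e["COMM"], e["LPORT"]) not in expected]

def remote_accepts(events):
    """Events accepted from a non-loopback peer."""
    return [e for e in events if not e["RADDR"].is_loopback]

if __name__ == "__main__":
    events = parse_tcpaccept(SAMPLE)
    for e in unexpected_accepts(events):
        print("unexpected listener:", e["PID"], e["COMM"], e["LPORT"], e["RADDR"])
    print("non-loopback peers:", len(remote_accepts(events)))
```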

The --cgroupmap option filters based on a cgroup set. It is meant to be used
with an externally created map.

# ./tcpaccept --cgroupmap /sys/fs/bpf/test01

For more details, see docs/special_filtering.md


USAGE message:

# ./tcpaccept -h
usage: tcpaccept.py [-h] [-T] [-t] [-p PID] [-P PORT] [-4 | -6] [--cgroupmap CGROUPMAP]

Trace TCP accepts

optional arguments:
  -h, --help            show this help message and exit
  -T, --time            include time column on output (HH:MM:SS)
  -t, --timestamp       include timestamp on output
  -p PID, --pid PID     trace this PID only
  -P PORT, --port PORT  comma-separated list of local ports to trace
  -4, --ipv4            trace IPv4 family only
  -6, --ipv6            trace IPv6 family only
  --cgroupmap CGROUPMAP
                        trace cgroups in this BPF map only

examples:
    ./tcpaccept           # trace all TCP accept()s
    ./tcpaccept -t        # include timestamps
    ./tcpaccept -P 80,81  # only trace port 80 and 81
    ./tcpaccept -p 181    # only trace PID 181
    ./tcpaccept --cgroupmap mappath  # only trace cgroups in this BPF map
    ./tcpaccept --mntnsmap mappath   # only trace mount namespaces in the map
    ./tcpaccept -4        # trace IPv4 family only
    ./tcpaccept -6        # trace IPv6 family only