Demonstrations of tcpconnect, the Linux eBPF/bcc version.


This tool traces the kernel function performing active TCP connections
(e.g., via a connect() syscall; accept() calls are passive connections and are
not traced here). Some example output (IP addresses changed to protect the
innocent):

# ./tcpconnect
PID    COMM         IP SADDR            DADDR            DPORT
1479   telnet       4  127.0.0.1        127.0.0.1        23
1469   curl         4  10.201.219.236   54.245.105.25    80
1469   curl         4  10.201.219.236   54.67.101.145    80
1991   telnet       6  ::1              ::1              23
2015   ssh          6  fe80::2000:bff:fe82:3ac fe80::2000:bff:fe82:3ac 22

This output shows five connections: two from "telnet" processes, two from
"curl", and one from "ssh". The columns show the IP version, source address,
destination address, and destination port. Note that this traces attempted
connections: the tool fires on the connect() call, so the connection may
subsequently have failed (refused, timed out, etc.).

The overhead of this tool should be negligible, since it is only tracing the
kernel functions performing connect(). It is not tracing every packet and then
filtering.


The -t option prints a timestamp column:

# ./tcpconnect -t
TIME(s)  PID    COMM         IP SADDR            DADDR            DPORT
31.871   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
31.874   2482   local_agent  4  10.103.219.236   10.101.3.132     7001
31.878   2482   local_agent  4  10.103.219.236   10.171.133.98    7101
90.917   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
90.928   2482   local_agent  4  10.103.219.236   10.102.64.230    7001
90.938   2482   local_agent  4  10.103.219.236   10.115.167.169   7101

The output shows some periodic connections (or attempts) from a "local_agent"
process to various other addresses: a burst of a few connections roughly every
minute. The timestamp column is what makes such a beaconing pattern visible.

The -d option tracks DNS responses and tries to associate each connection with
a previous DNS query issued before it. If a DNS response matching the
destination IP is found, the queried name is printed in a QUERY column. If no
match was found, "No DNS Query" is printed in this column. Connections to
127.0.0.1 and ::1 are automatically associated with "localhost". Since the
match is made on the destination address only, a connection to an address
that was resolved before the tool started, or that was never resolved at all
(hard-coded in the client), will also show "No DNS Query".
If the time between when the DNS response was received and the connect() call
was traced exceeds 100ms, the tool prints the time delta after the query
name; see the www.domain.com line below for an example.

# ./tcpconnect -d
PID    COMM          IP SADDR            DADDR            DPORT QUERY
1543   amazon-ssm-a  4  10.66.75.54      176.32.119.67    443   ec2messages.us-west-1.amazonaws.com
1479   telnet        4  127.0.0.1        127.0.0.1        23    localhost
1469   curl          4  10.201.219.236   54.245.105.25    80    www.domain.com (123.342ms)
1469   curl          4  10.201.219.236   54.67.101.145    80    No DNS Query
1991   telnet        6  ::1              ::1              23    localhost
2015   ssh           6  fe80::2000:bff:fe82:3ac fe80::2000:bff:fe82:3ac 22 anotherhost.org


The -L option prints a LPORT (local source port) column:

# ./tcpconnect -L
PID    COMM         IP SADDR            LPORT  DADDR            DPORT
3706   nc           4  192.168.122.205  57266  192.168.122.150  5000
3722   ssh          4  192.168.122.205  50966  192.168.122.150  22
3779   ssh          6  fe80::1          52328  fe80::2          22


The -U option prints a UID column:

# ./tcpconnect -U
UID    PID    COMM         IP SADDR            DADDR            DPORT
0      31333  telnet       6  ::1              ::1              23
0      31333  telnet       4  127.0.0.1        127.0.0.1        23
1000   31322  curl         4  127.0.0.1        127.0.0.1        80
1000   31322  curl         6  ::1              ::1              80


The -u option filters by UID. Here it is combined with -U so the UID column is
shown as well:

# ./tcpconnect -Uu 1000
UID    PID    COMM         IP SADDR            DADDR            DPORT
1000   31338  telnet       6  ::1              ::1              23
1000   31338  telnet       4  127.0.0.1        127.0.0.1        23

To spot heavy outbound connection sources quickly, use the -c flag. Instead
of printing each connect() as it happens, it counts connects per source IP
and destination IP/port and prints the totals when you hit Ctrl-C:

# ./tcpconnect.py -c
Tracing connect ... Hit Ctrl-C to end
^C
LADDR            RADDR            RPORT  CONNECTS
192.168.10.50    172.217.21.194   443    70
192.168.10.50    172.213.11.195   443    34
192.168.10.50    172.212.22.194   443    21
[...]


The --cgroupmap option filters based on a cgroup set. It is meant to be used
with an externally created map:

# ./tcpconnect --cgroupmap /sys/fs/bpf/test01

For more details, see docs/special_filtering.md


USAGE message:

# ./tcpconnect -h

usage: tcpconnect.py [-h] [-t] [-p PID] [-P PORT] [-4 | -6] [-L] [-U] [-u UID]
                     [-c] [--cgroupmap CGROUPMAP] [--mntnsmap MNTNSMAP] [-d]

Trace TCP connects

optional arguments:
  -h, --help            show this help message and exit
  -t, --timestamp       include timestamp on output
  -p PID, --pid PID     trace this PID only
  -P PORT, --port PORT  comma-separated list of destination ports to trace.
  -4, --ipv4            trace IPv4 family only
  -6, --ipv6            trace IPv6 family only
  -L, --lport           include LPORT on output
  -U, --print-uid       include UID on output
  -u UID, --uid UID     trace this UID only
  -c, --count           count connects per src ip and dest ip/port
  --cgroupmap CGROUPMAP
                        trace cgroups in this BPF map only
  --mntnsmap MNTNSMAP   trace mount namespaces in this BPF map only
  -d, --dns             include likely DNS query associated with each connect

examples:
    ./tcpconnect           # trace all TCP connect()s
    ./tcpconnect -t        # include timestamps
    ./tcpconnect -d        # include DNS queries associated with connects
    ./tcpconnect -p 181    # only trace PID 181
    ./tcpconnect -P 80     # only trace port 80
    ./tcpconnect -P 80,81  # only trace port 80 and 81
    ./tcpconnect -4        # only trace IPv4 family
    ./tcpconnect -6        # only trace IPv6 family
    ./tcpconnect -U        # include UID
    ./tcpconnect -u 1000   # only trace UID 1000
    ./tcpconnect -c        # count connects per src ip and dest ip/port
    ./tcpconnect -L        # include LPORT while printing outputs
    ./tcpconnect --cgroupmap mappath  # only trace cgroups in this BPF map
    ./tcpconnect --mntnsmap mappath   # only trace mount namespaces in the map
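The -t output above (periodic "local_agent" connects) and the -c summary are
the two views a detection engineer usually wants from this tool: who talks to
what how often, and whether the cadence is regular. The following script is an
added example and is not part of bcc or the tcpconnect tool; it post-processes
saved `tcpconnect -t` output, rebuilds the per-flow counts that -c prints, and
flags destinations contacted at a near-constant interval. The sample lines
embedded in SAMPLE are constructed for this example (the addresses, PIDs and
timestamps are made up in the style of the output above), and the jitter
threshold of 10% is an assumption, not a value from the tool.

```python
"""Post-process saved `tcpconnect -t` output (stdin or a file):
- count connect() calls per (saddr, daddr, dport), as `tcpconnect -c` does;
- flag (comm, daddr, dport) flows whose inter-arrival times are regular,
  which is what periodic beaconing looks like in the -t output.
Added example; not part of bcc/tcpconnect."""
import re
import statistics
import sys
from collections import defaultdict

# Constructed sample in the `tcpconnect -t` column layout
# (TIME(s) PID COMM IP SADDR DADDR DPORT). All values are made up.
SAMPLE = """\
TIME(s)  PID    COMM         IP SADDR            DADDR            DPORT
31.871   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
31.874   2482   local_agent  4  10.103.219.236   10.101.3.132     7001
33.120   1469   curl         4  10.103.219.236   54.245.105.25    80
90.917   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
90.928   2482   local_agent  4  10.103.219.236   10.101.3.132     7001
150.002  2482   local_agent  4  10.103.219.236   10.251.148.38    7001
150.011  2482   local_agent  4  10.103.219.236   10.101.3.132     7001
209.950  2482   local_agent  4  10.103.219.236   10.251.148.38    7001
212.400  1469   curl         4  10.103.219.236   54.67.101.145    80
"""

# One data line of `tcpconnect -t`; the header line does not match.
LINE_RE = re.compile(
    r"^(?P<time>[\d.]+)\s+(?P<pid>\d+)\s+(?P<comm>\S+)\s+(?P<ip>[46])\s+"
    r"(?P<saddr>\S+)\s+(?P<daddr>\S+)\s+(?P<dport>\d+)\s*$"
)


def parse(text):
    """Yield one dict per data line; header and unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = float(rec["time"])
        rec["pid"] = int(rec["pid"])
        rec["dport"] = int(rec["dport"])
        yield rec


def count_connects(records):
    """Equivalent of `tcpconnect -c`: connects per (saddr, daddr, dport),
    most frequent first. Returns a list of ((saddr, daddr, dport), n)."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["saddr"], r["daddr"], r["dport"])] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


def periodic_flows(records, min_events=3, max_jitter=0.10):
    """Group connects by (comm, daddr, dport) and return the flows whose
    inter-arrival gaps are regular: population stdev / mean <= max_jitter.
    The value is the mean interval in seconds (rounded to ms)."""
    times = defaultdict(list)
    for r in records:
        times[(r["comm"], r["daddr"], r["dport"])].append(r["time"])
    found = {}
    for key, ts in times.items():
        if len(ts) < min_events:          # too few samples to call it periodic
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            found[key] = round(mean, 3)
    return found


def main():
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    records = list(parse(text))
    print("connects per flow (like -c):")
    for (saddr, daddr, dport), n in count_connects(records):
        print(f"  {saddr:16} {daddr:16} {dport:<6} {n}")
    print("regular-interval flows:")
    for (comm, daddr, dport), period in periodic_flows(records).items():
        print(f"  {comm:12} -> {daddr}:{dport} every ~{period}s")


if __name__ == "__main__":
    main()
```

Run it as `./tcpconnect -t > connects.log; python3 beacon.py < connects.log`, or
with no stdin redirect to see it act on the embedded sample. The regularity
test is deliberately simple (coefficient of variation of the gaps); real agents
add jitter, so widen max_jitter or bucket the intervals if you are hunting for
sloppier beacons, and remember that the tool records connect() attempts, so a
flow that shows up here need not have ever completed a handshake.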