xref: /aosp_15_r20/external/bcc/tools/tcptracer_example.txt (revision 387f9dfdfa2baef462e92476d413c7bc2470293e)
Demonstrations of tcptracer, the Linux eBPF/bcc version.


This tool traces the kernel functions that establish TCP connections (e.g., via
the connect() or accept() syscalls) and that close them (explicitly or when the
process dies). Some example output (IP addresses are fake):

```
# ./tcptracer
Tracing TCP established connections. Ctrl-C to end.
T  PID    COMM             IP SADDR            DADDR            SPORT  DPORT
C  28943  telnet           4  192.168.1.2      192.168.1.1      59306  23
C  28818  curl             6  [::1]            [::1]            55758  80
X  28943  telnet           4  192.168.1.2      192.168.1.1      59306  23
A  28817  nc               6  [::1]            [::1]            80     55758
X  28818  curl             6  [::1]            [::1]            55758  80
X  28817  nc               6  [::1]            [::1]            80     55758
A  28978  nc               4  10.202.210.1     10.202.109.12    8080   59160
X  28978  nc               4  10.202.210.1     10.202.109.12    8080   59160
```

This output shows three connections: one outgoing from a "telnet" process, one
outgoing from "curl" to a local netcat, and one incoming received by the "nc"
process. The columns show the kind of event (C for connection, X for close and
A for accept), PID, command name, IP version, source address, destination
address, source port and destination port.

The -t option prints a timestamp column:

```
# ./tcptracer -t
Tracing TCP established connections. Ctrl-C to end.
TIME(s)  T  PID    COMM             IP SADDR            DADDR            SPORT  DPORT
0.000    C  31002  telnet           4  192.168.1.2      192.168.1.1      42590  23
3.546    C    748  curl             6  [::1]            [::1]            42592  80
4.294    X  31002  telnet           4  192.168.1.2      192.168.1.1      42590  23
```

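When the -t output is collected for review, each C or A event can be paired with its X event to get connection lifetimes and to list connections that were still open when tracing stopped. The Python below is an added example, not part of bcc; the function names, and the choice to key a flow on IP version, addresses and ports rather than PID, are assumptions made here.

```python
from typing import NamedTuple

# Sample input: the `tcptracer -t` output shown above (its IP addresses are fake).
SAMPLE = """\
Tracing TCP established connections. Ctrl-C to end.
TIME(s)  T  PID    COMM             IP SADDR            DADDR            SPORT  DPORT
0.000    C  31002  telnet           4  192.168.1.2      192.168.1.1      42590  23
3.546    C    748  curl             6  [::1]            [::1]            42592  80
4.294    X  31002  telnet           4  192.168.1.2      192.168.1.1      42590  23
"""

class Event(NamedTuple):
    time: float
    kind: str     # C = connect, A = accept, X = close
    pid: int
    comm: str
    flow: tuple   # (ip_version, saddr, daddr, sport, dport)

def parse(text):
    """Yield one Event per data row; the banner and header rows are skipped."""
    for line in text.splitlines():
        f = line.split()
        # Assumption: COMM contains no whitespace, so a data row has 9 fields.
        if len(f) != 9 or f[1] not in ("C", "A", "X"):
            continue
        flow = (f[4], f[5], f[6], int(f[7]), int(f[8]))
        yield Event(float(f[0]), f[1], int(f[2]), f[3], flow)

def sessions(events):
    """Pair each C/A with its X. Returns (closed, still_open)."""
    opened, closed = {}, []
    for ev in events:
        if ev.kind in ("C", "A"):
            opened[ev.flow] = ev
        elif ev.flow in opened:
            start = opened.pop(ev.flow)
            closed.append((start, round(ev.time - start.time, 3)))
        # An X with no matching open (connection predates tracing) is ignored.
    return closed, list(opened.values())

if __name__ == "__main__":
    closed, still_open = sessions(parse(SAMPLE))
    for start, secs in closed:
        print(f"{start.comm}[{start.pid}] -> {start.flow[2]}:{start.flow[4]} lasted {secs}s")
    for ev in still_open:
        print(f"{ev.comm}[{ev.pid}] -> {ev.flow[2]}:{ev.flow[4]} open since {ev.time}s")
```
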

The --cgroupmap option filters based on a cgroup set. It is meant to be used
with an externally created map.

```
# ./tcptracer --cgroupmap /sys/fs/bpf/test01
```

For more details, see docs/special_filtering.md.