1*387f9dfdSAndroid Build Coastguard WorkerDemonstrations of bindsnoop, the Linux eBPF/bcc version. 2*387f9dfdSAndroid Build Coastguard Worker 3*387f9dfdSAndroid Build Coastguard WorkerThis tool traces the kernel function performing socket binding and 4*387f9dfdSAndroid Build Coastguard Workerprint socket options set before the system call invocation that might 5*387f9dfdSAndroid Build Coastguard Workerimpact bind behavior and bound interface: 6*387f9dfdSAndroid Build Coastguard WorkerSOL_IP IP_FREEBIND F.... 7*387f9dfdSAndroid Build Coastguard WorkerSOL_IP IP_TRANSPARENT .T... 8*387f9dfdSAndroid Build Coastguard WorkerSOL_IP IP_BIND_ADDRESS_NO_PORT ..N.. 9*387f9dfdSAndroid Build Coastguard WorkerSOL_SOCKET SO_REUSEADDR ...R. 10*387f9dfdSAndroid Build Coastguard WorkerSOL_SOCKET SO_REUSEPORT ....r 11*387f9dfdSAndroid Build Coastguard Worker 12*387f9dfdSAndroid Build Coastguard Worker 13*387f9dfdSAndroid Build Coastguard Worker# ./bindsnoop.py 14*387f9dfdSAndroid Build Coastguard WorkerTracing binds ... Hit Ctrl-C to end 15*387f9dfdSAndroid Build Coastguard WorkerPID COMM PROT ADDR PORT OPTS IF 16*387f9dfdSAndroid Build Coastguard Worker3941081 test_bind_op TCP 192.168.1.102 0 F.N.. 0 17*387f9dfdSAndroid Build Coastguard Worker3940194 dig TCP :: 62087 ..... 0 18*387f9dfdSAndroid Build Coastguard Worker3940219 dig UDP :: 48665 ..... 0 19*387f9dfdSAndroid Build Coastguard Worker3940893 Acceptor Thr TCP :: 35343 ...R. 0 20*387f9dfdSAndroid Build Coastguard Worker 21*387f9dfdSAndroid Build Coastguard WorkerThe output shows four bind system calls: 22*387f9dfdSAndroid Build Coastguard Workertwo "test_bind_op" instances, one with IP_FREEBIND and IP_BIND_ADDRESS_NO_PORT 23*387f9dfdSAndroid Build Coastguard Workeroptions, dig process called bind for TCP and UDP sockets, 24*387f9dfdSAndroid Build Coastguard Workerand Acceptor called bind for TCP with SO_REUSEADDR option set. 25*387f9dfdSAndroid Build Coastguard Worker 26*387f9dfdSAndroid Build Coastguard Worker 27*387f9dfdSAndroid Build Coastguard WorkerThe -t option prints a timestamp column 28*387f9dfdSAndroid Build Coastguard Worker 29*387f9dfdSAndroid Build Coastguard Worker# ./bindsnoop.py -t 30*387f9dfdSAndroid Build Coastguard WorkerTIME(s) PID COMM PROT ADDR PORT OPTS IF 31*387f9dfdSAndroid Build Coastguard Worker0.000000 3956801 dig TCP :: 49611 ..... 0 32*387f9dfdSAndroid Build Coastguard Worker0.011045 3956822 dig UDP :: 56343 ..... 0 33*387f9dfdSAndroid Build Coastguard Worker2.310629 3956498 test_bind_op TCP 192.168.1.102 39609 F...r 0 34*387f9dfdSAndroid Build Coastguard Worker 35*387f9dfdSAndroid Build Coastguard Worker 36*387f9dfdSAndroid Build Coastguard WorkerThe -U option prints a UID column: 37*387f9dfdSAndroid Build Coastguard Worker 38*387f9dfdSAndroid Build Coastguard Worker# ./bindsnoop.py -U 39*387f9dfdSAndroid Build Coastguard WorkerTracing binds ... Hit Ctrl-C to end 40*387f9dfdSAndroid Build Coastguard Worker UID PID COMM PROT ADDR PORT OPTS IF 41*387f9dfdSAndroid Build Coastguard Worker127072 3956498 test_bind_op TCP 192.168.1.102 44491 F...r 0 42*387f9dfdSAndroid Build Coastguard Worker127072 3960261 Acceptor Thr TCP :: 48869 ...R. 0 43*387f9dfdSAndroid Build Coastguard Worker 0 3960729 Acceptor Thr TCP :: 44637 ...R. 0 44*387f9dfdSAndroid Build Coastguard Worker 0 3959075 chef-client UDP :: 61722 ..... 0 45*387f9dfdSAndroid Build Coastguard Worker 46*387f9dfdSAndroid Build Coastguard Worker 47*387f9dfdSAndroid Build Coastguard WorkerThe -u option filtering UID: 48*387f9dfdSAndroid Build Coastguard Worker 49*387f9dfdSAndroid Build Coastguard Worker# ./bindsnoop.py -Uu 0 50*387f9dfdSAndroid Build Coastguard WorkerTracing binds ... Hit Ctrl-C to end 51*387f9dfdSAndroid Build Coastguard Worker UID PID COMM PROT ADDR PORT OPTS IF 52*387f9dfdSAndroid Build Coastguard Worker 0 3966330 Acceptor Thr TCP :: 39319 ...R. 0 53*387f9dfdSAndroid Build Coastguard Worker 0 3968044 python3.7 TCP ::1 59371 ..... 0 54*387f9dfdSAndroid Build Coastguard Worker 0 10224 fetch TCP 0.0.0.0 42091 ...R. 0 55*387f9dfdSAndroid Build Coastguard Worker 56*387f9dfdSAndroid Build Coastguard Worker 57*387f9dfdSAndroid Build Coastguard WorkerThe --cgroupmap option filters based on a cgroup set. 58*387f9dfdSAndroid Build Coastguard WorkerIt is meant to be used with an externally created map. 59*387f9dfdSAndroid Build Coastguard Worker 60*387f9dfdSAndroid Build Coastguard Worker# ./bindsnoop.py --cgroupmap /sys/fs/bpf/test01 61*387f9dfdSAndroid Build Coastguard Worker 62*387f9dfdSAndroid Build Coastguard WorkerFor more details, see docs/special_filtering.md 63*387f9dfdSAndroid Build Coastguard Worker 64*387f9dfdSAndroid Build Coastguard Worker 65*387f9dfdSAndroid Build Coastguard WorkerIn order to track heavy bind usage one can use --count option 66*387f9dfdSAndroid Build Coastguard Worker# ./bindsnoop.py --count 67*387f9dfdSAndroid Build Coastguard WorkerTracing binds ... Hit Ctrl-C to end 68*387f9dfdSAndroid Build Coastguard WorkerLADDR LPORT BINDS 69*387f9dfdSAndroid Build Coastguard Worker0.0.0.0 6771 4 70*387f9dfdSAndroid Build Coastguard Worker0.0.0.0 4433 4 71*387f9dfdSAndroid Build Coastguard Worker127.0.0.1 33665 1 72*387f9dfdSAndroid Build Coastguard Worker 73*387f9dfdSAndroid Build Coastguard Worker 74*387f9dfdSAndroid Build Coastguard WorkerUsage message: 75*387f9dfdSAndroid Build Coastguard Worker# ./bindsnoop.py -h 76*387f9dfdSAndroid Build Coastguard Workerusage: bindsnoop.py [-h] [-t] [-w] [-p PID] [-P PORT] [-E] [-U] [-u UID] 77*387f9dfdSAndroid Build Coastguard Worker [--count] [--cgroupmap CGROUPMAP] [--mntnsmap MNTNSMAP] 78*387f9dfdSAndroid Build Coastguard Worker 79*387f9dfdSAndroid Build Coastguard WorkerTrace TCP binds 80*387f9dfdSAndroid Build Coastguard Worker 81*387f9dfdSAndroid Build Coastguard Workeroptional arguments: 82*387f9dfdSAndroid Build Coastguard Worker -h, --help show this help message and exit 83*387f9dfdSAndroid Build Coastguard Worker -t, --timestamp include timestamp on output 84*387f9dfdSAndroid Build Coastguard Worker -w, --wide wide column output (fits IPv6 addresses) 85*387f9dfdSAndroid Build Coastguard Worker -p PID, --pid PID trace this PID only 86*387f9dfdSAndroid Build Coastguard Worker -P PORT, --port PORT comma-separated list of ports to trace. 87*387f9dfdSAndroid Build Coastguard Worker -E, --errors include errors in the output. 88*387f9dfdSAndroid Build Coastguard Worker -U, --print-uid include UID on output 89*387f9dfdSAndroid Build Coastguard Worker -u UID, --uid UID trace this UID only 90*387f9dfdSAndroid Build Coastguard Worker --count count binds per src ip and port 91*387f9dfdSAndroid Build Coastguard Worker --cgroupmap CGROUPMAP 92*387f9dfdSAndroid Build Coastguard Worker trace cgroups in this BPF map only 93*387f9dfdSAndroid Build Coastguard Worker 94*387f9dfdSAndroid Build Coastguard Workerexamples: 95*387f9dfdSAndroid Build Coastguard Worker ./bindsnoop # trace all TCP bind()s 96*387f9dfdSAndroid Build Coastguard Worker ./bindsnoop -t # include timestamps 97*387f9dfdSAndroid Build Coastguard Worker ./bindsnoop -w # wider columns (fit IPv6) 98*387f9dfdSAndroid Build Coastguard Worker ./bindsnoop -p 181 # only trace PID 181 99*387f9dfdSAndroid Build Coastguard Worker ./bindsnoop -P 80 # only trace port 80 100*387f9dfdSAndroid Build Coastguard Worker ./bindsnoop -P 80,81 # only trace port 80 and 81 101*387f9dfdSAndroid Build Coastguard Worker ./bindsnoop -U # include UID 102*387f9dfdSAndroid Build Coastguard Worker ./bindsnoop -u 1000 # only trace UID 1000 103*387f9dfdSAndroid Build Coastguard Worker ./bindsnoop -E # report bind errors 104*387f9dfdSAndroid Build Coastguard Worker ./bindsnoop --count # count bind per src ip 105*387f9dfdSAndroid Build Coastguard Worker ./bindsnoop --cgroupmap mappath # only trace cgroups in this BPF map 106*387f9dfdSAndroid Build Coastguard Worker ./bindsnoop --mntnsmap mappath # only trace mount namespaces in the map 107*387f9dfdSAndroid Build Coastguard Worker 108*387f9dfdSAndroid Build Coastguard Worker it is reporting socket options set before the bins call 109*387f9dfdSAndroid Build Coastguard Worker impacting system call behavior: 110*387f9dfdSAndroid Build Coastguard Worker SOL_IP IP_FREEBIND F.... 111*387f9dfdSAndroid Build Coastguard Worker SOL_IP IP_TRANSPARENT .T... 112*387f9dfdSAndroid Build Coastguard Worker SOL_IP IP_BIND_ADDRESS_NO_PORT ..N.. 113*387f9dfdSAndroid Build Coastguard Worker SOL_SOCKET SO_REUSEADDR ...R. 114*387f9dfdSAndroid Build Coastguard Worker SOL_SOCKET SO_REUSEPORT ....r 115*387f9dfdSAndroid Build Coastguard Worker 116*387f9dfdSAndroid Build Coastguard Worker SO_BINDTODEVICE interface is reported as "IF" index 117