Demonstrations of tcpaccept, the Linux eBPF/bcc version.


This tool traces the kernel function accepting TCP socket connections (e.g., a
passive connection via accept(); not connect()). Some example output (IP
addresses changed to protect the innocent):

# ./tcpaccept
PID     COMM         IP RADDR            RPORT LADDR            LPORT
907     sshd         4  192.168.56.1     32324 192.168.56.102   22
907     sshd         4  127.0.0.1        39866 127.0.0.1        22
5389    perl         6  1234:ab12:2040:5020:2299:0:5:0 52352 1234:ab12:2040:5020:2299:0:5:0 7001

This output shows three connections: two IPv4 connections to PID 907, an "sshd"
process listening on port 22, and one IPv6 connection to a "perl" process
listening on port 7001.

The overhead of this tool should be negligible, since it is only tracing the
kernel function performing accept. It is not tracing every packet and then
filtering.

This tool only traces successful TCP accept()s. Connection attempts to closed
ports will not be shown (those can be traced via other functions).
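
An added example, not part of the original bcc documentation: a parser for the
default output format shown above, plus a check that flags accepts by listeners
outside an allowlist. The EXPECTED policy and all function names are
assumptions made for illustration; the sample rows are the ones printed above.

```python
import ipaddress
from collections import namedtuple

Accept = namedtuple("Accept", "pid comm ipver raddr rport laddr lport")

# Constructed sample input: the three rows of default output shown above.
SAMPLE = """\
PID     COMM         IP RADDR            RPORT LADDR            LPORT
907     sshd         4  192.168.56.1     32324 192.168.56.102   22
907     sshd         4  127.0.0.1        39866 127.0.0.1        22
5389    perl         6  1234:ab12:2040:5020:2299:0:5:0 52352 1234:ab12:2040:5020:2299:0:5:0 7001
"""

# Hypothetical policy: the (COMM, LPORT) pairs expected to accept connections.
EXPECTED = {("sshd", 22)}


def parse(text):
    """Yield Accept records from default tcpaccept output (no -t or -T column)."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].isdigit():
            continue  # header, blank or truncated line
        try:
            # The last five columns are fixed, so COMM is whatever lies between
            # PID and them; this keeps a process name containing spaces intact.
            ipver, raddr, rport, laddr, lport = f[-5:]
            yield Accept(int(f[0]), " ".join(f[1:-5]), int(ipver),
                         ipaddress.ip_address(raddr), int(rport),
                         ipaddress.ip_address(laddr), int(lport))
        except ValueError:
            continue  # malformed address or number: skip rather than guess


def unexpected(records, expected=EXPECTED):
    """Accepts by a listener outside the policy. COMM is a task name the
    process itself can change, so treat a match as triage input, not identity."""
    return [r for r in records if (r.comm, r.lport) not in expected]


def remote_peers(records):
    """Accepts whose peer address is not loopback."""
    return [r for r in records if not r.raddr.is_loopback]


if __name__ == "__main__":
    recs = list(parse(SAMPLE))
    for r in unexpected(recs):
        print(f"unexpected listener: pid={r.pid} comm={r.comm} port={r.lport}")
```

Rows carrying a leading -t or -T column are skipped by this parser, so feed it
output captured without those options.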


The -t option prints a timestamp column:

# ./tcpaccept -t
TIME(s)  PID     COMM         IP RADDR            RPORT LADDR            LPORT
0.000    907     sshd         4  127.0.0.1        53700 127.0.0.1        22
0.010    5389    perl         6  1234:ab12:2040:5020:2299:0:5:0 40614 1234:ab12:2040:5020:2299:0:5:0 7001
0.992    907     sshd         4  127.0.0.1        32548 127.0.0.1        22
1.984    907     sshd         4  127.0.0.1        51250 127.0.0.1        22


The --cgroupmap option filters based on a cgroup set. It is meant to be used
with an externally created map.

# ./tcpaccept --cgroupmap /sys/fs/bpf/test01

For more details, see docs/special_filtering.md


USAGE message:

# ./tcpaccept -h
usage: tcpaccept.py [-h] [-T] [-t] [-p PID] [-P PORT] [-4 | -6] [--cgroupmap CGROUPMAP]

Trace TCP accepts

optional arguments:
  -h, --help            show this help message and exit
  -T, --time            include time column on output (HH:MM:SS)
  -t, --timestamp       include timestamp on output
  -p PID, --pid PID     trace this PID only
  -P PORT, --port PORT  comma-separated list of local ports to trace
  -4, --ipv4            trace IPv4 family only
  -6, --ipv6            trace IPv6 family only
  --cgroupmap CGROUPMAP
                        trace cgroups in this BPF map only

examples:
    ./tcpaccept           # trace all TCP accept()s
    ./tcpaccept -t        # include timestamps
    ./tcpaccept -P 80,81  # only trace port 80 and 81
    ./tcpaccept -p 181    # only trace PID 181
    ./tcpaccept --cgroupmap mappath  # only trace cgroups in this BPF map
    ./tcpaccept --mntnsmap mappath   # only trace mount namespaces in the map
    ./tcpaccept -4        # trace IPv4 family only
    ./tcpaccept -6        # trace IPv6 family only