Demonstrations of tcpconnect, the Linux eBPF/bcc version.


This tool traces the kernel function performing active TCP connections
(e.g., via a connect() syscall; accept() calls are passive connections). Some
example output (IP addresses changed to protect the innocent):

# ./tcpconnect
PID    COMM         IP SADDR            DADDR            DPORT
1479   telnet       4  127.0.0.1        127.0.0.1        23
1469   curl         4  10.201.219.236   54.245.105.25    80
1469   curl         4  10.201.219.236   54.67.101.145    80
1991   telnet       6  ::1              ::1              23
2015   ssh          6  fe80::2000:bff:fe82:3ac fe80::2000:bff:fe82:3ac 22

This output shows four connections, one from a "telnet" process, two from
"curl", and one from "ssh". The output details show the IP version, source
address, destination address, and destination port. This traces attempted
connections: these may have failed.

The overhead of this tool should be negligible, since it is only tracing the
kernel functions performing connect. It is not tracing every packet and then
filtering.
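A defender rarely reads this output by eye for long; it gets captured and post-processed. The following is an added example, not code from bcc or the tcpconnect tool: it parses a captured tcpconnect session into records, using the header line to name the columns (so the same parser also copes with the extra columns other flags add, as long as the header is present), then aggregates attempts per source/destination and flags attempts to ports outside an allowlist. The sample lines and the allowlist are constructed here for illustration.

```python
"""Parse captured tcpconnect output and summarize it.

Added example, not part of bcc or the tcpconnect tool. The sample output
below is constructed to mirror the columns tcpconnect prints; addresses are
illustrative, and the extra duplicate curl line exists only to give the
counter something to count.
"""
from collections import Counter

# Constructed sample: the first line is the header tcpconnect prints.
SAMPLE_OUTPUT = """\
PID    COMM         IP SADDR            DADDR            DPORT
1479   telnet       4  127.0.0.1        127.0.0.1        23
1469   curl         4  10.201.219.236   54.245.105.25    80
1469   curl         4  10.201.219.236   54.67.101.145    80
1469   curl         4  10.201.219.236   54.245.105.25    80
1991   telnet       6  ::1              ::1              23
2015   ssh          6  fe80::2000:bff:fe82:3ac fe80::2000:bff:fe82:3ac 22
"""


def parse_tcpconnect(text):
    """Return one dict per traced connect, keyed by the header's column names.

    The header line drives the parsing, so a capture that includes a
    timestamp, UID or LPORT column parses the same way. Lines whose field
    count differs from the header (banners, partial lines) are skipped.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    records = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue
        rec = dict(zip(header, fields))
        # Normalize numeric columns so callers can compare without casting.
        for key in ("PID", "UID", "IP", "DPORT", "LPORT"):
            if key in rec:
                rec[key] = int(rec[key])
        records.append(rec)
    return records


def connects_per_destination(records):
    """Count connect attempts per (SADDR, DADDR, DPORT), most frequent first."""
    counts = Counter((r["SADDR"], r["DADDR"], r["DPORT"]) for r in records)
    return counts.most_common()


def connects_to_unexpected_ports(records, allowed_ports):
    """Return records whose destination port is not in the allowlist.

    tcpconnect records attempts, so a hit here means a process tried to
    connect, whether or not the connection succeeded.
    """
    return [r for r in records if r["DPORT"] not in allowed_ports]


if __name__ == "__main__":
    recs = parse_tcpconnect(SAMPLE_OUTPUT)
    for (saddr, daddr, dport), n in connects_per_destination(recs):
        print(f"{saddr:>24} -> {daddr}:{dport}  {n}")
    # The allowlist is a constructed example value, not a recommendation.
    for r in connects_to_unexpected_ports(recs, allowed_ports={22, 80, 443}):
        print(f"unexpected: pid={r['PID']} comm={r['COMM']} dport={r['DPORT']}")
```

Because the header names the columns, the parser is indifferent to which optional columns a capture contains; the aggregation keys only on the three columns every tcpconnect output has.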


The -t option prints a timestamp column:

# ./tcpconnect -t
TIME(s)  PID    COMM         IP SADDR            DADDR            DPORT
31.871   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
31.874   2482   local_agent  4  10.103.219.236   10.101.3.132     7001
31.878   2482   local_agent  4  10.103.219.236   10.171.133.98    7101
90.917   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
90.928   2482   local_agent  4  10.103.219.236   10.102.64.230    7001
90.938   2482   local_agent  4  10.103.219.236   10.115.167.169   7101

The output shows some periodic connections (or attempts) from a "local_agent"
process to various other addresses. A few connections occur every minute.

The -d option tracks DNS responses and tries to associate each connection with
a previous DNS query issued before it. If a DNS response matching the IP
is found, it will be printed. If no match was found, "No DNS Query" is printed
in this column. Queries for 127.0.0.1 and ::1 are automatically associated with
"localhost".
If the time between when the DNS response was received and a
connect call was traced exceeds 100ms, the tool will print the time delta
after the query name. See below for www.domain.com for an example.

# ./tcpconnect -d
PID    COMM         IP SADDR            DADDR            DPORT QUERY
1543   amazon-ssm-a 4  10.66.75.54      176.32.119.67    443   ec2messages.us-west-1.amazonaws.com
1479   telnet       4  127.0.0.1        127.0.0.1        23    localhost
1469   curl         4  10.201.219.236   54.245.105.25    80    www.domain.com (123.342ms)
1469   curl         4  10.201.219.236   54.67.101.145    80    No DNS Query
1991   telnet       6  ::1              ::1              23    localhost
2015   ssh          6  fe80::2000:bff:fe82:3ac fe80::2000:bff:fe82:3ac 22 anotherhost.org


The -L option prints a LPORT column:

# ./tcpconnect -L
PID    COMM         IP SADDR            LPORT  DADDR            DPORT
3706   nc           4  192.168.122.205  57266  192.168.122.150  5000
3722   ssh          4  192.168.122.205  50966  192.168.122.150  22
3779   ssh          6  fe80::1          52328  fe80::2          22


The -U option prints a UID column:

# ./tcpconnect -U
UID   PID    COMM         IP SADDR            DADDR            DPORT
0     31333  telnet       6  ::1              ::1              23
0     31333  telnet       4  127.0.0.1        127.0.0.1        23
1000  31322  curl         4  127.0.0.1        127.0.0.1        80
1000  31322  curl         6  ::1              ::1              80


The -u option filters by UID:

# ./tcpconnect -Uu 1000
UID   PID    COMM         IP SADDR            DADDR            DPORT
1000  31338  telnet       6  ::1              ::1              23
1000  31338  telnet       4  127.0.0.1        127.0.0.1        23

To spot heavy outbound connections quickly, one can use the -c flag. It will
count all active connections per source ip and destination ip/port.

# ./tcpconnect.py -c
Tracing connect ... Hit Ctrl-C to end
^C
LADDR            RADDR            RPORT  CONNECTS
192.168.10.50    172.217.21.194   443    70
192.168.10.50    172.213.11.195   443    34
192.168.10.50    172.212.22.194   443    21
[...]


The --cgroupmap option filters based on a cgroup set.
It is meant to be used
with an externally created map.

# ./tcpconnect --cgroupmap /sys/fs/bpf/test01

For more details, see docs/special_filtering.md


USAGE message:

# ./tcpconnect -h

usage: tcpconnect.py [-h] [-t] [-p PID] [-P PORT] [-4 | -6] [-L] [-U] [-u UID]
                     [-c] [--cgroupmap CGROUPMAP] [--mntnsmap MNTNSMAP] [-d]

Trace TCP connects

optional arguments:
  -h, --help            show this help message and exit
  -t, --timestamp       include timestamp on output
  -p PID, --pid PID     trace this PID only
  -P PORT, --port PORT  comma-separated list of destination ports to trace.
  -4, --ipv4            trace IPv4 family only
  -6, --ipv6            trace IPv6 family only
  -L, --lport           include LPORT on output
  -U, --print-uid       include UID on output
  -u UID, --uid UID     trace this UID only
  -c, --count           count connects per src ip and dest ip/port
  --cgroupmap CGROUPMAP
                        trace cgroups in this BPF map only
  --mntnsmap MNTNSMAP   trace mount namespaces in this BPF map only
  -d, --dns             include likely DNS query associated with each connect

examples:
    ./tcpconnect           # trace all TCP connect()s
    ./tcpconnect -t        # include timestamps
    ./tcpconnect -d        # include DNS queries associated with connects
    ./tcpconnect -p 181    # only trace PID 181
    ./tcpconnect -P 80     # only trace port 80
    ./tcpconnect -P 80,81  # only trace port 80 and 81
    ./tcpconnect -4        # only trace IPv4 family
    ./tcpconnect -6        # only trace IPv6 family
    ./tcpconnect -U        # include UID
    ./tcpconnect -u 1000   # only trace UID 1000
    ./tcpconnect -c        # count connects per src ip and dest ip/port
    ./tcpconnect -L        # include LPORT while printing outputs
    ./tcpconnect --cgroupmap mappath  # only trace cgroups in this BPF map
    ./tcpconnect --mntnsmap mappath   # only trace mount namespaces in the map
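The matching rules the -d section describes (latest DNS answer for the destination IP wins, 127.0.0.1 and ::1 map to "localhost", "No DNS Query" when nothing matched, and a time delta appended when the answer is more than 100ms older than the connect) are small enough to show end to end. The following is an added example, not bcc's implementation: a userspace re-implementation of those rules run over a constructed, time-ordered stream of DNS-response and connect events. The event tuple shapes, the DnsAssociator class and the annotate() function are assumptions of this example; the values reproduce the QUERY column of the -d output shown earlier.

```python
"""Associate connect() events with earlier DNS responses, as tcpconnect -d does.

Added example, not bcc's code. Assumed event shapes (constructed here):
  ("dns", time_s, query_name, answered_ip)
  ("connect", time_s, pid, comm, daddr)
Timestamps are in seconds.
"""

LOCALHOST_ADDRS = {"127.0.0.1", "::1"}
DELTA_THRESHOLD_S = 0.100  # the 100ms rule from the -d description


class DnsAssociator:
    """Remembers the most recent DNS answer per IP and labels connects."""

    def __init__(self):
        self._last_seen = {}  # ip -> (time_s, query_name)

    def record_dns_response(self, time_s, query_name, ip):
        # A newer answer for the same IP replaces the older one.
        self._last_seen[ip] = (time_s, query_name)

    def label_connect(self, time_s, daddr):
        """Return the QUERY column text for a connect to daddr at time_s."""
        if daddr in LOCALHOST_ADDRS:
            return "localhost"
        hit = self._last_seen.get(daddr)
        if hit is None:
            return "No DNS Query"
        resp_time, name = hit
        delta = time_s - resp_time
        if delta > DELTA_THRESHOLD_S:
            # Old answer: show how long ago it was received, in milliseconds.
            return f"{name} ({delta * 1000:.3f}ms)"
        return name


def annotate(events):
    """Replay events in time order; return (pid, comm, daddr, label) per connect."""
    assoc = DnsAssociator()
    out = []
    for ev in sorted(events, key=lambda e: e[1]):
        if ev[0] == "dns":
            _, t, name, ip = ev
            assoc.record_dns_response(t, name, ip)
        elif ev[0] == "connect":
            _, t, pid, comm, daddr = ev
            out.append((pid, comm, daddr, assoc.label_connect(t, daddr)))
    return out


# Constructed events mirroring the -d output above (times are illustrative).
SAMPLE_EVENTS = [
    ("dns", 10.000, "www.domain.com", "54.245.105.25"),
    ("connect", 10.123342, 1469, "curl", "54.245.105.25"),   # 123.342ms later
    ("connect", 10.200, 1469, "curl", "54.67.101.145"),      # never resolved here
    ("connect", 10.300, 1479, "telnet", "127.0.0.1"),
    ("dns", 11.000, "anotherhost.org", "fe80::2000:bff:fe82:3ac"),
    ("connect", 11.010, 2015, "ssh", "fe80::2000:bff:fe82:3ac"),  # 10ms: no delta
]


if __name__ == "__main__":
    for pid, comm, daddr, label in annotate(SAMPLE_EVENTS):
        print(f"{pid:<6} {comm:<12} {daddr:<24} {label}")
```

The association is a heuristic, which is why the usage message says "likely DNS query": a connect to an address that was resolved by a different process, or resolved long ago, is still labelled with whatever answer was seen last for that IP, and a connect to a hard-coded address gets "No DNS Query". The delta annotation is the cue to treat the label with more suspicion.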