1*387f9dfdSAndroid Build Coastguard WorkerDemonstrations of tcpstates, the Linux BPF/bcc version. 2*387f9dfdSAndroid Build Coastguard Worker 3*387f9dfdSAndroid Build Coastguard Worker 4*387f9dfdSAndroid Build Coastguard Workertcpstates prints TCP state change information, including the duration in each 5*387f9dfdSAndroid Build Coastguard Workerstate as milliseconds. For example, a single TCP session: 6*387f9dfdSAndroid Build Coastguard Worker 7*387f9dfdSAndroid Build Coastguard Worker# tcpstates 8*387f9dfdSAndroid Build Coastguard WorkerSKADDR C-PID C-COMM LADDR LPORT RADDR RPORT OLDSTATE -> NEWSTATE MS 9*387f9dfdSAndroid Build Coastguard Workerffff9fd7e8192000 22384 curl 100.66.100.185 0 52.33.159.26 80 CLOSE -> SYN_SENT 0.000 10*387f9dfdSAndroid Build Coastguard Workerffff9fd7e8192000 0 swapper/5 100.66.100.185 63446 52.33.159.26 80 SYN_SENT -> ESTABLISHED 1.373 11*387f9dfdSAndroid Build Coastguard Workerffff9fd7e8192000 22384 curl 100.66.100.185 63446 52.33.159.26 80 ESTABLISHED -> FIN_WAIT1 176.042 12*387f9dfdSAndroid Build Coastguard Workerffff9fd7e8192000 0 swapper/5 100.66.100.185 63446 52.33.159.26 80 FIN_WAIT1 -> FIN_WAIT2 0.536 13*387f9dfdSAndroid Build Coastguard Workerffff9fd7e8192000 0 swapper/5 100.66.100.185 63446 52.33.159.26 80 FIN_WAIT2 -> CLOSE 0.006 14*387f9dfdSAndroid Build Coastguard Worker^C 15*387f9dfdSAndroid Build Coastguard Worker 16*387f9dfdSAndroid Build Coastguard WorkerThis showed that the most time was spent in the ESTABLISHED state (which then 17*387f9dfdSAndroid Build Coastguard Workertransitioned to FIN_WAIT1), which was 176.042 milliseconds. 18*387f9dfdSAndroid Build Coastguard Worker 19*387f9dfdSAndroid Build Coastguard WorkerThe first column is the socked address, as the output may include lines from 20*387f9dfdSAndroid Build Coastguard Workerdifferent sessions interleaved. The next two columns show the current on-CPU 21*387f9dfdSAndroid Build Coastguard Workerprocess ID and command name: these may show the process that owns the TCP 22*387f9dfdSAndroid Build Coastguard Workersession, depending on whether the state change executes synchronously in 23*387f9dfdSAndroid Build Coastguard Workerprocess context. If that's not the case, they may show kernel details. 24*387f9dfdSAndroid Build Coastguard Worker 25*387f9dfdSAndroid Build Coastguard Worker 26*387f9dfdSAndroid Build Coastguard WorkerUSAGE: 27*387f9dfdSAndroid Build Coastguard Worker 28*387f9dfdSAndroid Build Coastguard Worker# tcpstates -h 29*387f9dfdSAndroid Build Coastguard Workerusage: tcpstates.py [-h] [-T] [-t] [-w] [-s] [-L LOCALPORT] [-D REMOTEPORT] 30*387f9dfdSAndroid Build Coastguard Worker [-Y] [-4 | -6] 31*387f9dfdSAndroid Build Coastguard Worker 32*387f9dfdSAndroid Build Coastguard WorkerTrace TCP session state changes and durations 33*387f9dfdSAndroid Build Coastguard Worker 34*387f9dfdSAndroid Build Coastguard Workeroptional arguments: 35*387f9dfdSAndroid Build Coastguard Worker -h, --help show this help message and exit 36*387f9dfdSAndroid Build Coastguard Worker -T, --time include time column on output (HH:MM:SS) 37*387f9dfdSAndroid Build Coastguard Worker -t, --timestamp include timestamp on output (seconds) 38*387f9dfdSAndroid Build Coastguard Worker -w, --wide wide column output (fits IPv6 addresses) 39*387f9dfdSAndroid Build Coastguard Worker -s, --csv comma separated values output 40*387f9dfdSAndroid Build Coastguard Worker -L LOCALPORT, --localport LOCALPORT 41*387f9dfdSAndroid Build Coastguard Worker comma-separated list of local ports to trace. 42*387f9dfdSAndroid Build Coastguard Worker -D REMOTEPORT, --remoteport REMOTEPORT 43*387f9dfdSAndroid Build Coastguard Worker comma-separated list of remote ports to trace. 44*387f9dfdSAndroid Build Coastguard Worker -Y, --journal log session state changes to the systemd journal 45*387f9dfdSAndroid Build Coastguard Worker -4, --ipv4 trace IPv4 family only 46*387f9dfdSAndroid Build Coastguard Worker -6, --ipv6 trace IPv6 family only 47*387f9dfdSAndroid Build Coastguard Worker 48*387f9dfdSAndroid Build Coastguard Workerexamples: 49*387f9dfdSAndroid Build Coastguard Worker ./tcpstates # trace all TCP state changes 50*387f9dfdSAndroid Build Coastguard Worker ./tcpstates -t # include timestamp column 51*387f9dfdSAndroid Build Coastguard Worker ./tcpstates -T # include time column (HH:MM:SS) 52*387f9dfdSAndroid Build Coastguard Worker ./tcpstates -w # wider columns (fit IPv6) 53*387f9dfdSAndroid Build Coastguard Worker ./tcpstates -stT # csv output, with times & timestamps 54*387f9dfdSAndroid Build Coastguard Worker ./tcpstates -Y # log events to the systemd journal 55*387f9dfdSAndroid Build Coastguard Worker ./tcpstates -L 80 # only trace local port 80 56*387f9dfdSAndroid Build Coastguard Worker ./tcpstates -L 80,81 # only trace local ports 80 and 81 57*387f9dfdSAndroid Build Coastguard Worker ./tcpstates -D 80 # only trace remote port 80 58*387f9dfdSAndroid Build Coastguard Worker ./tcpstates -4 # trace IPv4 family only 59*387f9dfdSAndroid Build Coastguard Worker ./tcpstates -6 # trace IPv6 family only 60