Demonstrations of tcpsubnet, the Linux eBPF/bcc version.


tcpsubnet summarizes throughput by destination subnet.
It works only for IPv4. E.g.:

# tcpsubnet
Tracing... Output every 1 secs. Hit Ctrl-C to end
[03/05/18 22:32:47]
127.0.0.1/32               8
[03/05/18 22:32:48]
[03/05/18 22:32:49]
[03/05/18 22:32:50]
[03/05/18 22:32:51]
[03/05/18 22:32:52]
127.0.0.1/32              10
[03/05/18 22:32:53]

This example output shows the number of bytes sent to 127.0.0.1/32 (the
loopback interface). For demo purposes, I set netcat listening on port
8080, connected to it and sent the following payloads:

# nc 127.0.0.1 8080
1111111
111111111

The first line sends 7 digits plus the null character (8 bytes).
The second line sends 9 digits plus the null character (10 bytes).

Notice also how tcpsubnet prints a header line with the current date
and time formatted in the current locale.

Try it yourself to get a feeling of how tcpsubnet works.

By default, tcpsubnet will categorize traffic in the following subnets:

- 127.0.0.1/32
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 0.0.0.0/0

The last subnet is a catch-all. In other words, anything that doesn't
match the first 4 defaults will be categorized under 0.0.0.0/0.
You can change this default behavior by passing a comma-separated list
of subnets. Let's say we would like to know how much traffic we
are sending to github.com. We first find out what IPs github.com resolves
to, e.g.:

# dig +short github.com
192.30.253.112
192.30.253.113

With this information, we can come up with a reasonable range of IPs
to monitor, e.g.:

# tcpsubnet.py 192.30.253.110/27,0.0.0.0/0
Tracing... Output every 1 secs. Hit Ctrl-C to end
[03/05/18 22:38:58]
0.0.0.0/0               5780
192.30.253.110/27       2205
[03/05/18 22:38:59]
0.0.0.0/0               2036
192.30.253.110/27       1183
[03/05/18 22:39:00]
[03/05/18 22:39:01]
192.30.253.110/27      12537

If we would like to be more accurate, we can use the two IPs returned
by dig, e.g.:

# tcpsubnet 192.30.253.113/32,192.130.253.112/32,0.0.0.0/0
Tracing... Output every 1 secs. Hit Ctrl-C to end
[03/05/18 22:42:56]
0.0.0.0/0               1177
192.30.253.113/32        910
[03/05/18 22:42:57]
0.0.0.0/0              48704
192.30.253.113/32        892
[03/05/18 22:42:58]
192.30.253.113/32        891
0.0.0.0/0                858
[03/05/18 22:42:59]
0.0.0.0/0              11159
192.30.253.113/32        894
[03/05/18 22:43:00]
0.0.0.0/0              60601

NOTE: When used in production, it is expected that you will have full
information about your network topology, in which case you won't need
to approximate subnets or list individual IP addresses as we just did.

Notice that the order of the subnets matters. If we put 0.0.0.0/0 as
the first element of the list and 192.130.253.112/32 as the second, all the
traffic going to 192.130.253.112/32 will be categorized under
0.0.0.0/0, because 192.130.253.112/32 is contained in 0.0.0.0/0.

The default output unit is bytes. You can change it by using the
-f [--format] flag. tcpsubnet uses the same flags as iperf for the unit
format and adds mM. When using kmKM, the output will be rounded down (floor).
E.g.:

# tcpsubnet -fK 0.0.0.0/0
[03/05/18 22:44:04]
0.0.0.0/0                  1
[03/05/18 22:44:05]
0.0.0.0/0                  5
[03/05/18 22:44:06]
0.0.0.0/0                 31

Just like the majority of the bcc tools, tcpsubnet supports -i and --ebpf.

It also supports -v [--verbose], which gives useful debugging information
on how the subnets are evaluated and the BPF program is constructed.

Last but not least, it supports -J [--json] to print the output in
JSON format. This is handy if you're calling tcpsubnet from another
program (say a nodejs server) and would like to have a structured stdout.
The output in JSON format will also include the date and time.
E.g.:

# tcpsubnet -J -fK 192.130.253.110/27,0.0.0.0/0
{"date": "03/05/18", "entries": {"0.0.0.0/0": 2}, "time": "22:46:27"}
{"date": "03/05/18", "entries": {}, "time": "22:46:28"}
{"date": "03/05/18", "entries": {}, "time": "22:46:29"}
{"date": "03/05/18", "entries": {}, "time": "22:46:30"}
{"date": "03/05/18", "entries": {"192.30.253.110/27": 0}, "time": "22:46:31"}
{"date": "03/05/18", "entries": {"192.30.253.110/27": 1}, "time": "22:46:32"}
{"date": "03/05/18", "entries": {"192.30.253.110/27": 18}, "time": "22:46:32"}


USAGE:

# ./tcpsubnet -h
usage: tcpsubnet.py [-h] [-v] [-J] [-f {b,k,m,B,K,M}] [-i INTERVAL] [subnets]

Summarize TCP send and aggregate by subnet

positional arguments:
  subnets               comma separated list of subnets

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         output debug statements
  -J, --json            format output in JSON
  -f {b,k,m,B,K,M}, --format {b,k,m,B,K,M}
                        [bkmBKM] format to report: bits, Kbits, Mbits, bytes,
                        KBytes, MBytes (default B)
  -i INTERVAL, --interval INTERVAL
                        output interval, in seconds (default 1)

examples:
    ./tcpsubnet                 # Trace TCP sent to the default subnets:
                                # 127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,
                                # 192.168.0.0/16,0.0.0.0/0
    ./tcpsubnet -f K            # Trace TCP sent to the default subnets
                                # aggregated in KBytes.
    ./tcpsubnet 10.80.0.0/24    # Trace TCP sent to 10.80.0.0/24 only
    ./tcpsubnet -J              # Format the output in JSON.
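
The note above that the order of the subnets matters can be checked before a list is handed to tcpsubnet. The following is an added example, not code from tcpsubnet or bcc: it models first-match categorization with Python's ipaddress module and flags entries that an earlier subnet shadows. The function names are hypothetical, and it assumes host bits are masked off before comparison, as the 192.30.253.110/27 output above suggests.

```python
import ipaddress

# Default list as given on this page.
DEFAULT_SUBNETS = "127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,0.0.0.0/0"


def parse_subnets(spec):
    """Split a comma-separated IPv4 list into (label, network) pairs.

    Assumption: host bits are masked off before comparison (strict=False).
    """
    labels = [s.strip() for s in spec.split(",") if s.strip()]
    return [(s, ipaddress.ip_network(s, strict=False)) for s in labels]


def classify(dest, subnets):
    """First-match categorization: the earliest subnet containing dest wins."""
    addr = ipaddress.ip_address(dest)
    for label, net in subnets:
        if addr in net:
            return label
    return None  # no listed subnet contains dest


def lint(spec):
    """Flag entries with host bits set and entries an earlier one shadows."""
    subnets = parse_subnets(spec)
    findings = []
    for i, (label, net) in enumerate(subnets):
        if ipaddress.ip_interface(label).ip != net.network_address:
            findings.append(("host-bits", label, str(net)))
        for earlier_label, earlier in subnets[:i]:
            if net.subnet_of(earlier):
                findings.append(("shadowed", label, earlier_label))
                break
    return findings


if __name__ == "__main__":
    for spec in (DEFAULT_SUBNETS,
                 "192.30.253.110/27,0.0.0.0/0",
                 "0.0.0.0/0,192.130.253.112/32"):
        print(spec, "->", lint(spec) or "ok")
```

A "shadowed" finding means the entry can never receive traffic in this model, so a monitored range placed after the catch-all silently reports nothing.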
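
For the -J mode described above, a calling program reads one JSON object per output interval. The following is an added example, not part of tcpsubnet: a consumer that totals each subnet, records its peak interval and reports the share of traffic that fell into the catch-all. The function name is hypothetical, the input is the sample from this page with one constructed non-JSON line, and skipping non-JSON lines is a defensive assumption about what else may appear on stdout.

```python
import json

# Constructed input: the -J sample lines shown on this page, preceded by
# one non-JSON line to exercise the skip path.
SAMPLE = '''Tracing... Output every 1 secs. Hit Ctrl-C to end
{"date": "03/05/18", "entries": {"0.0.0.0/0": 2}, "time": "22:46:27"}
{"date": "03/05/18", "entries": {}, "time": "22:46:28"}
{"date": "03/05/18", "entries": {}, "time": "22:46:29"}
{"date": "03/05/18", "entries": {}, "time": "22:46:30"}
{"date": "03/05/18", "entries": {"192.30.253.110/27": 0}, "time": "22:46:31"}
{"date": "03/05/18", "entries": {"192.30.253.110/27": 1}, "time": "22:46:32"}
{"date": "03/05/18", "entries": {"192.30.253.110/27": 18}, "time": "22:46:32"}
'''.splitlines()


def summarize(lines, catch_all="0.0.0.0/0"):
    """Aggregate tcpsubnet -J records: totals, peak interval, catch-all share."""
    totals, peaks, intervals = {}, {}, 0
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # header or debug text, not a record
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # truncated or malformed record
        entries = rec.get("entries")
        if not isinstance(entries, dict):
            continue
        intervals += 1
        stamp = "%s %s" % (rec.get("date"), rec.get("time"))
        for subnet, amount in entries.items():
            totals[subnet] = totals.get(subnet, 0) + amount
            if amount > peaks.get(subnet, (-1, None))[0]:
                peaks[subnet] = (amount, stamp)
    grand = sum(totals.values())
    share = totals.get(catch_all, 0) / grand if grand else 0.0
    return {"intervals": intervals, "totals": totals,
            "peaks": peaks, "catch_all_share": share}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```

Because the k, m, K and M units are floored per interval, totals summed from them undercount; sum the default byte output when totals matter.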