Demonstrations of tcptracer, the Linux eBPF/bcc version.


This tool traces the kernel functions performing TCP connections (eg, via
connect() or accept() syscalls) and closing them (explicitly or if the process
dies). Some example output (IP addresses are fake):

```
# ./tcptracer
Tracing TCP established connections. Ctrl-C to end.
T  PID    COMM             IP SADDR            DADDR            SPORT  DPORT
C  28943  telnet           4  192.168.1.2      192.168.1.1      59306  23
C  28818  curl             6  [::1]            [::1]            55758  80
X  28943  telnet           4  192.168.1.2      192.168.1.1      59306  23
A  28817  nc               6  [::1]            [::1]            80     55758
X  28818  curl             6  [::1]            [::1]            55758  80
X  28817  nc               6  [::1]            [::1]            80     55758
A  28978  nc               4  10.202.210.1     10.202.109.12    8080   59160
X  28978  nc               4  10.202.210.1     10.202.109.12    8080   59160
```

This output shows three connections, one outgoing from a "telnet" process, one
outgoing from "curl" to a local netcat, and one incoming received by the "nc"
process. The output details show the kind of event (C for connection, X for
close and A for accept), PID, command name (COMM), IP version, source address,
destination address, source port and destination port.

The -t option prints a timestamp column:

```
# ./tcptracer -t
Tracing TCP established connections. Ctrl-C to end.
TIME(s)  T  PID    COMM             IP SADDR            DADDR            SPORT  DPORT
0.000    C  31002  telnet           4  192.168.1.2      192.168.1.1      42590  23
3.546    C  748    curl             6  [::1]            [::1]            42592  80
4.294    X  31002  telnet           4  192.168.1.2      192.168.1.1      42590  23
```


The --cgroupmap option filters based on a cgroup set. It is meant to be used
with an externally created map.

```
# ./tcptracer --cgroupmap /sys/fs/bpf/test01
```

For more details, see docs/special_filtering.md
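
An added example (not part of the bcc project's code): a parser for the -t
output format shown above that pairs each C or A event with its X event, giving
connection lifetimes and the connections still open when tracing stopped. It
assumes COMM contains no whitespace and matches events on the socket tuple;
parse_line, correlate and SAMPLE are names chosen here, and SAMPLE is copied
from the -t output above.

```python
from typing import NamedTuple

class Event(NamedTuple):
    time: float
    kind: str      # C = connect, A = accept, X = close
    pid: int
    comm: str
    ipver: int
    saddr: str
    daddr: str
    sport: int
    dport: int

def parse_line(line):
    """Return an Event for a data row, or None for banner, header or blank lines."""
    f = line.split()  # assumption: COMM has no embedded whitespace
    if len(f) != 9 or f[1] not in ("C", "A", "X"):
        return None
    try:
        return Event(float(f[0]), f[1], int(f[2]), f[3], int(f[4]),
                     f[5], f[6], int(f[7]), int(f[8]))
    except ValueError:
        return None

def correlate(lines):
    """Pair each C/A with its X. Returns (closed, still_open)."""
    open_conns, closed = {}, []
    for ev in filter(None, map(parse_line, lines)):
        key = (ev.ipver, ev.saddr, ev.daddr, ev.sport, ev.dport)
        if ev.kind in ("C", "A"):
            open_conns[key] = ev
        elif key in open_conns:  # X for a connection we saw opening
            start = open_conns.pop(key)
            closed.append((start, round(ev.time - start.time, 3)))
    return closed, list(open_conns.values())

# Sample input: the -t output from this page.
SAMPLE = """\
Tracing TCP established connections. Ctrl-C to end.
TIME(s)  T  PID    COMM             IP SADDR            DADDR            SPORT  DPORT
0.000    C  31002  telnet           4  192.168.1.2      192.168.1.1      42590  23
3.546    C  748    curl             6  [::1]            [::1]            42592  80
4.294    X  31002  telnet           4  192.168.1.2      192.168.1.1      42590  23
""".splitlines()
if __name__ == "__main__":
    closed, still_open = correlate(SAMPLE)
    for start, secs in closed:
        print(f"closed {start.comm}[{start.pid}] -> {start.daddr}:{start.dport} after {secs}s")
    for ev in still_open:
        print(f"open   {ev.comm}[{ev.pid}] -> {ev.daddr}:{ev.dport} since {ev.time}s")
```

X events whose opening was not observed (connections established before
tracing started) are skipped rather than reported.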