forked from bpftrace/bpftrace
tcpconnect_example.txt
Demonstrations of tcpconnect, the Linux bpftrace/eBPF version.


This tool traces the kernel function performing active TCP connections
(e.g., via a connect() syscall; accept() calls are passive connections). Some
example output (IP addresses changed to protect the innocent):

# ./tcpconnect.bt
TIME     PID      COMM             SADDR          SPORT  DADDR          DPORT
00:36:45 1798396  agent            127.0.0.1      5001   10.229.20.82   56114
00:36:45 1798396  curl             127.0.0.1      10255  10.229.20.82   56606
00:36:45 3949059  nginx            127.0.0.1      8000   127.0.0.1      37780

This output shows three connections, one from an "agent" process, one from
"curl", and one from "nginx". The output details show the IP version, source
address, source socket port, destination address, and destination port. This
traces attempted connections: these may have failed.

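For review or alerting, the output above can be parsed into records. The
following is an added example, not part of the bpftrace project: it parses the
columns shown above and lists attempted connections to non-loopback
destinations from processes outside an allowlist. The allowlist, the function
names and the last sample row are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

class Conn(NamedTuple):
    time: str
    pid: int
    comm: str
    saddr: str
    sport: int
    daddr: str
    dport: int

def parse(text):
    """Parse tcpconnect.bt output; skip the prompt, header and malformed lines."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        # A data row has at least 7 fields and starts with HH:MM:SS.
        if len(f) < 7 or f[0].count(":") != 2:
            continue
        # COMM may contain spaces, so take fixed fields from both ends.
        saddr, sport, daddr, dport = f[-4:]
        try:
            ipaddress.ip_address(saddr)
            ipaddress.ip_address(daddr)
            conns.append(Conn(f[0], int(f[1]), " ".join(f[2:-4]),
                              saddr, int(sport), daddr, int(dport)))
        except ValueError:
            continue  # header row or garbled line
    return conns

def review(conns, allowed_comms):
    """Attempted connections to non-loopback destinations made by processes
    not in allowed_comms (a site-specific allowlist, assumed here)."""
    return [c for c in conns
            if not ipaddress.ip_address(c.daddr).is_loopback
            and c.comm not in allowed_comms]

# First three data rows are the page's output; the last row is constructed
# to exercise a COMM value containing a space.
SAMPLE = """# ./tcpconnect.bt
TIME     PID      COMM             SADDR          SPORT  DADDR          DPORT
00:36:45 1798396  agent            127.0.0.1      5001   10.229.20.82   56114
00:36:45 1798396  curl             127.0.0.1      10255  10.229.20.82   56606
00:36:45 3949059  nginx            127.0.0.1      8000   127.0.0.1      37780
00:36:46 4242     Web Content      192.0.2.10     40000  198.51.100.7   443
"""

if __name__ == "__main__":
    for c in review(parse(SAMPLE), allowed_comms={"agent"}):
        print(f"{c.time} pid={c.pid} comm={c.comm!r} -> {c.daddr}:{c.dport}")
```

COMM is the kernel task name, which is limited to 15 characters and can be set
by the process itself, so an allowlist match is a hint rather than proof of
identity. Every flagged row is an attempted connection and may have failed.
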
The overhead of this tool should be negligible, since it is only tracing the
kernel functions performing connect. It is not tracing every packet and then
filtering.


USAGE message:

# ./tcpconnect.bt