tcpaccept.bt - Man Page
Trace TCP passive connections (accept()). Uses bpftrace/eBPF
Synopsis
tcpaccept.bt
Description
This tool traces passive TCP connections (eg, via an accept() syscall; connect() are active connections). This can be useful for general troubleshooting to see what new connections the local server is accepting.
This uses dynamic tracing of the kernel inet_csk_accept() socket function (from tcp_prot.accept), and will need to be modified to match kernel changes.
This tool only traces successful TCP accept()s. Connection attempts to closed ports will not be shown (those can be traced via other functions).
Since this uses BPF, only the root user can use this tool.
Requirements
CONFIG_BPF and bpftrace.
Examples
- Trace all passive TCP connections (accept()s):
# tcpaccept.bt
Fields
- TIME(s)
Time of the call, in HH:MM:SS format.
- PID
Process ID
- COMM
Process name
- RADDR
Remote IP address.
- RPORT
Remote port.
- LADDR
Local IP address.
- LPORT
Local port
- BL
Current accept backlog vs maximum backlog
Overhead
This traces the kernel inet_csk_accept function and prints output for each event. The rate of this depends on your server application. If it is a web or proxy server accepting many tens of thousands of connections per second, then the overhead of this tool may be measurable (although, still a lot better than tracing every packet). If it is less than a thousand a second, then the overhead is expected to be negligible. Test and understand this overhead before use.
Source
This is from bpftrace
https://github.com/bpftrace/bpftrace
Also look in the bpftrace distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.
This is a bpftrace version of the bcc tool of the same name. The bcc tool may provide more options and customizations.
OS
Linux
Stability
Unstable - in development.
Author
Brendan Gregg, adapted for bpftrace by Dale Hamel
See Also
tcpconnect.bt(8), funccount(8), tcpdump(8)
Referenced By
tcpconnect.bt(8), tcpdrop.bt(8), tcpretrans.bt(8).