Demonstrations of tcpaccept, the Linux eBPF/bcc version.


This tool traces the kernel function accepting TCP socket connections (e.g., a
passive connection via accept(); not connect()). Some example output (IP
addresses changed to protect the innocent):

# ./tcpaccept
PID    COMM         IP RADDR            LADDR            LPORT
907    sshd         4  192.168.56.1     192.168.56.102   22
907    sshd         4  127.0.0.1        127.0.0.1        22
5389   perl         6  1234:ab12:2040:5020:2299:0:5:0 1234:ab12:2040:5020:2299:0:5:0 7001

This output shows three connections: two IPv4 connections to PID 907, an "sshd"
process listening on port 22, and one IPv6 connection to a "perl" process
listening on port 7001.

The overhead of this tool should be negligible, since it is only tracing the
kernel function performing accept. It is not tracing every packet and then
filtering.

This tool only traces successful TCP accept()s. Connection attempts to closed
ports will not be shown (those can be traced via other functions).


The -t option prints a timestamp column:

# ./tcpaccept -t
TIME(s)  PID    COMM         IP RADDR            LADDR            LPORT
0.000    907    sshd         4  127.0.0.1        127.0.0.1        22
0.010    5389   perl         6  1234:ab12:2040:5020:2299:0:5:0 1234:ab12:2040:5020:2299:0:5:0 7001
0.992    907    sshd         4  127.0.0.1        127.0.0.1        22
1.984    907    sshd         4  127.0.0.1        127.0.0.1        22
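As an added example (not bcc's own code), the following Python parses tcpaccept output in the format shown above, with or without the -t column, and flags accepts from non-loopback peers on listening ports outside an allow-list; the sample lines and the allow-list of port 22 are constructed assumptions, not captured from a live system.

```python
"""Parse tcpaccept output and flag accepts on unexpected listening ports.
Added example, not part of bcc; SAMPLE_OUTPUT is constructed from the format
shown above, not captured from a live system."""
import ipaddress
from typing import List, NamedTuple, Optional, Set, Union

SAMPLE_OUTPUT = """\
TIME(s)  PID    COMM         IP RADDR            LADDR            LPORT
0.000    907    sshd         4  127.0.0.1        127.0.0.1        22
0.010    5389   perl         6  1234:ab12:2040:5020:2299:0:5:0 1234:ab12:2040:5020:2299:0:5:0 7001
0.992    907    sshd         4  192.168.56.1     192.168.56.102   22
"""
Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

class Accept(NamedTuple):
    time: Optional[float]            # None when run without -t
    pid: int
    comm: str
    ipver: int
    raddr: Addr                      # remote (connecting) peer
    laddr: Addr                      # local listening address
    lport: int

def parse_tcpaccept(text: str) -> List[Accept]:
    """Parse tcpaccept lines, with or without the -t timestamp column."""
    events: List[Accept] = []
    has_time = None                  # learned from the header, if present
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if "PID" in fields and "LPORT" in fields:       # header line
            has_time = fields[0].startswith("TIME")
            continue
        # The last four columns are fixed: IP RADDR LADDR LPORT.
        ipver, raddr, laddr, lport = fields[-4:]
        prefix = fields[:-4]         # [TIME] PID COMM...
        if has_time is None:         # no header seen: a float first field means -t
            has_time = "." in prefix[0]
        time = float(prefix.pop(0)) if has_time else None
        pid, comm = int(prefix[0]), " ".join(prefix[1:])   # COMM may hold spaces
        events.append(Accept(time, pid, comm, int(ipver),
                             ipaddress.ip_address(raddr),
                             ipaddress.ip_address(laddr), int(lport)))
    return events

def unexpected_accepts(events: List[Accept], allowed: Set[int]) -> List[Accept]:
    """Accepts from non-loopback peers on listening ports outside the allow-list."""
    return [e for e in events if e.lport not in allowed and not e.raddr.is_loopback]
```

Feeding `./tcpaccept -t` output through `parse_tcpaccept` and `unexpected_accepts(events, {22})` on the sample above reports only the IPv6 accept on port 7001.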


USAGE message:

# ./tcpaccept -h
usage: tcpaccept [-h] [-t] [-p PID]

Trace TCP accepts

optional arguments:
  -h, --help         show this help message and exit
  -t, --timestamp    include timestamp on output
  -p PID, --pid PID  trace this PID only

examples:
    ./tcpaccept           # trace all TCP accept()s
    ./tcpaccept -t        # include timestamps
    ./tcpaccept -p 181    # only trace PID 181