Demonstrations of tcpconnect, the Linux eBPF/bcc version.


This tool traces the kernel function performing active TCP connections
(e.g., via a connect() syscall; accept() are passive connections). Some example
output (IP addresses changed to protect the innocent):

# ./tcpconnect
PID    COMM         IP SADDR            DADDR            DPORT
1479   telnet       4  127.0.0.1        127.0.0.1        23
1469   curl         4  10.201.219.236   54.245.105.25    80
1469   curl         4  10.201.219.236   54.67.101.145    80
1991   telnet       6  ::1              ::1              23
2015   ssh          6  fe80::2000:bff:fe82:3ac fe80::2000:bff:fe82:3ac 22

This output shows five connections: two from "telnet" processes, two from
"curl", and one from "ssh". The output columns show the IP version, source
address, destination address, and destination port. This traces attempted
connections: these may have failed.

The overhead of this tool should be negligible, since it is only tracing the
kernel functions performing connect. It is not tracing every packet and then
filtering.


The -t option prints a timestamp column:

# ./tcpconnect -t
TIME(s)  PID    COMM         IP SADDR            DADDR            DPORT
31.871   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
31.874   2482   local_agent  4  10.103.219.236   10.101.3.132     7001
31.878   2482   local_agent  4  10.103.219.236   10.171.133.98    7101
90.917   2482   local_agent  4  10.103.219.236   10.251.148.38    7001
90.928   2482   local_agent  4  10.103.219.236   10.102.64.230    7001
90.938   2482   local_agent  4  10.103.219.236   10.115.167.169   7101

The output shows some periodic connections (or attempts) from a "local_agent"
process to various other addresses. A few connections occur every minute.


The -U option prints a UID column:

# ./tcpconnect -U
UID   PID    COMM         IP SADDR            DADDR            DPORT
0     31333  telnet       6  ::1              ::1              23
0     31333  telnet       4  127.0.0.1        127.0.0.1        23
1000  31322  curl         4  127.0.0.1        127.0.0.1        80
1000  31322  curl         6  ::1              ::1              80


The -u option filters by UID:

# ./tcpconnect -Uu 1000
UID   PID    COMM         IP SADDR            DADDR            DPORT
1000  31338  telnet       6  ::1              ::1              23
1000  31338  telnet       4  127.0.0.1        127.0.0.1        23


USAGE message:

# ./tcpconnect -h
usage: tcpconnect [-h] [-t] [-p PID] [-P PORT]

Trace TCP connects

optional arguments:
  -h, --help         show this help message and exit
  -t, --timestamp    include timestamp on output
  -p PID, --pid PID  trace this PID only
  -P PORT, --port PORT
                     comma-separated list of destination ports to trace.
  -U, --print-uid    include UID on output
  -u UID, --uid UID  trace this UID only

examples:
    ./tcpconnect           # trace all TCP connect()s
    ./tcpconnect -t        # include timestamps
    ./tcpconnect -p 181    # only trace PID 181
    ./tcpconnect -P 80     # only trace port 80
    ./tcpconnect -P 80,81  # only trace port 80 and 81
    ./tcpconnect -U        # include UID
    ./tcpconnect -u 1000   # only trace UID 1000