1Demonstrations of tcpsubnet, the Linux eBPF/bcc version. 2 3 4tcpsubnet summarizes throughput by destination subnet. 5It works only for IPv4. Eg: 6 7# tcpsubnet 8Tracing... Output every 1 secs. Hit Ctrl-C to end 9[03/05/18 22:32:47] 10127.0.0.1/32 8 11[03/05/18 22:32:48] 12[03/05/18 22:32:49] 13[03/05/18 22:32:50] 14[03/05/18 22:32:51] 15[03/05/18 22:32:52] 16127.0.0.1/32 10 17[03/05/18 22:32:53] 18 19This example output shows the number of bytes sent to 127.0.0.1/32 (the 20loopback interface). For demo purposes, I set netcat listening on port 218080, connected to it and sent the following payloads. 22 23# nc 127.0.0.1 8080 241111111 25111111111 26 27The first line sends 7 digits plus the null character (8 bytes) 28The second line sends 9 digits plus the null character (10 bytes) 29 30Notice also, how tcpsubnet prints a header line with the current date 31and time formatted in the current locale. 32 33Try it yourself to get a feeling of how tcpsubnet works. 34 35By default, tcpsubnet will categorize traffic in the following subnets: 36 37- 127.0.0.1/32 38- 10.0.0.0/8 39- 172.16.0.0/12 40- 192.168.0.0/16 41- 0.0.0.0/0 42 43The last subnet is a catch-all. In other words, anything that doesn't 44match the first 4 defaults will be categorized under 0.0.0.0/0 45You can change this default behavior by passing a comma separated list 46of subnets. Let's say we would like to know how much traffic we 47are sending to github.com. We first find out what IPs github.com resolves 48to, Eg: 49 50# dig +short github.com 51192.30.253.112 52192.30.253.113 53 54With this information, we can come up with a reasonable range of IPs 55to monitor, Eg: 56 57# tcpsubnet.py 192.30.253.110/27,0.0.0.0/0 58Tracing... Output every 1 secs. Hit Ctrl-C to end 59[03/05/18 22:38:58] 600.0.0.0/0 5780 61192.30.253.110/27 2205 62[03/05/18 22:38:59] 630.0.0.0/0 2036 64192.30.253.110/27 1183 65[03/05/18 22:39:00] 66[03/05/18 22:39:01] 67192.30.253.110/27 12537 68 69If we would like to be more accurate, we can use the two IPs returned 70by dig, Eg: 71 72# tcpsubnet 192.30.253.113/32,192.130.253.112/32,0.0.0.0/0 73Tracing... Output every 1 secs. Hit Ctrl-C to end 74[03/05/18 22:42:56] 750.0.0.0/0 1177 76192.30.253.113/32 910 77[03/05/18 22:42:57] 780.0.0.0/0 48704 79192.30.253.113/32 892 80[03/05/18 22:42:58] 81192.30.253.113/32 891 820.0.0.0/0 858 83[03/05/18 22:42:59] 840.0.0.0/0 11159 85192.30.253.113/32 894 86[03/05/18 22:43:00] 870.0.0.0/0 60601 88 89NOTE: When used in production, it is expected that you will have full 90information about your network topology. In which case you won't need 91to approximate subnets nor need to put individual IP addresses like 92we just did. 93 94Notice that the order of the subnet matters. Say, we put 0.0.0.0/0 as 95the first element of the list and 192.130.253.112/32 as the second, all the 96traffic going to 192.130.253.112/32 will have been categorized in 970.0.0.0/0 as 192.130.253.112/32 is contained in 0.0.0.0/0. 98 99The default output unit is bytes. You can change it by using the 100-f [--format] flag. tcpsubnet uses the same flags as iperf for the unit 101format and adds mM. When using kmKM, the output will be rounded to floor. 102Eg: 103 104# tcpsubnet -fK 0.0.0.0/0 105[03/05/18 22:44:04] 1060.0.0.0/0 1 107[03/05/18 22:44:05] 1080.0.0.0/0 5 109[03/05/18 22:44:06] 1100.0.0.0/0 31 111 112Just like the majority of the bcc tools, tcpsubnet supports -i and --ebpf 113 114It also supports -v [--verbose] which gives useful debugging information 115on how the subnets are evaluated and the BPF program is constructed. 116 117Last but not least, it supports -J [--json] to print the output in 118JSON format. This is handy if you're calling tcpsubnet from another 119program (say a nodejs server) and would like to have a structured stdout. 120The output in JSON format will also include the date and time. 121Eg: 122 123# tcpsubnet -J -fK 192.130.253.110/27,0.0.0.0/0 124{"date": "03/05/18", "entries": {"0.0.0.0/0": 2}, "time": "22:46:27"} 125{"date": "03/05/18", "entries": {}, "time": "22:46:28"} 126{"date": "03/05/18", "entries": {}, "time": "22:46:29"} 127{"date": "03/05/18", "entries": {}, "time": "22:46:30"} 128{"date": "03/05/18", "entries": {"192.30.253.110/27": 0}, "time": "22:46:31"} 129{"date": "03/05/18", "entries": {"192.30.253.110/27": 1}, "time": "22:46:32"} 130{"date": "03/05/18", "entries": {"192.30.253.110/27": 18}, "time": "22:46:32"} 131 132 133USAGE: 134 135# ./tcpsubnet -h 136usage: tcpsubnet.py [-h] [-v] [-J] [-f {b,k,m,B,K,M}] [-i INTERVAL] [subnets] 137 138Summarize TCP send and aggregate by subnet 139 140positional arguments: 141 subnets comma separated list of subnets 142 143optional arguments: 144 -h, --help show this help message and exit 145 -v, --verbose output debug statements 146 -J, --json format output in JSON 147 -f {b,k,m,B,K,M}, --format {b,k,m,B,K,M} 148 [bkmBKM] format to report: bits, Kbits, Mbits, bytes, 149 KBytes, MBytes (default B) 150 -i INTERVAL, --interval INTERVAL 151 output interval, in seconds (default 1) 152 153examples: 154 ./tcpsubnet # Trace TCP sent to the default subnets: 155 # 127.0.0.1/32,10.0.0.0/8,172.16.0.0/12, 156 # 192.168.0.0/16,0.0.0.0/0 157 ./tcpsubnet -f K # Trace TCP sent to the default subnets 158 # aggregated in KBytes. 159 ./tcpsubnet 10.80.0.0/24 # Trace TCP sent to 10.80.0.0/24 only 160 ./tcpsubnet -J # Format the output in JSON. 161 162