tcpaccept(8)                System Manager's Manual               tcpaccept(8)

NAME

       tcpaccept - Trace TCP passive connections (accept()). Uses Linux
       eBPF/bcc.

SYNOPSIS

       tcpaccept [-h] [-T] [-t] [-p PID] [-P PORTS]

DESCRIPTION

       This tool traces passive TCP connections (e.g., via an accept() syscall;
       connect() calls are active connections). This can be useful for general
       troubleshooting to see what new connections the local server is
       accepting.

       This uses dynamic tracing of the kernel inet_csk_accept() socket
       function (from tcp_prot.accept), and will need to be modified to match
       kernel changes.

       This tool only traces successful TCP accept()s. Connection attempts to
       closed ports will not be shown (those can be traced via other
       functions).

       Since this uses BPF, only the root user can use this tool.

REQUIREMENTS

       CONFIG_BPF and bcc.

OPTIONS

       -h     Print usage message.

       -T     Include a time column on output (HH:MM:SS).

       -t     Include a timestamp column.

       -p PID Trace this process ID only (filtered in-kernel).

       -P PORTS
              Comma-separated list of local ports to trace (filtered
              in-kernel).

EXAMPLES

       Trace all passive TCP connections (accept()s):
              # tcpaccept

       Trace all TCP accepts, and include timestamps:
              # tcpaccept -t

       Trace connections to local ports 80 and 81 only:
              # tcpaccept -P 80,81

       Trace PID 181 only:
              # tcpaccept -p 181

FIELDS

       TIME   Time of the event, in HH:MM:SS format.

       TIME(s)
              Time of the event, in seconds.

       PID    Process ID

       COMM   Process name

       IP     IP address family (4 or 6)

       RADDR  Remote IP address.

       RPORT  Remote port

       LADDR  Local IP address.

       LPORT  Local port
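
       The fields above are enough to check accepted connections against a
       port/process allowlist. The Python below is an added example, not part
       of bcc: the sample output, its column order and the ALLOWED policy are
       constructed, and the parser takes the column names from the header line.

```python
# Added example: parse tcpaccept output and flag accepts that are not on an allowlist.
# SAMPLE is constructed; addresses are from documentation ranges.
SAMPLE = """\
TIME     PID    COMM         IP RADDR            RPORT LADDR            LPORT
10:01:02 907    sshd         4  192.0.2.10       32324 198.51.100.5     22
10:01:07 1184   nginx        4  192.0.2.44       51122 198.51.100.5     80
10:02:31 4410   python3      4  203.0.113.9      40112 198.51.100.5     8000
10:03:15 5120   Web Content  6  2001:db8::7      55010 2001:db8::1      81
"""

# Hypothetical policy: local port -> process names expected to accept on it.
ALLOWED = {22: {"sshd"}, 80: {"nginx"}, 81: {"nginx"}}


def parse_tcpaccept(text):
    """Return one dict per event, keyed by the column names in the header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    comm_at = header.index("COMM")
    events = []
    for line in lines[1:]:
        tok = line.split()
        extra = len(tok) - len(header)
        if extra < 0:
            continue  # truncated line: skip rather than guess
        # COMM is the only field that may contain spaces; rejoin its pieces.
        comm = " ".join(tok[comm_at:comm_at + extra + 1])
        row = tok[:comm_at] + [comm] + tok[comm_at + extra + 1:]
        ev = dict(zip(header, row))
        for key in ("PID", "IP", "RPORT", "LPORT"):
            if key in ev:
                ev[key] = int(ev[key])
        events.append(ev)
    return events


def unexpected_accepts(events, allowed):
    """Events whose local port is unlisted or whose process is not expected there."""
    return [ev for ev in events
            if ev["COMM"] not in allowed.get(ev["LPORT"], set())]


if __name__ == "__main__":
    for ev in unexpected_accepts(parse_tcpaccept(SAMPLE), ALLOWED):
        print(f'{ev["PID"]} {ev["COMM"]} accepted {ev["RADDR"]}:{ev["RPORT"]} '
              f'on {ev["LADDR"]}:{ev["LPORT"]}')
```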

OVERHEAD

       This traces the kernel inet_csk_accept function and prints output for
       each event. The rate of this depends on your server application. If it
       is a web or proxy server accepting many tens of thousands of
       connections per second, then the overhead of this tool may be
       measurable (although, still a lot better than tracing every packet). If
       it is less than a thousand a second, then the overhead is expected to
       be negligible. Test and understand this overhead before use.

SOURCE

       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.

OS

       Linux

STABILITY

       Unstable - in development.

AUTHOR

       Brendan Gregg

SEE ALSO

       tcpconnect(8), funccount(8), tcpdump(8)

USER COMMANDS                     2019-03-08                      tcpaccept(8)