1tcpconnect(8) System Manager's Manual tcpconnect(8)
2
6 tcpconnect.bt - Trace TCP active connections (connect()). Uses Linux
7 bpftrace/eBPF
8
10 tcpconnect.bt
11
13 This tool traces active TCP connections (eg, via a connect() syscall;
14 accept() are passive connections). This can be useful for general trou‐
15 bleshooting to see what connections are initiated by the local server.
16 All connection attempts are traced, even if they ultimately fail.
18 This works by tracing the kernel tcp_v4_connect() and tcp_v6_connect()
20 functions using dynamic tracing, and will need updating to match any
21 changes to these functions.
22 Since this uses BPF, only the root user can use this tool.
24
26 CONFIG_BPF and bpftrace.
27
29 Trace all active TCP connections:
30 # tcpconnect.bt
31 FIELDS
34 TIME(s)
36 Time of the call, in HH:MM:SS format.
37 PID Process ID
39 COMM Process name
41 SADDR Source IP address.
43 SPORT Source port.
45 DADDR Destination IP address.
47 DPORT Destination port
49
51 This traces the kernel tcp_v[46]_connect functions and prints output
52 for each event. As the rate of this is generally expected to be low (<
53 1000/s), the overhead is also expected to be negligible. If you have an
54 application that is calling a high rate of connects()s, such as a proxy
55 server, then test and understand this overhead before use.
56
58 This is from bpftrace
59 https://github.com/iovisor/bpftrace
61 Also look in the bpftrace distribution for a companion _examples.txt
63 file containing example usage, output, and commentary for this tool.
64 This is a bpftrace version of the bcc tool of the same name. The bcc
66 tool may provide more options and customizations.
67 https://github.com/iovisor/bcc
69
71 Linux
72
74 Unstable - in development.
75
77 Brendan Gregg, adapted for bpftrace by Dale Hamel
78
80 tcpaccept(8), funccount(8), tcpdump(8)
81USER COMMANDS 2018-11-24 tcpconnect(8)