tcptracer(8)                System Manager's Manual               tcptracer(8)

NAME
       tcptracer - Trace TCP established connections. Uses Linux eBPF/bcc.

SYNOPSIS
       tcptracer [-h] [-v] [-p PID] [-N NETNS] [--cgroupmap MAPPATH]
       [--mntnsmap MAPPATH]

DESCRIPTION
       This tool traces established TCP connections that open and close while
       tracing, and prints a line of output per connect, accept and close
       event. This includes the type of event, PID, IP addresses and ports.

       This tool works by using kernel dynamic tracing, and will need to be
       updated if the kernel implementation changes. Only established TCP
       connections are traced, so it is expected that the overhead of this
       tool is rather low.

       Since this uses BPF, only the root user can use this tool.

REQUIREMENTS
       CONFIG_BPF and bcc.

OPTIONS
       -h     Print usage message.

       -v     Print full lines, with long event type names and network
              namespace numbers.

       -p PID Trace this process ID only (filtered in-kernel).

       -N NETNS
              Trace this network namespace only (filtered in-kernel).

       --cgroupmap MAPPATH
              Trace cgroups in this BPF map only (filtered in-kernel).

       --mntnsmap MAPPATH
              Trace mount namespaces in the map (filtered in-kernel).

EXAMPLES
       Trace all TCP established connections:
              # tcptracer

       Trace all TCP established connections with verbose lines:
              # tcptracer -v

       Trace PID 181 only:
              # tcptracer -p 181

       Trace connections in network namespace 4026531969 only:
              # tcptracer -N 4026531969

       Trace a set of cgroups only (see special_filtering.md from bcc sources
       for more details):
              # tcptracer --cgroupmap /sys/fs/bpf/test01

FIELDS
       TYPE   Type of event. In non-verbose mode: C for connect, A for accept,
              X for close.

       PID    Process ID

       COMM   Process name

       IP     IP address family (4 or 6)

       SADDR  Source IP address.

       DADDR  Destination IP address.

       SPORT  Source port.

       DPORT  Destination port.

       NETNS  Network namespace where the event originated.
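       Consuming the output, as an added example that is not part of bcc or
       this man page: the script below parses tcptracer lines in the column
       order listed above (NETNS present only with -v), applies each connect,
       accept and close event to a per-process table, and reports which
       connections each process still holds open. It assumes the verbose
       event names are connect, accept and close, and the sample lines are
       constructed rather than captured.

```python
"""Parse tcptracer output and track which TCP connections each process
holds open. Added example, not bcc code. Assumes the column order under
FIELDS (TYPE PID COMM IP SADDR DADDR SPORT DPORT, NETNS only with -v) and
that verbose event names are connect, accept and close (assumption)."""
from collections import defaultdict

# Constructed sample lines in non-verbose format (not a real capture).
SAMPLE = """\
T  PID    COMM             IP SADDR            DADDR            SPORT  DPORT
C  28943  curl             4  10.0.2.15        93.184.216.34    41788  80
A  3124   nginx            4  10.0.2.15        10.0.2.2         443    52114
C  28943  curl             6  ::1              ::1              51220  8080
X  28943  curl             4  10.0.2.15        93.184.216.34    41788  80
X  3124   nginx            4  10.0.2.15        10.0.2.2         443    52114
"""
# Short codes (non-verbose) and long names (-v) map to one event name.
EVENT_NAMES = {"C": "connect", "A": "accept", "X": "close",
               "connect": "connect", "accept": "accept", "close": "close"}

def parse_line(line):
    """Return one event as a dict, or None for header/blank/unknown lines."""
    parts = line.split()
    if len(parts) < 8 or parts[0] not in EVENT_NAMES:
        return None
    ev = {"type": EVENT_NAMES[parts[0]], "pid": int(parts[1]),
          "comm": parts[2], "ip": int(parts[3]), "saddr": parts[4],
          "daddr": parts[5], "sport": int(parts[6]), "dport": int(parts[7])}
    ev["netns"] = int(parts[8]) if len(parts) > 8 else None  # -v only
    return ev

def track(lines):
    """Apply events in order; return (still_open, counts) keyed by (pid, comm):
    4-tuples not yet closed, and the number of connect+accept events."""
    still_open = defaultdict(set)
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["pid"], ev["comm"])
        conn = (ev["saddr"], ev["sport"], ev["daddr"], ev["dport"])
        if ev["type"] in ("connect", "accept"):
            still_open[key].add(conn)
            counts[key] += 1
        else:  # close; a close for a connection never seen is ignored
            still_open[key].discard(conn)
    return {k: v for k, v in still_open.items() if v}, dict(counts)

if __name__ == "__main__":
    print(track(SAMPLE.splitlines()))
```

       Feed it a saved trace (tcptracer > trace.txt) and the processes left in
       the first result are those whose connections were never closed while
       tracing.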

OVERHEAD
       This traces the kernel inet accept function, and the TCP connect,
       close, and set state functions. However, it only prints information for
       connections that are established, so it shouldn't have a huge overhead.

       As always, test and understand this tool's overhead for your types of
       workloads before production use.

SOURCE
       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.

OS
       Linux

STABILITY
       Unstable - in development.

AUTHOR
       Iago López Galeiras

SEE ALSO
       tcpaccept(8), tcpconnect(8), tcptop(8), tcplife(8)

USER COMMANDS                     2020-02-20                      tcptracer(8)