tcpaccept(8)                System Manager's Manual               tcpaccept(8)

NAME

       tcpaccept - Trace TCP passive connections (accept()). Uses Linux
       eBPF/bcc.

SYNOPSIS

       tcpaccept [-h] [-T] [-t] [-p PID] [-P PORTS] [-4 | -6] [--cgroupmap
       MAPPATH] [--mntnsmap MAPPATH]

DESCRIPTION

       This tool traces passive TCP connections (e.g., via an accept() syscall;
       connect() calls are active connections). This can be useful for general
       troubleshooting to see what new connections the local server is accepting.

       This uses dynamic tracing of the kernel inet_csk_accept() socket function
       (from tcp_prot.accept), and will need to be modified to match kernel
       changes.

       This tool only traces successful TCP accept()s. Connection attempts to
       closed ports will not be shown (those can be traced via other functions).

       Since this uses BPF, only the root user can use this tool.

REQUIREMENTS

       CONFIG_BPF and bcc.

OPTIONS

       -h     Print usage message.

       -T     Include a time column on output (HH:MM:SS).

       -t     Include a timestamp column.

       -p PID Trace this process ID only (filtered in-kernel).

       -P PORTS
              Comma-separated list of local ports to trace (filtered in-kernel).

       -4     Trace IPv4 family only.

       -6     Trace IPv6 family only.

       --cgroupmap MAPPATH
              Trace cgroups in this BPF map only (filtered in-kernel).

       --mntnsmap MAPPATH
              Trace mount namespaces in this BPF map only (filtered in-kernel).

EXAMPLES

       Trace all passive TCP connections (accept()s):
              # tcpaccept

       Trace all TCP accepts, and include timestamps:
              # tcpaccept -t

       Trace connections to local ports 80 and 81 only:
              # tcpaccept -P 80,81

       Trace PID 181 only:
              # tcpaccept -p 181

       Trace IPv4 family only:
              # tcpaccept -4

       Trace IPv6 family only:
              # tcpaccept -6

       Trace a set of cgroups only (see special_filtering.md from bcc sources
       for more details):
              # tcpaccept --cgroupmap /sys/fs/bpf/test01

FIELDS

       TIME   Time of the event, in HH:MM:SS format.

       TIME(s)
              Time of the event, in seconds.

       PID    Process ID

       COMM   Process name

       IP     IP address family (4 or 6)

       RADDR  Remote IP address.

       RPORT  Remote port

       LADDR  Local IP address.

       LPORT  Local port
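
The columns above can be post-processed to spot processes accepting connections on ports they are not expected to serve. The following Python is an added example, not part of bcc: it reads the header row to locate the columns (so it works with or without -T/-t) and tolerates spaces in COMM. The sample lines and the EXPECTED allowlist are constructed for illustration.

```python
# Constructed sample of `tcpaccept -t` output (documentation address ranges).
SAMPLE = """\
TIME(s)  PID     COMM         IP RADDR            RPORT LADDR            LPORT
0.000    907     sshd         4  192.0.2.10       32324 198.51.100.5     22
0.412    1201    nginx        4  192.0.2.77       51810 198.51.100.5     443
3.907    4410    python3      4  192.0.2.99       40022 198.51.100.5     9001
5.120    1201    nginx        6  2001:db8::7      51822 2001:db8::5      443
6.300    5002    my daemon    4  192.0.2.10       40100 198.51.100.5     8080
"""

# Hypothetical allowlist: process name -> local ports it may accept on.
EXPECTED = {"sshd": {22}, "nginx": {80, 443}}

# The five columns that always follow COMM, per the FIELDS section.
TAIL = ["IP", "RADDR", "RPORT", "LADDR", "LPORT"]


def parse(text):
    """Yield one dict per accept event, using the header row to find columns."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    lead = header[:header.index("COMM")]  # TIME, TIME(s), PID as present
    for line in lines[1:]:
        tok = line.split()
        if len(tok) < len(lead) + 1 + len(TAIL):
            continue  # truncated or non-event line
        ev = dict(zip(lead, tok[:len(lead)]))
        ev.update(zip(TAIL, tok[-len(TAIL):]))
        # COMM is whatever sits between the two groups; it may contain spaces.
        ev["COMM"] = " ".join(tok[len(lead):-len(TAIL)])
        try:
            for key in ("PID", "RPORT", "LPORT"):
                ev[key] = int(ev[key])
        except ValueError:
            continue  # numeric column did not parse; skip the line
        yield ev


def unexpected(events, expected=EXPECTED):
    """Return events whose (COMM, LPORT) pair is not in the allowlist."""
    return [e for e in events if e["LPORT"] not in expected.get(e["COMM"], set())]


if __name__ == "__main__":
    for e in unexpected(parse(SAMPLE)):
        print(f'{e["COMM"]} (pid {e["PID"]}) accepted '
              f'{e["RADDR"]}:{e["RPORT"]} on local port {e["LPORT"]}')
```

COMM is only a process name and can be set by the process itself, so treat a match as a hint and confirm with the PID.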

OVERHEAD

       This traces the kernel inet_csk_accept function and prints output for
       each event. The rate of this depends on your server application. If it
       is a web or proxy server accepting many tens of thousands of connections
       per second, then the overhead of this tool may be measurable (although,
       still a lot better than tracing every packet). If it is less than a
       thousand a second, then the overhead is expected to be negligible. Test
       and understand this overhead before use.

SOURCE

       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.

OS

       Linux

STABILITY

       Unstable - in development.

AUTHOR

       Brendan Gregg

SEE ALSO

       tcptracer(8), tcpconnect(8), funccount(8), tcpdump(8)

USER COMMANDS                     2020-02-20                      tcpaccept(8)