tcptracer(8)                System Manager's Manual               tcptracer(8)




NAME

       tcptracer - Trace TCP established connections. Uses Linux eBPF/bcc.


SYNOPSIS

       tcptracer   [-h]   [-v]  [-p  PID]  [-N  NETNS]  [--cgroupmap  MAPPATH]
       [--mntnsmap MAPPATH] [-4 | -6]


DESCRIPTION

       This tool traces established TCP connections that open and close  while
       tracing,  and  prints  a  line  of output per connect, accept and close
       event. This includes the type of event, PID, IP addresses and ports.

       This tool works by using kernel dynamic tracing, and will  need  to  be
       updated if the kernel implementation changes. Only established TCP con‐
       nections are traced, so it is expected that the overhead of  this  tool
       is rather low.

       Since this uses BPF, only the root user can use this tool.


REQUIREMENTS

       CONFIG_BPF and bcc.


OPTIONS

       -h     Print usage message.

       -v     Print  full  lines, with long event type names and network name‐
              space numbers.

       -p PID Trace this process ID only (filtered in-kernel).

       -N NETNS
              Trace this network namespace only (filtered in-kernel).

       --cgroupmap MAPPATH
              Trace cgroups in this BPF map only (filtered in-kernel).

       --mntnsmap MAPPATH
              Trace mount namespaces in this BPF map only (filtered in-kernel).

       -4     Trace IPv4 family only.

       -6     Trace IPv6 family only.


EXAMPLES

       Trace all TCP established connections:
              # tcptracer

       Trace all TCP established connections with verbose lines:
              # tcptracer -v

       Trace PID 181 only:
              # tcptracer -p 181

       Trace connections in network namespace 4026531969 only:
              # tcptracer -N 4026531969

       Trace a set of cgroups only (see special_filtering.md from bcc  sources
       for more details):
              # tcptracer --cgroupmap /sys/fs/bpf/test01

       Trace IPv4 family only:
              # tcptracer -4

       Trace IPv6 family only:
              # tcptracer -6


FIELDS

       TYPE   Type of event. In non-verbose mode: C for connect, A for accept,
              X for close.

       PID    Process ID.

       COMM   Process name.

       IP     IP address family (4 or 6).

       SADDR  Source IP address.

       DADDR  Destination IP address.

       SPORT  Source port.

       DPORT  Destination port.

       NETNS  Network namespace where the event originated (verbose mode).

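       An added example, not part of bcc or of this man page: a small Python
       parser for tcptracer's non-verbose output that replays the C/A/X events
       into a table of currently open connections and lists outbound connects
       to ports outside an egress allowlist. It assumes the column order given
       in FIELDS above, that a close line carries the same addresses and ports
       as the connect or accept it ends, and uses constructed sample lines.

```python
"""Parse tcptracer's non-verbose output and replay its C/A/X events.

Assumptions (not verified against bcc): columns appear in the order the FIELDS
section lists them, and a close (X) line carries the same addresses and ports
as the connect/accept line it ends. The sample below is constructed."""

SAMPLE_OUTPUT = """\
Tracing TCP established connections. Ctrl-C to end.
T  PID    COMM             IP SADDR            DADDR            SPORT  DPORT
C  1234   curl             4  192.0.2.5        198.51.100.7     44321  443
A  567    nginx            4  192.0.2.5        192.0.2.9        80     51022
C  1234   curl             6  ::1              ::1              44322  8080
X  1234   curl             4  192.0.2.5        198.51.100.7     44321  443
"""

FIELDS = ("type", "pid", "comm", "ip", "saddr", "daddr", "sport", "dport")


def parse_line(line):
    """Return one event as a dict, or None for the banner and header lines."""
    parts = line.split()          # IPv6 addresses contain ':' but no spaces
    if len(parts) != len(FIELDS) or parts[0] not in ("C", "A", "X"):
        return None
    ev = dict(zip(FIELDS, parts))
    for k in ("pid", "sport", "dport"):
        ev[k] = int(ev[k])
    return ev


def track_connections(text):
    """Replay events in order; return the connections still open at the end,
    keyed by (pid, saddr, sport, daddr, dport)."""
    open_conns = {}
    for ev in filter(None, map(parse_line, text.splitlines())):
        key = (ev["pid"], ev["saddr"], ev["sport"], ev["daddr"], ev["dport"])
        if ev["type"] in ("C", "A"):
            open_conns[key] = ev
        else:                      # X: a close we never saw open is dropped
            open_conns.pop(key, None)
    return open_conns


def unexpected_connects(text, allowed_dports=frozenset({80, 443})):
    """Outbound (C) events to destination ports outside an egress allowlist;
    a cheap first-pass check over a captured trace."""
    return [ev for ev in filter(None, map(parse_line, text.splitlines()))
            if ev["type"] == "C" and ev["dport"] not in allowed_dports]
```

       Pipe a saved trace into it, or read tcptracer's stdout line by line; the
       verbose (-v) format adds columns and is not handled here.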

OVERHEAD

       This traces the kernel inet  accept  function,  and  the  TCP  connect,
       close, and set state functions. However, it only prints information for
       connections that are established, so it shouldn't have a huge overhead.

       As always, test and understand this tool's overhead for your  types  of
       workloads before production use.


SOURCE

       This is from bcc.

              https://github.com/iovisor/bcc

       Also  look  in  the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.


OS

       Linux


STABILITY

       Unstable - in development.


AUTHOR

       Iago López Galeiras


SEE ALSO

       tcpaccept(8), tcpconnect(8), tcptop(8), tcplife(8)



USER COMMANDS                     2020-02-20                      tcptracer(8)