tcptracer(8)                System Manager's Manual               tcptracer(8)


NAME

       tcptracer - Trace TCP established connections. Uses Linux eBPF/bcc.

SYNOPSIS

       tcptracer  [-h]  [-v]  [-t]  [-p  PID] [-N NETNS] [--cgroupmap MAPPATH]
       [--mntnsmap MAPPATH] [-4 | -6]

DESCRIPTION

       This tool traces established TCP connections that open and close  while
       tracing,  and  prints  a  line  of output per connect, accept and close
       event. Each line includes the type of event, PID, IP addresses and ports.

       This tool works by using kernel dynamic tracing, and will  need  to  be
       updated if the kernel implementation changes. Only established TCP con‐
       nections are traced, so the overhead of this tool is expected to be low.

       Since this uses BPF, only the root user can use this tool.

REQUIREMENTS

       CONFIG_BPF and bcc.

OPTIONS

       -h     Print usage message.

       -v     Print  full  lines, with long event type names and network name‐
              space numbers.

       -t     Include a timestamp on output.

       -p PID Trace this process ID only (filtered in-kernel).

       -N NETNS
              Trace this network namespace only (filtered in-kernel).

       --cgroupmap MAPPATH
              Trace cgroups in this BPF map only (filtered in-kernel).

       --mntnsmap MAPPATH
              Trace mount namespaces in this BPF map only (filtered in-kernel).

       -4     Trace IPv4 family only.

       -6     Trace IPv6 family only.

EXAMPLES

       Trace all TCP established connections:
              # tcptracer

       Trace all TCP established connections with verbose lines:
              # tcptracer -v

       Trace PID 181 only:
              # tcptracer -p 181

       Trace connections in network namespace 4026531969 only:
              # tcptracer -N 4026531969

       Trace a set of cgroups only (see special_filtering.md from bcc  sources
       for more details):
              # tcptracer --cgroupmap /sys/fs/bpf/test01

       Trace IPv4 family only:
              # tcptracer -4

       Trace IPv6 family only:
              # tcptracer -6

FIELDS

       TYPE   Type of event. In non-verbose mode: C for connect, A for accept,
              X for close. In verbose mode the full event name is printed.

       PID    Process ID

       COMM   Process name

       IP     IP address family (4 or 6)

       SADDR  Source IP address.

       DADDR  Destination IP address.

       SPORT  Source port.

       DPORT  Destination port.

       NETNS  Network namespace where the event originated (verbose mode only).
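       The following is an added example, not part of bcc or the tcptracer
       tool.  It consumes the per-event lines described under FIELDS, pairs
       each connect/accept with its close to compute a connection lifetime,
       and flags outbound connects whose DPORT is not on an allowlist, which
       is the kind of egress check a responder would run over this output.
       It assumes the verbose, timestamped layout (tcptracer -v -t): one
       whitespace-separated event per line in the column order TIME(s) TYPE
       PID COMM IP SADDR DADDR SPORT DPORT NETNS, and that COMM contains no
       spaces.  The sample lines embedded below are constructed for the
       example, not captured output.

```python
"""Correlate and alert on tcptracer(8) -v -t output.

Added example; not code from bcc or tcptracer.  Column layout and the
sample lines are assumptions documented in the lead-in.
"""
from collections import namedtuple
from typing import Dict, FrozenSet, List, Tuple

Event = namedtuple(
    "Event", "time type pid comm ip saddr daddr sport dport netns"
)

# Constructed sample of `tcptracer -v -t` output (not real captured data).
SAMPLE_OUTPUT = """\
Tracing TCP established connections. Ctrl-C to end.
TIME(s)  TYPE     PID    COMM      IP SADDR          DADDR          SPORT  DPORT  NETNS
0.000    connect  4242   curl      4  10.0.0.5       93.184.216.34  51234  443    4026531992
0.120    accept   1337   nginx     4  10.0.0.5       10.0.0.9       80     40002  4026531992
0.310    connect  4711   python3   4  10.0.0.5       198.51.100.7   51235  4444   4026531992
0.480    close    4242   curl      4  10.0.0.5       93.184.216.34  51234  443    4026531992
2.010    close    1337   nginx     4  10.0.0.5       10.0.0.9       80     40002  4026531992
"""

# Full names in verbose mode, single letters otherwise (see FIELDS).
OPEN_TYPES = {"connect", "accept", "C", "A"}
CLOSE_TYPES = {"close", "X"}

ConnKey = Tuple[int, int, str, int, str, int]


def parse_events(text: str) -> List[Event]:
    """Parse event lines; skip the banner, the header and blank lines."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 10 or fields[0] == "TIME(s)":
            continue
        events.append(Event(
            time=float(fields[0]), type=fields[1], pid=int(fields[2]),
            comm=fields[3], ip=int(fields[4]), saddr=fields[5],
            daddr=fields[6], sport=int(fields[7]), dport=int(fields[8]),
            netns=int(fields[9]),
        ))
    return events


def connection_key(ev: Event) -> ConnKey:
    """Identify a socket by namespace plus its 5-tuple (minus protocol)."""
    return (ev.netns, ev.ip, ev.saddr, ev.sport, ev.daddr, ev.dport)


def match_lifetimes(events: List[Event]) -> Dict[ConnKey, float]:
    """Pair each connect/accept with the matching close; return durations."""
    open_at: Dict[ConnKey, float] = {}
    durations: Dict[ConnKey, float] = {}
    for ev in events:
        key = connection_key(ev)
        if ev.type in OPEN_TYPES:
            open_at[key] = ev.time
        elif ev.type in CLOSE_TYPES and key in open_at:
            durations[key] = round(ev.time - open_at.pop(key), 3)
    return durations


def unexpected_egress(events: List[Event],
                      allowed_dports: FrozenSet[int] = frozenset({80, 443})
                      ) -> List[Event]:
    """Outbound connects whose destination port is not on the allowlist.

    Only connect events count: an accept means a remote peer dialled in,
    and its DPORT is the peer's ephemeral port, not a service we chose.
    """
    return [ev for ev in events
            if ev.type in OPEN_TYPES - {"accept", "A"}
            and ev.dport not in allowed_dports]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_OUTPUT)
    for key, secs in match_lifetimes(evs).items():
        print("lifetime %.3fs: %s" % (secs, key))
    for ev in unexpected_egress(evs):
        print("ALERT pid=%d comm=%s -> %s:%d" % (ev.pid, ev.comm, ev.daddr, ev.dport))
```

       To run it against a live trace, pipe the tool's stdout into the
       script (tcptracer -v -t | python3 thisscript.py with the sample
       replaced by sys.stdin.read()); the parser keys connections on the
       NETNS column as well as the address tuple so that identical 5-tuples
       in different network namespaces are not conflated.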

OVERHEAD

       This traces the kernel inet  accept  function,  and  the  TCP  connect,
       close, and set state functions. However, it only prints information for
       connections that are established, so it shouldn't have a large overhead.

       As always, test and understand this tool's overhead for your  types  of
       workloads before production use.

SOURCE

       This is from bcc.

              https://github.com/iovisor/bcc

       Also  look  in  the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.

OS

       Linux

STABILITY

       Unstable - in development.

AUTHOR

       Iago López Galeiras

SEE ALSO

       tcpaccept(8), tcpconnect(8), tcptop(8), tcplife(8)

USER COMMANDS                     2020-02-20                      tcptracer(8)