forked from bpftrace/bpftrace
-
Notifications
You must be signed in to change notification settings - Fork 0
/
tcplife.bt
executable file
·98 lines (88 loc) · 2.69 KB
/
tcplife.bt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
#!/usr/bin/env bpftrace
/*
* tcplife - Trace TCP session lifespans with connection details.
*
* See BPF Performance Tools, Chapter 10, for an explanation of this tool.
*
* Copyright (c) 2019 Brendan Gregg.
* Licensed under the Apache License, Version 2.0 (the "License").
* This was originally created for the BPF Performance Tools book
* published by Addison Wesley. ISBN-13: 9780136554820
* When copying or porting, include this comment.
*
* 17-Apr-2019 Brendan Gregg Created this.
*/
#include <net/tcp_states.h>
#include <net/sock.h>
#include <linux/socket.h>
#include <linux/tcp.h>
BEGIN
{
printf("%-5s %-10s %-15s %-5s %-15s %-5s ", "PID", "COMM",
"LADDR", "LPORT", "RADDR", "RPORT");
printf("%5s %5s %s\n", "TX_KB", "RX_KB", "MS");
}
kprobe:tcp_set_state
{
$sk = (struct sock *)arg0;
$newstate = arg1;
/*
* This tool includes PID and comm context. From TCP this is best
* effort, and may be wrong in some situations. It does this:
* - record timestamp on any state < TCP_FIN_WAIT1
* note some state transitions may not be present via this kprobe
* - cache task context on:
* TCP_SYN_SENT: tracing from client
* TCP_LAST_ACK: client-closed from server
* - do output on TCP_CLOSE:
* fetch task context if cached, or use current task
*/
// record first timestamp seen for this socket
if ($newstate < TCP_FIN_WAIT1 && @birth[$sk] == 0) {
@birth[$sk] = nsecs;
}
// record PID & comm on SYN_SENT
if ($newstate == TCP_SYN_SENT || $newstate == TCP_LAST_ACK) {
@skpid[$sk] = pid;
@skcomm[$sk] = comm;
}
// session ended: calculate lifespan and print
if ($newstate == TCP_CLOSE && @birth[$sk]) {
$delta_ms = (nsecs - @birth[$sk]) / 1000000;
$lport = $sk->__sk_common.skc_num;
$dport = $sk->__sk_common.skc_dport;
$dport = ($dport >> 8) | (($dport << 8) & 0xff00);
$tp = (struct tcp_sock *)$sk;
$pid = @skpid[$sk];
$comm = @skcomm[$sk];
if ($comm == "") {
// not cached, use current task
$pid = pid;
$comm = comm;
}
$family = $sk->__sk_common.skc_family;
$saddr = ntop(0);
$daddr = ntop(0);
if ($family == AF_INET) {
$saddr = ntop(AF_INET, $sk->__sk_common.skc_rcv_saddr);
$daddr = ntop(AF_INET, $sk->__sk_common.skc_daddr);
} else {
// AF_INET6
$saddr = ntop(AF_INET6,
$sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);
$daddr = ntop(AF_INET6,
$sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);
}
printf("%-5d %-10.10s %-15s %-5d %-15s %-6d ", $pid,
$comm, $saddr, $lport, $daddr, $dport);
printf("%5d %5d %d\n", $tp->bytes_acked / 1024,
$tp->bytes_received / 1024, $delta_ms);
delete(@birth[$sk]);
delete(@skpid[$sk]);
delete(@skcomm[$sk]);
}
}
END
{
clear(@birth); clear(@skpid); clear(@skcomm);
}