Demonstrations of tcpaccept, the Linux eBPF/bcc version.


This tool traces the kernel function accepting TCP socket connections (eg, a
passive connection via accept(); not connect()). Some example output (IP
addresses changed to protect the innocent):

# ./tcpaccept
PID    COMM         IP RADDR            RPORT  LADDR            LPORT
907    sshd         4  192.168.56.1     32324  192.168.56.102   22
907    sshd         4  127.0.0.1        39866  127.0.0.1        22
5389   perl         6  1234:ab12:2040:5020:2299:0:5:0 52352 1234:ab12:2040:5020:2299:0:5:0 7001

This output shows three connections, two IPv4 connections to PID 907, an "sshd"
process listening on port 22, and one IPv6 connection to a "perl" process
listening on port 7001.

The overhead of this tool should be negligible, since it is only tracing the
kernel function performing accept. It is not tracing every packet and then
filtering.

This tool only traces successful TCP accept()s. Connection attempts to closed
ports will not be shown (those can be traced via other functions).


The -t option prints a timestamp column:

# ./tcpaccept -t
TIME(s)  PID    COMM         IP RADDR            RPORT LADDR            LPORT
0.000    907    sshd         4  127.0.0.1        53700 127.0.0.1        22
0.010    5389   perl         6  1234:ab12:2040:5020:2299:0:5:0 40614 1234:ab12:2040:5020:2299:0:5:0 7001
0.992    907    sshd         4  127.0.0.1        32548 127.0.0.1        22
1.984    907    sshd         4  127.0.0.1        51250 127.0.0.1        22


The --cgroupmap option filters based on a cgroup set. It is meant to be used
with an externally created map.

# ./tcpaccept --cgroupmap /sys/fs/bpf/test01

For more details, see docs/special_filtering.md


USAGE message:

# ./tcpaccept -h
usage: tcpaccept.py [-h] [-T] [-t] [-p PID] [-P PORT] [-4 | -6] [--cgroupmap CGROUPMAP]

Trace TCP accepts

optional arguments:
  -h, --help            show this help message and exit
  -T, --time            include time column on output (HH:MM:SS)
  -t, --timestamp       include timestamp on output
  -p PID, --pid PID     trace this PID only
  -P PORT, --port PORT  comma-separated list of local ports to trace
  -4, --ipv4            trace IPv4 family only
  -6, --ipv6            trace IPv6 family only
  --cgroupmap CGROUPMAP
                        trace cgroups in this BPF map only

examples:
    ./tcpaccept           # trace all TCP accept()s
    ./tcpaccept -t        # include timestamps
    ./tcpaccept -P 80,81  # only trace port 80 and 81
    ./tcpaccept -p 181    # only trace PID 181
    ./tcpaccept --cgroupmap mappath  # only trace cgroups in this BPF map
    ./tcpaccept --mntnsmap mappath   # only trace mount namespaces in the map
    ./tcpaccept -4        # trace IPv4 family only
    ./tcpaccept -6        # trace IPv6 family only