Demonstrations of tcptracer, the Linux eBPF/bcc version.


This tool traces the kernel functions that establish TCP connections (e.g., via the
connect() or accept() syscalls) and close them (explicitly, or when the process
dies). Some example output (IP addresses are fake):

```
# ./tcptracer
Tracing TCP established connections. Ctrl-C to end.
T  PID    COMM             IP SADDR            DADDR            SPORT  DPORT
C  28943  telnet           4  192.168.1.2      192.168.1.1      59306  23
C  28818  curl             6  [::1]            [::1]            55758  80
X  28943  telnet           4  192.168.1.2      192.168.1.1      59306  23
A  28817  nc               6  [::1]            [::1]            80     55758
X  28818  curl             6  [::1]            [::1]            55758  80
X  28817  nc               6  [::1]            [::1]            80     55758
A  28978  nc               4  10.202.210.1     10.202.109.12    8080   59160
X  28978  nc               4  10.202.210.1     10.202.109.12    8080   59160
```

This output shows three connections: one outgoing from a "telnet" process, one
outgoing from "curl" to a local netcat, and one incoming received by the "nc"
process. The columns show the kind of event (C for connect, X for close and A
for accept), PID, command name, IP version, source address, destination address,
source port and destination port. Each connect or accept event is later matched
by a close event with the same addresses and ports.

The -t option prints a timestamp column:

```
# ./tcptracer -t
Tracing TCP established connections. Ctrl-C to end.
TIME(s)  T  PID    COMM             IP SADDR            DADDR            SPORT  DPORT
0.000    C  31002  telnet           4  192.168.1.2      192.168.1.1      42590  23
3.546    C    748  curl             6  [::1]            [::1]            42592  80
4.294    X  31002  telnet           4  192.168.1.2      192.168.1.1      42590  23
```

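As an added example (not part of bcc or the tcptracer tool itself), the following Python parser reads tcptracer output, with or without the -t column, and pairs each C/A event with its matching X event so that connection lifetimes and directions can be reported; the sample input is constructed in the -t format shown above, with fake addresses.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample (addresses are fake), in tcptracer -t format.
SAMPLE = """\
Tracing TCP established connections. Ctrl-C to end.
TIME(s)  T  PID    COMM             IP SADDR            DADDR            SPORT  DPORT
0.000    C  31002  telnet           4  192.168.1.2      192.168.1.1      42590  23
3.546    C    748  curl             6  [::1]            [::1]            42592  80
3.547    A    749  nc               6  [::1]            [::1]            80     42592
4.294    X  31002  telnet           4  192.168.1.2      192.168.1.1      42590  23
"""

@dataclass
class Session:
    pid: int
    comm: str
    direction: str            # "outgoing" for C events, "incoming" for A events
    ipver: int
    saddr: str
    daddr: str
    sport: int
    dport: int
    start: Optional[float]    # None when tcptracer was run without -t
    end: Optional[float] = None

    @property
    def duration(self) -> Optional[float]:
        if self.start is None or self.end is None:
            return None
        return round(self.end - self.start, 3)

def parse(text: str):
    """Return (closed sessions, sessions still open at end of input)."""
    open_, closed = {}, []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] in ("Tracing", "T", "TIME(s)"):
            continue                                   # banner / header lines
        ts = float(f.pop(0)) if f[0] not in ("C", "A", "X") else None
        typ, pid, comm, ipver, saddr, daddr, sport, dport = f
        key = (pid, ipver, saddr, daddr, sport, dport)  # addresses + ports identify the flow
        if typ in ("C", "A"):
            open_[key] = Session(int(pid), comm, "outgoing" if typ == "C" else "incoming",
                                 int(ipver), saddr, daddr, int(sport), int(dport), ts)
        elif key in open_:      # X for a flow we saw open; an unmatched X predates tracing
            s = open_.pop(key)
            s.end = ts
            closed.append(s)
    return closed, list(open_.values())
```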