1#!/usr/bin/python 2# @lint-avoid-python-3-compatibility-imports 3# 4# tcpconnect Trace TCP connect()s. 5# For Linux, uses BCC, eBPF. Embedded C. 6# 7# USAGE: tcpconnect [-h] [-t] [-p PID] [-P PORT [PORT ...]] 8# 9# All connection attempts are traced, even if they ultimately fail. 10# 11# This uses dynamic tracing of kernel functions, and will need to be updated 12# to match kernel changes. 13# 14# Copyright (c) 2015 Brendan Gregg. 15# Licensed under the Apache License, Version 2.0 (the "License") 16# 17# 25-Sep-2015 Brendan Gregg Created this. 18# 14-Feb-2016 " " Switch to bpf_perf_output. 19 20from __future__ import print_function 21from bcc import BPF 22import argparse 23from socket import inet_ntop, ntohs, AF_INET, AF_INET6 24from struct import pack 25import ctypes as ct 26 27# arguments 28examples = """examples: 29 ./tcpconnect # trace all TCP connect()s 30 ./tcpconnect -t # include timestamps 31 ./tcpconnect -p 181 # only trace PID 181 32 ./tcpconnect -P 80 # only trace port 80 33 ./tcpconnect -P 80,81 # only trace port 80 and 81 34""" 35parser = argparse.ArgumentParser( 36 description="Trace TCP connects", 37 formatter_class=argparse.RawDescriptionHelpFormatter, 38 epilog=examples) 39parser.add_argument("-t", "--timestamp", action="store_true", 40 help="include timestamp on output") 41parser.add_argument("-p", "--pid", 42 help="trace this PID only") 43parser.add_argument("-P", "--port", 44 help="comma-separated list of destination ports to trace.") 45parser.add_argument("--ebpf", action="store_true", 46 help=argparse.SUPPRESS) 47args = parser.parse_args() 48debug = 0 49 50# define BPF program 51bpf_text = """ 52#include <uapi/linux/ptrace.h> 53#include <net/sock.h> 54#include <bcc/proto.h> 55 56BPF_HASH(currsock, u32, struct sock *); 57 58// separate data structs for ipv4 and ipv6 59struct ipv4_data_t { 60 u64 ts_us; 61 u32 pid; 62 u32 saddr; 63 u32 daddr; 64 u64 ip; 65 u16 dport; 66 char task[TASK_COMM_LEN]; 67}; 68BPF_PERF_OUTPUT(ipv4_events); 69 70struct ipv6_data_t { 71 u64 ts_us; 72 u32 pid; 73 unsigned __int128 saddr; 74 unsigned __int128 daddr; 75 u64 ip; 76 u16 dport; 77 char task[TASK_COMM_LEN]; 78}; 79BPF_PERF_OUTPUT(ipv6_events); 80 81int trace_connect_entry(struct pt_regs *ctx, struct sock *sk) 82{ 83 u32 pid = bpf_get_current_pid_tgid(); 84 FILTER_PID 85 86 // stash the sock ptr for lookup on return 87 currsock.update(&pid, &sk); 88 89 return 0; 90}; 91 92static int trace_connect_return(struct pt_regs *ctx, short ipver) 93{ 94 int ret = PT_REGS_RC(ctx); 95 u32 pid = bpf_get_current_pid_tgid(); 96 97 struct sock **skpp; 98 skpp = currsock.lookup(&pid); 99 if (skpp == 0) { 100 return 0; // missed entry 101 } 102 103 if (ret != 0) { 104 // failed to send SYNC packet, may not have populated 105 // socket __sk_common.{skc_rcv_saddr, ...} 106 currsock.delete(&pid); 107 return 0; 108 } 109 110 // pull in details 111 struct sock *skp = *skpp; 112 u16 dport = skp->__sk_common.skc_dport; 113 114 FILTER_PORT 115 116 if (ipver == 4) { 117 struct ipv4_data_t data4 = {.pid = pid, .ip = ipver}; 118 data4.ts_us = bpf_ktime_get_ns() / 1000; 119 data4.saddr = skp->__sk_common.skc_rcv_saddr; 120 data4.daddr = skp->__sk_common.skc_daddr; 121 data4.dport = ntohs(dport); 122 bpf_get_current_comm(&data4.task, sizeof(data4.task)); 123 ipv4_events.perf_submit(ctx, &data4, sizeof(data4)); 124 125 } else /* 6 */ { 126 struct ipv6_data_t data6 = {.pid = pid, .ip = ipver}; 127 data6.ts_us = bpf_ktime_get_ns() / 1000; 128 bpf_probe_read(&data6.saddr, sizeof(data6.saddr), 129 skp->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr32); 130 bpf_probe_read(&data6.daddr, sizeof(data6.daddr), 131 skp->__sk_common.skc_v6_daddr.in6_u.u6_addr32); 132 data6.dport = ntohs(dport); 133 bpf_get_current_comm(&data6.task, sizeof(data6.task)); 134 ipv6_events.perf_submit(ctx, &data6, sizeof(data6)); 135 } 136 137 currsock.delete(&pid); 138 139 return 0; 140} 141 142int trace_connect_v4_return(struct pt_regs *ctx) 143{ 144 return trace_connect_return(ctx, 4); 145} 146 147int trace_connect_v6_return(struct pt_regs *ctx) 148{ 149 return trace_connect_return(ctx, 6); 150} 151""" 152 153# code substitutions 154if args.pid: 155 bpf_text = bpf_text.replace('FILTER_PID', 156 'if (pid != %s) { return 0; }' % args.pid) 157if args.port: 158 dports = [int(dport) for dport in args.port.split(',')] 159 dports_if = ' && '.join(['dport != %d' % ntohs(dport) for dport in dports]) 160 bpf_text = bpf_text.replace('FILTER_PORT', 161 'if (%s) { currsock.delete(&pid); return 0; }' % dports_if) 162 163bpf_text = bpf_text.replace('FILTER_PID', '') 164bpf_text = bpf_text.replace('FILTER_PORT', '') 165 166if debug or args.ebpf: 167 print(bpf_text) 168 if args.ebpf: 169 exit() 170 171# event data 172TASK_COMM_LEN = 16 # linux/sched.h 173 174class Data_ipv4(ct.Structure): 175 _fields_ = [ 176 ("ts_us", ct.c_ulonglong), 177 ("pid", ct.c_uint), 178 ("saddr", ct.c_uint), 179 ("daddr", ct.c_uint), 180 ("ip", ct.c_ulonglong), 181 ("dport", ct.c_ushort), 182 ("task", ct.c_char * TASK_COMM_LEN) 183 ] 184 185class Data_ipv6(ct.Structure): 186 _fields_ = [ 187 ("ts_us", ct.c_ulonglong), 188 ("pid", ct.c_uint), 189 ("saddr", (ct.c_ulonglong * 2)), 190 ("daddr", (ct.c_ulonglong * 2)), 191 ("ip", ct.c_ulonglong), 192 ("dport", ct.c_ushort), 193 ("task", ct.c_char * TASK_COMM_LEN) 194 ] 195 196# process event 197def print_ipv4_event(cpu, data, size): 198 event = ct.cast(data, ct.POINTER(Data_ipv4)).contents 199 global start_ts 200 if args.timestamp: 201 if start_ts == 0: 202 start_ts = event.ts_us 203 print("%-9.3f" % ((float(event.ts_us) - start_ts) / 1000000), end="") 204 print("%-6d %-12.12s %-2d %-16s %-16s %-4d" % (event.pid, 205 event.task.decode('utf-8', 'replace'), event.ip, 206 inet_ntop(AF_INET, pack("I", event.saddr)), 207 inet_ntop(AF_INET, pack("I", event.daddr)), event.dport)) 208 209def print_ipv6_event(cpu, data, size): 210 event = ct.cast(data, ct.POINTER(Data_ipv6)).contents 211 global start_ts 212 if args.timestamp: 213 if start_ts == 0: 214 start_ts = event.ts_us 215 print("%-9.3f" % ((float(event.ts_us) - start_ts) / 1000000), end="") 216 print("%-6d %-12.12s %-2d %-16s %-16s %-4d" % (event.pid, 217 event.task.decode('utf-8', 'replace'), event.ip, 218 inet_ntop(AF_INET6, event.saddr), inet_ntop(AF_INET6, event.daddr), 219 event.dport)) 220 221# initialize BPF 222b = BPF(text=bpf_text) 223b.attach_kprobe(event="tcp_v4_connect", fn_name="trace_connect_entry") 224b.attach_kprobe(event="tcp_v6_connect", fn_name="trace_connect_entry") 225b.attach_kretprobe(event="tcp_v4_connect", fn_name="trace_connect_v4_return") 226b.attach_kretprobe(event="tcp_v6_connect", fn_name="trace_connect_v6_return") 227 228# header 229if args.timestamp: 230 print("%-9s" % ("TIME(s)"), end="") 231print("%-6s %-12s %-2s %-16s %-16s %-4s" % ("PID", "COMM", "IP", "SADDR", 232 "DADDR", "DPORT")) 233 234start_ts = 0 235 236# read events 237b["ipv4_events"].open_perf_buffer(print_ipv4_event) 238b["ipv6_events"].open_perf_buffer(print_ipv6_event) 239while 1: 240 b.perf_buffer_poll() 241