1Demonstrations of tcplife, the Linux BPF/bcc version.
2
3
4tcplife summarizes TCP sessions that open and close while tracing. For example:
5
6# ./tcplife
7PID   COMM       LADDR           LPORT RADDR           RPORT TX_KB RX_KB MS
822597 recordProg 127.0.0.1       46644 127.0.0.1       28527     0     0 0.23
93277  redis-serv 127.0.0.1       28527 127.0.0.1       46644     0     0 0.28
1022598 curl       100.66.3.172    61620 52.205.89.26    80        0     1 91.79
1122604 curl       100.66.3.172    44400 52.204.43.121   80        0     1 121.38
1222624 recordProg 127.0.0.1       46648 127.0.0.1       28527     0     0 0.22
133277  redis-serv 127.0.0.1       28527 127.0.0.1       46648     0     0 0.27
1422647 recordProg 127.0.0.1       46650 127.0.0.1       28527     0     0 0.21
153277  redis-serv 127.0.0.1       28527 127.0.0.1       46650     0     0 0.26
16[...]
17
18This caught a program, "recordProg" making a few short-lived TCP connections
19to "redis-serv", lasting about 0.25 milliseconds each connection. A couple of
20"curl" sessions were also traced, connecting to port 80, and lasting 91 and 121
21milliseconds.
22
23This tool is useful for workload characterisation and flow accounting:
24identifying what connections are happening, with the bytes transferred.
25
26
27Process names are truncated to 10 characters. By using the wide option, -w,
28the column width becomes 16 characters. The IP address columns are also wider
29to fit IPv6 addresses:
30
31# ./tcplife -w
32PID   COMM             IP LADDR                      LPORT RADDR                      RPORT  TX_KB  RX_KB MS
3326315 recordProgramSt  4  127.0.0.1                  44188 127.0.0.1                  28527      0      0 0.21
343277  redis-server     4  127.0.0.1                  28527 127.0.0.1                  44188      0      0 0.26
3526320 ssh              6  fe80::8a3:9dff:fed5:6b19   22440 fe80::8a3:9dff:fed5:6b19   22         1      1 457.52
3626321 sshd             6  fe80::8a3:9dff:fed5:6b19   22    fe80::8a3:9dff:fed5:6b19   22440      1      1 458.69
3726341 recordProgramSt  4  127.0.0.1                  44192 127.0.0.1                  28527      0      0 0.27
383277  redis-server     4  127.0.0.1                  28527 127.0.0.1                  44192      0      0 0.32
39
40
41In this example, I uploaded a 10 Mbyte file to the server, and then downloaded
42it again, using scp:
43
44# ./tcplife
45PID   COMM       LADDR           LPORT RADDR           RPORT TX_KB RX_KB MS
467715  recordProg 127.0.0.1       50894 127.0.0.1       28527     0     0 0.25
473277  redis-serv 127.0.0.1       28527 127.0.0.1       50894     0     0 0.30
487619  sshd       100.66.3.172    22    100.127.64.230  63033     5 10255 3066.79
497770  recordProg 127.0.0.1       50896 127.0.0.1       28527     0     0 0.20
503277  redis-serv 127.0.0.1       28527 127.0.0.1       50896     0     0 0.24
517793  recordProg 127.0.0.1       50898 127.0.0.1       28527     0     0 0.23
523277  redis-serv 127.0.0.1       28527 127.0.0.1       50898     0     0 0.27
537847  recordProg 127.0.0.1       50900 127.0.0.1       28527     0     0 0.24
543277  redis-serv 127.0.0.1       28527 127.0.0.1       50900     0     0 0.29
557870  recordProg 127.0.0.1       50902 127.0.0.1       28527     0     0 0.29
563277  redis-serv 127.0.0.1       28527 127.0.0.1       50902     0     0 0.30
577798  sshd       100.66.3.172    22    100.127.64.230  64925 10265     6 2176.15
58[...]
59
60You can see the 10 Mbytes received by sshd, and then later transmitted. Looks
61like receive was slower (3.07 seconds) than transmit (2.18 seconds).
62
63
64Timestamps can be added with -t:
65
66# ./tcplife -t
67TIME(s)   PID   COMM       LADDR           LPORT RADDR           RPORT TX_KB RX_KB MS
680.000000  5973  recordProg 127.0.0.1       47986 127.0.0.1       28527     0     0 0.25
690.000059  3277  redis-serv 127.0.0.1       28527 127.0.0.1       47986     0     0 0.29
701.022454  5996  recordProg 127.0.0.1       47988 127.0.0.1       28527     0     0 0.23
711.022513  3277  redis-serv 127.0.0.1       28527 127.0.0.1       47988     0     0 0.27
722.044868  6019  recordProg 127.0.0.1       47990 127.0.0.1       28527     0     0 0.24
732.044924  3277  redis-serv 127.0.0.1       28527 127.0.0.1       47990     0     0 0.28
743.069136  6042  recordProg 127.0.0.1       47992 127.0.0.1       28527     0     0 0.22
753.069204  3277  redis-serv 127.0.0.1       28527 127.0.0.1       47992     0     0 0.28
76
77This shows that the recordProg process was connecting once per second.
78
79There's also a -T for HH:MM:SS formatted times.
80
81
82There's a comma separated values mode, -s. Here it is with both -t and -T
83timestamps:
84
85# ./tcplife -stT
86TIME,TIME(s),PID,COMM,IP,LADDR,LPORT,RADDR,RPORT,TX_KB,RX_KB,MS
8723:39:38,0.000000,7335,recordProgramSt,4,127.0.0.1,48098,127.0.0.1,28527,0,0,0.26
8823:39:38,0.000064,3277,redis-server,4,127.0.0.1,28527,127.0.0.1,48098,0,0,0.32
8923:39:39,1.025078,7358,recordProgramSt,4,127.0.0.1,48100,127.0.0.1,28527,0,0,0.25
9023:39:39,1.025141,3277,redis-server,4,127.0.0.1,28527,127.0.0.1,48100,0,0,0.30
9123:39:41,2.040949,7381,recordProgramSt,4,127.0.0.1,48102,127.0.0.1,28527,0,0,0.24
9223:39:41,2.041011,3277,redis-server,4,127.0.0.1,28527,127.0.0.1,48102,0,0,0.29
9323:39:42,3.067848,7404,recordProgramSt,4,127.0.0.1,48104,127.0.0.1,28527,0,0,0.30
9423:39:42,3.067914,3277,redis-server,4,127.0.0.1,28527,127.0.0.1,48104,0,0,0.35
95[...]
96
97
98There are options for filtering on local and remote ports. Here is filtering
99on local ports 22 and 80:
100
101# ./tcplife.py -L 22,80
102PID   COMM       LADDR           LPORT RADDR           RPORT TX_KB RX_KB MS
1038301  sshd       100.66.3.172    22    100.127.64.230  58671     3     3 1448.52
104[...]
105
106
107USAGE:
108
109# ./tcplife.py -h
110usage: tcplife.py [-h] [-T] [-t] [-w] [-s] [-p PID] [-L LOCALPORT]
111                  [-D REMOTEPORT]
112
113Trace the lifespan of TCP sessions and summarize
114
115optional arguments:
116  -h, --help            show this help message and exit
117  -T, --time            include time column on output (HH:MM:SS)
118  -t, --timestamp       include timestamp on output (seconds)
119  -w, --wide            wide column output (fits IPv6 addresses)
120  -s, --csv             comma separated values output
121  -p PID, --pid PID     trace this PID only
122  -L LOCALPORT, --localport LOCALPORT
123                        comma-separated list of local ports to trace.
124  -D REMOTEPORT, --remoteport REMOTEPORT
125                        comma-separated list of remote ports to trace.
126
127examples:
128    ./tcplife           # trace all TCP connect()s
129    ./tcplife -t        # include time column (HH:MM:SS)
130    ./tcplife -w        # wider colums (fit IPv6)
131    ./tcplife -stT      # csv output, with times & timestamps
132    ./tcplife -p 181    # only trace PID 181
133    ./tcplife -L 80     # only trace local port 80
134    ./tcplife -L 80,81  # only trace local ports 80 and 81
135    ./tcplife -D 80     # only trace remote port 80
136