Demonstrations of tcpsubnet, the Linux eBPF/bcc version.


tcpsubnet summarizes TCP bytes sent, aggregated by destination subnet.
It traces sends only (not receives) and works only for IPv4. Eg:

# tcpsubnet
Tracing... Output every 1 secs. Hit Ctrl-C to end
[03/05/18 22:32:47]
127.0.0.1/32               8
[03/05/18 22:32:48]
[03/05/18 22:32:49]
[03/05/18 22:32:50]
[03/05/18 22:32:51]
[03/05/18 22:32:52]
127.0.0.1/32              10
[03/05/18 22:32:53]

This example output shows the number of bytes sent to 127.0.0.1/32 (the
loopback interface). For demo purposes, I set netcat listening on port
8080, connected to it and sent the following payloads.

# nc 127.0.0.1 8080
1111111
111111111

The first line sends 7 digits plus the trailing newline (8 bytes).
The second line sends 9 digits plus the trailing newline (10 bytes).

Notice also how tcpsubnet prints a header line with the current date
and time, formatted in the current locale.

Try it yourself to get a feeling of how tcpsubnet works.

By default, tcpsubnet will categorize traffic in the following subnets:

- 127.0.0.1/32
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 0.0.0.0/0

The last subnet is a catch-all. In other words, anything that doesn't
match the first 4 defaults will be categorized under 0.0.0.0/0.
You can change this default behavior by passing a comma separated list
of subnets. Let's say we would like to know how much traffic we
are sending to github.com. We first find out what IPs github.com resolves
to, Eg:

# dig +short github.com
192.30.253.112
192.30.253.113

With this information, we can come up with a reasonable range of IPs
to monitor, Eg:

# tcpsubnet.py 192.30.253.110/27,0.0.0.0/0
Tracing... Output every 1 secs. Hit Ctrl-C to end
[03/05/18 22:38:58]
0.0.0.0/0               5780
192.30.253.110/27       2205
[03/05/18 22:38:59]
0.0.0.0/0               2036
192.30.253.110/27       1183
[03/05/18 22:39:00]
[03/05/18 22:39:01]
192.30.253.110/27      12537

Note that 192.30.253.110/27 has host bits set; the network it denotes is
192.30.253.96/27 (192.30.253.96 through 192.30.253.127), which contains
both addresses dig returned, but also 30 other addresses that may not
belong to github.com. The label is printed as you typed it.

If we would like to be more accurate, we can use the two IPs returned
by dig, Eg:

# tcpsubnet 192.30.253.113/32,192.30.253.112/32,0.0.0.0/0
Tracing... Output every 1 secs. Hit Ctrl-C to end
[03/05/18 22:42:56]
0.0.0.0/0               1177
192.30.253.113/32        910
[03/05/18 22:42:57]
0.0.0.0/0              48704
192.30.253.113/32        892
[03/05/18 22:42:58]
192.30.253.113/32        891
0.0.0.0/0                858
[03/05/18 22:42:59]
0.0.0.0/0              11159
192.30.253.113/32        894
[03/05/18 22:43:00]
0.0.0.0/0              60601

NOTE: When used in production, it is expected that you will have full
information about your network topology. In which case you won't need
to approximate subnets nor need to put individual IP addresses like
we just did.

Notice that the order of the subnets matters: the list is evaluated in
order and the first match wins. Say we put 0.0.0.0/0 as the first
element of the list and 192.30.253.112/32 as the second; all the
traffic going to 192.30.253.112/32 will be categorized under 0.0.0.0/0,
as 192.30.253.112/32 is contained in 0.0.0.0/0. More specific subnets
therefore go first, and the catch-all (if you want one) goes last.
Without a catch-all, traffic that matches no subnet is not counted at all.
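The following is an added example, not code from tcpsubnet or bcc: a small
Python model of the first-match classification described above, so that a
subnet list can be checked (including for entries shadowed by an earlier,
broader one) before the tool is pointed at it. The traffic samples, the
function names and the shadowed() check are all assumptions made for the
example; only the subnet semantics come from the text.

```python
import ipaddress

# Added example, not tcpsubnet's own code: reproduces the first-match
# classification the text describes. All traffic samples are constructed.

DEFAULT_SUBNETS = "127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,0.0.0.0/0"


def parse_subnets(spec):
    """Turn a comma separated subnet list into [(label, IPv4Network)], order kept.

    strict=False accepts a prefix with host bits set, such as the
    192.30.253.110/27 used above, and treats it as 192.30.253.96/27.
    The label stays as written, which is how the tool prints it.
    """
    subnets = []
    for item in spec.split(","):
        label = item.strip()
        subnets.append((label, ipaddress.IPv4Network(label, strict=False)))
    return subnets


def classify(dst, subnets):
    """Return the label of the first subnet containing dst, or None if no
    subnet matches (without a catch-all such traffic is simply not counted)."""
    addr = ipaddress.IPv4Address(dst)  # IPv4 only, like the tool
    for label, net in subnets:
        if addr in net:
            return label
    return None


def summarize(sends, spec):
    """Aggregate (dst_ip, nbytes) pairs into {label: total_bytes} for one interval."""
    subnets = parse_subnets(spec)
    totals = {}
    for dst, nbytes in sends:
        label = classify(dst, subnets)
        if label is not None:
            totals[label] = totals.get(label, 0) + nbytes
    return totals


def shadowed(spec):
    """Return labels that can never match because an earlier entry in the
    list already contains them: the ordering mistake described above."""
    subnets = parse_subnets(spec)
    hidden = []
    for i, (label, net) in enumerate(subnets):
        if any(net.subnet_of(earlier) for _, earlier in subnets[:i]):
            hidden.append(label)
    return hidden


# Constructed sample of one second of sends: (destination, bytes).
SAMPLE_SENDS = [
    ("192.30.253.113", 910),   # github.com, from the dig output above
    ("192.30.253.112", 500),   # github.com
    ("10.1.2.3", 100),         # an RFC 1918 address
    ("8.8.8.8", 1177),         # anything else
]

if __name__ == "__main__":
    print(summarize(SAMPLE_SENDS, DEFAULT_SUBNETS))
    print(summarize(SAMPLE_SENDS, "192.30.253.110/27,0.0.0.0/0"))
    print(summarize(SAMPLE_SENDS, "0.0.0.0/0,192.30.253.112/32"))
    print(shadowed("0.0.0.0/0,192.30.253.112/32"))
```

Running it shows the /27 swallowing both github addresses, the misordered
list attributing everything to 0.0.0.0/0, and a list with no catch-all
silently dropping traffic to unlisted destinations.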

The default output unit is bytes. You can change it by using the
-f [--format] flag. tcpsubnet uses the same unit letters as iperf
(b, k, B, K for bits, Kbits, bytes, KBytes) and adds m and M (Mbits,
MBytes). When using k, m, K or M, the output is rounded down (floor), so
a subnet that sent less than one unit in an interval is reported as 0.
Eg:

# tcpsubnet -fK 0.0.0.0/0
[03/05/18 22:44:04]
0.0.0.0/0                  1
[03/05/18 22:44:05]
0.0.0.0/0                  5
[03/05/18 22:44:06]
0.0.0.0/0                 31

Just like the majority of the bcc tools, tcpsubnet supports -i [--interval]
to set the output interval in seconds, and --ebpf to print the generated
BPF program.

It also supports -v [--verbose] which gives useful debugging information
on how the subnets are evaluated and the BPF program is constructed.

Last but not least, it supports -J [--json] to print the output in
JSON format, one object per interval. This is handy if you're calling
tcpsubnet from another program (say a nodejs server) and would like to
have a structured stdout. The output in JSON format will also include the
date and time.
Eg:

# tcpsubnet -J -fK 192.30.253.110/27,0.0.0.0/0
{"date": "03/05/18", "entries": {"0.0.0.0/0": 2}, "time": "22:46:27"}
{"date": "03/05/18", "entries": {}, "time": "22:46:28"}
{"date": "03/05/18", "entries": {}, "time": "22:46:29"}
{"date": "03/05/18", "entries": {}, "time": "22:46:30"}
{"date": "03/05/18", "entries": {"192.30.253.110/27": 0}, "time": "22:46:31"}
{"date": "03/05/18", "entries": {"192.30.253.110/27": 1}, "time": "22:46:32"}
{"date": "03/05/18", "entries": {"192.30.253.110/27": 18}, "time": "22:46:32"}
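As an added example (not part of tcpsubnet or bcc), here is the kind of
consumer the "another program" case above has in mind: it reads the JSON
lines from stdout, sums each subnet over all intervals, and flags intervals
in which the catch-all subnet (traffic to destinations you did not name)
exceeds a threshold, a crude egress alarm. The sample lines are constructed
in the shape shown above (byte counts, no -f), not captured from a real run;
the function names and the threshold are assumptions.

```python
import json
import sys
from collections import defaultdict

# Added example, not part of tcpsubnet: a consumer for `tcpsubnet -J` output.
# Constructed sample lines in the tool's JSON shape (bytes, default unit);
# the last one is a deliberately non-JSON line to show it is skipped.
SAMPLE_JSON_LINES = [
    '{"date": "03/05/18", "entries": {"0.0.0.0/0": 1177, "192.30.253.113/32": 910}, "time": "22:42:56"}',
    '{"date": "03/05/18", "entries": {}, "time": "22:42:57"}',
    '{"date": "03/05/18", "entries": {"0.0.0.0/0": 48704, "192.30.253.113/32": 892}, "time": "22:42:58"}',
    'not json (constructed stray line)',
]


def parse_records(lines):
    """Yield (date, time, entries) for every well-formed JSON line; skip the rest."""
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        yield rec["date"], rec["time"], rec.get("entries", {})


def totals_per_subnet(lines):
    """Sum each subnet's count across all intervals."""
    totals = defaultdict(int)
    for _, _, entries in parse_records(lines):
        for subnet, count in entries.items():
            totals[subnet] += count
    return dict(totals)


def catchall_spikes(lines, threshold, catchall="0.0.0.0/0"):
    """Intervals where traffic to the catch-all subnet exceeds threshold.

    With the tool's default 1 s interval the count is a per-second rate, so
    this flags bursts towards destinations outside the subnets you named.
    A missing entry means nothing was sent, so it counts as 0.
    """
    spikes = []
    for date, time, entries in parse_records(lines):
        count = entries.get(catchall, 0)
        if count > threshold:
            spikes.append((date, time, count))
    return spikes


if __name__ == "__main__":
    # Usage: tcpsubnet -J | python3 consumer.py 10000
    threshold = int(sys.argv[1]) if len(sys.argv) > 1 else 10000
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_JSON_LINES
    for date, time, count in catchall_spikes(lines, threshold):
        print(f"{date} {time}: {count} bytes to unlisted destinations")
```

Because the default unit is bytes and -f values are floored, run the
producer without -f when feeding a consumer like this; otherwise small
intervals collapse to 0 and the threshold comparison loses precision.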


USAGE:

# ./tcpsubnet -h
usage: tcpsubnet.py [-h] [-v] [-J] [-f {b,k,m,B,K,M}] [-i INTERVAL] [subnets]

Summarize TCP send and aggregate by subnet

positional arguments:
  subnets               comma separated list of subnets

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         output debug statements
  -J, --json            format output in JSON
  -f {b,k,m,B,K,M}, --format {b,k,m,B,K,M}
                        [bkmBKM] format to report: bits, Kbits, Mbits, bytes,
                        KBytes, MBytes (default B)
  -i INTERVAL, --interval INTERVAL
                        output interval, in seconds (default 1)

examples:
    ./tcpsubnet                 # Trace TCP sent to the default subnets:
                                # 127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,
                                # 192.168.0.0/16,0.0.0.0/0
    ./tcpsubnet -f K            # Trace TCP sent to the default subnets
                                # aggregated in KBytes.
    ./tcpsubnet 10.80.0.0/24    # Trace TCP sent to 10.80.0.0/24 only
    ./tcpsubnet -J              # Format the output in JSON.

