Demonstrations of solisten.py, the Linux eBPF/bcc version.


This tool traces the kernel function called when a program wants to listen
for TCP connections. It will not see UDP or UNIX domain sockets.

It can be used to dynamically update a load balancer as soon as a program is
actually ready to accept connections, hence avoiding the "downtime" while it
is initializing.

# ./solisten.py --show-netns
PID    COMM         NETNS        PROTO  BACKLOG  ADDR                                    PORT
3643   nc           4026531957   TCPv4  1        0.0.0.0                                 4242
3659   nc           4026531957   TCPv6  1        2001:f0d0:1002:51::4                    4242
4221   redis-server 4026532165   TCPv6  128      ::                                      6379
4221   redis-server 4026532165   TCPv4  128      0.0.0.0                                 6379
6067   nginx        4026531957   TCPv4  128      0.0.0.0                                 80
6067   nginx        4026531957   TCPv6  128      ::                                      80
6069   nginx        4026531957   TCPv4  128      0.0.0.0                                 80
6069   nginx        4026531957   TCPv6  128      ::                                      80
6069   nginx        4026531957   TCPv4  128      0.0.0.0                                 80
6069   nginx        4026531957   TCPv6  128      ::                                      80

This output shows the listen events from 3 programs. Netcat was started twice,
as shown by the 2 different PIDs: the first time on the wildcard IPv4 address,
the second time on an IPv6 address. Netcat is a "one shot" program. It can
accept a single connection, hence the backlog of "1".

The next program is redis-server. As the netns column shows, it is in a
different network namespace than netcat and nginx. In this specific case
it was launched in a docker container. It listens on both IPv4 and IPv6
with up to 128 pending connections.

Determining the actual container is out of the scope of this tool. It could
be derived by scraping /proc/<PID>/cgroup. Note that this is racy.
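
One way to do the /proc/<PID>/cgroup lookup described above, as an added
example that is not part of solisten.py or bcc. It assumes Docker-style cgroup
paths containing a 64-hex-digit container ID and that the NETNS column is the
namespace inode shown by /proc/<PID>/ns/net; the function names are
hypothetical. Re-checking the namespace around the read narrows the race but
cannot remove it.

```python
import os
import re

# A 64-hex-digit run in a cgroup path is how Docker-style runtimes name the
# container's cgroup (assumption: other runtimes may use another layout).
CONTAINER_ID = re.compile(r"(?<![0-9a-f])[0-9a-f]{64}(?![0-9a-f])")


def container_id_from_cgroup(text):
    """Return the container ID found in /proc/<PID>/cgroup text, or None."""
    for line in text.splitlines():
        # Each line is "hierarchy-ID:controllers:path"; the path may hold ':'.
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        match = CONTAINER_ID.search(parts[2])
        if match:
            return match.group(0)
    return None


def netns_of(pid, proc="/proc"):
    """Return the network namespace inode of pid, e.g. 4026532165."""
    link = os.readlink(os.path.join(proc, str(pid), "ns", "net"))  # "net:[N]"
    return int(link[link.index("[") + 1:link.rindex("]")])


def resolve_container(pid, netns, proc="/proc"):
    """Map one solisten event (PID, NETNS) to a container ID.

    Returns None when the process is not in a container, has exited, or the
    PID no longer belongs to the namespace that solisten reported.
    """
    try:
        if netns_of(pid, proc) != netns:
            return None  # PID was reused by a process in another namespace
        with open(os.path.join(proc, str(pid), "cgroup")) as handle:
            text = handle.read()
        if netns_of(pid, proc) != netns:
            return None  # process changed between the two reads
    except (OSError, ValueError):
        return None  # process exited, or access denied
    return container_id_from_cgroup(text)


if __name__ == "__main__":
    # Constructed sample: the redis-server event from the output above.
    print(resolve_container(4221, 4026532165))
```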

The overhead of this tool is negligible as it traces listen() calls, which are
invoked in the initialization path of a program. The operational path remains
unaffected. In particular, accept() calls are not affected, nor are individual
read() and write() calls.