Demonstrations of tcpaccept, the Linux eBPF/bcc version.


This tool traces the kernel function accepting TCP socket connections (e.g., a
passive connection via accept(); not connect()). Some example output (IP
addresses changed to protect the innocent):

# ./tcpaccept
PID    COMM         IP RADDR            LADDR            LPORT
907    sshd         4  192.168.56.1     192.168.56.102   22
907    sshd         4  127.0.0.1        127.0.0.1        22
5389   perl         6  1234:ab12:2040:5020:2299:0:5:0 1234:ab12:2040:5020:2299:0:5:0 7001

This output shows three connections: two IPv4 connections to PID 907, an "sshd"
process listening on port 22, and one IPv6 connection to a "perl" process
listening on port 7001.

The overhead of this tool should be negligible, since it is only tracing the
kernel function performing accept. It is not tracing every packet and then
filtering.

This tool only traces successful TCP accept()s. Connection attempts to closed
ports will not be shown (those can be traced via other functions).


The -t option prints a timestamp column:

# ./tcpaccept -t
TIME(s) PID    COMM         IP RADDR            LADDR            LPORT
0.000   907    sshd         4  127.0.0.1        127.0.0.1        22
0.010   5389   perl         6  1234:ab12:2040:5020:2299:0:5:0 1234:ab12:2040:5020:2299:0:5:0 7001
0.992   907    sshd         4  127.0.0.1        127.0.0.1        22
1.984   907    sshd         4  127.0.0.1        127.0.0.1        22


USAGE message:

# ./tcpaccept -h
usage: tcpaccept [-h] [-t] [-p PID]

Trace TCP accepts

optional arguments:
  -h, --help         show this help message and exit
  -t, --timestamp    include timestamp on output
  -p PID, --pid PID  trace this PID only

examples:
    ./tcpaccept           # trace all TCP accept()s
    ./tcpaccept -t        # include timestamps
    ./tcpaccept -p 181    # only trace PID 181
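As an added example (not part of bcc or this examples file), the following Python parses tcpaccept output, with or without the -t TIME(s) column, and flags accepts on listeners that are not in a baseline policy or from peers outside the networks that listener is expected to serve. The sample lines, the POLICY baseline and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `tcpaccept -t` output (not captured from a real host);
# remote addresses use private and documentation ranges.
SAMPLE = """\
TIME(s) PID    COMM         IP RADDR            LADDR            LPORT
0.000   907    sshd         4  127.0.0.1        127.0.0.1        22
0.010   5389   perl         6  1234:ab12:2040:5020:2299:0:5:0 1234:ab12:2040:5020:2299:0:5:0 7001
0.992   907    sshd         4  192.168.56.1     192.168.56.102   22
1.984   4101   nginx        4  198.51.100.7     192.168.56.102   443
2.300   907    sshd         4  203.0.113.9      192.168.56.102   22
"""

# Hypothetical baseline: expected (COMM, LPORT) listeners and the remote
# networks each is allowed to accept connections from.
POLICY = {
    ("sshd", 22): [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("192.168.56.0/24")],
    ("perl", 7001): [ipaddress.ip_network("1234:ab12::/32")],
}

def parse_tcpaccept(text):
    """Parse tcpaccept output into dicts; the TIME(s) column is optional."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    has_time = lines[0].split()[0] == "TIME(s)"
    records = []
    for line in lines[1:]:
        fields = line.split()  # whitespace split copes with wide IPv6 columns
        ts = float(fields.pop(0)) if has_time else None
        pid, comm, ipver, raddr, laddr, lport = fields[:6]
        records.append({
            "time": ts, "pid": int(pid), "comm": comm, "ip": int(ipver),
            "raddr": ipaddress.ip_address(raddr),
            "laddr": ipaddress.ip_address(laddr), "lport": int(lport),
        })
    return records

def flag_accepts(records, policy):
    """Return (record, reason) pairs for accepts on listeners absent from the
    policy or from peers outside the listener's allowed networks."""
    flagged = []
    for r in records:
        nets = policy.get((r["comm"], r["lport"]))
        if nets is None:
            flagged.append((r, "unknown listener"))
        elif not any(r["raddr"] in net for net in nets):
            flagged.append((r, "peer outside allowed networks"))
    return flagged
```

Running `flag_accepts(parse_tcpaccept(SAMPLE), POLICY)` on the sample reports the nginx listener on 443 as unknown and the sshd accept from 203.0.113.9 as an out-of-policy peer.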