Provided by: bpftrace_0.9.2-1_amd64

NAME - Trace TCP passive connections (accept()). Uses bpftrace/eBPF



       This tool traces passive TCP connections (e.g., via an accept() syscall; connect() calls
       are active connections). This can be useful for general troubleshooting to see what new
       connections the local server is accepting.

       This   uses  dynamic  tracing  of  the  kernel  inet_csk_accept()  socket  function  (from
       tcp_prot.accept), and will need to be modified to match kernel changes.

       This tool only traces successful TCP accept()s. Connection attempts to closed  ports  will
       not be shown (those can be traced via other functions).

       Since this uses BPF, only the root user can use this tool.


       CONFIG_BPF and bpftrace.


       Trace all passive TCP connections (accept()s):


              Time of the call, in HH:MM:SS format.

       PID    Process ID

       COMM   Process name

       RADDR  Remote IP address.

       RPORT  Remote port.

       LADDR  Local IP address.

       LPORT  Local port

       BL     Current accept backlog vs maximum backlog
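
An added example, not part of the bpftrace distribution: a Python post-processor for captured output that uses the fields above to flag accepts made while the backlog was near its maximum and to count accepts per remote address and local port. The column order follows the field list; the `current/maximum` rendering of BL, the header row and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample output. Columns follow the field list above; the
# "current/maximum" form of BL is an assumption, not shown on this page.
SAMPLE = """\
TIME     PID    COMM       RADDR          RPORT LADDR          LPORT BL
10:01:07 1203   nginx      203.0.113.10   51844 192.0.2.5      443   0/128
10:01:07 1203   nginx      203.0.113.10   51846 192.0.2.5      443   97/128
10:01:08 1203   nginx      198.51.100.7   40112 192.0.2.5      443   120/128
10:01:09 842    sshd       203.0.113.10   51850 192.0.2.5      22    0/128
"""

def parse(text):
    """Return one dict per event line; header and malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        cols = line.split()
        # Header, blank and truncated lines fail this shape check.
        if len(cols) < 8 or not re.fullmatch(r"\d+/\d+", cols[-1]):
            continue
        if not (cols[1].isdigit() and cols[-4].isdigit() and cols[-2].isdigit()):
            continue
        cur, mx = map(int, cols[-1].split("/"))
        events.append({
            "time": cols[0], "pid": int(cols[1]),
            "comm": " ".join(cols[2:-5]),  # a process name may contain spaces
            "raddr": cols[-5], "rport": int(cols[-4]),
            "laddr": cols[-3], "lport": int(cols[-2]),
            "backlog": cur, "backlog_max": mx,
        })
    return events

def backlog_pressure(events, threshold=0.75):
    """Events accepted while the queue was at or above `threshold` of its maximum."""
    return [e for e in events
            if e["backlog_max"] > 0 and e["backlog"] / e["backlog_max"] >= threshold]

def accepts_by_remote(events):
    """Count accepted connections per (remote address, local port)."""
    return Counter((e["raddr"], e["lport"]) for e in events)

if __name__ == "__main__":
    evs = parse(SAMPLE)
    for e in backlog_pressure(evs):
        print(f'{e["time"]} {e["comm"]} port {e["lport"]}: '
              f'backlog {e["backlog"]}/{e["backlog_max"]}')
    print(accepts_by_remote(evs).most_common(3))
```
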


       This traces the kernel inet_csk_accept function and prints output for each event. The
       rate of this depends on your server application. If it is a web or proxy server accepting
       many tens of thousands of connections per second, then the overhead of this tool may be
       measurable (although still a lot better than tracing every packet). If it is less than a
       thousand a second, then the overhead is expected to be negligible. Test and understand
       this overhead before use.


       This is from bpftrace


       Also look in the bpftrace distribution  for  a  companion  _examples.txt  file  containing
       example usage, output, and commentary for this tool.

       This is a bpftrace version of the bcc tool of the same name. The bcc tool may provide more
       options and customizations.





       Unstable - in development.


       Brendan Gregg, adapted for bpftrace by Dale Hamel


       tcpconnect(8), funccount(8), tcpdump(8)