Provided by: bpfcc-tools_0.5.0-5ubuntu1_all 
NAME
tcpaccept - Trace TCP passive connections (accept()). Uses Linux eBPF/bcc.
SYNOPSIS
tcpaccept [-h] [-t] [-x] [-p PID]
DESCRIPTION
This tool traces passive TCP connections (eg, via an accept() syscall; connect() are
active connections). This can be useful for general troubleshooting to see what new
connections the local server is accepting.
This uses dynamic tracing of the kernel inet_csk_accept() socket function (from
tcp_prot.accept), and will need to be modified to match kernel changes.
This tool only traces successful TCP accept()s. Connection attempts to closed ports will
not be shown (those can be traced via other functions).
Since this uses BPF, only the root user can use this tool.
REQUIREMENTS
CONFIG_BPF and bcc.
OPTIONS
-h Print usage message.
-t Include a timestamp column.
-p PID Trace this process ID only (filtered in-kernel).
EXAMPLES
Trace all passive TCP connections (accept()s):
# tcpaccept
Trace all TCP accepts, and include timestamps:
# tcpconnect -t
Trace PID 181 only:
# tcpconnect -p 181
FIELDS
TIME(s)
Time of the event, in seconds.
PID Process ID
COMM Process name
IP IP address family (4 or 6)
RADDR Remote IP address.
LADDR Local IP address.
LPORT Local port
OVERHEAD
This traces the kernel inet_csk_accept function and prints output for each event. The
rate of this depends on your server application. If it is a web or proxy server accepting
many tens of thousands of connections per second, then the overhead of this tool may be
measurable (although, still a lot better than tracing every packet). If it is less than a
thousand a second, then the overhead is expected to be negligible. Test and understand
this overhead before use.
SOURCE
This is from bcc.
https://github.com/iovisor/bcc
Also look in the bcc distribution for a companion _examples.txt file containing example
usage, output, and commentary for this tool.
OS
Linux
STABILITY
Unstable - in development.
AUTHOR
Brendan Gregg
SEE ALSO
tcpconnect(8), funccount(8), tcpdump(8)