dtrace discuss - May 2007 - tcpsnoop.d

Hi everybody,

I''m trying to use the tcpsnoop.d script with my Solaris Express
Developper Edition but It doesn''t work because of a compilation error :
[b]line 202 : tcp_g_q : Unknown symbol name[/b]. What can I do to resolve this
problem?

Thanks in advance.
--
This message posted from opensolaris.org

Kate wrote:
> Hi everybody,
> 
> I''m trying to use the tcpsnoop.d script with my Solaris Express
Developper Edition but It doesn''t work
works fine for me on SXDE build 55b:
                             Solaris Nevada snv_55b X86
            Copyright 2007 Sun Microsystems, Inc.  All Rights Reserved.
                         Use is subject to license terms.
                             Assembled 12 January 2007


sparvu at earth>/opt/DTT/Bin/tcpsnoop.d 

   UID    PID LADDR           LPORT DR RADDR           RPORT  SIZE CMD
   100  18792 192.168.1.5     56999 -> 72.5.124.61        80    54 
firefox-bin
   100  18792 192.168.1.5     56999 -> 72.5.124.61        80   558 
firefox-bin
   100  18792 192.168.1.5     56999 <- 72.5.124.61        80    66 
firefox-bin
   100  18792 192.168.1.5     56999 -> 72.5.124.61        80    54 
firefox-bin
   100  18792 192.168.1.5     56999 <- 72.5.124.61        80    54 
firefox-bin
   100  18792 192.168.1.5     56999 <- 72.5.124.61        80   586 
firefox-bin
   100  18792 192.168.1.5     56999 -> 72.5.124.61        80    54 
firefox-bin
   100  18792 192.168.1.5     56999 <- 72.5.124.61        80  1514 
firefox-bin
   100  18792 192.168.1.5     56999 -> 72.5.124.61        80    54 
firefox-bin

Are you using DTT version 0.96 ?

stefan

Stefan Parvu wrote:
> Kate wrote:
>> Hi everybody,
>>
>> I''m trying to use the tcpsnoop.d script with my Solaris
Express
>> Developper Edition but It doesn''t work 
> 
> works fine for me on SXDE build 55b:
The kernel symbol tcp_g_q was removed in build 57.

So it looks like the script needs to be updated.

    Erik
>                             Solaris Nevada snv_55b X86
>            Copyright 2007 Sun Microsystems, Inc.  All Rights Reserved.
>                         Use is subject to license terms.
>                             Assembled 12 January 2007
> 
> 
> sparvu at earth>/opt/DTT/Bin/tcpsnoop.d
>   UID    PID LADDR           LPORT DR RADDR           RPORT  SIZE CMD
>   100  18792 192.168.1.5     56999 -> 72.5.124.61        80    54 
> firefox-bin
>   100  18792 192.168.1.5     56999 -> 72.5.124.61        80   558 
> firefox-bin
>   100  18792 192.168.1.5     56999 <- 72.5.124.61        80    66 
> firefox-bin
>   100  18792 192.168.1.5     56999 -> 72.5.124.61        80    54 
> firefox-bin
>   100  18792 192.168.1.5     56999 <- 72.5.124.61        80    54 
> firefox-bin
>   100  18792 192.168.1.5     56999 <- 72.5.124.61        80   586 
> firefox-bin
>   100  18792 192.168.1.5     56999 -> 72.5.124.61        80    54 
> firefox-bin
>   100  18792 192.168.1.5     56999 <- 72.5.124.61        80  1514 
> firefox-bin
>   100  18792 192.168.1.5     56999 -> 72.5.124.61        80    54 
> firefox-bin
> 
> Are you using DTT version 0.96 ?
> 
> stefan
> _______________________________________________
> dtrace-discuss mailing list
> dtrace-discuss at opensolaris.org

G''Day Kate,

On Thu, May 17, 2007 at 07:31:15AM -0700, Kate wrote:
> Hi everybody,
> 
> I''m trying to use the tcpsnoop.d script with my Solaris Express
Developper Edition but It doesn''t work because of a compilation error :
[b]line 202 : tcp_g_q : Unknown symbol name[/b]. What can I do to resolve this
problem?
I just tried this on a recent build of the kernel and I get the same error - 
the kernel TCP/IP stack has changed (again) causing tcpsnoop.d to break
(again). Sorry about that.

I had a quick look, and there was no easy way to fix tcpsnoop.d. There
is a workaround - if you delete the three blocks that have "port
closed"
in their top comments, then the script runs - but no longer matches
failed TCP connections to closed ports.

DTrace can still trace this activity; it just requires spending some time
(days) with the kernel source to figure out how, and to test that the fix
works under different known loads. And repeat that process for every
significant change to the TCP/IP stack (a few times a year).

The reason for all of this is that tcpsnoop.d uses the DTrace fbt provider -
which traces the raw kernel. It isn''t and can never be a
"stable" interface.
I''ve tried to muster support within Sun for the addition of a stable
network
provider (there was a long thread about this on dtrace-discuss previously),
which would allow a stable version of tcpsnoop.d to be written.

In the meantime, tracing this activity is hard, but possible. In the future
I hope this becomes both possible and easy.

Brendan

-- 
Brendan
[CA, USA]

Thanks for your responses.
--
This message posted from opensolaris.org

I am guessing that this just gets worse as Sun changes things in the kernel.
This was such a useful tool. I am finding that even with the workaround, the
only data I see is PID/RADDRsize and command.

                       Solaris 10 8/07 s10s_u4wos_12b SPARC
           Copyright 2007 Sun Microsystems, Inc.  All Rights Reserved.
                        Use is subject to license terms.
                            Assembled 16 August 2007

SunOS utilserv 5.10 Generic_127111-06 sun4v sparc SUNW,Sun-Fire-T200

utilserv> ./tcpsnoop.d
  UID    PID LADDR           LPORT DR RADDR           RPORT  SIZE CMD
    0   9284 0.0.0.0             0 <- 172.25.24.79        0    54 sshd
    0   9284 0.0.0.0             0 -> 172.25.24.79        0    54 sshd
    0   9284 0.0.0.0             0 <- 172.25.24.79        0    54 sshd
    0   9284 0.0.0.0             0 -> 172.25.24.79        0    74 sshd
    0   9284 0.0.0.0             0 <- 172.25.24.79        0    82 sshd
    0   9284 0.0.0.0             0 -> 172.25.24.79        0    54 sshd
    0   9284 0.0.0.0             0 <- 172.25.24.79        0   566 sshd
    0   9284 0.0.0.0             0 -> 172.25.24.79        0    54 sshd
    0   9284 0.0.0.0             0 <- 172.25.24.79        0   158 sshd
    0   9284 0.0.0.0             0 -> 172.25.24.79        0    54 sshd
    0   9284 0.0.0.0             0 -> 172.25.24.79        0   486 sshd
    0   9284 0.0.0.0             0 -> 172.25.24.79        0   206 sshd


--
This message posted from opensolaris.org

> I am guessing that this just gets worse as Sun changes things in the
> kernel. This was such a useful tool. I am finding that even with the
> workaround, the only data I see is PID/RADDRsize and command.
I believe that we will have something better. Network Provider.

http://opensolaris.org/os/community/dtrace/NetworkProvider/

-- 
	Vlad
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 193 bytes
Desc: not available
URL:
<http://mail.opensolaris.org/pipermail/dtrace-discuss/attachments/20080703/49e90cc9/attachment.bin>

The Network provider is only availabe on opensolaris, not SPARC based
solaris 10. According to the comment in tcpsnoop.d, new solaris 10 release
changes the fbt provider, which is not back compatible.

It is a pity that tcpsnoop is not supported in  new solaris release. Is
there anyone providing the guide line that what kind of changes in fbt could
make it working?

Thanks,

carl


On 7/3/08 9:41 AM, "Vladimir Marek" <Vladimir.Marek at Sun.COM>
wrote:
>> I am guessing that this just gets worse as Sun changes things in the
>> kernel. This was such a useful tool. I am finding that even with the
>> workaround, the only data I see is PID/RADDRsize and command.
> 
> I believe that we will have something better. Network Provider.
> 
> http://opensolaris.org/os/community/dtrace/NetworkProvider/

G''Day Folks,

On Sun, Jul 06, 2008 at 11:59:34AM -0400, Carl Ma wrote:
> The Network provider is only availabe on opensolaris, not SPARC based
> solaris 10. According to the comment in tcpsnoop.d, new solaris 10 release
> changes the fbt provider, which is not back compatible.
Yes, the network providers will ultimately provide tcpsnoop/tcptop style
capability (either directly supported, or indirectly - as a step-up from fbt);
however there is still some work to go.

It looks like I need to update tcpsnoop/tcptop again until these exist in a
stable manner based on the network providers.
> It is a pity that tcpsnoop is not supported in  new solaris release. Is
> there anyone providing the guide line that what kind of changes in fbt
could
> make it working?
tcpsnoop/tcptop were never supported by Sun anyway, I wrote them as a
customer and made them available as CDDL''d opensource, and continue to
maintain them and the DTraceToolkit in my spare time.  I''m sorry they
keep
breaking - when I moved to the US I left behind my test servers, and
haven''t
had anything to run Sol 10u5 ... until recently - I installed Sol 10u5 on a
home PC last week - now I can see and fix this issue.

A couple of people had sent me fixes for tcpsnoop/tcptop (which is
appreciated since I have limited time and servers to develop them on) but
those fixes looked equal to tcpsnoop_snv, which is already available.

I''m wondering if it would be more useful for me to write a guide to how
tcpsnoop was written, which people could then follow to not only update the
scripts for Solaris 10 x86 and sparc, but also port the scripts to MacOS X
and other OSes with DTrace...

Brendan

-- 
Brendan
[CA, USA]