G'Day Folks,

... and welcome to the DTrace interest folks!

I've just uploaded the latest versions of my TCP based tools - only to my
website @ http://www.brendangregg.com/dtrace.html, after I've tested them
on different platforms (and no doubt fixed up some niggling bugs) I'll put
them in the DTraceToolkit.

"tcptop" gives a summary of TCP by process,

# tcptop -C 30
Sampling... Please wait.
2005 Jul 5 05:18:56, load: 1.07, TCPin: 3 Kb, TCPout: 112 Kb

  UID    PID LADDR           LPORT RADDR           RPORT      SIZE NAME
    0    242 192.168.1.5        79 192.168.1.1     54283       272 inetd
    0    242 192.168.1.5        23 192.168.1.1     54284       294 inetd
    0  20929 192.168.1.5        79 192.168.1.1     54283       714 in.fingerd
  100  20926 192.168.1.5     36409 192.168.1.1        79      1160 finger
  100  20927 192.168.1.5     36410 192.168.1.1        79      1160 finger
  100  20928 192.168.1.5     36411 192.168.1.1        23      1627 telnet
    0  20313 192.168.1.5        22 192.168.1.1     54285      2798 sshd
    0  20931 192.168.1.5        23 192.168.1.1     54284      4622 in.telnetd
  100  20941 192.168.1.5       858 192.168.1.1       514    115712 rcp

2005 Jul 5 05:19:26, load: 1.04, TCPin: 0 Kb, TCPout: 4 Kb

  UID    PID LADDR           LPORT RADDR           RPORT      SIZE NAME
  100  20942 192.168.1.5     36412 192.168.1.1        79      1160 finger
    0  20931 192.168.1.5        23 192.168.1.1     54284      7411 in.telnetd
[...]

And "tcpsnoop" gives a packet based output,

# tcpsnoop
  UID    PID LADDR           LPORT DR RADDR           RPORT  SIZE CMD
  100  20968 192.168.1.5     36418 -> 192.168.1.1        79    54 finger
  100  20968 192.168.1.5     36418 <- 192.168.1.1        79    66 finger
  100  20968 192.168.1.5     36418 -> 192.168.1.1        79    54 finger
  100  20968 192.168.1.5     36418 -> 192.168.1.1        79    56 finger
  100  20968 192.168.1.5     36418 <- 192.168.1.1        79    54 finger
  100  20968 192.168.1.5     36418 <- 192.168.1.1        79   606 finger
  100  20968 192.168.1.5     36418 -> 192.168.1.1        79    54 finger
  100  20968 192.168.1.5     36418 <- 192.168.1.1        79    54 finger
  100  20968 192.168.1.5     36418 -> 192.168.1.1        79    54 finger
  100  20968 192.168.1.5     36418 -> 192.168.1.1        79    54 finger
  100  20968 192.168.1.5     36418 <- 192.168.1.1        79    54 finger
    0    242 192.168.1.5        23 <- 192.168.1.1     54302    54 inetd
    0    242 192.168.1.5        23 -> 192.168.1.1     54302    54 inetd
    0    242 192.168.1.5        23 <- 192.168.1.1     54302    54 inetd
    0    242 192.168.1.5        23 <- 192.168.1.1     54302    78 inetd
    0    242 192.168.1.5        23 -> 192.168.1.1     54302    54 inetd
    0  20969 192.168.1.5        23 -> 192.168.1.1     54302    57 in.telnetd
    0  20969 192.168.1.5        23 <- 192.168.1.1     54302    54 in.telnetd
[...]

Over the past year I've had various solutions to TCP by process on my
website, however nothing that has covered all traffic in a sensible manner
(most traffic, but never all traffic). To do every last packet properly
turns out to be quite a challenge.

Since the OS code was made public 2 weeks ago I've made a strong effort to
read the tcp code and get it right. The above programs act sensibly for all
traffic I've thrown at it on my Solaris 10 3/05 x86 server. Now I have to
test everything else (just noticed a header parsing problem on SPARC in
fact ... :) you'd better check for updates ;)

Enjoy,

Brendan Gregg
[Sydney, Australia]
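
An added example, not part of the original post and not code from the DTraceToolkit: a small Python parser for the tcpsnoop column layout shown above. It sums the SIZE column as printed per process and direction, and lists connections that appear under more than one PID, as the inetd to in.telnetd hand-off does. The function names are hypothetical, and SAMPLE is a constructed subset of the rows in the post.

```python
from collections import defaultdict

# Constructed sample: a subset of the tcpsnoop rows shown in the post.
SAMPLE = """\
  UID    PID LADDR           LPORT DR RADDR           RPORT  SIZE CMD
  100  20968 192.168.1.5     36418 -> 192.168.1.1        79    54 finger
  100  20968 192.168.1.5     36418 <- 192.168.1.1        79    66 finger
  100  20968 192.168.1.5     36418 <- 192.168.1.1        79   606 finger
    0    242 192.168.1.5        23 <- 192.168.1.1     54302    78 inetd
    0    242 192.168.1.5        23 -> 192.168.1.1     54302    54 inetd
    0  20969 192.168.1.5        23 -> 192.168.1.1     54302    57 in.telnetd
    0  20969 192.168.1.5        23 <- 192.168.1.1     54302    54 in.telnetd
[...]
"""

def parse_tcpsnoop(text):
    """Yield one dict per packet row; skip the header, '[...]' and bad lines."""
    for line in text.splitlines():
        f = line.strip().split(None, 8)
        if len(f) != 9 or f[4] not in ("->", "<-"):
            continue  # header row has "DR" in the direction column
        try:
            yield {"uid": int(f[0]), "pid": int(f[1]),
                   "conn": (f[2], int(f[3]), f[5], int(f[6])),
                   "out": f[4] == "->", "size": int(f[7]), "cmd": f[8]}
        except ValueError:
            continue  # non-numeric UID/PID/port/size: not a packet row

def by_process(text):
    """Sum the printed SIZE per (uid, pid, cmd), split by direction."""
    totals = defaultdict(lambda: {"out": 0, "in": 0, "packets": 0})
    for p in parse_tcpsnoop(text):
        t = totals[(p["uid"], p["pid"], p["cmd"])]
        t["out" if p["out"] else "in"] += p["size"]
        t["packets"] += 1
    return dict(totals)

def shared_connections(text):
    """Connections seen under more than one PID (inetd, then in.telnetd)."""
    owners = defaultdict(set)
    for p in parse_tcpsnoop(text):
        owners[p["conn"]].add((p["pid"], p["cmd"]))
    return {c: sorted(o) for c, o in owners.items() if len(o) > 1}

if __name__ == "__main__":
    for key, t in sorted(by_process(SAMPLE).items()):
        print(key, t)
    print(shared_connections(SAMPLE))
```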