| .TH tcplife 8 "2016-10-19" "USER COMMANDS" | |
| .SH NAME | |
| tcplife \- Trace TCP sessions and summarize lifespan. Uses Linux eBPF/bcc. | |
| .SH SYNOPSIS | |
| .B tcplife [\-h] [\-T] [\-t] [\-w] [\-s] [\-p PID] [\-D PORTS] [\-L PORTS] | |
| .SH DESCRIPTION | |
| This tool traces TCP sessions that open and close while tracing, and prints | |
| a line of output to summarize each one. This includes the IP addresses, ports, | |
| duration, and throughput for the session. This is useful for workload | |
| characterisation and flow accounting: identifying what connections are | |
| happening, with the bytes transferred. | |
| This tool works by using kernel dynamic tracing, and will need to be updated | |
| if the kernel implementation changes. Only TCP state changes are traced, so | |
| it is expected that the overhead of this tool is much lower than typical | |
| send/receive tracing. | |
| Since this uses BPF, only the root user can use this tool. | |
| .SH REQUIREMENTS | |
| CONFIG_BPF and bcc. | |
| .SH OPTIONS | |
| .TP | |
| \-h | |
| Print usage message. | |
| .TP | |
| \-s | |
| Comma-separated values output (parseable). | |
| .TP | |
| \-t | |
| Include a timestamp column (seconds). | |
| .TP | |
| \-T | |
| Include a time column (HH:MM:SS). | |
| .TP | |
| \-w | |
| Wide column output (fits IPv6 addresses). | |
| .TP | |
| \-p PID | |
| Trace this process ID only (filtered in-kernel). | |
| .TP | |
| \-L PORTS | |
| Comma-separated list of local ports to trace (filtered in-kernel). | |
| .TP | |
| \-D PORTS | |
| Comma-separated list of destination ports to trace (filtered in-kernel). | |
| .SH EXAMPLES | |
| .TP | |
| Trace all TCP sessions, and summarize lifespan and throughput: | |
| # | |
| .B tcplife | |
| .TP | |
| Include a timestamp column, and wide column output: | |
| # | |
| .B tcplife \-tw | |
| .TP | |
| Trace PID 181 only: | |
| # | |
| .B tcplife \-p 181 | |
| .TP | |
| Trace connections to local ports 80 and 81 only: | |
| # | |
| .B tcplife \-L 80,81 | |
| .TP | |
| Trace connections to remote port 80 only: | |
| # | |
| .B tcplife \-D 80 | |
| .SH FIELDS | |
| .TP | |
| TIME | |
| Time of the call, in HH:MM:SS format. | |
| .TP | |
| TIME(s) | |
| Time of the call, in seconds. | |
| .TP | |
| PID | |
| Process ID | |
| .TP | |
| COMM | |
| Process name | |
| .TP | |
| IP | |
| IP address family (4 or 6) | |
| .TP | |
| LADDR | |
| Local IP address. | |
| .TP | |
| DADDR | |
| Remote IP address. | |
| .TP | |
| LPORT | |
| Local port. | |
| .TP | |
| DPORT | |
| Destination port. | |
| .TP | |
| TX_KB | |
| Total transmitted Kbytes. | |
| .TP | |
| RX_KB | |
| Total received Kbytes. | |
| .TP | |
| MS | |
| Lifespan of the session, in milliseconds. | |
| .SH OVERHEAD | |
| This traces the kernel TCP set state function, which should be called much | |
| less often than send/receive tracing, and therefore have lower overhead. The | |
| overhead of the tool is relative to the rate of new TCP sessions: if this is | |
| high, over 10,000 per second, then there may be noticeable overhead just to | |
| print out 10k lines of formatted output per second. | |
| You can find out the rate of new TCP sessions using "sar \-n TCP 1", and | |
| adding the active/s and passive/s columns. | |
| As always, test and understand this tool's overhead for your types of | |
| workloads before production use. | |
| .SH SOURCE | |
| This is from bcc. | |
| .IP | |
| https://github.com/iovisor/bcc | |
| .PP | |
| Also look in the bcc distribution for a companion _examples.txt file containing | |
| example usage, output, and commentary for this tool. | |
| .SH OS | |
| Linux | |
| .SH STABILITY | |
| Unstable - in development. | |
| .SH AUTHOR | |
| Brendan Gregg | |
| .SH SEE ALSO | |
| tcpaccept(8), tcpconnect(8), tcptop(8) |
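
The flow accounting use described under DESCRIPTION, applied to the parseable output of \-s, as an added example that is not part of bcc or of this man page. It assumes the CSV begins with a header row using the column names listed under FIELDS (and that some versions label the remote columns RADDR/RPORT); the sample rows, `account_flows` and `heavy_senders` are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of `tcplife -s` output (not captured from a real host).
# Assumption: a header row with the column names from the FIELDS section.
SAMPLE = """\
PID,COMM,IP,LADDR,LPORT,DADDR,DPORT,TX_KB,RX_KB,MS
1201,curl,4,10.0.0.5,41822,192.0.2.10,443,2,48,310.25
1377,backup,4,10.0.0.5,41830,198.51.100.7,22,51200,12,60211.40
1377,backup,4,10.0.0.5,41836,198.51.100.7,22,20480,9,24100.02
902,sshd,4,10.0.0.5,22,203.0.113.9,50122,14,3,1893.77
1500,nc,4,10.0.0.5
"""

# Assumption: some tcplife versions name the remote columns RADDR/RPORT.
ALIASES = {"RADDR": "DADDR", "RPORT": "DPORT"}

def account_flows(text):
    """Sum sessions, TX_KB, RX_KB and MS per (COMM, DADDR, DPORT)."""
    reader = csv.reader(io.StringIO(text))
    header = [ALIASES.get(h.strip(), h.strip()) for h in next(reader, [])]
    totals = defaultdict(lambda: {"sessions": 0, "tx_kb": 0, "rx_kb": 0, "ms": 0.0})
    for fields in reader:
        if len(fields) != len(header):
            continue  # truncated or interleaved line: do not guess at columns
        row = dict(zip(header, fields))
        try:
            key = (row["COMM"], row["DADDR"], int(row["DPORT"]))
            tx, rx, ms = int(row["TX_KB"]), int(row["RX_KB"]), float(row["MS"])
        except ValueError:
            continue  # non-numeric field, e.g. a repeated header row
        t = totals[key]
        t["sessions"] += 1
        t["tx_kb"] += tx
        t["rx_kb"] += rx
        t["ms"] += ms
    return dict(totals)

def heavy_senders(totals, tx_kb_threshold):
    """Flows whose summed TX_KB meets the threshold, largest first."""
    hits = [(k, v) for k, v in totals.items() if v["tx_kb"] >= tx_kb_threshold]
    return sorted(hits, key=lambda kv: kv[1]["tx_kb"], reverse=True)

if __name__ == "__main__":
    for (comm, daddr, dport), t in heavy_senders(account_flows(SAMPLE), 10240):
        print(f"{comm} -> {daddr}:{dport} sessions={t['sessions']} "
              f"tx_kb={t['tx_kb']} rx_kb={t['rx_kb']} ms={t['ms']:.2f}")
```

Because the parser keys on the header row, it also accepts output produced with \-t or \-T, where a time column precedes PID.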