tcpaccept - Trace TCP passive connections (accept()). Uses Linux eBPF/bcc.
tcpaccept [-h] [-t] [-x] [-p PID]
This tool traces passive TCP connections (e.g., via an accept() syscall; connect()
calls are active connections). This can be useful for general troubleshooting to see
what new connections the local server is accepting.
This uses dynamic tracing of the kernel inet_csk_accept() socket function (from
tcp_prot.accept), and will need to be modified to match kernel changes.
This tool only traces successful TCP accept()s. Connection attempts to closed
ports will not be shown (those can be traced via other functions).
Since this uses BPF, only the root user can use this tool.
CONFIG_BPF and bcc.
- -h
- Print usage message.
- -t
- Include a timestamp column.
- -p PID
- Trace this process ID only (filtered in-kernel).
- Trace all passive TCP connections (accept()s):
- # tcpaccept
- Trace all TCP accepts, and include timestamps:
- # tcpaccept -t
- Trace PID 181 only:
- # tcpaccept -p 181
- Time of the event, in seconds.
- Process ID
- Process name
- IP address family (4 or 6)
- Remote IP address.
- Local IP address.
- Local port
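The fields above can be post-processed to review which processes are accepting connections on which ports. The following is an added example, not part of bcc or this man page: it assumes `tcpaccept -t` prints whitespace-separated columns in the order listed above, and the header names, sample rows and the `EXPECTED` allowlist are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of `tcpaccept -t` output: column order follows the field
# list above; header names and all values are assumptions.
SAMPLE = """\
TIME(s)  PID    COMM     IP RADDR          LADDR           LPORT
0.000    907    sshd     4  192.168.56.1   192.168.56.102  22
0.127    2010   nginx    4  203.0.113.7    192.168.56.102  443
1.204    2010   nginx    6  2001:db8::15   2001:db8::102   443
3.850    4121   python3  4  198.51.100.23  192.168.56.102  8000
malformed line
"""

# Hypothetical allowlist: process name -> local ports it is expected to serve.
EXPECTED = {"sshd": {22}, "nginx": {80, 443}}


def parse_line(line):
    """Return a dict for one event row, or None for headers and bad rows."""
    parts = line.split()
    if len(parts) != 7:
        return None
    try:
        event = {"time": float(parts[0]), "pid": int(parts[1]), "comm": parts[2],
                 "ip": int(parts[3]), "raddr": ipaddress.ip_address(parts[4]),
                 "laddr": ipaddress.ip_address(parts[5]), "lport": int(parts[6])}
    except ValueError:
        return None  # header row or corrupted field
    # The family column must agree with both parsed addresses.
    if {event["raddr"].version, event["laddr"].version} != {event["ip"]}:
        return None
    return event


def review(text, expected=EXPECTED):
    """Count accepts per (comm, lport); list events outside the allowlist."""
    counts, unexpected = Counter(), []
    for event in filter(None, map(parse_line, text.splitlines())):
        counts[(event["comm"], event["lport"])] += 1
        if event["lport"] not in expected.get(event["comm"], set()):
            unexpected.append(event)
    return counts, unexpected


if __name__ == "__main__":
    counts, unexpected = review(SAMPLE)
    for e in unexpected:
        print(f"unexpected: {e['comm']} pid={e['pid']} port={e['lport']} from {e['raddr']}")
```

Process names containing whitespace would break the seven-column split and are dropped by this parser rather than misread.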
This traces the kernel inet_csk_accept function and prints output for each
event. The rate of this depends on your server application. If it is a web or
proxy server accepting many tens of thousands of connections per second, then
the overhead of this tool may be measurable (although, still a lot better than
tracing every packet). If it is less than a thousand a second, then the
overhead is expected to be negligible. Test and understand this overhead
This is from bcc.
Also look in the bcc distribution for a companion _examples.txt file containing
example usage, output, and commentary for this tool.
Unstable - in development.
tcpconnect(8), funccount(8), tcpdump(8)