#!/usr/local/bin/bpftrace
/*
* soaccept - Trace socket IP-protocol accepts with details.
*
* See BPF Performance Tools, Chapter 10, for an explanation of this tool.
*
* Copyright (c) 2019 Brendan Gregg.
* Licensed under the Apache License, Version 2.0 (the "License").
* This was originally created for the BPF Performance Tools book
* published by Addison Wesley. ISBN-13: 9780136554820
* When copying or porting, include this comment.
*
* 13-Apr-2019 Brendan Gregg Created this.
*/
#include <linux/in.h>
#include <linux/in6.h>
BEGIN
{
	// Column header. The widths mirror the per-event printf() calls in the
	// sys_exit_accept* probe so the rows line up.
	printf("%-6s %-16s FAM %-16s %-5s %s\n",
	    "PID", "PROCESS", "ADDRESS", "PORT", "RESULT");

	// errno -> short text for the RESULT column. Key 0 is the success case.
	// The wording is abbreviated; accept(2) documents each error in full.
	// Only the errnos listed here have an entry; any other value has no
	// description to print.
	@err2str[0] = "Success";

	// Caller-side errors: bad arguments or bad descriptor.
	@err2str[EPERM] = "Permission denied";
	@err2str[EINTR] = "Interrupted";
	@err2str[EBADF] = "Invalid sockfd";
	@err2str[EAGAIN] = "None to accept";
	@err2str[ENOMEM] = "Out of memory";
	@err2str[EFAULT] = "Sock struct addr invalid";
	@err2str[EINVAL] = "Args invalid";

	// Descriptor exhaustion: worth watching on a listener under load.
	@err2str[ENFILE] = "System FD limit";
	@err2str[EMFILE] = "Process FD limit";

	// Socket/protocol level errors.
	@err2str[EPROTO] = "Protocol error";
	@err2str[ENOTSOCK] = "FD not a socket";
	@err2str[EOPNOTSUPP] = "Not SOCK_STREAM";
	@err2str[ECONNABORTED] = "Aborted";
	@err2str[ENOBUFS] = "Memory (ENOBUFS)";
}
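// Remember, per thread, the user-space sockaddr pointer passed to accept() or
// accept4() so the matching exit probe can read the peer address after the
// syscall returns.
//
// Calls that pass a NULL address are skipped. The exit probe's
// /@sockaddr[tid]/ filter never fires for a zero value, so storing one would
// leave a map entry that is never deleted; enough of those fill the map and
// later accepts go unrecorded. Accepts made with a NULL address are therefore
// not reported by this tool at all (a visibility gap to keep in mind when it
// is used for monitoring).
tracepoint:syscalls:sys_enter_accept,
tracepoint:syscalls:sys_enter_accept4
/args->upeer_sockaddr/
{
	@sockaddr[tid] = args->upeer_sockaddr;
}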
// On return from accept()/accept4(), print one row for IPv4/IPv6 peers.
// Fires only for threads whose entry probe stored a non-zero sockaddr pointer.
//
// The address is read from the traced process's own buffer, not from kernel
// socket state, so ADDRESS and PORT show whatever that memory holds when the
// probe runs.
// NOTE(review): on a failed accept the kernel presumably has not filled the
// buffer, so the family check below sees whatever was there before; error
// rows may be missing or carry a stale address. Confirm before relying on the
// RESULT column for failures.
tracepoint:syscalls:sys_exit_accept,
tracepoint:syscalls:sys_exit_accept4
/@sockaddr[tid]/
{
	$addr = (struct sockaddr *)@sockaddr[tid];

	// Other families (e.g. AF_UNIX) are ignored: this tool is IP-only.
	if ($addr->sa_family == AF_INET || $addr->sa_family == AF_INET6) {
		// A positive return is the new fd and maps to key 0 ("Success");
		// otherwise the negated return value is used as the errno key.
		$error = args->ret > 0 ? 0 : - args->ret;

		printf("%-6d %-16s %-3d ", pid, comm, $addr->sa_family);

		if ($addr->sa_family == AF_INET) {
			$in4 = (struct sockaddr_in *)@sockaddr[tid];
			// Swap the two bytes of the network-order port by hand.
			// NOTE(review): correct on little-endian hosts only.
			$hport = ($in4->sin_port >> 8) |
			    (($in4->sin_port << 8) & 0xff00);
			printf("%-16s %-5d %s\n",
			    ntop(AF_INET, $in4->sin_addr.s_addr),
			    $hport, @err2str[$error]);
		} else {
			$in6 = (struct sockaddr_in6 *)@sockaddr[tid];
			// Same byte swap for the IPv6 port.
			$hport = ($in6->sin6_port >> 8) |
			    (($in6->sin6_port << 8) & 0xff00);
			printf("%-16s %-5d %s\n",
			    ntop(AF_INET6, $in6->sin6_addr.in6_u.u6_addr8),
			    $hport, @err2str[$error]);
		}
	}

	// Drop the per-thread entry whether or not a row was printed, so the
	// map does not grow with every accepting thread.
	delete(@sockaddr[tid]);
}
END
{
	// Empty both maps so bpftrace does not dump them when the tool exits:
	// the errno lookup table is static, and any leftover sockaddr pointers
	// belong to accepts that were still in flight.
	clear(@err2str);
	clear(@sockaddr);
}