Demonstrations of tcpsubnet, the Linux eBPF/bcc version.


tcpsubnet summarizes throughput by destination subnet.
It works only for IPv4. Eg:

# tcpsubnet
Tracing... Output every 1 secs. Hit Ctrl-C to end
[03/05/18 22:32:47]
127.0.0.1/32               8
[03/05/18 22:32:48]
[03/05/18 22:32:49]
[03/05/18 22:32:50]
[03/05/18 22:32:51]
[03/05/18 22:32:52]
127.0.0.1/32              10
[03/05/18 22:32:53]

This example output shows the number of bytes sent to 127.0.0.1/32 (the
loopback interface). For demo purposes, I set netcat listening on port
8080, connected to it and sent the following payloads.

# nc 127.0.0.1 8080
1111111
111111111

The first line sends 7 digits plus the null character (8 bytes).
The second line sends 9 digits plus the null character (10 bytes).

Notice also how tcpsubnet prints a header line with the current date
and time formatted in the current locale.

Try it yourself to get a feeling of how tcpsubnet works.

By default, tcpsubnet will categorize traffic in the following subnets:

- 127.0.0.1/32
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 0.0.0.0/0

The last subnet is a catch-all. In other words, anything that doesn't
match the first 4 defaults will be categorized under 0.0.0.0/0.

You can change this default behavior by passing a comma separated list
of subnets. Let's say we would like to know how much traffic we
are sending to github.com. We first find out what IPs github.com resolves
to, Eg:

# dig +short github.com
192.30.253.112
192.30.253.113

With this information, we can come up with a reasonable range of IPs
to monitor, Eg:

# tcpsubnet.py 192.30.253.110/27,0.0.0.0/0
Tracing... Output every 1 secs. Hit Ctrl-C to end
[03/05/18 22:38:58]
0.0.0.0/0               5780
192.30.253.110/27       2205
[03/05/18 22:38:59]
0.0.0.0/0               2036
192.30.253.110/27       1183
[03/05/18 22:39:00]
[03/05/18 22:39:01]
192.30.253.110/27      12537

If we would like to be more accurate, we can use the two IPs returned
by dig, Eg:

# tcpsubnet 192.30.253.113/32,192.130.253.112/32,0.0.0.0/0
Tracing... Output every 1 secs. Hit Ctrl-C to end
[03/05/18 22:42:56]
0.0.0.0/0               1177
192.30.253.113/32        910
[03/05/18 22:42:57]
0.0.0.0/0              48704
192.30.253.113/32        892
[03/05/18 22:42:58]
192.30.253.113/32        891
0.0.0.0/0                858
[03/05/18 22:42:59]
0.0.0.0/0              11159
192.30.253.113/32        894
[03/05/18 22:43:00]
0.0.0.0/0              60601

NOTE: When used in production, it is expected that you will have full
information about your network topology. In which case you won't need
to approximate subnets nor need to put individual IP addresses like
we just did.

Notice that the order of the subnets matters. Say we put 0.0.0.0/0 as
the first element of the list and 192.130.253.112/32 as the second: all the
traffic going to 192.130.253.112/32 will be categorized in 0.0.0.0/0,
as 192.130.253.112/32 is contained in 0.0.0.0/0 and the first match wins.

The default output unit is bytes. You can change it by using the
-f [--format] flag. tcpsubnet uses the same flags as iperf for the unit
format and adds mM. When using kmKM, the output will be rounded to floor.
Eg:

# tcpsubnet -fK 0.0.0.0/0
[03/05/18 22:44:04]
0.0.0.0/0                  1
[03/05/18 22:44:05]
0.0.0.0/0                  5
[03/05/18 22:44:06]
0.0.0.0/0                 31

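To make the two rules just described concrete (first-match classification in the order the subnets are listed, and the -f unit conversions with floor rounding), here is an added Python example. It is not code from bcc or tcpsubnet.py, which do the matching inside the generated BPF program; the FORMATS table, the function names and the SENDS records are constructed for this illustration.

```python
# Added example, not part of bcc or tcpsubnet.py: a user-space model of
# first-match classification of the destination address against the subnet
# list in the order given, and of the -f unit conversions with floor
# rounding.  The send records at the bottom are constructed.
import ipaddress
from collections import defaultdict

# Unit conversions modelled on tcpsubnet's -f help text (b/k/m are bits,
# B/K/M are bytes); integer division gives the floor rounding the text
# mentions for k, m, K and M.
FORMATS = {
    "b": lambda n: n * 8,
    "k": lambda n: (n * 8) // 1024,
    "m": lambda n: (n * 8) // (1024 * 1024),
    "B": lambda n: n,
    "K": lambda n: n // 1024,
    "M": lambda n: n // (1024 * 1024),
}


def parse_subnets(spec):
    """Parse the comma separated subnet list, preserving its order.

    The reported label is the string exactly as given (tcpsubnet prints
    192.30.253.110/27, not the normalised 192.30.253.96/27), while matching
    uses the masked network, hence strict=False.
    """
    subnets = []
    for item in spec.split(","):
        label = item.strip()
        net = ipaddress.ip_network(label, strict=False)
        if net.version != 4:
            raise ValueError("tcpsubnet works only for IPv4: %s" % label)
        subnets.append((label, net))
    return subnets


def classify(dst, subnets):
    """Return the label of the FIRST subnet containing dst, or None.

    Because the list is walked in order, a catch-all such as 0.0.0.0/0
    placed first swallows every address: the ordering caveat above.
    """
    ip = ipaddress.IPv4Address(dst)  # raises on IPv6, as the tool is v4-only
    for label, net in subnets:
        if ip in net:
            return label
    return None


def summarize(sends, subnets, fmt="B"):
    """Aggregate (dst_ip, nbytes) records per matched subnet, like one
    tcpsubnet output interval, and convert with the chosen -f unit."""
    if fmt not in FORMATS:
        raise ValueError("unknown format %r, expected one of bkmBKM" % fmt)
    totals = defaultdict(int)
    for dst, nbytes in sends:
        label = classify(dst, subnets)
        if label is not None:  # traffic matching no subnet is not reported
            totals[label] += nbytes
    # Only subnets that saw traffic appear, as in the tool's output
    return {label: FORMATS[fmt](n) for label, n in totals.items()}


# Constructed send records: the two loopback payloads from the netcat demo
# plus some traffic towards one of the github.com addresses and elsewhere.
SENDS = [
    ("127.0.0.1", 8),
    ("127.0.0.1", 10),
    ("192.30.253.112", 2048),
    ("10.1.2.3", 3072),
]

if __name__ == "__main__":
    ordered = parse_subnets("127.0.0.1/32,192.30.253.112/32,0.0.0.0/0")
    print(summarize(SENDS, ordered))
    # Catch-all first: everything lands in 0.0.0.0/0
    print(summarize(SENDS, parse_subnets("0.0.0.0/0,192.30.253.112/32")))
    # KBytes with floor rounding: 5138 bytes -> 5
    print(summarize(SENDS, parse_subnets("0.0.0.0/0"), "K"))
```

Running it shows the /27 approximation catching 192.30.253.112 (the /27 covers .96 to .127), the catch-all-first list collapsing every send into 0.0.0.0/0, and the same 5138 bytes reporting as 5 with -fK and 40 with -fk because of the floor.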
Just like the majority of the bcc tools, tcpsubnet supports -i and --ebpf.

It also supports -v [--verbose], which gives useful debugging information
on how the subnets are evaluated and the BPF program is constructed.

Last but not least, it supports -J [--json] to print the output in
JSON format. This is handy if you're calling tcpsubnet from another
program (say a nodejs server) and would like to have a structured stdout.
The output in JSON format will also include the date and time.
Eg:

# tcpsubnet -J -fK 192.130.253.110/27,0.0.0.0/0
{"date": "03/05/18", "entries": {"0.0.0.0/0": 2}, "time": "22:46:27"}
{"date": "03/05/18", "entries": {}, "time": "22:46:28"}
{"date": "03/05/18", "entries": {}, "time": "22:46:29"}
{"date": "03/05/18", "entries": {}, "time": "22:46:30"}
{"date": "03/05/18", "entries": {"192.30.253.110/27": 0}, "time": "22:46:31"}
{"date": "03/05/18", "entries": {"192.30.253.110/27": 1}, "time": "22:46:32"}
{"date": "03/05/18", "entries": {"192.30.253.110/27": 18}, "time": "22:46:32"}


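As an added example of a consumer for the -J output, of the kind the text imagines another program reading from tcpsubnet's stdout (not part of bcc or tcpsubnet.py): the sample lines are the ones from the session above, the function names are constructed, and reading the date as mm/dd/yy is an assumption based on the locale visible in that session.

```python
# Added example, not part of bcc or tcpsubnet.py: parse and aggregate the
# one-JSON-object-per-line output of tcpsubnet -J.  Each line is one
# interval; "entries" maps the subnet label to the amount in the -f unit,
# and a subnet with no traffic in that interval is simply absent (an empty
# object when nothing was sent).  The sample lines are the session above;
# parsing the date as mm/dd/yy is an assumption from that session's locale.
import json
from datetime import datetime

SAMPLE_OUTPUT = """\
{"date": "03/05/18", "entries": {"0.0.0.0/0": 2}, "time": "22:46:27"}
{"date": "03/05/18", "entries": {}, "time": "22:46:28"}
{"date": "03/05/18", "entries": {}, "time": "22:46:29"}
{"date": "03/05/18", "entries": {}, "time": "22:46:30"}
{"date": "03/05/18", "entries": {"192.30.253.110/27": 0}, "time": "22:46:31"}
{"date": "03/05/18", "entries": {"192.30.253.110/27": 1}, "time": "22:46:32"}
{"date": "03/05/18", "entries": {"192.30.253.110/27": 18}, "time": "22:46:32"}
"""


def parse_record(line):
    """Parse one -J line into (timestamp, {subnet: amount}).

    Raises ValueError for a line that is not the expected shape, so a
    consumer fails loudly instead of silently miscounting."""
    rec = json.loads(line)
    if not isinstance(rec, dict) or not all(k in rec for k in ("date", "entries", "time")):
        raise ValueError("unexpected tcpsubnet record: %r" % line)
    # Assumption: the locale used in the session writes dates as mm/dd/yy
    when = datetime.strptime(rec["date"] + " " + rec["time"], "%m/%d/%y %H:%M:%S")
    entries = rec["entries"]
    if not isinstance(entries, dict) or not all(isinstance(v, int) for v in entries.values()):
        raise ValueError("entries must map subnet to an integer amount: %r" % line)
    return when, dict(entries)


def records(text):
    """Yield (timestamp, entries) for every non-blank line of -J output."""
    for line in text.splitlines():
        if line.strip():
            yield parse_record(line)


def totals_by_subnet(text):
    """Sum the reported amounts per subnet over every interval in text."""
    sums = {}
    for _, entries in records(text):
        for subnet, amount in entries.items():
            sums[subnet] = sums.get(subnet, 0) + amount
    return sums


def busiest_entry(text):
    """Return (timestamp, subnet, amount) for the largest single entry,
    or None when no interval reported any subnet."""
    best = None
    for when, entries in records(text):
        for subnet, amount in entries.items():
            if best is None or amount > best[2]:
                best = (when, subnet, amount)
    return best


if __name__ == "__main__":
    print(totals_by_subnet(SAMPLE_OUTPUT))
    print(busiest_entry(SAMPLE_OUTPUT))
```

Two things a consumer has to get right are visible in the sample: an absent subnet means no traffic in that interval, whereas an explicit 0 (the 22:46:31 line) means the subnet was hit but, with -fK and floor rounding, less than one KByte was sent, so both cases must be handled rather than treated as an error.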
USAGE:

# ./tcpsubnet -h
usage: tcpsubnet.py [-h] [-v] [-J] [-f {b,k,m,B,K,M}] [-i INTERVAL] [subnets]

Summarize TCP send and aggregate by subnet

positional arguments:
  subnets               comma separated list of subnets

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         output debug statements
  -J, --json            format output in JSON
  -f {b,k,m,B,K,M}, --format {b,k,m,B,K,M}
                        [bkmBKM] format to report: bits, Kbits, Mbits, bytes,
                        KBytes, MBytes (default B)
  -i INTERVAL, --interval INTERVAL
                        output interval, in seconds (default 1)

examples:
    ./tcpsubnet                 # Trace TCP sent to the default subnets:
                                # 127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,
                                # 192.168.0.0/16,0.0.0.0/0
    ./tcpsubnet -f K            # Trace TCP sent to the default subnets
                                # aggregated in KBytes.
    ./tcpsubnet 10.80.0.0/24    # Trace TCP sent to 10.80.0.0/24 only
    ./tcpsubnet -J              # Format the output in JSON.