Current File : //usr/share/doc/bpfcc-tools/examples/doc/solisten_example.txt
Demonstrations of solisten.py, the Linux eBPF/bcc version.
This tool traces the kernel function called when a program wants to listen
for TCP connections. It will not see UDP neither UNIX domain sockets.
It can be used to dynamically update a load balancer as a program is actually
ready to accept connexion, hence avoiding the "downtime" while it is initializing.
# ./solisten.py --show-netns
PID COMM NETNS PROTO BACKLOG ADDR PORT
3643 nc 4026531957 TCPv4 1 0.0.0.0 4242
3659 nc 4026531957 TCPv6 1 2001:f0d0:1002:51::4 4242
4221 redis-server 4026532165 TCPv6 128 :: 6379
4221 redis-server 4026532165 TCPv4 128 0.0.0.0 6379
6067 nginx 4026531957 TCPv4 128 0.0.0.0 80
6067 nginx 4026531957 TCPv6 128 :: 80
6069 nginx 4026531957 TCPv4 128 0.0.0.0 80
6069 nginx 4026531957 TCPv6 128 :: 80
6069 nginx 4026531957 TCPv4 128 0.0.0.0 80
6069 nginx 4026531957 TCPv6 128 :: 80
This output show the listen event from 3 programs. Netcat was started twice as
shown by the 2 different PIDs. The first time on the wildcard IPv4, the second
time on an IPv6. Netcat being a "one shot" program. It can accept a single
connection, hence the backlog of "1".
The next program is redis-server. As the netns column shows, it is in a
different network namespace than netcat and nginx. In this specific case
it was launched in a docker container. It listens both on IPv4 and IPv4
with up to 128 pending connections.
Determining the actual container is out if the scope of this tool. It could
be derived by scrapping /proc/<PID>/cgroup. Note that this is racy.
The overhead of this tool is negligeable as it traces listen() calls which are
invoked in the initialization path of a program. The operation part will remain
unaffected. In particular, accept() calls will not be affected. Neither
individual read() and write().
Mini Shell