Continuing from the previous article: Overview of BCC source code content (2)
This article refers to the introduction in the Contents section of the official website.
Among the files in the BCC source code root directory, some are single files containing both C and Python, others are paired .c and .py files, and some are directories.
Tracing
Files in the examples directory:
- examples/tracing/task_switch.py
Count of task switches to and from PIDs.
- examples/tracing/tcpv4connect.py
Trace TCP IPv4 active connections.
The contents of the bcc/examples/tracing/tcpv4connect_example.txt file are as follows:
Demonstrations of tcpv4connect.py, the Linux eBPF/bcc version.
This example traces the kernel function performing active TCP IPv4 connections
(eg, via a connect() syscall; accept() are passive connections). Some example
output (IP addresses changed to protect the innocent):
```
# ./tcpv4connect.py
PID    COMM         SADDR            DADDR            DPORT
1479   telnet       127.0.0.1        127.0.0.1        23
1469   curl         10.201.219.236   54.245.105.25    80
1469   curl         10.201.219.236   54.67.101.145    80
```
This output shows three connections, one from a "telnet" process and two from
"curl". The output details show the source address, destination address,
and destination port. This traces attempted connections: these may have failed.
The overhead of this tool should be negligible, since it is only tracing the
kernel function performing a connect. It is not tracing every packet and then
filtering.
This is provided as a basic example of TCP tracing. See tools/tcpconnect for a
more featured version of this example (a tool).
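The following is an added example, not bcc's own tcpv4connect.py, showing the technique the file describes: a kprobe on tcp_v4_connect() stashes the socket pointer per thread, and the matching kretprobe reads the 4-tuple and reports it. It assumes root, a BPF-capable kernel and the bcc Python bindings; the two pure-Python helpers run anywhere and decode the trace message into the PID/COMM/SADDR/DADDR/DPORT columns shown above.

```python
# Added example, not bcc's own tcpv4connect.py: trace attempted IPv4 TCP connects
# via a kprobe/kretprobe pair on tcp_v4_connect(). Needs root + bcc to run main().
import socket, struct

BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>
#include <net/sock.h>
BPF_HASH(currsock, u32, struct sock *);   // tid -> socket seen at function entry

int kprobe__tcp_v4_connect(struct pt_regs *ctx, struct sock *sk) {
    u32 tid = bpf_get_current_pid_tgid();
    currsock.update(&tid, &sk);           // kretprobe has no args, so stash sk here
    return 0;
}

int kretprobe__tcp_v4_connect(struct pt_regs *ctx) {
    u32 tid = bpf_get_current_pid_tgid();
    struct sock **skpp = currsock.lookup(&tid);
    if (skpp == 0) return 0;              // entry missed (probe attached mid-call)
    struct sock *skp = *skpp;
    currsock.delete(&tid);
    if (PT_REGS_RC(ctx) != 0) return 0;   // connect() failed synchronously
    u32 saddr = skp->__sk_common.skc_rcv_saddr;
    u32 daddr = skp->__sk_common.skc_daddr;
    u16 dport = ntohs(skp->__sk_common.skc_dport);
    bpf_trace_printk("%x %x %d\n", saddr, daddr, dport);  // an attempt, not a success
    return 0;
}
"""

def ipv4_str(addr):
    """Dotted quad for the u32 the probe printed with %x (native byte order,
    little-endian on x86/arm64, so pack with the native "I" format)."""
    return socket.inet_ntop(socket.AF_INET, struct.pack("I", addr))

def parse_trace(msg):
    """Turn the 'saddr daddr dport' trace_pipe message into display values."""
    saddr_hex, daddr_hex, dport = msg.split()
    return ipv4_str(int(saddr_hex, 16)), ipv4_str(int(daddr_hex, 16)), int(dport)

def main():
    from bcc import BPF                   # imported late so the helpers work without bcc
    b = BPF(text=BPF_PROGRAM)             # kprobe__/kretprobe__ names attach automatically
    print("%-6s %-12s %-16s %-16s %s" % ("PID", "COMM", "SADDR", "DADDR", "DPORT"))
    while True:
        task, pid, _cpu, _flags, _ts, msg = b.trace_fields()
        saddr, daddr, dport = parse_trace(msg.decode())
        print("%-6d %-12s %-16s %-16s %d" % (pid, task.decode(), saddr, daddr, dport))

if __name__ == "__main__":
    main()
```

Like the original tool, this records every attempt that reaches tcp_v4_connect(), so a connection refused or timed out later still appears in the output.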
- examples/tracing/trace_fields.py
Simple example of printing fields from a trace event.
- examples/tracing/undump.py
Dump UNIX socket packets.
The contents of the bcc/examples/tracing/undump_example.txt file are as follows:
Demonstrations of undump.py, the Linux eBPF/bcc version.
This example traces the kernel function that receives AF_UNIX socket
packets. Some example output:
Terminal 1, UNIX Socket Server:
```
$ nc -lU /var/tmp/dsocket
# receive from Client
Hello, World
abcdefg
```
Terminal 2, UNIX Socket Client:
```
$ nc -U /var/tmp/dsocket
# Input some lines
Hello, World
abcdefg
```
Terminal 3, receive tracing:
```
$ sudo python undump.py -p 49264
Tracing PID=49264 UNIX socket packets ... Hit Ctrl-C to end
# Here print bytes of receive
PID 49264 Recv 13 bytes
48 65 6c 6c 6f 2c 20 57 6f 72 6c 64 0a
PID 49264 Recv 8 bytes
61 62 63 64 65 66 67 0a
```
This output shows two packets received by PID 49264 (nc -lU /var/tmp/dsocket).
`Hello, World` is printed as `48 65 6c 6c 6f 2c 20 57 6f 72 6c 64 0a`, where the
trailing `0a` is the newline from `Enter`; `abcdefg` is printed as `61 62 63 64 65 66 67 0a`.