<?xml version='1.0'?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
]>
<section id="tcpdumplikesect">
<title>Monitoring TCP Packets</title>
<indexterm>
<primary>script examples</primary>
<secondary>monitoring TCP packets</secondary>
</indexterm>
<indexterm>
<primary>examples of SystemTap scripts</primary>
<secondary>monitoring TCP packets</secondary>
</indexterm>
<indexterm>
<primary>monitoring TCP packets</primary>
<secondary>examples of SystemTap scripts</secondary>
</indexterm>
<indexterm>
<primary>TCP packets, monitoring</primary>
<secondary>examples of SystemTap scripts</secondary>
</indexterm>
<!--
<indexterm>
<primary>script examples</primary>
<secondary>net/socket.c, tracing functions from</secondary>
</indexterm>
<indexterm>
<primary>examples of SystemTap scripts</primary>
<secondary>net/socket.c, tracing functions from</secondary>
</indexterm>
<indexterm>
<primary>net/socket.c, tracing functions from</primary>
<secondary>examples of SystemTap scripts</secondary>
</indexterm>
-->
<para>
This section illustrates how to monitor the TCP packets a system receives. The script reports
inbound packets only: packets the system itself sends are not shown, so the source address in
its output is always the remote peer and the destination address is the local host. This is
useful when analyzing the network traffic that applications running on the system receive, for
example to see which remote hosts are talking to which local ports and at what stage each
connection is.
</para>
<formalpara id="tcpdumplike">
<title>tcpdumplike.stp</title>
<para>
<programlisting>
<xi:include parse="text" href="../testsuite/systemtap.examples/network/tcpdumplike.stp" xmlns:xi="http://www.w3.org/2001/XInclude" />
</programlisting>
</para>
</formalpara>
<para>
While <xref linkend="tcpdumplike"/> is running, it prints the following information about
every received TCP packet, in real time, one packet per line:
</para>
<itemizedlist>
<listitem><para>Source and destination IP addresses (<command>saddr</command> and
<command>daddr</command>, respectively)</para></listitem>
<listitem><para>Source and destination TCP ports (<command>sport</command> and
<command>dport</command>, respectively)</para></listitem>
<listitem><para>The TCP flags set on the packet, as one column per flag</para></listitem>
</itemizedlist>
<para>
To report which flags are set on each packet, <xref linkend="tcpdumplike"/> uses the following
values, printed as the <command>U A P R S F</command> columns:
</para>
<itemizedlist>
<listitem><para><command>urg</command> - URG, the urgent pointer is significant</para></listitem>
<listitem><para><command>ack</command> - ACK, the acknowledgement number is significant</para></listitem>
<listitem><para><command>psh</command> - PSH, push the buffered data to the receiving application</para></listitem>
<listitem><para><command>rst</command> - RST, reset the connection</para></listitem>
<listitem><para><command>syn</command> - SYN, synchronize sequence numbers (opens a connection)</para></listitem>
<listitem><para><command>fin</command> - FIN, the sender has finished sending data</para></listitem>
</itemizedlist>
<para>
Each value is <command>1</command> if the corresponding flag is set in the packet's TCP header
and <command>0</command> otherwise. Read together, the flags tell you where a connection is in
its lifetime. Because only received packets are reported, a packet with SYN set and ACK clear is
a remote host opening (or probing) a local port, a packet with both SYN and ACK set is the reply
to a connection the local host initiated, and a packet with RST set is a connection the remote
side refused or aborted.
</para>
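<para>
The six flag columns come from the flags byte of the TCP header. The following Python is an
added example and is not part of the SystemTap script or the SystemTap project: it decodes that
byte from a constructed raw header into the same U A P R S F columns, parses lines in the
script's output format back into records, and lists the local ports each remote address sent
pure SYNs (SYN set, ACK clear) to, which in this script's output are remote hosts opening or
probing local ports. All packet bytes and output lines in it are constructed, and the function
and class names are the example's own.
</para>

```python
"""
Decode the six TCP flag bits that tcpdumplike.stp prints (U A P R S F) from a
raw TCP header, parse the script's output lines back into records, and list
inbound connection attempts per remote source address.

Added example, not part of the SystemTap example script. Every packet and
output line below is constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Flag bits of the TCP header's flags byte (RFC 793), in the column order the
# script prints them. CWR (0x80) and ECE (0x40), the ECN bits from RFC 3168,
# share the byte but are not reported by the script.
FLAG_BITS = (("urg", 0x20), ("ack", 0x10), ("psh", 0x08),
             ("rst", 0x04), ("syn", 0x02), ("fin", 0x01))

# Fixed 20-byte TCP header: sport, dport, seq, ack_seq, data-offset byte,
# flags byte, window, checksum, urgent pointer (all big-endian).
TCP_HDR = struct.Struct("!HHIIBBHHH")


@dataclass
class TcpRecord:
    saddr: str
    daddr: str
    sport: int
    dport: int
    flags: Dict[str, int]   # the six columns, each 0 or 1

    def syn_only(self) -> bool:
        """A pure SYN: the first packet of a connection the remote side opens."""
        return self.flags["syn"] == 1 and self.flags["ack"] == 0


def build_tcp_header(sport: int, dport: int, flag_byte: int) -> bytes:
    """Constructed header with no options, so the data offset is 5 words (0x50)."""
    return TCP_HDR.pack(sport, dport, 0, 0, 0x50, flag_byte, 65535, 0, 0)


def decode_tcp_header(saddr: str, daddr: str, header: bytes) -> TcpRecord:
    """Build a TcpRecord from the fixed part of a TCP header.

    The addresses live in the enclosing IP header, so they are passed in.
    """
    if TCP_HDR.size > len(header):
        raise ValueError("need at least %d bytes of TCP header" % TCP_HDR.size)
    sport, dport, _seq, _ack_seq, offset_byte, flag_byte, _win, _csum, _urg = \
        TCP_HDR.unpack_from(header)
    if 5 > offset_byte // 16:          # data offset is the high nibble, in 32-bit words
        raise ValueError("TCP data offset below the 20-byte minimum")
    # (flag_byte // bit) % 2 isolates one bit of the flags byte (each bit is a
    # power of two), the same result as a bitwise AND test.
    flags = {name: (flag_byte // bit) % 2 for name, bit in FLAG_BITS}
    return TcpRecord(saddr, daddr, sport, dport, flags)


def format_record(rec: TcpRecord) -> str:
    """Render a record as one data line in the script's column layout."""
    cols = "  ".join(str(rec.flags[name]) for name, _ in FLAG_BITS)
    return " %15s %15s  %5d   %5d   %s" % (rec.saddr, rec.daddr, rec.sport, rec.dport, cols)


def parse_line(line: str) -> Optional[TcpRecord]:
    """Parse one data line of the script's output; header and rule lines give None."""
    fields = line.split()
    if len(fields) != 10 or not (fields[2].isdigit() and fields[3].isdigit()):
        return None
    sport, dport = int(fields[2]), int(fields[3])
    if sport > 65535 or dport > 65535:
        return None
    try:
        bits = [int(f) for f in fields[4:]]
    except ValueError:
        return None
    if any(b not in (0, 1) for b in bits):
        return None
    flags = {name: b for (name, _), b in zip(FLAG_BITS, bits)}
    return TcpRecord(fields[0], fields[1], sport, dport, flags)


def inbound_syn_attempts(lines: Iterable[str]) -> Dict[str, Set[int]]:
    """Map each remote source address to the local ports it sent pure SYNs to.

    The script only reports packets the host receives, so a pure SYN is a
    remote host opening (or probing) a local port; one source hitting many
    ports in a short window is the usual port-scan signature.
    """
    targets: Dict[str, Set[int]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec.syn_only():
            targets.setdefault(rec.saddr, set()).add(rec.dport)
    return targets


# Constructed lines in the script's output format. The first two look like the
# web-server replies in the section's sample output (SYN+ACK, then ACK+PSH);
# the last three are pure SYNs from one address to three local ports.
SAMPLE_OUTPUT = """\
-----------------------------------------------------------------
      Source IP         Dest IP  SPort   DPort   U  A  P  R  S  F
-----------------------------------------------------------------
 92.122.126.240       10.0.2.15     80   53214   0  1  0  0  1  0
 209.85.229.147       10.0.2.15     80   20373   0  1  1  0  0  0
   198.51.100.7       10.0.2.15  40001      22   0  0  0  0  1  0
   198.51.100.7       10.0.2.15  40002      23   0  0  0  0  1  0
   198.51.100.7       10.0.2.15  40003     445   0  0  0  0  1  0
""".splitlines()


if __name__ == "__main__":
    syn = decode_tcp_header("198.51.100.7", "10.0.2.15", build_tcp_header(40001, 22, 0x02))
    print(format_record(syn))
    for saddr, ports in inbound_syn_attempts(SAMPLE_OUTPUT).items():
        print("%s sent pure SYNs to local ports %s" % (saddr, sorted(ports)))
```

<para>
Run as a program it prints the decoded SYN as one line in the script's layout, then the
per-source port list. The point to take from it is that a row with SYN and ACK both set, as
in the section's sample output, is the reply to a connection this host opened, whereas a run
of SYN-only rows from one source to many local ports is what a port scan looks like in this
script's output.
</para>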
<example id="tcpdumplikeoutput">
<title><xref linkend="tcpdumplike"/> Sample Output</title>
<screen>
-----------------------------------------------------------------
      Source IP         Dest IP  SPort   DPort   U  A  P  R  S  F
-----------------------------------------------------------------
 209.85.229.147       10.0.2.15     80   20373   0  1  1  0  0  0
 92.122.126.240       10.0.2.15     80   53214   0  1  0  0  1  0
 92.122.126.240       10.0.2.15     80   53214   0  1  0  0  0  0
 209.85.229.118       10.0.2.15     80   63433   0  1  0  0  1  0
 209.85.229.118       10.0.2.15     80   63433   0  1  0  0  0  0
 209.85.229.147       10.0.2.15     80   21141   0  1  1  0  0  0
 209.85.229.147       10.0.2.15     80   21141   0  1  1  0  0  0
 209.85.229.147       10.0.2.15     80   21141   0  1  1  0  0  0
 209.85.229.147       10.0.2.15     80   21141   0  1  1  0  0  0
 209.85.229.147       10.0.2.15     80   21141   0  1  1  0  0  0
 209.85.229.118       10.0.2.15     80   63433   0  1  1  0  0  0
[...]
</screen>
</example>
</section>