Network Lower Level Protocols

From DTraceBook

This chapter uses DTrace for analyzing the lower levels of the network stack, including sockets, IP, TCP, UDP, ICMP, XDR and Ethernet.

Sample One-Liners

See the DTrace book for more one-liners.

Socket

Socket accepts by process name:
dtrace -n 'syscall::accept*:entry { @[execname] = count(); }'

Socket connections by process and user stack trace:
dtrace -n 'syscall::connect*:entry { trace(execname); ustack(); }'

mib Provider

IP event statistics:
dtrace -n 'mib:::ip* { @[probename] = sum(arg0); }'

TCP event statistics with kernel function:
dtrace -n 'mib:::tcp* { @[strjoin(probefunc, strjoin("() -> ", probename))] = sum(arg0); }'

ip Provider

Received IP packets by host address:
dtrace -n 'ip:::receive { @[args[2]->ip_saddr] = count(); }'

IP send payload size distribution by destination:
dtrace -n 'ip:::send { @[args[2]->ip_daddr] = quantize(args[2]->ip_plength); }'

tcp Provider

Who is connecting to what:
dtrace -n 'tcp:::accept-established { @[args[3]->tcps_raddr, args[3]->tcps_lport] = count(); }'

Who isn't connecting to what:
dtrace -n 'tcp:::accept-refused { @[args[2]->ip_daddr, args[4]->tcp_sport] = count(); }'

What am I connecting to?
dtrace -n 'tcp:::connect-established { @[args[3]->tcps_raddr, args[3]->tcps_rport] = count(); }'

IP payload bytes for TCP send, size distribution by destination address:
dtrace -n 'tcp:::send { @[args[2]->ip_daddr] = quantize(args[2]->ip_plength); }'
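The accept-refused and accept-established one-liners above can be combined into a short script that summarizes inbound connection attempts per remote host every 10 seconds, which is a useful first look when many refused connections across many local ports suggest a host probing the machine. This is an added example written for this page, not a script from the DTrace book; the file name is made up, and the argument fields follow the one-liners above (for accept-refused, the traced packet is the outgoing RST, so ip_daddr is the remote host and tcp_sport the local port).

```d
#!/usr/sbin/dtrace -s
/*
 * tcpinbound.d (constructed name): summarize inbound TCP connections
 * per remote host, separating accepted from refused, and list which
 * local ports each remote host was refused on.
 * Added example for this page; not from the DTrace book.
 */
#pragma D option quiet

dtrace:::BEGIN
{
	printf("Tracing inbound TCP... Hit Ctrl-C to end.\n");
}

tcp:::accept-refused
{
	/* RST being sent: ip_daddr is the remote host, tcp_sport the local port */
	@refused[args[2]->ip_daddr] = count();
	@ports[args[2]->ip_daddr, args[4]->tcp_sport] = count();
}

tcp:::accept-established
{
	/* handshake completed: tcps_raddr is the remote host */
	@accepted[args[3]->tcps_raddr] = count();
}

tick-10s
{
	printf("\n%-32s %10s\n", "REMOTE HOST", "ACCEPTED");
	printa("%-32s %@10d\n", @accepted);
	printf("\n%-32s %10s\n", "REMOTE HOST", "REFUSED");
	printa("%-32s %@10d\n", @refused);
	printf("\n%-32s %-8s %10s\n", "REMOTE HOST", "LPORT", "REFUSED");
	printa("%-32s %-8d %@10d\n", @ports);
	/* clear the aggregations so each report covers one interval */
	trunc(@accepted);
	trunc(@refused);
	trunc(@ports);
}
```

Run it as root with `dtrace -s tcpinbound.d`; a single remote host with a high REFUSED count spread over many distinct LPORT values is the pattern worth following up on.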

Scripts

Errata

Links