#!/usr/sbin/dtrace -s
/*
 * tcpsnoop - snoop TCP network packets by process.
 * Written using DTrace tcp Provider.
 *
 * This analyses TCP network packets and prints the responsible PID plus
 * standard details such as IP address and port. This captures traffic
 * from existing and newly created TCP connections. It can help identify
 * which processes are causing TCP traffic.
 *
 * SEE ALSO: snoop -rS
 *
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
 *
 * Portions Copyright 2010 Brendan Gregg
 */

/*
 * Notes for anyone relying on this output during monitoring or an
 * investigation:
 *
 *  - TIME is the D variable `timestamp` divided by 1000. `timestamp` is a
 *    nanosecond counter that is only meaningful for relative comparison,
 *    so the column is microseconds on a relative clock, not wall-clock
 *    time. Correlating rows with other logs needs an external reference.
 *  - PID is whatever the tcp provider reports in cs_pid.
 *    NOTE(review): confirm on the target OS how cs_pid is chosen for
 *    sockets that are shared or inherited between processes before
 *    treating the column as definitive attribution.
 *  - DTrace drops records when its buffers fill and reports the drops on
 *    stderr; a capture taken with drops has gaps.
 */

/* Show only what the printf() actions below emit. */
#pragma D option quiet
/* Switch trace buffers ten times a second so rows appear promptly. */
#pragma D option switchrate=10hz

/*
 * Column header, printed once before any probe output.
 * NOTE(review): as shown here the header has a single space where the data
 * rows print " -> " / " <- ", which would put RADDR and later columns three
 * characters left of the data. This listing may have lost whitespace;
 * compare with the repository copy before changing the string.
 */
dtrace:::BEGIN
{
	printf("%6s %6s %15s:%-5s %15s:%-5s %6s %s\n", "TIME", "PID",
	    "LADDR", "PORT", "RADDR", "PORT", "BYTES", "FLAGS");
}

/*
 * Outbound segment: the local endpoint is the IP source address and TCP
 * source port. Prints the row up to the opening "(" of the flag list; the
 * shared tcp:::send, tcp:::receive clause later in the file fires next for
 * the same probe and finishes the line.
 */
tcp:::send
{
	/*
	 * IP payload length minus the TCP data offset, i.e. the bytes that
	 * follow the TCP header (assumes tcp_offset is expressed in bytes, as
	 * the subtraction implies -- confirm against the provider docs).
	 */
	this->payload = args[2]->ip_plength - args[4]->tcp_offset;

	printf("%6d %6d %15s:%-5d -> %15s:%-5d %6d (",
	    timestamp / 1000,
	    args[1]->cs_pid,
	    args[2]->ip_saddr, args[4]->tcp_sport,
	    args[2]->ip_daddr, args[4]->tcp_dport,
	    this->payload);
}

/*
 * Inbound segment: the local endpoint is now the IP destination address and
 * TCP destination port, so those are printed first to keep LADDR/RADDR
 * meaning "local"/"remote" in both directions. As with tcp:::send, the flag
 * list is appended by the shared clause later in the file.
 */
tcp:::receive
{
	/* Same payload computation as the send side. */
	this->payload = args[2]->ip_plength - args[4]->tcp_offset;

	printf("%6d %6d %15s:%-5d <- %15s:%-5d %6d (",
	    timestamp / 1000,
	    args[1]->cs_pid,
	    args[2]->ip_daddr, args[4]->tcp_dport,
	    args[2]->ip_saddr, args[4]->tcp_sport,
	    this->payload);
}

/*
 * Flag decoder shared by both directions. Clauses for the same probe fire
 * in program order, so this runs after the direction-specific clause above
 * has printed the row up to "(" and completes the line.
 *
 * Each set flag is printed as "NAME|"; a segment with no flags at all is
 * printed as "null ". The final "\b" backs the cursor over the trailing
 * '|' (or the space after "null") so a terminal shows a clean ")".
 *
 * When the output is redirected to a file or a log pipeline the backspace
 * byte and the character before it both stay in the stream, so a parser
 * has to drop the character preceding each \b.
 *
 * The TH_* masks are not defined in this script; they come from the DTrace
 * environment (presumably the tcp provider's D library -- confirm).
 *
 * Normal TCP operation does not emit a segment with no flags set, so a
 * "null" row on the receive side deserves a second look.
 */
tcp:::send,
tcp:::receive
{
	/* Read the flag byte once and test each bit against the copy. */
	this->flags = args[4]->tcp_flags;

	printf("%s", (this->flags & TH_FIN) ? "FIN|" : "");
	printf("%s", (this->flags & TH_SYN) ? "SYN|" : "");
	printf("%s", (this->flags & TH_RST) ? "RST|" : "");
	printf("%s", (this->flags & TH_PUSH) ? "PUSH|" : "");
	printf("%s", (this->flags & TH_ACK) ? "ACK|" : "");
	printf("%s", (this->flags & TH_URG) ? "URG|" : "");
	printf("%s", (this->flags & TH_ECE) ? "ECE|" : "");
	printf("%s", (this->flags & TH_CWR) ? "CWR|" : "");
	printf("%s", (this->flags == 0) ? "null " : "");

	/* Erase the trailing separator on a terminal and close the list. */
	printf("\b)\n");
}