#!/usr/local/bin/bpftrace
/*
* sofamily - Count address families for new sockets by process.
*
* See BPF Performance Tools, Chapter 10, for an explanation of this tool.
*
* Copyright (c) 2019 Brendan Gregg.
* Licensed under the Apache License, Version 2.0 (the "License").
* This was originally created for the BPF Performance Tools book
* published by Addison Wesley. ISBN-13: 9780136554820
* When copying or porting, include this comment.
*
* 10-Apr-2019 Brendan Gregg Created this.
*/
#include <linux/socket.h>
// Runs once at start-up: print the banner and build the family-name table.
BEGIN
{
	printf("Tracing socket connect/accepts. Ctrl-C to end.\n");

	// Number -> name table for the address families this tool labels; the
	// AF_* constants come from linux/socket.h. The probes below key their
	// counts on the numeric family as well as the name, so a family that is
	// not listed here is still counted and can be identified by its number
	// (its name field is presumably empty -- confirm on your bpftrace version).
	@fam2str[AF_UNSPEC] = "AF_UNSPEC";
	@fam2str[AF_UNIX] = "AF_UNIX";
	@fam2str[AF_INET] = "AF_INET";
	@fam2str[AF_INET6] = "AF_INET6";
}
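// Count connect() calls by process name and address family.
//
// args->uservaddr points at the caller's sockaddr in user memory and is read
// here at syscall entry, so the family recorded is whatever that buffer held
// when the probe fired. Treat the counts as observability data rather than an
// audit record of what the kernel acted on.
// NOTE(review): addrlen is not consulted, so a buffer too short to hold
// sa_family may produce a meaningless family value -- confirm if that matters.
tracepoint:syscalls:sys_enter_connect
{
	// Read the family once so the number and the name in the key always come
	// from the same read of user memory.
	$family = args->uservaddr->sa_family;
	@connect[comm, $family, @fam2str[$family]] = count();
}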
// Entry half of the accept()/accept4() pair: the peer address buffer is only
// filled in by the time the syscall returns, so remember the caller's pointer
// per thread and let the exit probe read through it.
// NOTE(review): a caller may pass NULL here; the stored value is then 0 and the
// exit probe's filter skips it, which appears to leave the entry in @sockaddr
// until the thread calls accept again or END clears the map -- confirm.
tracepoint:syscalls:sys_enter_accept,
tracepoint:syscalls:sys_enter_accept4
{
	$peer_addr = args->upeer_sockaddr;
	@sockaddr[tid] = $peer_addr;
}
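// Exit half of the accept()/accept4() pair: count accepted connections by
// process name and address family, using the sockaddr pointer the entry probe
// saved for this thread. The filter skips threads with no saved (non-zero)
// pointer.
tracepoint:syscalls:sys_exit_accept,
tracepoint:syscalls:sys_exit_accept4
/@sockaddr[tid]/
{
	// On success accept() returns the new file descriptor, which is any
	// non-negative value. Descriptor 0 is a valid result (for example in a
	// process that has closed stdin), so test >= 0 rather than > 0; failures
	// are negative.
	if (args->ret >= 0) {
		$sa = (struct sockaddr *)@sockaddr[tid];
		// Single read of the user buffer so the numeric family and its name
		// in the key cannot disagree.
		$family = $sa->sa_family;
		@accept[comm, $family, @fam2str[$family]] = count();
	}
	// Always drop the per-thread entry, whether or not the call succeeded.
	delete(@sockaddr[tid]);
}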
// Runs once at exit: empty the helper maps so that only the @connect and
// @accept counts are left to be printed.
END
{
	clear(@sockaddr);
	clear(@fam2str);
}