I originally posted this at http://blogs.sun.com/brendan/entry/dtrace_tcp_provider_at_cec_2006.
Yesterday at the CEC 2006 conference, Bryan Cantrill and I gave a demonstration of a prototype DTrace tcp provider that I've been developing, which is one of a suggested collection of DTrace network providers. I've just put together a website to list the demonstrations performed: CEC 2006 DTrace TCP.
Below are a couple of examples from the website. My tcpio2.d tool traces TCP traffic and provides IP address, TCP port, TCP payload size and TCP flag information:
# ./tcpio2.d
LADDR:PORT               RADDR:PORT              BYTES FLAGS
192.168.1.185:79      <- 192.168.1.109:56145         0 (SYN)
192.168.1.185:79      -> 192.168.1.109:56145         0 (SYN|ACK)
192.168.1.185:79      <- 192.168.1.109:56145         0 (ACK)
192.168.1.185:79      <- 192.168.1.109:56145         2 (PUSH|ACK)
192.168.1.185:79      -> 192.168.1.109:56145         0 (ACK)
192.168.1.185:79      -> 192.168.1.109:56145       126 (PUSH|ACK)
192.168.1.185:79      <- 192.168.1.109:56145         0 (ACK)
192.168.1.185:79      -> 192.168.1.109:56145         0 (FIN|ACK)
192.168.1.185:79      <- 192.168.1.109:56145         0 (ACK)
192.168.1.185:79      <- 192.168.1.109:56145         0 (FIN|ACK)
192.168.1.185:79      -> 192.168.1.109:56145         0 (ACK)
^C
And tcpaccept2.d aggregates inbound connections by hostname and service name:
# ./tcpaccept2.d
dtrace: script './tcpaccept2.d' matched 1 probe
Tracing... Hit Ctrl-C to end.
^C
HOSTNAME          PORT           COUNT
marlin6           finger             1
bass              login              2
marlin            ssh                2
marlin            telnet             2
marlin            finger             3
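The same kind of inbound-connection aggregation, written as an added example rather than the tcpaccept2.d script from the website: it uses the stable tcp provider that later shipped in Solaris and illumos, not the 2006 prototype, and assumes the tcp:::accept-established probe with its tcpsinfo_t argument in args[3]. It keys on remote address and local port instead of resolved host and service names, since D cannot do name lookups in kernel context.

```d
#!/usr/sbin/dtrace -s
/*
 * Count inbound TCP connections by remote address and local port.
 * Assumes the stable tcp provider (Solaris/illumos), where
 * tcp:::accept-established fires once the three-way handshake
 * completes for a passively opened connection and args[3] is a
 * tcpsinfo_t * with tcps_raddr (remote address) and tcps_lport
 * (local port).
 */
#pragma D option quiet

dtrace:::BEGIN
{
	printf("Tracing accepted TCP connections... Hit Ctrl-C to end.\n");
}

tcp:::accept-established
{
	/* one accepted connection per probe firing */
	@num[args[3]->tcps_raddr, args[3]->tcps_lport] = count();
}

dtrace:::END
{
	printf("%-20s %-8s %8s\n", "RADDR", "LPORT", "COUNT");
	printa("%-20s %-8d %@8d\n", @num);
}
```

A sudden burst of counts against a single local port from many remote addresses, or many distinct ports from one address, is the pattern this summary makes easy to spot without capturing packets.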
The source for these scripts, and numerous other demonstrations, is on the website. Check DTrace discuss for discussion of this prototype provider.