http://blog.163.com/digoal@126/blog/static/16387704020131014104256627/
 
例子来自tcpdumplike.stp脚本, 当tcp.receive事件触发后, 取出类似tcpdump输出的源ip, 目的ip, 源端口, 目的端口, 以及6个tcp包的控制比特位信息.
tcp.receive alias实际上包含2个内核函数, 分别代表ipv4和ipv6. 
kernel.function("tcp_v4_rcv")
kernel.function("tcp_v6_rcv")!, module("ipv6").function("tcp_v6_rcv")
// !表示有限匹配kernel.function("tcp_v6_rcv"), 匹配后下面的module就不触发了.
 
脚本内容以及注解
[root@db-172-16-3-150 network]# cd /usr/share/systemtap/testsuite/systemtap.examples/network
[root@db-172-16-3-150 network]# cat tcpdumplike.stp
#!/usr/bin/stap
 
// A TCP dump like example
 
probe begin, timer.s(1) {
  printf("-----------------------------------------------------------------\n")
  printf("       Source IP         Dest IP  SPort  DPort  U  A  P  R  S  F \n")
  printf("-----------------------------------------------------------------\n")
}
// stap脚本开始, 并且以后每秒输出一次头信息. 方便阅读.
 
probe tcp.receive {
  printf(" %15s %15s  %5d  %5d  %d  %d  %d  %d  %d  %d\n",
         saddr, daddr, sport, dport, urg, ack, psh, rst, syn, fin)
}
// 跟踪tcp.receive事件, 事件出发时, 输出
// saddr 源IP
// daddr 目的IP
// sport 源端口
// dport 目的端口
// urg, ack, psh, rst syn, fin 6个tcp包的控制比特位信息
 
执行输出举例
[root@db-172-16-3-150 network]# stap ./tcpdumplike.stp 
-----------------------------------------------------------------
       Source IP         Dest IP  SPort  DPort  U  A  P  R  S  F 
-----------------------------------------------------------------
     172.16.8.31    172.16.3.150  51167     22  0  1  0  0  0  0
     172.16.8.31    172.16.3.150  54223     22  0  1  1  0  0  0
     172.16.8.31    172.16.3.150  54223     22  0  1  1  0  0  0
     172.16.8.31    172.16.3.150  54223     22  0  1  0  0  0  0
     172.16.8.31    172.16.3.150  51167     22  0  1  1  0  0  0
     172.16.3.40    172.16.3.150  51927   9000  0  0  0  0  1  0
最后一行的A=0, S=1, 表示这个包是从172.16.3.40发过来的建立三次握手的第一个包.
U=1的话, 表示重要的包, 接收到后不要放到缓冲区, 直接处理.
 
本文用到的tcp.receive probe alias原型.
/usr/share/systemtap/tapset/tcp.stp
/**
 * probe tcp.receive - Called when a TCP packet is received
 * @name: Name of the probe point
 * @iphdr: IP header address
 * @protocol: Packet protocol from driver
 * @family: IP address family
 * @saddr: A string representing the source IP address
 * @daddr: A string representing the destination IP address
 * @sport: TCP source port
 * @dport: TCP destination port
 * @urg: TCP URG flag
 * @ack: TCP ACK flag
 * @psh: TCP PSH flag
 * @rst: TCP RST flag
 * @syn: TCP SYN flag
 * @fin: TCP FIN flag
 */
probe tcp.receive = tcp.ipv4.receive, tcp.ipv6.receive
{
}
// tcp.receive包含ipv4和ipv6的alias.
 
probe tcp.ipv4.receive = kernel.function("tcp_v4_rcv")
{
        name = "tcp.ipv4.receive"
        iphdr = __get_skb_iphdr($skb)
        # If we're here, by definition we're doing AF_INET, not AF_INET6.
        family = %{ /* pure */ AF_INET %}
        saddr = format_ipaddr(__ip_skb_saddr(iphdr), %{ /* pure */ AF_INET %})
        daddr = format_ipaddr(__ip_skb_daddr(iphdr), %{ /* pure */ AF_INET %})
        protocol = __ip_skb_proto(iphdr)
 
        tcphdr = __get_skb_tcphdr($skb)
        dport = __tcp_skb_dport(tcphdr)
        sport = __tcp_skb_sport(tcphdr)
        urg = __tcp_skb_urg(tcphdr)
        ack = __tcp_skb_ack(tcphdr)
        psh = __tcp_skb_psh(tcphdr)
        rst = __tcp_skb_rst(tcphdr)
        syn = __tcp_skb_syn(tcphdr)
        fin = __tcp_skb_fin(tcphdr)
}
 
probe tcp.ipv6.receive = kernel.function("tcp_v6_rcv")!,
        module("ipv6").function("tcp_v6_rcv")
{
        name = "tcp.ipv6.receive"
        iphdr = __get_skb_iphdr(@defined($skb) ? $skb : kernel_pointer($pskb))
        # If we're here, by definition we're doing AF_INET6, not AF_INET.
        family = %{ /* pure */ AF_INET6 %}
        saddr = format_ipaddr(&@cast(iphdr, "ipv6hdr")->saddr,
                              %{ /* pure */ AF_INET6 %})
        daddr = format_ipaddr(&@cast(iphdr, "ipv6hdr")->daddr,
                              %{ /* pure */ AF_INET6 %})
        # If we're here, by definition we're doing IPPROTO_TCP.  There
        # isn't a protocol field in 'struct ipv6hdr'.  There is one in
        # 'struct sk_buff', but that protocol field is an Ethernet
        # Procol ID (ETH_P_*), not an IP protocol ID (IPPROTO_*).
        protocol = %{ /* pure */ IPPROTO_TCP %}
 
        tcphdr = __get_skb_tcphdr(@defined($skb) ? $skb : kernel_pointer($pskb))
        dport = __tcp_skb_dport(tcphdr)
        sport = __tcp_skb_sport(tcphdr)
        urg = __tcp_skb_urg(tcphdr)
        ack = __tcp_skb_ack(tcphdr)
        psh = __tcp_skb_psh(tcphdr)
        rst = __tcp_skb_rst(tcphdr)
        syn = __tcp_skb_syn(tcphdr)
        fin = __tcp_skb_fin(tcphdr)
}
// 一些tcp常用的函数
//
//Definitions of the TCP protocol sk_state field listed below.
//
//     TCP_ESTABLISHED = 1,   Normal data transfer
//     TCP_SYN_SENT   = 2,   App. has started to open a connection
//     TCP_SYN_RECV   = 3,   A connection request has arrived; wait for ACK
//     TCP_FIN_WAIT1  = 4,   App. has said it is finished
//     TCP_FIN_WAIT2  = 5,   The other side has agreed to close
//     TCP_TIME_WAIT  = 6,   Wait for all packets to die off
//     TCP_CLOSE      = 7,   No connection is active or pending 
//     TCP_CLOSE_WAIT = 8,   The other side has initiated a release
//     TCP_LAST_ACK   = 9,   Last ACK, wait for all packets to die off
//     TCP_LISTEN     = 10,  Waiting for incoming call
//     TCP_CLOSING    = 11,  Both sides have tried to close simultaneously
//     TCP_MAX_STATES = 12   Max states number
// 
function tcp_ts_get_info_state:long(sock:long)
%{ /* pure */
        struct sock *sk = (struct sock *)(long) STAP_ARG_sock;
        STAP_RETVALUE = (int64_t) kread(&(sk->sk_state));
        CATCH_DEREF_FAULT();
%}
 
/* return the TCP destination port for a given sock */
function __tcp_sock_dport:long (sock:long)
{
    return (@defined(@cast(sock, "inet_sock")->inet_dport)
            ? @cast(sock, "inet_sock")->inet_dport # kernel >= 2.6.33
            : (@defined(@cast(sock, "inet_sock")->dport)
               ? @cast(sock, "inet_sock", "kernel")->dport # kernel >= 2.6.11
               : @cast(sock, "inet_sock", "kernel<net/ip.h>")->inet->dport))
}
// 内嵌了C代码, 为了取出sock的值.
 
TCP 包头信息

TCP Header Format

  1.     0                   1                   2                   3
  2.     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  3.    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  4.    |          Source Port          |       Destination Port        |
  5.    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  6.    |                        Sequence Number                        |
  7.    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  8.    |                    Acknowledgment Number                      |
  9.    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  10.    |  Data |           |U|A|P|R|S|F|                               |
  11.    | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
  12.    |       |           |G|K|H|T|N|N|                               |
  13.    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  14.    |           Checksum            |         Urgent Pointer        |
  15.    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  16.    |                    Options                    |    Padding    |
  17.    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  18.    |                             data                              |
  19.    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  20.  
  21.                             TCP Header Format
  22.  
  23.           Note that one tick mark represents one bit position.
  24.  
  25.                                Figure 3.
控制比特信息 : 

Control Bits: 6 bits (from left to right):

  1.     URG:  Urgent Pointer field significant
  2.     ACK:  Acknowledgment field significant
  3.     PSH:  Push Function
  4.     RST:  Reset the connection
  5.     SYN:  Synchronize sequence numbers
  6.     FIN:  No more data from sender
 
[参考]
1. /usr/share/systemtap/testsuite/systemtap.examples
3. systemtap-testsuite
5. /usr/share/systemtap/testsuite/systemtap.examples/index.txt
6. /usr/share/systemtap/testsuite/systemtap.examples/keyword-index.txt
7. /usr/share/systemtap/tapset

Systemtap examples, Network - 4 Monitoring TCP Packets的更多相关文章

  1. computer network layers architecture (TCP/IP)

    computer network layers architecture (TCP/IP) 计算机网络分层架构 TCP/IP 协议簇 OSI 模型(7 层) TCP/IP (4 层) Applicat ...

  2. Top 10 Free Wireless Network hacking/monitoring tools for ethical hackers and businesses

    There are lots of free tools available online to get easy access to the WiFi networks intended to he ...

  3. Language-Directed Hardware Design for Network Performance Monitoring——Marple

    网络监控困难 1.仅仅通过去增加特定的监控功能到交换机是不能满足运营商不断变化的需求的.(交换机需要支持网络性能问题的表达语言) 2.他们缺乏对网络深处的性能问题进行本地化的可见性,间接推断网络问题的 ...

  4. SystemTap Beginners Guide

    SystemTap 3.0 SystemTap Beginners Guide Introduction to SystemTap Edition 3.0   Red Hat, Inc. Don Do ...

  5. Network Load Balancing Technical Overview--reference

    http://technet.microsoft.com/en-us/library/bb742455.aspx Abstract Network Load Balancing, a clusteri ...

  6. TCP/UDP端口列表

    http://zh.wikipedia.org/wiki/TCP/UDP%E7%AB%AF%E5%8F%A3%E5%88%97%E8%A1%A8 TCP/UDP端口列表     本条目可通过翻译外语维 ...

  7. Monitoring and Tuning the Linux Networking Stack: Receiving Data

    http://blog.packagecloud.io/eng/2016/06/22/monitoring-tuning-linux-networking-stack-receiving-data/ ...

  8. How Network Load Balancing Technology Works--reference

    http://technet.microsoft.com/en-us/library/cc756878(v=ws.10).aspx In this section Network Load Balan ...

  9. 内核调试神器SystemTap — 简介与使用(一)

    a linux trace/probe tool. 官网:https://sourceware.org/systemtap/ 简介 SystemTap是我目前所知的最强大的内核调试工具,有些家伙甚至说 ...

随机推荐

  1. (27)zabbix自定义图表Graph

    zabbix提供了一个自定义图表的功能,这不是废话么?呵呵~前面文章 讲到的<zabbix简易图表>只能显示单个item的数据图表.如果我们想显示多个信息到一个图表上,那必须使用zabbi ...

  2. free指令的说明

    CentOS 6.x系统中的freefree [-b|-k|-m|-g|-h] [-l] [-o] [-t] [-s delay] [-c count] [-V] -b #-k,-m,-g 以单位by ...

  3. Kali入门配置使用(一)

    一.Kali简介 1.1.相关连接 Kali百度百科:https://baike.baidu.com/item/Kali%20linux/8305689?fr=aladdin Kali wiki:ht ...

  4. perl学习之argument

    Arguments are the values you pass to a Perl script. Each value on the command line after the name of ...

  5. Python9-面对对象2-day23

    #计算正方形的周长和面积 class Square: def __init__(self,side_len): self.side_len = side_len def perimeter(self) ...

  6. "javac不是内部或外部命令"的解决办法

    “javac不是内部或外部命令”,而此时的java环境是好用的: 1.先检查 JAVA_HOME  =   C:\Program Files\Java\jdk1.7.0_45 classpath   ...

  7. linux相关技术

    1.查询服务器tcp连接状态及连接数 netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'

  8. thymeleaf和artTemplate

    Company最近项目中使用了两个模板引擎,分别是Java服务器端的模板引擎Thymeleaf和前端的模板引擎artTemplate, 其实对于这两个模板引擎 理论上应该是不应该放在一起记录的,但是b ...

  9. Python基础之(判断,循环,列表,字典)

    一.python介绍 Python是一种简单易学,功能强大的编程语言,它有高效率的高层数据结构,简单而有效地实现面向对象编程.Python简洁的语法和对动态输入的支持,再加上解释性语言的本质,使得它在 ...

  10. luogu3809 后缀排序 后缀数组

    ref and 挑战程序设计竞赛. 主要是发现自己以前写得代码太难看而且忘光了,而且我字符串死活学不会啊,kmp这种东西我都觉得是省选+难度啊QAQ #include <iostream> ...