http://blog.163.com/digoal@126/blog/static/16387704020131014104256627/
 
例子来自tcpdumplike.stp脚本, 当tcp.receive事件触发后, 取出类似tcpdump输出的源ip, 目的ip, 源端口, 目的端口, 以及6个tcp包的控制比特位信息.
tcp.receive alias实际上包含2个内核函数, 分别代表ipv4和ipv6. 
kernel.function("tcp_v4_rcv")
kernel.function("tcp_v6_rcv")!, module("ipv6").function("tcp_v6_rcv")
// !表示有限匹配kernel.function("tcp_v6_rcv"), 匹配后下面的module就不触发了.
 
脚本内容以及注解
[root@db-172-16-3-150 network]# cd /usr/share/systemtap/testsuite/systemtap.examples/network
[root@db-172-16-3-150 network]# cat tcpdumplike.stp
#!/usr/bin/stap
 
// A TCP dump like example
 
probe begin, timer.s(1) {
  printf("-----------------------------------------------------------------\n")
  printf("       Source IP         Dest IP  SPort  DPort  U  A  P  R  S  F \n")
  printf("-----------------------------------------------------------------\n")
}
// stap脚本开始, 并且以后每秒输出一次头信息. 方便阅读.
 
probe tcp.receive {
  printf(" %15s %15s  %5d  %5d  %d  %d  %d  %d  %d  %d\n",
         saddr, daddr, sport, dport, urg, ack, psh, rst, syn, fin)
}
// 跟踪tcp.receive事件, 事件出发时, 输出
// saddr 源IP
// daddr 目的IP
// sport 源端口
// dport 目的端口
// urg, ack, psh, rst syn, fin 6个tcp包的控制比特位信息
 
执行输出举例
[root@db-172-16-3-150 network]# stap ./tcpdumplike.stp 
-----------------------------------------------------------------
       Source IP         Dest IP  SPort  DPort  U  A  P  R  S  F 
-----------------------------------------------------------------
     172.16.8.31    172.16.3.150  51167     22  0  1  0  0  0  0
     172.16.8.31    172.16.3.150  54223     22  0  1  1  0  0  0
     172.16.8.31    172.16.3.150  54223     22  0  1  1  0  0  0
     172.16.8.31    172.16.3.150  54223     22  0  1  0  0  0  0
     172.16.8.31    172.16.3.150  51167     22  0  1  1  0  0  0
     172.16.3.40    172.16.3.150  51927   9000  0  0  0  0  1  0
最后一行的A=0, S=1, 表示这个包是从172.16.3.40发过来的建立三次握手的第一个包.
U=1的话, 表示重要的包, 接收到后不要放到缓冲区, 直接处理.
 
本文用到的tcp.receive probe alias原型.
/usr/share/systemtap/tapset/tcp.stp
/**
 * probe tcp.receive - Called when a TCP packet is received
 * @name: Name of the probe point
 * @iphdr: IP header address
 * @protocol: Packet protocol from driver
 * @family: IP address family
 * @saddr: A string representing the source IP address
 * @daddr: A string representing the destination IP address
 * @sport: TCP source port
 * @dport: TCP destination port
 * @urg: TCP URG flag
 * @ack: TCP ACK flag
 * @psh: TCP PSH flag
 * @rst: TCP RST flag
 * @syn: TCP SYN flag
 * @fin: TCP FIN flag
 */
probe tcp.receive = tcp.ipv4.receive, tcp.ipv6.receive
{
}
// tcp.receive包含ipv4和ipv6的alias.
 
probe tcp.ipv4.receive = kernel.function("tcp_v4_rcv")
{
        name = "tcp.ipv4.receive"
        iphdr = __get_skb_iphdr($skb)
        # If we're here, by definition we're doing AF_INET, not AF_INET6.
        family = %{ /* pure */ AF_INET %}
        saddr = format_ipaddr(__ip_skb_saddr(iphdr), %{ /* pure */ AF_INET %})
        daddr = format_ipaddr(__ip_skb_daddr(iphdr), %{ /* pure */ AF_INET %})
        protocol = __ip_skb_proto(iphdr)
 
        tcphdr = __get_skb_tcphdr($skb)
        dport = __tcp_skb_dport(tcphdr)
        sport = __tcp_skb_sport(tcphdr)
        urg = __tcp_skb_urg(tcphdr)
        ack = __tcp_skb_ack(tcphdr)
        psh = __tcp_skb_psh(tcphdr)
        rst = __tcp_skb_rst(tcphdr)
        syn = __tcp_skb_syn(tcphdr)
        fin = __tcp_skb_fin(tcphdr)
}
 
probe tcp.ipv6.receive = kernel.function("tcp_v6_rcv")!,
        module("ipv6").function("tcp_v6_rcv")
{
        name = "tcp.ipv6.receive"
        iphdr = __get_skb_iphdr(@defined($skb) ? $skb : kernel_pointer($pskb))
        # If we're here, by definition we're doing AF_INET6, not AF_INET.
        family = %{ /* pure */ AF_INET6 %}
        saddr = format_ipaddr(&@cast(iphdr, "ipv6hdr")->saddr,
                              %{ /* pure */ AF_INET6 %})
        daddr = format_ipaddr(&@cast(iphdr, "ipv6hdr")->daddr,
                              %{ /* pure */ AF_INET6 %})
        # If we're here, by definition we're doing IPPROTO_TCP.  There
        # isn't a protocol field in 'struct ipv6hdr'.  There is one in
        # 'struct sk_buff', but that protocol field is an Ethernet
        # Procol ID (ETH_P_*), not an IP protocol ID (IPPROTO_*).
        protocol = %{ /* pure */ IPPROTO_TCP %}
 
        tcphdr = __get_skb_tcphdr(@defined($skb) ? $skb : kernel_pointer($pskb))
        dport = __tcp_skb_dport(tcphdr)
        sport = __tcp_skb_sport(tcphdr)
        urg = __tcp_skb_urg(tcphdr)
        ack = __tcp_skb_ack(tcphdr)
        psh = __tcp_skb_psh(tcphdr)
        rst = __tcp_skb_rst(tcphdr)
        syn = __tcp_skb_syn(tcphdr)
        fin = __tcp_skb_fin(tcphdr)
}
// 一些tcp常用的函数
//
//Definitions of the TCP protocol sk_state field listed below.
//
//     TCP_ESTABLISHED = 1,   Normal data transfer
//     TCP_SYN_SENT   = 2,   App. has started to open a connection
//     TCP_SYN_RECV   = 3,   A connection request has arrived; wait for ACK
//     TCP_FIN_WAIT1  = 4,   App. has said it is finished
//     TCP_FIN_WAIT2  = 5,   The other side has agreed to close
//     TCP_TIME_WAIT  = 6,   Wait for all packets to die off
//     TCP_CLOSE      = 7,   No connection is active or pending 
//     TCP_CLOSE_WAIT = 8,   The other side has initiated a release
//     TCP_LAST_ACK   = 9,   Last ACK, wait for all packets to die off
//     TCP_LISTEN     = 10,  Waiting for incoming call
//     TCP_CLOSING    = 11,  Both sides have tried to close simultaneously
//     TCP_MAX_STATES = 12   Max states number
// 
function tcp_ts_get_info_state:long(sock:long)
%{ /* pure */
        struct sock *sk = (struct sock *)(long) STAP_ARG_sock;
        STAP_RETVALUE = (int64_t) kread(&(sk->sk_state));
        CATCH_DEREF_FAULT();
%}
 
/* return the TCP destination port for a given sock */
function __tcp_sock_dport:long (sock:long)
{
    return (@defined(@cast(sock, "inet_sock")->inet_dport)
            ? @cast(sock, "inet_sock")->inet_dport # kernel >= 2.6.33
            : (@defined(@cast(sock, "inet_sock")->dport)
               ? @cast(sock, "inet_sock", "kernel")->dport # kernel >= 2.6.11
               : @cast(sock, "inet_sock", "kernel<net/ip.h>")->inet->dport))
}
// 内嵌了C代码, 为了取出sock的值.
 
TCP 包头信息

TCP Header Format

    0                   1                   2                   3

    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |          Source Port          |       Destination Port        |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |                        Sequence Number                        |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |                    Acknowledgment Number                      |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |  Data |           |U|A|P|R|S|F|                               |

   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |

   |       |           |G|K|H|T|N|N|                               |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |           Checksum            |         Urgent Pointer        |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |                    Options                    |    Padding    |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |                             data                              |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            TCP Header Format

          Note that one tick mark represents one bit position.

                               Figure 3.
控制比特信息 : 

Control Bits: 6 bits (from left to right):

    URG:  Urgent Pointer field significant

    ACK:  Acknowledgment field significant

    PSH:  Push Function

    RST:  Reset the connection

    SYN:  Synchronize sequence numbers

    FIN:  No more data from sender
 
[参考]
1. /usr/share/systemtap/testsuite/systemtap.examples
3. systemtap-testsuite
5. /usr/share/systemtap/testsuite/systemtap.examples/index.txt
6. /usr/share/systemtap/testsuite/systemtap.examples/keyword-index.txt
7. /usr/share/systemtap/tapset

Systemtap examples, Network - 4 Monitoring TCP Packets的更多相关文章

  1. computer network layers architecture (TCP/IP)

    computer network layers architecture (TCP/IP) 计算机网络分层架构 TCP/IP 协议簇 OSI 模型(7 层) TCP/IP (4 层) Applicat ...

  2. Top 10 Free Wireless Network hacking/monitoring tools for ethical hackers and businesses

    There are lots of free tools available online to get easy access to the WiFi networks intended to he ...

  3. Language-Directed Hardware Design for Network Performance Monitoring——Marple

    网络监控困难 1.仅仅通过去增加特定的监控功能到交换机是不能满足运营商不断变化的需求的.(交换机需要支持网络性能问题的表达语言) 2.他们缺乏对网络深处的性能问题进行本地化的可见性,间接推断网络问题的 ...

  4. SystemTap Beginners Guide

    SystemTap 3.0 SystemTap Beginners Guide Introduction to SystemTap Edition 3.0   Red Hat, Inc. Don Do ...

  5. Network Load Balancing Technical Overview--reference

    http://technet.microsoft.com/en-us/library/bb742455.aspx Abstract Network Load Balancing, a clusteri ...

  6. TCP/UDP端口列表

    http://zh.wikipedia.org/wiki/TCP/UDP%E7%AB%AF%E5%8F%A3%E5%88%97%E8%A1%A8 TCP/UDP端口列表     本条目可通过翻译外语维 ...

  7. Monitoring and Tuning the Linux Networking Stack: Receiving Data

    http://blog.packagecloud.io/eng/2016/06/22/monitoring-tuning-linux-networking-stack-receiving-data/ ...

  8. How Network Load Balancing Technology Works--reference

    http://technet.microsoft.com/en-us/library/cc756878(v=ws.10).aspx In this section Network Load Balan ...

  9. 内核调试神器SystemTap — 简介与使用(一)

    a linux trace/probe tool. 官网:https://sourceware.org/systemtap/ 简介 SystemTap是我目前所知的最强大的内核调试工具,有些家伙甚至说 ...

随机推荐

  1. 51nod 1264 线段相交——计算几何

    题目链接:http://www.51nod.com/Challenge/Problem.html#!#problemId=1264 检查点的位置就行了,具体见注释. /* (a-c)×(d-c)*(d ...

  2. 2018 CCF NOIP提高组&&普及组答案

    答案: 这是今年的答案大家觉得能进到复赛吗? 下一篇文章将会为大家推荐我自己出的复赛题!!!

  3. vfs_caches_init函数解析

    vfs_caches_init函数初始化VFS,下面梳理函数调用流程 start_kernel() -->vfs_caches_init_early(); -->dcache_init_e ...

  4. WIN10配置instantclient

    在PLSQL Developer目录下建立如下bat文件,替换其快捷方式,启动PLSQL Developer: @echo off set path=C:\instantclient-basic-nt ...

  5. 常见slave 延迟原因以及解决方法

    一  序言在运维线上M-M 架构的MySQL数据库时,接收的比较多关于主备延时的报警: 点击(此处)折叠或打开 check_ins_slave_lag (err_cnt:1)critical-slav ...

  6. MFC中关于CListBox控件添加水平滚动条

    首先是设置listbox控件的属性  Horizontal Scroll设为TRUE: 然后添加函数到CUighurRecognitionDlg.cpp(在CUighurRecognitionDlg. ...

  7. Hive中文注释乱码解决方案

    本文来自网易云社区 作者:王潘安 快速解决方法 目前的hive客户端在执行desc tablexxx和show create table xxx命令的时候,字段的中文注释会出现乱码情况,如(????) ...

  8. kali-xfce的简单配置

    1.更新 设置kali的更新源 在终端中打开sources.list root@kali:~# vim /etc/apt/sources.list 删除里面的注释,清空. 然后输入下面的更新源地址: ...

  9. Leetcode 385.字典序排序

    字典序排序 给定一个整数 n, 返回从 1 到 n 的字典顺序. 例如, 给定 n =1 3,返回 [1,10,11,12,13,2,3,4,5,6,7,8,9] . 请尽可能的优化算法的时间复杂度和 ...

  10. 自动化运维之shell通配符,转义符,和元字符(二)

    1 shell通配符 通配符看起来有点象正则表达式语句,但是它与正则表达式不同的,不能相互混淆.把通配符理解为shell特殊代号字符就可. 二.shell元字符 shell除了有通配符之外,由shel ...