http://blog.163.com/digoal@126/blog/static/16387704020131014104256627/
 
例子来自tcpdumplike.stp脚本, 当tcp.receive事件触发后, 取出类似tcpdump输出的源ip, 目的ip, 源端口, 目的端口, 以及6个tcp包的控制比特位信息.
tcp.receive alias实际上包含2个内核函数, 分别代表ipv4和ipv6. 
kernel.function("tcp_v4_rcv")
kernel.function("tcp_v6_rcv")!, module("ipv6").function("tcp_v6_rcv")
// !表示有限匹配kernel.function("tcp_v6_rcv"), 匹配后下面的module就不触发了.
 
脚本内容以及注解
[root@db-172-16-3-150 network]# cd /usr/share/systemtap/testsuite/systemtap.examples/network
[root@db-172-16-3-150 network]# cat tcpdumplike.stp
#!/usr/bin/stap
 
// A TCP dump like example
 
probe begin, timer.s(1) {
  printf("-----------------------------------------------------------------\n")
  printf("       Source IP         Dest IP  SPort  DPort  U  A  P  R  S  F \n")
  printf("-----------------------------------------------------------------\n")
}
// stap脚本开始, 并且以后每秒输出一次头信息. 方便阅读.
 
probe tcp.receive {
  printf(" %15s %15s  %5d  %5d  %d  %d  %d  %d  %d  %d\n",
         saddr, daddr, sport, dport, urg, ack, psh, rst, syn, fin)
}
// 跟踪tcp.receive事件, 事件出发时, 输出
// saddr 源IP
// daddr 目的IP
// sport 源端口
// dport 目的端口
// urg, ack, psh, rst syn, fin 6个tcp包的控制比特位信息
 
执行输出举例
[root@db-172-16-3-150 network]# stap ./tcpdumplike.stp 
-----------------------------------------------------------------
       Source IP         Dest IP  SPort  DPort  U  A  P  R  S  F 
-----------------------------------------------------------------
     172.16.8.31    172.16.3.150  51167     22  0  1  0  0  0  0
     172.16.8.31    172.16.3.150  54223     22  0  1  1  0  0  0
     172.16.8.31    172.16.3.150  54223     22  0  1  1  0  0  0
     172.16.8.31    172.16.3.150  54223     22  0  1  0  0  0  0
     172.16.8.31    172.16.3.150  51167     22  0  1  1  0  0  0
     172.16.3.40    172.16.3.150  51927   9000  0  0  0  0  1  0
最后一行的A=0, S=1, 表示这个包是从172.16.3.40发过来的建立三次握手的第一个包.
U=1的话, 表示重要的包, 接收到后不要放到缓冲区, 直接处理.
 
本文用到的tcp.receive probe alias原型.
/usr/share/systemtap/tapset/tcp.stp
/**
 * probe tcp.receive - Called when a TCP packet is received
 * @name: Name of the probe point
 * @iphdr: IP header address
 * @protocol: Packet protocol from driver
 * @family: IP address family
 * @saddr: A string representing the source IP address
 * @daddr: A string representing the destination IP address
 * @sport: TCP source port
 * @dport: TCP destination port
 * @urg: TCP URG flag
 * @ack: TCP ACK flag
 * @psh: TCP PSH flag
 * @rst: TCP RST flag
 * @syn: TCP SYN flag
 * @fin: TCP FIN flag
 */
probe tcp.receive = tcp.ipv4.receive, tcp.ipv6.receive
{
}
// tcp.receive包含ipv4和ipv6的alias.
 
probe tcp.ipv4.receive = kernel.function("tcp_v4_rcv")
{
        name = "tcp.ipv4.receive"
        iphdr = __get_skb_iphdr($skb)
        # If we're here, by definition we're doing AF_INET, not AF_INET6.
        family = %{ /* pure */ AF_INET %}
        saddr = format_ipaddr(__ip_skb_saddr(iphdr), %{ /* pure */ AF_INET %})
        daddr = format_ipaddr(__ip_skb_daddr(iphdr), %{ /* pure */ AF_INET %})
        protocol = __ip_skb_proto(iphdr)
 
        tcphdr = __get_skb_tcphdr($skb)
        dport = __tcp_skb_dport(tcphdr)
        sport = __tcp_skb_sport(tcphdr)
        urg = __tcp_skb_urg(tcphdr)
        ack = __tcp_skb_ack(tcphdr)
        psh = __tcp_skb_psh(tcphdr)
        rst = __tcp_skb_rst(tcphdr)
        syn = __tcp_skb_syn(tcphdr)
        fin = __tcp_skb_fin(tcphdr)
}
 
probe tcp.ipv6.receive = kernel.function("tcp_v6_rcv")!,
        module("ipv6").function("tcp_v6_rcv")
{
        name = "tcp.ipv6.receive"
        iphdr = __get_skb_iphdr(@defined($skb) ? $skb : kernel_pointer($pskb))
        # If we're here, by definition we're doing AF_INET6, not AF_INET.
        family = %{ /* pure */ AF_INET6 %}
        saddr = format_ipaddr(&@cast(iphdr, "ipv6hdr")->saddr,
                              %{ /* pure */ AF_INET6 %})
        daddr = format_ipaddr(&@cast(iphdr, "ipv6hdr")->daddr,
                              %{ /* pure */ AF_INET6 %})
        # If we're here, by definition we're doing IPPROTO_TCP.  There
        # isn't a protocol field in 'struct ipv6hdr'.  There is one in
        # 'struct sk_buff', but that protocol field is an Ethernet
        # Procol ID (ETH_P_*), not an IP protocol ID (IPPROTO_*).
        protocol = %{ /* pure */ IPPROTO_TCP %}
 
        tcphdr = __get_skb_tcphdr(@defined($skb) ? $skb : kernel_pointer($pskb))
        dport = __tcp_skb_dport(tcphdr)
        sport = __tcp_skb_sport(tcphdr)
        urg = __tcp_skb_urg(tcphdr)
        ack = __tcp_skb_ack(tcphdr)
        psh = __tcp_skb_psh(tcphdr)
        rst = __tcp_skb_rst(tcphdr)
        syn = __tcp_skb_syn(tcphdr)
        fin = __tcp_skb_fin(tcphdr)
}
// 一些tcp常用的函数
//
//Definitions of the TCP protocol sk_state field listed below.
//
//     TCP_ESTABLISHED = 1,   Normal data transfer
//     TCP_SYN_SENT   = 2,   App. has started to open a connection
//     TCP_SYN_RECV   = 3,   A connection request has arrived; wait for ACK
//     TCP_FIN_WAIT1  = 4,   App. has said it is finished
//     TCP_FIN_WAIT2  = 5,   The other side has agreed to close
//     TCP_TIME_WAIT  = 6,   Wait for all packets to die off
//     TCP_CLOSE      = 7,   No connection is active or pending 
//     TCP_CLOSE_WAIT = 8,   The other side has initiated a release
//     TCP_LAST_ACK   = 9,   Last ACK, wait for all packets to die off
//     TCP_LISTEN     = 10,  Waiting for incoming call
//     TCP_CLOSING    = 11,  Both sides have tried to close simultaneously
//     TCP_MAX_STATES = 12   Max states number
// 
function tcp_ts_get_info_state:long(sock:long)
%{ /* pure */
        struct sock *sk = (struct sock *)(long) STAP_ARG_sock;
        STAP_RETVALUE = (int64_t) kread(&(sk->sk_state));
        CATCH_DEREF_FAULT();
%}
 
/* return the TCP destination port for a given sock */
function __tcp_sock_dport:long (sock:long)
{
    return (@defined(@cast(sock, "inet_sock")->inet_dport)
            ? @cast(sock, "inet_sock")->inet_dport # kernel >= 2.6.33
            : (@defined(@cast(sock, "inet_sock")->dport)
               ? @cast(sock, "inet_sock", "kernel")->dport # kernel >= 2.6.11
               : @cast(sock, "inet_sock", "kernel<net/ip.h>")->inet->dport))
}
// 内嵌了C代码, 为了取出sock的值.
 
TCP 包头信息

TCP Header Format

    0                   1                   2                   3

    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |          Source Port          |       Destination Port        |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |                        Sequence Number                        |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |                    Acknowledgment Number                      |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |  Data |           |U|A|P|R|S|F|                               |

   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |

   |       |           |G|K|H|T|N|N|                               |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |           Checksum            |         Urgent Pointer        |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |                    Options                    |    Padding    |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |                             data                              |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            TCP Header Format

          Note that one tick mark represents one bit position.

                               Figure 3.
控制比特信息 : 

Control Bits: 6 bits (from left to right):

    URG:  Urgent Pointer field significant

    ACK:  Acknowledgment field significant

    PSH:  Push Function

    RST:  Reset the connection

    SYN:  Synchronize sequence numbers

    FIN:  No more data from sender
 
[参考]
1. /usr/share/systemtap/testsuite/systemtap.examples
3. systemtap-testsuite
5. /usr/share/systemtap/testsuite/systemtap.examples/index.txt
6. /usr/share/systemtap/testsuite/systemtap.examples/keyword-index.txt
7. /usr/share/systemtap/tapset

Systemtap examples, Network - 4 Monitoring TCP Packets的更多相关文章

  1. computer network layers architecture (TCP/IP)

    computer network layers architecture (TCP/IP) 计算机网络分层架构 TCP/IP 协议簇 OSI 模型(7 层) TCP/IP (4 层) Applicat ...

  2. Top 10 Free Wireless Network hacking/monitoring tools for ethical hackers and businesses

    There are lots of free tools available online to get easy access to the WiFi networks intended to he ...

  3. Language-Directed Hardware Design for Network Performance Monitoring——Marple

    网络监控困难 1.仅仅通过去增加特定的监控功能到交换机是不能满足运营商不断变化的需求的.(交换机需要支持网络性能问题的表达语言) 2.他们缺乏对网络深处的性能问题进行本地化的可见性,间接推断网络问题的 ...

  4. SystemTap Beginners Guide

    SystemTap 3.0 SystemTap Beginners Guide Introduction to SystemTap Edition 3.0   Red Hat, Inc. Don Do ...

  5. Network Load Balancing Technical Overview--reference

    http://technet.microsoft.com/en-us/library/bb742455.aspx Abstract Network Load Balancing, a clusteri ...

  6. TCP/UDP端口列表

    http://zh.wikipedia.org/wiki/TCP/UDP%E7%AB%AF%E5%8F%A3%E5%88%97%E8%A1%A8 TCP/UDP端口列表     本条目可通过翻译外语维 ...

  7. Monitoring and Tuning the Linux Networking Stack: Receiving Data

    http://blog.packagecloud.io/eng/2016/06/22/monitoring-tuning-linux-networking-stack-receiving-data/ ...

  8. How Network Load Balancing Technology Works--reference

    http://technet.microsoft.com/en-us/library/cc756878(v=ws.10).aspx In this section Network Load Balan ...

  9. 内核调试神器SystemTap — 简介与使用(一)

    a linux trace/probe tool. 官网:https://sourceware.org/systemtap/ 简介 SystemTap是我目前所知的最强大的内核调试工具,有些家伙甚至说 ...

随机推荐

  1. ios开发--常用的高效开发的宏

    本次在做项目的时候使用了下面的一些宏定义 以及 建立宏定义的一些规则.虽然只用了其中的一点点,但是还是极大的提高了开发效率.. 将这些宏放到一个头文件里然后再放到工程中,在需要使用这些宏定义的地方体检 ...

  2. PHP必知必会

    MQ(消息队列) 消息队列主要用于以下场景: 1. 上传图片,用户需要迅速反馈,把上传图片的后续操作交给consumer 2. A用户对B用户发消息 3. 日志记录,APP发生的任何警告错误日志都要被 ...

  3. luogu 2296 寻找道路 (搜索)

    luogu 2296 寻找道路 题目链接:https://www.luogu.org/problemnew/show/P2296 从终点bfs或者dfs,找出所有终点能到达的点. 然后再从1到n看一下 ...

  4. Windows10安装MariaDB

    截至写这篇博客为止,MariaDB官方的稳定版本为,详情访问官方地址:https://downloads.mariadb.org/ 安装之前先简单说一下MariaDB:         MariaDB ...

  5. GIMP的Path的合并于复制

    1/Path的复制不能像图层一样简单的复制粘贴,只有通过merge的方法实现: 使要合并的Path处于可见状态,右击Path工具栏:   合并前与合并后比较: 2/向不同文件复制Path: 到另外一个 ...

  6. linux系统产生随机数的6种方法

    linux系统产生随机数的6种方法 方法一:通过系统环境变量($RANDOM)实现: [root@test ~]# echo $RANDOM 11595 [root@test ~]# echo $RA ...

  7. shell 中exec、source以及bash的区别

    在bash shell中,source.exec以及sh都可以用来执行shell script,但是它们的差别在哪里呢? sh:父进程会fork一个子进程,shell script在子进程中执行 so ...

  8. c++ 快速幂 代码实现

    懒得打代码系列… 不过这个代码挺短的死背下来也ok 解析在最下面 建议自己手动试个数据理解一下 比如 3^5 ^^ 原理:a ^ b = a ^ (b / 2) * 2 (b是奇数的话还要再乘一个a) ...

  9. PowerShell-第1章 交互界面

    1.1运行程序.脚本和已有的工具: Program.exe arguments ScriptName.ps1 arguments BatchFile.cmd arguments 如果运行的命令名中包含 ...

  10. luogu1129 [ZJOI2007]矩阵游戏

    其实,只用考虑某一行能否放到某一行就行了 #include <iostream> #include <cstring> #include <cstdio> usin ...