The systemtap distribution ships a tool called socktop, located at /usr/share/doc/systemtap/examples/network/socktop. It is a very handy tool and the best fit for this job.

The copyright notice and short feature description from the socktop source:

# Socktop systemtap script
# Copyright (C) 2006 IBM Corp.
#
# This file is part of systemtap, and is free software. You can
# redistribute it and/or modify it under the terms of the GNU General
# Public License (GPL); either version 2, or (at your option) any
# later version.

###
### socktop – Combination shell/systemtap script to track reads and writes
### on sockets by process. Can be filtered by process IDs and
### names, protocols, protocol families, users and socket type.
###

# install the kernel debuginfo matching the running kernel
$ uname -r
2.6.18-164.el5

$ rpm -i kernel-debuginfo-common-2.6.18-164.el5.x86_64.rpm
$ rpm -i kernel-debuginfo-2.6.18-164.el5.x86_64.rpm

# usage help
$ /usr/share/doc/systemtap/examples/network/socktop -h
USAGE: socktop [-d] [-i interval] [-N num] [-P protocol]... [-f family]...
               [-t stype]... [-n pname]... [-p pid]... [-u username]... [-h]
   -d          # print network device traffic (default: off)
   -i interval # interval in seconds between printing (default: 5)
   -N num      # number of top processes and devices to print (default: 10)
   -f family   # this protocol family only (default: all)
   -P protocol # this protocol only (default: all)
   -t stype    # this socket type only (default: all)
   -n pname    # this process name only (default: all)
   -p pid      # this process ID only (default: all)
   -u username # this user only (default: all)
   -c count    # number of iteration
   -m mod_name # generate instrumentation (but do not run)
   -h          # print this help text

Protocol Families:
   LOCAL, INET, INET6, IPX, NETLINK, X25, AX25, ATMPVC, APPLETALK, PACKET

Protocols:
   TCP, UDP, SCTP, IP, FC, ... (see /etc/protocols for complete list)

Socket Types:
   STREAM, DGRAM, RAW, RDM, SEQPACKET, DCCP, PACKET
The usage text above is clear enough: we want to filter on unix sockets (family LOCAL), report every 5 seconds, and, while we are at it, print the network device traffic too.

$ sudo /usr/share/doc/systemtap/examples/network/socktop -f LOCAL -i 5 -d
======================= Thu Mar 31 21:23:03 2011 ========================
------------------------------- PROCESSES -------------------------------
  PID   UID #SEND #RECV SEND_KB RECV_KB PROT FAMILY COMMAND
24821 50453     1     0       0       0   IP  LOCAL crond
 3840     0     0     2       0       0   IP  LOCAL syslog-ng

-------------------------------- DEVICES --------------------------------
DEV   #XMIT #RECV XMIT_KB RECV_KB
eth0    457   250     102      38
bond0   457     0     102       0
lo       24    24       2       2
eth1      0    10       0       0
=========================================================================
We can see clearly that crond is sending and syslog-ng is receiving.
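To show what socktop does under the hood, here is an added example (not the socktop script itself, nor code from the systemtap project): a small SystemTap script that counts sends and receives on LOCAL (AF_UNIX) sockets per process and prints the top 10 every 5 seconds, mirroring `socktop -f LOCAL -i 5` minus the device table. It assumes the stock socket tapset (socket.send, socket.receive, sock_fam_num2str) and the kernel debuginfo installed as shown above.

```systemtap
#!/usr/bin/stap
# Added example, not the socktop script: count sends/receives on LOCAL
# (AF_UNIX) sockets per process and report the top 10 every 5 seconds.
# Assumes the stock socket tapset and installed kernel debuginfo.

global sends, recvs, send_bytes, recv_bytes, total_bytes

# socket.send / socket.receive fire on return from the kernel socket
# send/receive paths; `family`, `size` and `success` come from the tapset.
probe socket.send {
    if (success && sock_fam_num2str(family) == "LOCAL") {
        sends[pid(), execname()]++
        send_bytes[pid(), execname()] += size
        total_bytes[pid(), execname()] += size
    }
}

probe socket.receive {
    if (success && sock_fam_num2str(family) == "LOCAL") {
        recvs[pid(), execname()]++
        recv_bytes[pid(), execname()] += size
        total_bytes[pid(), execname()] += size
    }
}

# Report every 5 seconds (socktop's default interval), busiest first,
# then clear the counters so each report covers only the last interval.
probe timer.s(5) {
    printf("%s\n", ctime(gettimeofday_s()))
    printf("%6s %6s %6s %8s %8s %s\n",
           "PID", "#SEND", "#RECV", "SEND_KB", "RECV_KB", "COMMAND")
    foreach ([p, e] in total_bytes- limit 10)
        printf("%6d %6d %6d %8d %8d %s\n",
               p, sends[p, e], recvs[p, e],
               send_bytes[p, e] / 1024, recv_bytes[p, e] / 1024, e)
    delete sends
    delete recvs
    delete send_bytes
    delete recv_bytes
    delete total_bytes
}
```

Run it as root with `stap unix_socktop.stp` (any file name works); on the 2.6.18 kernel above it needs the same kernel-debuginfo packages that socktop does.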