Original article. If you repost it, please credit: reposted from 系统技术非业余研究.
This evening 雕梁 said he wanted a tool to check what is being sent and received over unix domain sockets, for example whether program A actually sent something and whether program B actually received it. He looked at tcpdump, wireshark and the like, and none of them seem to support this.

This is where the great systemtap comes to the rescue. All socket communication goes through the kernel's socket interface, and every protocol family, unix domain sockets included, has to pass through it, so hooking the handful of syscalls that read from and write to sockets is enough to see the traffic.

The systemtap distribution ships a tool for exactly this, socktop, located at /usr/share/doc/systemtap/examples/network/socktop. It is very convenient and ideally suited to the job.

The copyright notice and brief feature description from the socktop source:
# Socktop systemtap script
# Copyright (C) 2006 IBM Corp.
#
# This file is part of systemtap, and is free software. You can
# redistribute it and/or modify it under the terms of the GNU General
# Public License (GPL); either version 2, or (at your option) any
# later version.

###
### socktop - Combination shell/systemtap script to track reads and writes
### on sockets by process. Can be filtered by process IDs and
### names, protocols, protocol families, users and socket type.
###

$ uname -r
2.6.18-164.el5

$ rpm -i kernel-debuginfo-common-2.6.18-164.el5.x86_64.rpm
$ rpm -i kernel-debuginfo-2.6.18-164.el5.x86_64.rpm

# usage help
$ /usr/share/doc/systemtap/examples/network/socktop -h
USAGE: socktop [-d] [-i interval] [-N num] [-P protocol]... [-f family]...
               [-t stype]... [-n pname]... [-p pid]... [-u username]... [-h]
      -d          # print network device traffic (default: off)
      -i interval # interval in seconds between printing (default: 5)
      -N num      # number of top processes and devices to print (default: 10)
      -f family   # this protocol family only (default: all)
      -P protocol # this protocol only (default: all)
      -t stype    # this socket type only (default: all)
      -n pname    # this process name only (default: all)
      -p pid      # this process ID only (default: all)
      -u username # this user only (default: all)
      -c count    # number of iteration
      -m mod_name # generate instrumentation (but do not run)
      -h          # print this help text

Protocol Families:
    LOCAL, INET, INET6, IPX, NETLINK, X25, AX25, ATMPVC, APPLETALK, PACKET

Protocols:
    TCP, UDP, SCTP, IP, FC, ... (see /etc/protocols for complete list)

Socket Types:
    STREAM, DGRAM, RAW, RDM, SEQPACKET, DCCP, PACKET
The usage text above is clear enough. We want to filter for unix domain sockets (family LOCAL), report every 5 seconds, and print the network device traffic while we are at it.

$ sudo /usr/share/doc/systemtap/examples/network/socktop -f LOCAL -i 5 -d
======================= Thu Mar 31 21:23:03 2011 ========================
------------------------------- PROCESSES -------------------------------
PID   UID   #SEND #RECV SEND_KB RECV_KB PROT FAMILY COMMAND
24821 50453 1     0     0       0       IP   LOCAL  crond
3840  0     0     2     0       0       IP   LOCAL  syslog-ng

-------------------------------- DEVICES --------------------------------
DEV   #XMIT #RECV XMIT_KB RECV_KB
eth0  457   250   102     38
bond0 457   0     102     0
lo    24    24    2       2
eth1  0     10    0       0
=========================================================================
We can see it very clearly: crond is sending, syslog-ng is receiving.

If you want to know what the messages contain, you can modify the script to dump the payloads as well.
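The point made above, that every socket family (unix domain sockets included) passes through the same kernel socket layer, so probing there is enough, can be shown with a far smaller script than socktop. The following is an added example, not socktop's code and not part of the original post. It uses the socket.send and socket.receive probes from systemtap's socket tapset (assumption: these probes, with their family, size and success variables, exist in your systemtap version; socktop is assumed to be built on the same probes), keeps per-process counters for AF_UNIX sockets only, and prints them every 5 seconds, mirroring socktop -f LOCAL -i 5 without the device traffic. The file name unix_sock_top.stp is mine.

```systemtap
#!/usr/bin/stap
# Added example, not the socktop script: per-process send/receive
# counters for AF_UNIX (LOCAL) sockets only, reported every 5 seconds.
# Assumes the socket tapset (socket.send / socket.receive with the
# family, size and success variables) and kernel debuginfo are installed.

global seen, sends, recvs, sbytes, rbytes

# socket.send fires when sock_sendmsg() returns. Every socket family,
# unix domain included, goes through it, so filtering on family is enough.
# AF_UNIX (also called AF_LOCAL) is protocol family number 1 on Linux.
probe socket.send {
    if (family == 1 && success) {
        seen[pid(), execname()] = 1
        sends[pid(), execname()] += 1
        sbytes[pid(), execname()] += size
    }
}

# socket.receive fires when sock_recvmsg() returns; same filter.
probe socket.receive {
    if (family == 1 && success) {
        seen[pid(), execname()] = 1
        recvs[pid(), execname()] += 1
        rbytes[pid(), execname()] += size
    }
}

# One report per interval (like socktop -i 5), then reset the counters.
# Missing keys read as 0, so a process that only received still prints.
probe timer.s(5) {
    printf("========== %s ==========\n", ctime(gettimeofday_s()))
    printf("%-6s %-16s %6s %6s %8s %8s\n",
           "PID", "COMMAND", "#SEND", "#RECV", "SEND_KB", "RECV_KB")
    foreach ([p, name] in seen) {
        printf("%-6d %-16s %6d %6d %8d %8d\n", p, name,
               sends[p, name], recvs[p, name],
               sbytes[p, name] / 1024, rbytes[p, name] / 1024)
    }
    delete seen
    delete sends
    delete recvs
    delete sbytes
    delete rbytes
}
```

Run it with sudo stap unix_sock_top.stp on a box with the debuginfo packages from above installed. With crond logging through the syslog socket, you should see crond on the #SEND side and syslog-ng on the #RECV side, which is exactly the question 雕梁 wanted answered: whether A sent and whether B received. Changing the family constant (2 for INET, 10 for INET6) turns the same script into a per-process counter for those families, which is what socktop's -f switch does in the generated script.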
Have fun!