Original article; if you repost it, please credit the source: reposted from 系统技术非业余研究.
This evening 雕梁 said he wanted a tool to investigate sends and receives on unix domain sockets, for example whether program A actually sent a message and whether program B actually received it. He looked at tcpdump, wireshark and the like, and none of them seemed to support this.

Once again the mighty systemtap comes to the rescue. All socket communication goes through the socket interface, and traffic of every address family, unix domain sockets included, has to pass through it, so intercepting the handful of syscalls that read from and write to sockets is enough to do the job.
The systemtap distribution ships a tool called socktop, located at /usr/share/doc/systemtap/examples/network/socktop. It is very convenient and exactly the right tool for this job.
" r1 v1 M# u: |! `& A7 w+ o7 x% b1 A
The copyright header and brief feature description from the socktop source:
# Socktop systemtap script
# Copyright (C) 2006 IBM Corp.
#
# This file is part of systemtap, and is free software. You can
# redistribute it and/or modify it under the terms of the GNU General
# Public License (GPL); either version 2, or (at your option) any
# later version.

###
### socktop - Combination shell/systemtap script to track reads and writes
### on sockets by process. Can be filtered by process IDs and
### names, protocols, protocol families, users and socket type.
###

$ uname -r
2.6.18-164.el5

$ rpm -i kernel-debuginfo-common-2.6.18-164.el5.x86_64.rpm
$ rpm -i kernel-debuginfo-2.6.18-164.el5.x86_64.rpm

# Usage help
$ /usr/share/doc/systemtap/examples/network/socktop -h
USAGE: socktop [-d] [-i interval] [-N num] [-P protocol]... [-f family]...
       [-t stype]... [-n pname]... [-p pid]... [-u username]... [-h]
  -d          # print network device traffic (default: off)
  -i interval # interval in seconds between printing (default: 5)
  -N num      # number of top processes and devices to print (default: 10)
  -f family   # this protocol family only (default: all)
  -P protocol # this protocol only (default: all)
  -t stype    # this socket type only (default: all)
  -n pname    # this process name only (default: all)
  -p pid      # this process ID only (default: all)
  -u username # this user only (default: all)
  -c count    # number of iteration
  -m mod_name # generate instrumentation (but do not run)
  -h          # print this help text
Protocol Families:
  LOCAL, INET, INET6, IPX, NETLINK, X25, AX25, ATMPVC, APPLETALK, PACKET

Protocols:
  TCP, UDP, SCTP, IP, FC, ... (see /etc/protocols for complete list)

Socket Types:
  STREAM, DGRAM, RAW, RDM, SEQPACKET, DCCP, PACKET
The usage text above is clear enough. We want to filter for unix domain sockets (family LOCAL), report every 5 seconds, and, while we are at it, print network device traffic too.
$ sudo /usr/share/doc/systemtap/examples/network/socktop -f LOCAL -i 5 -d
======================= Thu Mar 31 21:23:03 2011 ========================
------------------------------- PROCESSES -------------------------------
  PID   UID  #SEND  #RECV  SEND_KB  RECV_KB  PROT  FAMILY  COMMAND
24821 50453      1      0        0        0  IP    LOCAL   crond
 3840     0      0      2        0        0  IP    LOCAL   syslog-ng

-------------------------------- DEVICES --------------------------------
DEV    #XMIT  #RECV  XMIT_KB  RECV_KB
eth0     457    250      102       38
bond0    457      0      102        0
lo        24     24        2        2
eth1       0     10        0        0
=========================================================================
We can see it clearly: crond is sending and syslog-ng is receiving.

If you want to know what the messages contain, you can modify the script to dump the payload as well.
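To show what socktop is doing under the hood, here is a minimal standalone systemtap script, added as an example and not code from the original post or from socktop itself, that counts sends and receives on unix domain sockets per process, which is what "socktop -f LOCAL -i 5" reports. It assumes the socket tapset that ships with systemtap (the socket.send and socket.receive probes with their family, size and success variables) and takes the AF_UNIX family number 1 from the C socket headers.

```systemtap
#!/usr/bin/stap
# Per-process send/receive counters for unix domain sockets.
# Added example; assumes the socket tapset's socket.send / socket.receive
# probes. AF_UNIX == 1 as defined in <sys/socket.h>.

global AF_UNIX = 1
global sends, recvs, send_bytes, recv_bytes, cmd

probe socket.send {
  # Count only successful sends on AF_UNIX sockets; size is the byte count
  # returned by the kernel send path.
  if (!success || family != AF_UNIX) next
  sends[pid()]++
  send_bytes[pid()] += size
  cmd[pid()] = execname()
}

probe socket.receive {
  # Same filtering for the receive path.
  if (!success || family != AF_UNIX) next
  recvs[pid()]++
  recv_bytes[pid()] += size
  cmd[pid()] = execname()
}

# Print a report every 5 seconds, then reset, like socktop's -i 5.
probe timer.s(5) {
  printf("%6s %-16s %6s %6s %10s %10s\n",
         "PID", "COMMAND", "#SEND", "#RECV", "SEND_B", "RECV_B")
  foreach (p in cmd) {
    printf("%6d %-16s %6d %6d %10d %10d\n",
           p, cmd[p], sends[p], recvs[p], send_bytes[p], recv_bytes[p])
  }
  printf("\n")
  delete sends
  delete recvs
  delete send_bytes
  delete recv_bytes
  delete cmd
}
```

Run it as root with stap; it needs the kernel debuginfo packages installed above, because the socket tapset probes kernel functions.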

Have fun!