Original article; when reposting please credit: reproduced from 系统技术非业余研究

This evening 雕梁 said he wanted a tool to investigate what is being sent and received over unix domain sockets, for example whether program A actually sent something and whether program B received it. He tried tcpdump, wireshark and the like, but none of them seem to support this (they capture on network interfaces, and unix domain socket traffic never touches one).

This is where the great systemtap comes to the rescue. All socket communication goes through the kernel's socket layer, whatever the address family, unix domain sockets included, so hooking the handful of kernel functions that every socket send and receive passes through is enough. systemtap's socket tapset exposes exactly these as the socket.send and socket.receive probes (on sock_sendmsg and sock_recvmsg).

The systemtap distribution ships a tool for exactly this: socktop, at /usr/share/doc/systemtap/examples/network/socktop. It is very convenient and a perfect fit for the job.

The copyright notice and the short description at the top of the socktop source:

# Socktop systemtap script
# Copyright (C) 2006 IBM Corp.
#
# This file is part of systemtap, and is free software. You can
# redistribute it and/or modify it under the terms of the GNU General
# Public License (GPL); either version 2, or (at your option) any
# later version.

###
### socktop - Combination shell/systemtap script to track reads and writes
### on sockets by process. Can be filtered by process IDs and
### names, protocols, protocol families, users and socket type.
###

$ uname -r
2.6.18-164.el5

$ rpm -i kernel-debuginfo-common-2.6.18-164.el5.x86_64.rpm
$ rpm -i kernel-debuginfo-2.6.18-164.el5.x86_64.rpm

socktop reads kernel data structures (the socket's family, protocol and type) through systemtap, so the kernel-debuginfo packages must match the running kernel version exactly; with any other version stap fails with a semantic error while building its module.

# Usage help

$ /usr/share/doc/systemtap/examples/network/socktop -h
USAGE: socktop [-d] [-i interval] [-N num] [-P protocol]... [-f family]...
               [-t stype]... [-n pname]... [-p pid]... [-u username]... [-h]
   -d          # print network device traffic (default: off)
   -i interval # interval in seconds between printing (default: 5)
   -N num      # number of top processes and devices to print (default: 10)
   -f family   # this protocol family only (default: all)
   -P protocol # this protocol only (default: all)
   -t stype    # this socket type only (default: all)
   -n pname    # this process name only (default: all)
   -p pid      # this process ID only (default: all)
   -u username # this user only (default: all)
   -c count    # number of iteration
   -m mod_name # generate instrumentation (but do not run)
   -h          # print this help text

Protocol Families:
   LOCAL, INET, INET6, IPX, NETLINK, X25, AX25, ATMPVC, APPLETALK, PACKET

Protocols:
   TCP, UDP, SCTP, IP, FC, ... (see /etc/protocols for complete list)

Socket Types:
   STREAM, DGRAM, RAW, RDM, SEQPACKET, DCCP, PACKET

The usage text above is self-explanatory. We want to filter on unix domain sockets (the LOCAL family, i.e. AF_UNIX), report every 5 seconds, and while we are at it print the network device traffic as well. socktop builds and loads a kernel module, so it has to run as root.

$ sudo /usr/share/doc/systemtap/examples/network/socktop -f LOCAL -i 5 -d

======================= Thu Mar 31 21:23:03 2011 ========================
------------------------------- PROCESSES -------------------------------
  PID   UID #SEND #RECV SEND_KB RECV_KB PROT FAMILY COMMAND
24821 50453     1     0       0       0 IP   LOCAL  crond
 3840     0     0     2       0       0 IP   LOCAL  syslog-ng

-------------------------------- DEVICES --------------------------------
DEV   #XMIT #RECV XMIT_KB RECV_KB
eth0    457   250     102     384
bond0   457     0     102       0
lo       24    24       2       2
eth1      0    10       0       0
=========================================================================

6 |8 F2 s$ b, i+ y& t7 n: k我们很清楚的看到了,crond在发,syslog-ng在收。
" c0 H" s4 I. J3 k4 I \+ T, R! ^3 V1 k- Z; k- S E
如果你想知道报文的内容的话,可以改改脚本把报文也dump出来。( n; G% R3 L. f) ]
& s; u( I5 B. j. h2 T7 o& }2 p玩得开心! |
|
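One way to do that last step, as an added example that is not code from the original post or from socktop itself: a small stand-alone systemtap script that prints the first bytes of every AF_UNIX send and receive together with the pid and process name, so you can see not just that A sent and B received but what went over the wire. It assumes a 2.6-era struct msghdr, where msg_iov points at the first iovec (on kernels 3.19 and later the iovec moved into msg_iter, so those two dereferences need changing), a systemtap new enough to support @entry in return probes, and the matching kernel-debuginfo installed as shown above. The file name unixsock_dump.stp, the helper dump() and the constant MAXDUMP are this example's own names.

```systemtap
#! /usr/bin/env stap
# unixsock_dump.stp -- show the first bytes of every AF_UNIX send/receive,
# tagged with direction, process name and pid.
#
# Assumptions (this is an illustration, not part of socktop):
#  * 2.6.x struct msghdr: msg_iov points at the first struct iovec
#    (kernels >= 3.19 keep the iovec in msg_iter instead)
#  * kernel-debuginfo for the running kernel is installed, so $sock/$msg resolve
#  * systemtap supports @entry, which snapshots target variables at function
#    entry for use in the .return probe

global AF_UNIX = 1      # PF_UNIX / AF_UNIX address family number
global MAXDUMP = 64     # payload bytes to print per message

# Print one message. The buffer belongs to the calling process, so it is
# read with user_string_n2(); unreadable memory yields a marker instead of
# aborting the script. text_str() escapes non-printable bytes.
function dump(dir:string, addr:long, len:long) {
  n = len > MAXDUMP ? MAXDUMP : len
  printf("%s %s[%d] %d bytes: %s\n", dir, execname(), pid(), len,
         text_str(user_string_n2(addr, n, "<unreadable>")))
}

# Entry of sock_sendmsg: the user buffer already holds the data to send.
probe kernel.function("sock_sendmsg") {
  if ($sock->ops->family != AF_UNIX) next
  dump("SEND", $msg->msg_iov->iov_base, $msg->msg_iov->iov_len)
}

# Return of sock_recvmsg: only now has the kernel copied data into the
# caller's buffer. The kernel may advance its own copy of the iovec while
# copying, so take the original iov_base as it was at entry.
probe kernel.function("sock_recvmsg").return {
  if (@entry($sock->ops->family) != AF_UNIX || $return <= 0) next
  dump("RECV", @entry($msg->msg_iov->iov_base), $return)
}

probe begin { printf("Tracing AF_UNIX sends and receives, Ctrl-C to stop\n") }
```

Run it as root with `stap unixsock_dump.stp`; like socktop it compiles and loads a kernel module. Only the first iovec of each message is dumped, which covers plain write()/send() callers such as the syslog client; a sendmsg() with several iovecs would need a loop over msg_iovlen. Dumping payloads this way exposes whatever other processes write to their sockets, including credentials passed over local IPC, so treat the output as sensitive and keep the script to a debugging session.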