Original article; if you repost it, please credit: reposted from 系统技术非业余研究

This evening 雕梁 said he wanted a tool to check what is being sent and received over unix domain sockets, for example whether program A actually sent something and whether program B received it. He looked at tcpdump, wireshark and the like, and none of them seem to support it.

This is where the great systemtap comes to the rescue. All socket communication goes through the socket interface, and every address family, unix domain sockets included, has to pass through it, so intercepting the handful of syscalls that read and write sockets is all it takes.

The systemtap distribution ships a tool called socktop, located at /usr/share/doc/systemtap/examples/network/socktop. It is very handy and exactly the right tool for this job.

The copyright notice and short feature description from the socktop source:

# Socktop systemtap script
# Copyright (C) 2006 IBM Corp.
#
# This file is part of systemtap, and is free software. You can
# redistribute it and/or modify it under the terms of the GNU General
# Public License (GPL); either version 2, or (at your option) any
# later version.

###
### socktop - Combination shell/systemtap script to track reads and writes
### on sockets by process. Can be filtered by process IDs and
### names, protocols, protocol families, users and socket type.
###

$ uname -r
2.6.18-164.el5

$ rpm -i kernel-debuginfo-common-2.6.18-164.el5.x86_64.rpm
$ rpm -i kernel-debuginfo-2.6.18-164.el5.x86_64.rpm
# Show the usage help
$ /usr/share/doc/systemtap/examples/network/socktop -h
USAGE: socktop [-d] [-i interval] [-N num] [-P protocol]... [-f family]...
               [-t stype]... [-n pname]... [-p pid]... [-u username]... [-h]
       -d            # print network device traffic (default: off)
       -i interval   # interval in seconds between printing (default: 5)
       -N num        # number of top processes and devices to print (default: 10)
       -f family     # this protocol family only (default: all)
       -P protocol   # this protocol only (default: all)
       -t stype      # this socket type only (default: all)
       -n pname      # this process name only (default: all)
       -p pid        # this process ID only (default: all)
       -u username   # this user only (default: all)
       -c count      # number of iteration
       -m mod_name   # generate instrumentation (but do not run)
       -h            # print this help text

Protocol Families:
       LOCAL, INET, INET6, IPX, NETLINK, X25, AX25, ATMPVC, APPLETALK, PACKET

Protocols:
       TCP, UDP, SCTP, IP, FC, ... (see /etc/protocols for complete list)

Socket Types:
       STREAM, DGRAM, RAW, RDM, SEQPACKET, DCCP, PACKET
The usage text above is clear enough. What we want is to filter for unix domain sockets (family LOCAL), report every 5 seconds, and print the network device traffic while we are at it.

$ sudo /usr/share/doc/systemtap/examples/network/socktop -f LOCAL -i 5 -d
======================= Thu Mar 31 21:23:03 2011 ========================
------------------------------- PROCESSES -------------------------------
  PID   UID  #SEND  #RECV  SEND_KB  RECV_KB  PROT  FAMILY  COMMAND
24821 50453      1      0        0        0  IP    LOCAL   crond
 3840     0      0      2        0        0  IP    LOCAL   syslog-ng

-------------------------------- DEVICES --------------------------------
DEV    #XMIT  #RECV  XMIT_KB  RECV_KB
eth0     457    250      102       38
bond0    457      0      102        0
lo        24     24        2        2
eth1       0     10        0        0
=========================================================================
We can see very clearly that crond is sending and syslog-ng is receiving.

If you want to know the contents of the messages, you can modify the script to dump the payload as well.

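As an added example that is not part of the original post or of socktop itself, here is a minimal SystemTap script built on the same idea: the socket tapset's socket.send and socket.receive probes fire for every address family, so a filter on the family field alone isolates unix domain sockets. The file name unixsock.stp and the 5-second interval and top-10 limit are assumptions chosen to mirror the socktop command above.

```systemtap
# unixsock.stp (assumed file name; added example, not from the original
# post or from socktop). Run as: sudo stap unixsock.stp
#
# The socket tapset's socket.send / socket.receive probes fire when the
# socket read/write syscalls return, for every address family, so a
# filter on the family field is enough to isolate unix domain sockets.

global af_local              # numeric AF_LOCAL (AF_UNIX), looked up at start
global sends, recvs          # [pid, comm] -> number of successful calls
global sbytes, rbytes        # [pid, comm] -> bytes sent / received
global active                # [pid, comm] -> total calls, used for sorting

probe begin {
    af_local = sock_fam_str2num("LOCAL")
    printf("tracing unix domain socket traffic (family %d)\n", af_local)
}

# "success" is false when the syscall returned an error, so failed
# attempts are not counted as data movement.
probe socket.send {
    if (family != af_local || !success) next
    sends[pid(), execname()]++
    sbytes[pid(), execname()] += size
    active[pid(), execname()]++
}

probe socket.receive {
    if (family != af_local || !success) next
    recvs[pid(), execname()]++
    rbytes[pid(), execname()] += size
    active[pid(), execname()]++
}

# Every 5 seconds print the 10 busiest processes, then reset the counters.
probe timer.s(5) {
    printf("\n%-7s %-16s %6s %6s %8s %8s\n",
           "PID", "COMMAND", "#SEND", "#RECV", "SEND_KB", "RECV_KB")
    foreach ([p, c] in active- limit 10) {
        printf("%-7d %-16s %6d %6d %8d %8d\n", p, c,
               sends[p, c], recvs[p, c], sbytes[p, c] / 1024, rbytes[p, c] / 1024)
    }
    delete sends
    delete recvs
    delete sbytes
    delete rbytes
    delete active
}
```

Like socktop, it needs the kernel debuginfo installed as shown above, since the socket probes read fields of the kernel's socket structures.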
Have fun!