Convenient socket read/write viewer (socktop) in Linux

Source: Internet
Author: User
Tags: systemtap

Original article. If you repost it, please credit: reposted from Non-amateur Research on System Technology

Link: Convenient socket read/write viewer (socktop) in Linux

In the evening, Diao Liang said he was looking for a tool to investigate send and receive activity on Unix domain sockets, for example whether program A is sending or program B is receiving. He found that tcpdump, Wireshark and similar tools do not support this.

This is where systemtap comes to the rescue. All socket communication, in any family including the Unix domain, has to go through the socket interface, so we only need to intercept the few syscalls that read and write sockets.

The systemtap release provides a tool named socktop, located at /usr/share/doc/systemtap/examples/network/socktop. It is very convenient and is the most suitable tool for this job.

The copyright notice and the short description of its function in the socktop source read as follows:
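The interception idea described above, as an added example that is not the socktop source and not code from the original article. It assumes the socket tapset shipped with systemtap (probes socket.send and socket.receive, with the variables family, size and success) and that address family 1 is AF_UNIX, as defined in <linux/socket.h>.

```systemtap
#!/usr/bin/stap
# Added example: count Unix-domain socket sends and receives per process.
# Assumes the standard socket tapset; this is not the socktop script itself.

global tx, rx    # statistics keyed by (pid, process name)

# socket.send and socket.receive fire for every address family, so the
# filter is on family: 1 is AF_UNIX (AF_LOCAL).
probe socket.send {
    if (success && family == 1)
        tx[pid(), execname()] <<< size
}

probe socket.receive {
    if (success && family == 1)
        rx[pid(), execname()] <<< size
}

# Every five seconds print both tables, busiest process first, then reset.
probe timer.s(5) {
    printf("%-7s %-16s %8s %10s\n", "PID", "COMMAND", "#SEND", "SEND_B")
    foreach ([p, e] in tx-)
        printf("%-7d %-16s %8d %10d\n", p, e,
               @count(tx[p, e]), @sum(tx[p, e]))
    printf("%-7s %-16s %8s %10s\n", "PID", "COMMAND", "#RECV", "RECV_B")
    foreach ([p, e] in rx-)
        printf("%-7d %-16s %8d %10d\n", p, e,
               @count(rx[p, e]), @sum(rx[p, e]))
    delete tx
    delete rx
}
```

Like socktop, it needs root and the kernel-debuginfo packages that match the running kernel.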

# Socktop systemtap script
# Copyright (C) 2006 IBM Corp.
#
# This file is part of systemtap, and is free software.  You can
# redistribute it and/or modify it under the terms of the GNU General
# Public License (GPL); either version 2, or (at your option) any
# later version.

###
### socktop - combination shell/systemtap script to track reads and writes
###           on sockets by process.  Can be filtered by process IDs and
###           names, protocols, protocol families, users and socket type.
###

$ uname -r
2.6.18-164.el5
 
$ rpm -i kernel-debuginfo-common-2.6.18-164.el5.x86_64.rpm
$ rpm -i kernel-debuginfo-2.6.18-164.el5.x86_64.rpm 
 
# Help
$ /usr/share/doc/systemtap/examples/network/socktop -h
USAGE: socktop [-d] [-i interval] [-N num] [-P protocol]... [-f family]...
               [-t stype]... [-n pname]... [-p pid]... [-u username]... [-h]
    -d           # print network device traffic (default: off)
    -i interval  # interval in seconds between printing (default: 5)
    -N num       # number of top processes and devices to print (default: 10)
    -f family    # this protocol family only (default: all)
    -P protocol  # this protocol only (default: all)
    -t stype     # this socket type only (default: all)
    -n pname     # this process name only (default: all)
    -p pid       # this process ID only (default: all)
    -u username  # this user only (default: all)
    -c count     # number of iteration
    -m mod_name  # generate instrumentation (but do not run)
    -h           # print this help text
 
Protocol Families:
    LOCAL, INET, INET6, IPX, NETLINK, X25, AX25, ATMPVC, APPLETALK, PACKET
 
Protocols:
    TCP, UDP, SCTP, IP, FC, ... (see /etc/protocols for complete list)
 
Socket Types:
    STREAM, DGRAM, RAW, RDM, SEQPACKET, DCCP, PACKET

From the usage above it is clear what we need: filter on Unix sockets (-f LOCAL), report every five seconds (-i 5), and while we are at it print the network device traffic as well (-d).

$ sudo /usr/share/doc/systemtap/examples/network/socktop -f LOCAL -i 5 -d
======================= Thu Mar 31 21:23:03 2011 ========================
------------------------------- PROCESSES -------------------------------
PID   UID     #SEND   #RECV SEND_KB RECV_KB PROT FAMILY   COMMAND       
24821 50453       1       0       0       0 IP   LOCAL    crond         
3840  0           0       2       0       0 IP   LOCAL    syslog-ng     
 
-------------------------------- DEVICES --------------------------------
DEV             #XMIT         #RECV         XMIT_KB         RECV_KB
eth0              457           250             102              38
bond0             457             0             102               0
lo                 24            24               2               2
eth1                0            10               0               0
=========================================================================

We can clearly see that crond is sending and syslog-ng is receiving.

If you want to see the message contents, you can modify the script to dump the packets.

Have fun!
