http://blog.163.com/digoal@126/blog/static/16387704020131014104256627/
 
例子来自tcpdumplike.stp脚本, 当tcp.receive事件触发后, 取出类似tcpdump输出的源ip, 目的ip, 源端口, 目的端口, 以及6个tcp包的控制比特位信息.
tcp.receive alias实际上包含2个内核函数, 分别代表ipv4和ipv6. 
kernel.function("tcp_v4_rcv")
kernel.function("tcp_v6_rcv")!, module("ipv6").function("tcp_v6_rcv")
// !表示有限匹配kernel.function("tcp_v6_rcv"), 匹配后下面的module就不触发了.
 
脚本内容以及注解
[root@db-172-16-3-150 network]# cd /usr/share/systemtap/testsuite/systemtap.examples/network
[root@db-172-16-3-150 network]# cat tcpdumplike.stp
#!/usr/bin/stap
 
// A TCP dump like example
 
probe begin, timer.s(1) {
  printf("-----------------------------------------------------------------\n")
  printf("       Source IP         Dest IP  SPort  DPort  U  A  P  R  S  F \n")
  printf("-----------------------------------------------------------------\n")
}
// stap脚本开始, 并且以后每秒输出一次头信息. 方便阅读.
 
probe tcp.receive {
  printf(" %15s %15s  %5d  %5d  %d  %d  %d  %d  %d  %d\n",
         saddr, daddr, sport, dport, urg, ack, psh, rst, syn, fin)
}
// 跟踪tcp.receive事件, 事件出发时, 输出
// saddr 源IP
// daddr 目的IP
// sport 源端口
// dport 目的端口
// urg, ack, psh, rst syn, fin 6个tcp包的控制比特位信息
 
执行输出举例
[root@db-172-16-3-150 network]# stap ./tcpdumplike.stp 
-----------------------------------------------------------------
       Source IP         Dest IP  SPort  DPort  U  A  P  R  S  F 
-----------------------------------------------------------------
     172.16.8.31    172.16.3.150  51167     22  0  1  0  0  0  0
     172.16.8.31    172.16.3.150  54223     22  0  1  1  0  0  0
     172.16.8.31    172.16.3.150  54223     22  0  1  1  0  0  0
     172.16.8.31    172.16.3.150  54223     22  0  1  0  0  0  0
     172.16.8.31    172.16.3.150  51167     22  0  1  1  0  0  0
     172.16.3.40    172.16.3.150  51927   9000  0  0  0  0  1  0
最后一行的A=0, S=1, 表示这个包是从172.16.3.40发过来的建立三次握手的第一个包.
U=1的话, 表示重要的包, 接收到后不要放到缓冲区, 直接处理.
 
本文用到的tcp.receive probe alias原型.
/usr/share/systemtap/tapset/tcp.stp
/**
 * probe tcp.receive - Called when a TCP packet is received
 * @name: Name of the probe point
 * @iphdr: IP header address
 * @protocol: Packet protocol from driver
 * @family: IP address family
 * @saddr: A string representing the source IP address
 * @daddr: A string representing the destination IP address
 * @sport: TCP source port
 * @dport: TCP destination port
 * @urg: TCP URG flag
 * @ack: TCP ACK flag
 * @psh: TCP PSH flag
 * @rst: TCP RST flag
 * @syn: TCP SYN flag
 * @fin: TCP FIN flag
 */
probe tcp.receive = tcp.ipv4.receive, tcp.ipv6.receive
{
}
// tcp.receive包含ipv4和ipv6的alias.
 
probe tcp.ipv4.receive = kernel.function("tcp_v4_rcv")
{
        name = "tcp.ipv4.receive"
        iphdr = __get_skb_iphdr($skb)
        # If we're here, by definition we're doing AF_INET, not AF_INET6.
        family = %{ /* pure */ AF_INET %}
        saddr = format_ipaddr(__ip_skb_saddr(iphdr), %{ /* pure */ AF_INET %})
        daddr = format_ipaddr(__ip_skb_daddr(iphdr), %{ /* pure */ AF_INET %})
        protocol = __ip_skb_proto(iphdr)
 
        tcphdr = __get_skb_tcphdr($skb)
        dport = __tcp_skb_dport(tcphdr)
        sport = __tcp_skb_sport(tcphdr)
        urg = __tcp_skb_urg(tcphdr)
        ack = __tcp_skb_ack(tcphdr)
        psh = __tcp_skb_psh(tcphdr)
        rst = __tcp_skb_rst(tcphdr)
        syn = __tcp_skb_syn(tcphdr)
        fin = __tcp_skb_fin(tcphdr)
}
 
probe tcp.ipv6.receive = kernel.function("tcp_v6_rcv")!,
        module("ipv6").function("tcp_v6_rcv")
{
        name = "tcp.ipv6.receive"
        iphdr = __get_skb_iphdr(@defined($skb) ? $skb : kernel_pointer($pskb))
        # If we're here, by definition we're doing AF_INET6, not AF_INET.
        family = %{ /* pure */ AF_INET6 %}
        saddr = format_ipaddr(&@cast(iphdr, "ipv6hdr")->saddr,
                              %{ /* pure */ AF_INET6 %})
        daddr = format_ipaddr(&@cast(iphdr, "ipv6hdr")->daddr,
                              %{ /* pure */ AF_INET6 %})
        # If we're here, by definition we're doing IPPROTO_TCP.  There
        # isn't a protocol field in 'struct ipv6hdr'.  There is one in
        # 'struct sk_buff', but that protocol field is an Ethernet
        # Procol ID (ETH_P_*), not an IP protocol ID (IPPROTO_*).
        protocol = %{ /* pure */ IPPROTO_TCP %}
 
        tcphdr = __get_skb_tcphdr(@defined($skb) ? $skb : kernel_pointer($pskb))
        dport = __tcp_skb_dport(tcphdr)
        sport = __tcp_skb_sport(tcphdr)
        urg = __tcp_skb_urg(tcphdr)
        ack = __tcp_skb_ack(tcphdr)
        psh = __tcp_skb_psh(tcphdr)
        rst = __tcp_skb_rst(tcphdr)
        syn = __tcp_skb_syn(tcphdr)
        fin = __tcp_skb_fin(tcphdr)
}
// 一些tcp常用的函数
//
//Definitions of the TCP protocol sk_state field listed below.
//
//     TCP_ESTABLISHED = 1,   Normal data transfer
//     TCP_SYN_SENT   = 2,   App. has started to open a connection
//     TCP_SYN_RECV   = 3,   A connection request has arrived; wait for ACK
//     TCP_FIN_WAIT1  = 4,   App. has said it is finished
//     TCP_FIN_WAIT2  = 5,   The other side has agreed to close
//     TCP_TIME_WAIT  = 6,   Wait for all packets to die off
//     TCP_CLOSE      = 7,   No connection is active or pending 
//     TCP_CLOSE_WAIT = 8,   The other side has initiated a release
//     TCP_LAST_ACK   = 9,   Last ACK, wait for all packets to die off
//     TCP_LISTEN     = 10,  Waiting for incoming call
//     TCP_CLOSING    = 11,  Both sides have tried to close simultaneously
//     TCP_MAX_STATES = 12   Max states number
// 
function tcp_ts_get_info_state:long(sock:long)
%{ /* pure */
        struct sock *sk = (struct sock *)(long) STAP_ARG_sock;
        STAP_RETVALUE = (int64_t) kread(&(sk->sk_state));
        CATCH_DEREF_FAULT();
%}
 
/* return the TCP destination port for a given sock */
function __tcp_sock_dport:long (sock:long)
{
    return (@defined(@cast(sock, "inet_sock")->inet_dport)
            ? @cast(sock, "inet_sock")->inet_dport # kernel >= 2.6.33
            : (@defined(@cast(sock, "inet_sock")->dport)
               ? @cast(sock, "inet_sock", "kernel")->dport # kernel >= 2.6.11
               : @cast(sock, "inet_sock", "kernel<net/ip.h>")->inet->dport))
}
// 内嵌了C代码, 为了取出sock的值.
 
TCP 包头信息

TCP Header Format

    0                   1                   2                   3

    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |          Source Port          |       Destination Port        |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |                        Sequence Number                        |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |                    Acknowledgment Number                      |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |  Data |           |U|A|P|R|S|F|                               |

   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |

   |       |           |G|K|H|T|N|N|                               |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |           Checksum            |         Urgent Pointer        |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |                    Options                    |    Padding    |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |                             data                              |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            TCP Header Format

          Note that one tick mark represents one bit position.

                               Figure 3.
控制比特信息 : 

Control Bits: 6 bits (from left to right):

    URG:  Urgent Pointer field significant

    ACK:  Acknowledgment field significant

    PSH:  Push Function

    RST:  Reset the connection

    SYN:  Synchronize sequence numbers

    FIN:  No more data from sender
 
[参考]
1. /usr/share/systemtap/testsuite/systemtap.examples
3. systemtap-testsuite
5. /usr/share/systemtap/testsuite/systemtap.examples/index.txt
6. /usr/share/systemtap/testsuite/systemtap.examples/keyword-index.txt
7. /usr/share/systemtap/tapset

Systemtap examples, Network - 4 Monitoring TCP Packets的更多相关文章

  1. computer network layers architecture (TCP/IP)

    computer network layers architecture (TCP/IP) 计算机网络分层架构 TCP/IP 协议簇 OSI 模型(7 层) TCP/IP (4 层) Applicat ...

  2. Top 10 Free Wireless Network hacking/monitoring tools for ethical hackers and businesses

    There are lots of free tools available online to get easy access to the WiFi networks intended to he ...

  3. Language-Directed Hardware Design for Network Performance Monitoring——Marple

    网络监控困难 1.仅仅通过去增加特定的监控功能到交换机是不能满足运营商不断变化的需求的.(交换机需要支持网络性能问题的表达语言) 2.他们缺乏对网络深处的性能问题进行本地化的可见性,间接推断网络问题的 ...

  4. SystemTap Beginners Guide

    SystemTap 3.0 SystemTap Beginners Guide Introduction to SystemTap Edition 3.0   Red Hat, Inc. Don Do ...

  5. Network Load Balancing Technical Overview--reference

    http://technet.microsoft.com/en-us/library/bb742455.aspx Abstract Network Load Balancing, a clusteri ...

  6. TCP/UDP端口列表

    http://zh.wikipedia.org/wiki/TCP/UDP%E7%AB%AF%E5%8F%A3%E5%88%97%E8%A1%A8 TCP/UDP端口列表     本条目可通过翻译外语维 ...

  7. Monitoring and Tuning the Linux Networking Stack: Receiving Data

    http://blog.packagecloud.io/eng/2016/06/22/monitoring-tuning-linux-networking-stack-receiving-data/ ...

  8. How Network Load Balancing Technology Works--reference

    http://technet.microsoft.com/en-us/library/cc756878(v=ws.10).aspx In this section Network Load Balan ...

  9. 内核调试神器SystemTap — 简介与使用(一)

    a linux trace/probe tool. 官网:https://sourceware.org/systemtap/ 简介 SystemTap是我目前所知的最强大的内核调试工具,有些家伙甚至说 ...

随机推荐

  1. hihoCoder-1089-Floyd

    我们读入的时候,要考虑重边的问题,我们只取边的最小值就可以了. #include <cstdio> #include <cstring> const int INF = 0x3 ...

  2. Linux基础学习-使用iSCSI服务部署网络存储

    使用iSCSI服务部署网络存储 iSCSI技术实现了物理硬盘设备与TCP/IP网络协议的相互结合,使得用户可以通过互联网方便地访问远程机房提供的共享存储资源.下面介绍如何在Linux上部署iSCSI服 ...

  3. JavaScript正则表达式-字符类

    字符列表 在方括号内指定一个或者多个字符组成的字符列表,与字符列表中任意字符匹配,都被认为是匹配的.每次匹配只能匹配列表中的一个字符. str = "bird,head,fed,meadow ...

  4. java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11GraphicsEnvironment问题解决

    2018-09-29 17:45:16.905 ERROR [pool-1-thread-1]o.s.scheduling.support.TaskUtils$LoggingErrorHandler. ...

  5. nginx的详解(四)

    10.nginx的访问控制及DDOS预防1)访问控制配置基于各种原因,Ningx有时要进行访问控制.比如说,一般网站的后台都不能让外部访问,所以要添加 IP 限制,通常只允许公司的IP访问.访问控制就 ...

  6. Unity3D for iOS初级教程:Part 1/3

    转自Unity 3d for ios 这篇文章还可以在这里找到 英语 Learn how to use Unity to make a simple 3D iOS game! 这篇教材是来自教程团队成 ...

  7. [UOJ#220][BZOJ4651][Noi2016]网格

    [UOJ#220][BZOJ4651][Noi2016]网格 试题描述 跳蚤国王和蛐蛐国王在玩一个游戏. 他们在一个 n 行 m 列的网格上排兵布阵.其中的 c 个格子中 (0≤c≤nm),每个格子有 ...

  8. 学习系列 - 马拉车&扩展KMP

    Manacher(马拉车)是一种求最长回文串的线性算法,复杂度O(n).网上对其介绍的资料已经挺多了的,请善用搜索引擎. 而扩展KMP说白了就是是求模式串和主串的每一个后缀的最长公共前缀[KMP更像是 ...

  9. [BZOJ1590] [Usaco2008 Dec]Secret Message 秘密信息(字典树)

    传送门 看到前缀就要想到字典树! 看到前缀就要想到字典树! 看到前缀就要想到字典树! #include <cstdio> #include <iostream> #define ...

  10. farm

    farm 时间限制:C/C++ 4秒,其他语言8秒 空间限制:C/C++ 262144K,其他语言524288K 64bit IO Format: %lld 题目描述 White Rabbit has ...