Home > Linux, 工具介绍, 网络编程 > Linux下方便的socket读写查看器(socktop)

Linux下方便的socket读写查看器(socktop)

March 31st, 2011

原创文章,转载请注明: 转载自系统技术非业余研究

本文链接地址: Linux下方便的socket读写查看器(socktop)

晚上 雕梁 说要找个工具来调查下unix域套接字的发送和接受情况,比如说A程序是否送出,B程序是否接收到,他找了tcpdump ,wireshark什么的,貌似都不支持。

这时候还是伟大的systemtap来救助了。 因为所有的socket通讯都是通过socket接口来的,任何family的通讯包括unix域套接都要走的,所以只要截获了socket 读写的几个syscall 就搞定了.

systemtap发行版本提供了个工具socktop, 位于 /usr/share/doc/systemtap/examples/network/socktop, 是个非常方便的工具, 干这个事情最合适了。

socktop源码里面的版权和简单的功能介绍:

# Socktop systemtap script
# Copyright (C) 2006 IBM Corp.
#
# This file is part of systemtap, and is free software. You can
# redistribute it and/or modify it under the terms of the GNU General
# Public License (GPL); either version 2, or (at your option) any
# later version.

###
### socktop – Combination shell/systemtap script to track reads and writes
### on sockets by process. Can be filtered by process IDs and
### names, protocols, protocol families, users and socket type.
###


$ uname -r
2.6.18-164.el5

$ rpm -i kernel-debuginfo-common-2.6.18-164.el5.x86_64.rpm
$ rpm -i kernel-debuginfo-2.6.18-164.el5.x86_64.rpm  

#使用帮助
$ /usr/share/doc/systemtap/examples/network/socktop -h 
USAGE: socktop [-d] [-i interval] [-N num] [-P protocol]... [-f family]...
               [-t stype]... [-n pname]... [-p pid]... [-u username]... [-h]
    -d           # print network device traffic (default: off)
    -i interval  # interval in seconds between printing (default: 5)
    -N num       # number of top processes and devices to print (default: 10)
    -f family    # this protocol family only (default: all)
    -P protocol  # this protocol only (default: all)
    -t stype     # this socket type only (default: all)
    -n pname     # this process name only (default: all)
    -p pid       # this process ID only (default: all)
    -u username  # this user only (default: all)
    -c count     # number of iteration
    -m mod_name  # generate instrumentation (but do not run)
    -h           # print this help text

Protocol Families:
    LOCAL, INET, INET6, IPX, NETLINK, X25, AX25, ATMPVC, APPLETALK, PACKET

Protocols:
    TCP, UDP, SCTP, IP, FC, ... (see /etc/protocols for complete list)

Socket Types:
    STREAM, DGRAM, RAW, RDM, SEQPACKET, DCCP, PACKET

上面的使用写的很明白了,我们要过滤的是unix套接字, 每5秒报告下情况, 还顺手把网络设备的流量打出来。

$sudo /usr/share/doc/systemtap/examples/network/socktop -f LOCAL -i 5 -d
======================= Thu Mar 31 21:23:03 2011 ========================
------------------------------- PROCESSES -------------------------------
PID   UID     #SEND   #RECV SEND_KB RECV_KB PROT FAMILY   COMMAND        
24821 50453       1       0       0       0 IP   LOCAL    crond          
3840  0           0       2       0       0 IP   LOCAL    syslog-ng      

-------------------------------- DEVICES --------------------------------
DEV             #XMIT         #RECV         XMIT_KB         RECV_KB
eth0              457           250             102              38
bond0             457             0             102               0
lo                 24            24               2               2
eth1                0            10               0               0
=========================================================================

我们很清楚的看到了,crond在发,syslog-ng在收。

如果你想知道报文的内容的话,可以改改脚本把报文也dump出来。

玩得开心!

Post Footer automatically generated by wp-posturl plugin for wordpress.

  1. February 2nd, 2012 at 11:29 | #1

    “监控A程序是否送出,B程序是否接收到”, 这个需求太common了.

    十分受用, 多谢, 峰哥

    Yu Feng Reply:

    多谢关注!

  2. piboyeliu
    February 2nd, 2012 at 11:49 | #2

    我们公司的机器没有安装stap, 老大介绍的好多东西都试验不了啊

    Yu Feng Reply:

    自己安装个符合信息,几分钟的事情~

    piboyeliu Reply:

    内核不支持,需要重新编译吧。

    Yu Feng Reply:

    RHEL系的内核都是支持的,其他的内核由于不支持utrace,用起来不爽。

    piboyeliu Reply:

    我公司的是suse

  3. tiger
    February 20th, 2012 at 21:44 | #3

    不错,以前抓unix domain的包,都是先发到nc上的,通过nc转包然后抓取。。

Comments are closed.