Demonstrations of bindsnoop, the Linux eBPF/bcc version.

This tool traces the kernel function performing socket binding and
prints socket options set before the system call invocation that might
impact bind behavior and the bound interface:

  SOL_IP     IP_FREEBIND              F....
  SOL_IP     IP_TRANSPARENT           .T...
  SOL_IP     IP_BIND_ADDRESS_NO_PORT  ..N..
  SOL_SOCKET SO_REUSEADDR             ...R.
  SOL_SOCKET SO_REUSEPORT             ....r


# ./bindsnoop.py
Tracing binds ... Hit Ctrl-C to end
PID     COMM          PROT ADDR           PORT   OPTS  IF
3941081 test_bind_op  TCP  192.168.1.102  0      F.N.. 0
3940194 dig           TCP  ::             62087  ..... 0
3940219 dig           UDP  ::             48665  ..... 0
3940893 Acceptor Thr  TCP  ::             35343  ...R. 0

The output shows four bind system calls:
two "test_bind_op" instances, one with the IP_FREEBIND and IP_BIND_ADDRESS_NO_PORT
options, the dig process called bind for TCP and UDP sockets,
and Acceptor called bind for TCP with the SO_REUSEADDR option set.


The -t option prints a timestamp column:

# ./bindsnoop.py -t
TIME(s)   PID      COMM          PROT ADDR           PORT   OPTS  IF
0.000000  3956801  dig           TCP  ::             49611  ..... 0
0.011045  3956822  dig           UDP  ::             56343  ..... 0
2.310629  3956498  test_bind_op  TCP  192.168.1.102  39609  F...r 0


The -U option prints a UID column:

# ./bindsnoop.py -U
Tracing binds ... Hit Ctrl-C to end
   UID  PID      COMM          PROT ADDR           PORT   OPTS  IF
127072  3956498  test_bind_op  TCP  192.168.1.102  44491  F...r 0
127072  3960261  Acceptor Thr  TCP  ::             48869  ...R. 0
     0  3960729  Acceptor Thr  TCP  ::             44637  ...R. 0
     0  3959075  chef-client   UDP  ::             61722  ..... 0


The -u option filters by UID:

# ./bindsnoop.py -Uu 0
Tracing binds ... Hit Ctrl-C to end
   UID  PID      COMM          PROT ADDR           PORT   OPTS  IF
     0  3966330  Acceptor Thr  TCP  ::             39319  ...R. 0
     0  3968044  python3.7     TCP  ::1            59371  ..... 0
     0  10224    fetch         TCP  0.0.0.0        42091  ...R. 0


The --cgroupmap option filters based on a cgroup set.
It is meant to be used with an externally created map.

# ./bindsnoop.py --cgroupmap /sys/fs/bpf/test01

For more details, see docs/special_filtering.md


In order to track heavy bind usage one can use the --count option:

# ./bindsnoop.py --count
Tracing binds ... Hit Ctrl-C to end
LADDR      LPORT  BINDS
0.0.0.0    6771   4
0.0.0.0    4433   4
127.0.0.1  33665  1


Usage message:

# ./bindsnoop.py -h
usage: bindsnoop.py [-h] [-t] [-w] [-p PID] [-P PORT] [-E] [-U] [-u UID]
                    [--count] [--cgroupmap CGROUPMAP] [--mntnsmap MNTNSMAP]

Trace TCP binds

optional arguments:
  -h, --help            show this help message and exit
  -t, --timestamp       include timestamp on output
  -w, --wide            wide column output (fits IPv6 addresses)
  -p PID, --pid PID     trace this PID only
  -P PORT, --port PORT  comma-separated list of ports to trace.
  -E, --errors          include errors in the output.
  -U, --print-uid       include UID on output
  -u UID, --uid UID     trace this UID only
  --count               count binds per src ip and port
  --cgroupmap CGROUPMAP
                        trace cgroups in this BPF map only

examples:
    ./bindsnoop                 # trace all TCP bind()s
    ./bindsnoop -t              # include timestamps
    ./bindsnoop -w              # wider columns (fit IPv6)
    ./bindsnoop -p 181          # only trace PID 181
    ./bindsnoop -P 80           # only trace port 80
    ./bindsnoop -P 80,81        # only trace port 80 and 81
    ./bindsnoop -U              # include UID
    ./bindsnoop -u 1000         # only trace UID 1000
    ./bindsnoop -E              # report bind errors
    ./bindsnoop --count         # count bind per src ip
    ./bindsnoop --cgroupmap mappath  # only trace cgroups in this BPF map
    ./bindsnoop --mntnsmap mappath   # only trace mount namespaces in the map

it is reporting socket options set before the bind call
impacting system call behavior:
    SOL_IP     IP_FREEBIND              F....
    SOL_IP     IP_TRANSPARENT           .T...
    SOL_IP     IP_BIND_ADDRESS_NO_PORT  ..N..
    SOL_SOCKET SO_REUSEADDR             ...R.
    SOL_SOCKET SO_REUSEPORT             ....r

SO_BINDTODEVICE interface is reported as "IF" index
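The OPTS column packs five socket options into a fixed-position flag string, and the COMM column can contain spaces ("Acceptor Thr"), so naive whitespace splitting misreads the output. The following is an added example, not part of bcc or the bindsnoop tool: it parses default, -t and -U output, decodes the flag string into option names, and flags binds a reviewer would want to look at (IP_FREEBIND/IP_TRANSPARENT, or SO_REUSEPORT on a wildcard address); the review rules and the sample lines are constructed for illustration.

```python
# Position in the OPTS column -> (flag character, socket option name),
# in the order bindsnoop prints them.
OPT_FLAGS = {
    0: ("F", "IP_FREEBIND"),
    1: ("T", "IP_TRANSPARENT"),
    2: ("N", "IP_BIND_ADDRESS_NO_PORT"),
    3: ("R", "SO_REUSEADDR"),
    4: ("r", "SO_REUSEPORT"),
}

def decode_opts(opts):
    """Turn an OPTS column such as 'F.N..' into the set of option names."""
    if len(opts) != 5:
        raise ValueError("OPTS column must be 5 characters: %r" % opts)
    names = set()
    for i, (ch, name) in OPT_FLAGS.items():
        if opts[i] == ch:
            names.add(name)
        elif opts[i] != ".":
            raise ValueError("unexpected flag %r at position %d" % (opts[i], i))
    return names

def parse_bindsnoop(text):
    """Parse default, -t and -U output into dicts; COMM may contain spaces."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("Tracing")]
    # Optional leading columns are discovered from the header line.
    leading = [h for h in lines[0].split() if h in ("TIME(s)", "UID")]
    events = []
    for line in lines[1:]:
        f = line.split()
        prot, addr, port, opts, ifindex = f[-5:]  # fixed trailing columns
        ev = {"prot": prot, "addr": addr, "port": int(port),
              "opts": decode_opts(opts), "if": int(ifindex)}
        n = len(leading)
        for name, value in zip(leading, f[:n]):
            ev["uid" if name == "UID" else "time"] = int(value) if name == "UID" else float(value)
        ev["pid"] = int(f[n])
        ev["comm"] = " ".join(f[n + 1:-5])  # everything between PID and PROT
        events.append(ev)
    return events

def review(events):
    """Return (event, reason) pairs for binds worth a closer look (constructed rules)."""
    findings = []
    for ev in events:
        reasons = []
        if ev["opts"] & {"IP_FREEBIND", "IP_TRANSPARENT"}:
            reasons.append("may bind to a non-local address")
        if "SO_REUSEPORT" in ev["opts"] and ev["addr"] in ("0.0.0.0", "::"):
            reasons.append("SO_REUSEPORT on a wildcard address")
        if reasons:
            findings.append((ev, "; ".join(reasons)))
    return findings

# Constructed sample, assembled from lines like those shown above.
SAMPLE = """\
Tracing binds ... Hit Ctrl-C to end
PID     COMM          PROT ADDR           PORT   OPTS  IF
3941081 test_bind_op  TCP  192.168.1.102  0      F.N.. 0
3940194 dig           TCP  ::             62087  ..... 0
3940893 Acceptor Thr  TCP  ::             35343  ...R. 0
3956498 test_bind_op  TCP  192.168.1.102  39609  F...r 0
"""
```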