G'Day Darren,

On Tue, Oct 10, 2006 at 03:21:40PM -0700, [EMAIL PROTECTED] wrote:
[...]
> Show me something I can't do with tcpdump/snoop...examining loopback
> traffic on Solaris is interesting, but there's a good chance that the
> IP observability project will deliver this before dtrace.

You mean Bug ID 4085089 will be completed soon?

Sure, the IP observability project should provide loopback snooping, and
that will be useful in numerous ways. truss is useful in numerous ways;
but that's no reason why we shouldn't have, in addition, a syscall
provider.

Here is where I'm at with loopback tracing,

# ./tcpio3.d
           LADDR:PORT                 RADDR:PORT   BYTES FLAGS
       127.0.0.1:51309  ->        127.0.0.1:79         0 (SYN)
       127.0.0.1:79     <-        127.0.0.1:51309      0 (SYN)
       127.0.0.1:79     ->        127.0.0.1:51309      0 (SYN|ACK)
       127.0.0.1:51309  <-        127.0.0.1:79         0 (SYN|ACK)
       127.0.0.1:51309  ->        127.0.0.1:79         0 (ACK)
       127.0.0.1:79     <-        127.0.0.1:51309      0 (ACK)
       127.0.0.1:51309  ->        127.0.0.1:79         2 (loopback)
       127.0.0.1:79     <-        127.0.0.1:51309      2 (loopback)
       127.0.0.1:79     ->        127.0.0.1:51309    207 (loopback)
       127.0.0.1:51309  <-        127.0.0.1:79       207 (loopback)
       127.0.0.1:79     <-        127.0.0.1:51309      0 (loopback)
       127.0.0.1:51309  <-        127.0.0.1:79         0 (loopback)
       127.0.0.1:79     ->        127.0.0.1:51309      0 (FIN|ACK)
       127.0.0.1:51309  <-        127.0.0.1:79         0 (FIN|ACK)
       127.0.0.1:51309  ->        127.0.0.1:79         0 (ACK)
       127.0.0.1:79     <-        127.0.0.1:51309      0 (ACK)
       127.0.0.1:51309  ->        127.0.0.1:79         0 (FIN|ACK)
       127.0.0.1:79     <-        127.0.0.1:51309      0 (FIN|ACK)
       127.0.0.1:79     ->        127.0.0.1:51309      0 (ACK)
       127.0.0.1:51309  <-        127.0.0.1:79         0 (ACK)
^C

That was a trace of a localhost finger connection. Events appear
duplicated as we see both the send and receive. IPv6 works fine too.

ftp is also interesting to check, as we can initiate some known sized
data transfers (assuming no tcp retransmits), and check that the numbers
match. Here I send a "contents" file to /tmp from both deimos and
localhost,

# ls -l /tmp/contents
-rw-r--r--   1 fred     other    21380410 Oct 12 10:16 /tmp/contents

# ./tcpbytes3.d
Tracing... Hit Ctrl-C to end.
^C

   HOST                             PORT                BYTES
   deimos                           ftp                   536
   deimos                           ssh                  1568
   localhost                        ftp-data         21380410
   localhost                        60228            21380410
   deimos                           ftp-data         21380410

Both the ftp-data connections match the file size. The 60228 port is
the client sending data; our output shows both send and receive totals.

cheers,

Brendan

-- 
Brendan
[CA, USA]