dtrace_ip (4)
Leading comments
Copyright (c) 2015 Mark Johnston <markj@FreeBSD.org> All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the docum...
NAME
dtrace_ip - a DTrace provider for tracing events related to the IPv4 and IPv6 protocols
SYNOPSIS
Fn ip:::receive pktinfo_t * csinfo_t * ipinfo_t * ifinfo_t * ipv4info_t * ipv6info_t *
Fn ip:::send pktinfo_t * csinfo_t * ipinfo_t * ifinfo_t * ipv4info_t * ipv6info_t *
DESCRIPTION
The DTrace ip provider allows users to trace events in the ip(4) and ip6(4) protocol implementations. The Fn ip:::send probe fires whenever the kernel prepares to transmit an IP packet, and the Fn ip:::receive probe fires whenever the kernel receives an IP packet. The arguments to these probes can be used to obtain detailed information about the IP headers of the corresponding packet, as well as the network interface on which the packet was sent or received. Unlike the dtrace_tcp(4) and dtrace_udp(4) providers, ip provider probes are triggered by forwarded packets. That is, the probes will fire on packets that are not destined to the local host.
ARGUMENTS
The Vt pktinfo_t argument is currently unimplemented and is included for compatibility with other implementations of this provider. Its fields are:
- Vt uintptr_t pkt_addr
- Always set to 0.
The Vt csinfo_t argument is currently unimplemented and is included for compatibility with other implementations of this provider. Its fields are:
- Vt uintptr_t cs_addr
- Always set to 0.
- Vt uint64_t cs_cid
- A pointer to the Vt struct inpcb for this packet, or NULL.
- Vt pid_t cs_pid
- Always set to 0.
The Vt ipinfo_t argument contains IP fields common to both IPv4 and IPv6 packets. Its fields are:
- Vt uint8_t ip_ver
- IP version of the packet, 4 for IPv4 packets and 6 for IPv6 packets.
- Vt uint32_t ip_plength
- IP payload size. This does not include the size of the IP header or IPv6 option headers.
- Vt string ip_saddr
- IP source address.
- Vt string ip_daddr
- IP destination address.
The Vt ifinfo_t argument describes the outgoing and incoming interfaces for the packet in the Fn ip:::send and Fn ip:::receive probes respectively. Its fields are:
- Vt string if_name
- The interface name.
- Vt int8_t if_local
- A boolean value indicating whether or not the interface is a loopback interface.
- Vt uintptr_t if_addr
- A pointer to the Vt struct ifnet which describes the interface. See the ifnet(9) manual page.
The Vt ipv4info_t argument contains the fields of the IP header for IPv4 packets. This argument is NULL for IPv6 packets. DTrace scripts should use the Fn ip_ver field in the Vt ipinfo_t argument to determine whether to use this argument. Its fields are:
- Vt uint8_t ipv4_ver
- IP version. This will always be 4 for IPv4 packets.
- Vt uint8_t ipv4_ihl
- The IP header length, including options, in 32-bit words.
- Vt uint8_t ipv4_tos
- IP type of service field.
- Vt uint16_t ipv4_length
- The total packet length, including the header, in bytes.
- Vt uint16_t ipv4_ident
- Identification field.
- Vt uint8_t ipv4_flags
- The IP flags.
- Vt uint16_t ipv4_offset
- The fragment offset of the packet.
- Vt uint8_t ipv4_ttl
- Time to live field.
- Vt uint8_t ipv4_protocol
- Next-level protocol ID.
- Vt string ipv4_protostr
- A string containing the name of the encapsulated protocol. The protocol strings are defined in the protocol array in /usr/lib/dtrace/ip.d.
- Vt uint16_t ipv4_checksum
- The IP checksum.
- Vt ipaddr_t ipv4_src
- IPv4 source address.
- Vt ipaddr_t ipv4_dst
- IPv4 destination address.
- Vt string ipv4_saddr
- A string representation of the source address.
- Vt string ipv4_daddr
- A string representation of the destination address.
- Vt ipha_t *ipv4_hdr
- A pointer to the raw IPv4 header.
The Vt ipv6info_t argument contains the fields of the IP header for IPv6 packets. Its fields are not set for IPv4 packets; as with the Vt ipv4info_t argument, the Fn ip_ver field should be used to determine whether this argument is valid. Its fields are:
- Vt uint8_t ipv6_ver
- IP version. This will always be 6 for IPv6 packets.
- Vt uint8_t ipv6_tclass
- The traffic class, used to set the differentiated services codepoint and explicit congestion notification flags.
- Vt uint32_t ipv6_flow
- The flow label of the packet.
- Vt uint16_t ipv6_plen
- The IP payload size, including extension headers, in bytes.
- Vt uint8_t ipv6_nexthdr
- An identifier for the type of the next header.
- Vt string ipv6_nextstr
- A string representation of the type of the next header.
- Vt uint8_t ipv6_hlim
- The hop limit.
- Vt ip6_addr_t *ipv6_src
- IPv6 source address.
- Vt ip6_addr_t *ipv6_dst
- IPv6 destination address.
- Vt string ipv6_saddr
- A string representation of the source address.
- Vt string ipv6_daddr
- A string representation of the destination address.
- Vt struct ip6_hdr *ipv6_hdr
- A pointer to the raw IPv6 header.
FILES
- /usr/lib/dtrace/ip.d
- DTrace type and translator definitions for the ip provider.
EXAMPLES
The following script counts received packets by remote host address.

    ip:::receive
    {
        @num[args[2]->ip_saddr] = count();
    }

This script will print some details of each IP packet as it is sent or received by the kernel:

    #pragma D option quiet
    #pragma D option switchrate=10Hz

    dtrace:::BEGIN
    {
        printf(" %10s %30s %-30s %8s %6s\n", "DELTA(us)", "SOURCE",
            "DEST", "INT", "BYTES");
        last = timestamp;
    }

    /* Outgoing packet: local side is the source. */
    ip:::send
    {
        this->elapsed = (timestamp - last) / 1000;
        printf(" %10d %30s -> %-30s %8s %6d\n", this->elapsed,
            args[2]->ip_saddr, args[2]->ip_daddr, args[3]->if_name,
            args[2]->ip_plength);
        last = timestamp;
    }

    /* Incoming packet: destination is printed first so columns line up. */
    ip:::receive
    {
        this->elapsed = (timestamp - last) / 1000;
        printf(" %10d %30s <- %-30s %8s %6d\n", this->elapsed,
            args[2]->ip_daddr, args[2]->ip_saddr, args[3]->if_name,
            args[2]->ip_plength);
        last = timestamp;
    }
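
The ARGUMENTS section says to check ip_ver before touching the ipv4info_t or ipv6info_t argument. The script below is an added example, not part of the original manual page, that applies that check in each predicate while accounting for received traffic on non-loopback interfaces. Because ip probes also fire for forwarded packets, on a router the totals include transit traffic; the aggregation names and column labels are chosen here for illustration.

```dtrace
#pragma D option quiet

/*
 * Added example (not from the manual page). Argument positions follow
 * the SYNOPSIS: args[2] ipinfo_t, args[3] ifinfo_t, args[4] ipv4info_t,
 * args[5] ipv6info_t.
 */

/* IPv4: args[4] is only dereferenced once ip_ver is known to be 4. */
ip:::receive
/args[2]->ip_ver == 4 && args[3]->if_local == 0/
{
	@v4[args[3]->if_name, args[4]->ipv4_protostr, args[2]->ip_saddr] =
	    sum(args[2]->ip_plength);
}

/* IPv4 packets with a non-zero fragment offset, counted per source. */
ip:::receive
/args[2]->ip_ver == 4 && args[4]->ipv4_offset != 0/
{
	@frag[args[2]->ip_saddr] = count();
}

/* IPv6: args[5] fields are only set when ip_ver is 6. */
ip:::receive
/args[2]->ip_ver == 6 && args[3]->if_local == 0/
{
	@v6[args[3]->if_name, args[5]->ipv6_nextstr, args[2]->ip_saddr] =
	    sum(args[2]->ip_plength);
}

/* Print the per-interface, per-protocol payload totals on exit. */
dtrace:::END
{
	printf("%-8s %-8s %-40s %s\n", "IF", "PROTO", "SOURCE", "PAYLOAD");
	printa("%-8s %-8s %-40s %@d\n", @v4);
	printa("%-8s %-8s %-40s %@d\n", @v6);
	printf("\n%-40s %s\n", "SOURCE", "FRAGMENTS");
	printa("%-40s %@d\n", @frag);
}
```

The PAYLOAD column sums ip_plength, so it excludes IP headers and IPv6 option headers, as described for that field.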