On Tue, Sep 29, 2020 at 4:14 AM Kanthi P <[email protected]> wrote: > > Hi, > > I am looking for tracking inbound connections on a system using > tracepoints/kprobes. > > I was checking "trace_inet_sock_set_state", with which we can track the state > changes during connection establishment and closure. It seems straightforward > to track total connections, but since we only want inbound, one way would be > to look at what are the ip addresses/ports on which a node listens to and > while tracking the state changes, I can see if the local address/port matches > to the one this system listens on and based on that make a decision whether > its an inbound connection or not. This looks a bit roundabout way for me, so > thought of reaching for suggestions to do it simpler. > > Another way is to store the socker address when TCP_SYN_RECV to > TCP_ESTABLISHED state change happens and during closure we can check if it is > for this socket, so we know its inbound connection. But this would make the > map size grow too high as we have about 50k concurrent connections. > > Can you suggest a better way to do this?
Maybe you can use sk_local_storage? You can attach a piece of information to the socket during TCP_SYN_RECV and later on during TCP_ESTABLISHED to check that data, and you can delete that data from the socket if you do not need it any more, all in bpf program. > > Thanks, > Kanthi > > -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#1913): https://lists.iovisor.org/g/iovisor-dev/message/1913 Mute This Topic: https://lists.iovisor.org/mt/77193554/21656 Group Owner: [email protected] Unsubscribe: https://lists.iovisor.org/g/iovisor-dev/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
