trace_tcp

The trace_tcp gadget tracks tcp connect, accept and close.

Requirements

• Minimum Kernel Version : *5.4

*This is the minimal kernel version we have tried for this Gadget, however it's possible that it works with earlier versions.

Getting started

Running the gadget:

kubectl gadget

$ kubectl gadget run ghcr.io/inspektor-gadget/gadget/trace_tcp:latest [flags]

ig

$ sudo ig run ghcr.io/inspektor-gadget/gadget/trace_tcp:latest [flags]

Flags

--accept-only

Show only accept events

Default value: "false"

--connect-only

Show only connect events

Default value: "false"

--failure-only

Don't show successful events

Default value: "false"

Guide

kubectl gadget

First, we need to create one pod:

$ kubectl run bb --image busybox:latest sleep inf
pod/bb created

You can now use the gadget, but output will be empty:

$ kubectl gadget run trace_tcp:latest
K8S.NODE          K8S.NAMESPACE         K8S.PODNAME           K8S.CONTAINERNAME     SRC                          DST                          COMM                PID         TID         UID        GID TYPE

Indeed, it is waiting for TCP connection to be established in the default namespace (you can use -A to monitor all namespaces and then be sure to not miss any event). So, in another terminal, exec a container and run this wget:

$ kubectl exec -ti bb -- wget https://www.kinvolk.io
Connecting to www.kinvolk.io (188.114.96.3:443)
wget: note: TLS certificate validation not implemented
saving to 'index.html'
index.html           100% |************************************************************************************************| 47748  0:00:00 ETA
'index.html' saved

Go back to the terminal where the gadget is running. The requests will be logged by the gadget:

K8S.NODE          K8S.NAMESPACE         K8S.PODNAME           K8S.CONTAINERNAME     SRC                          DST                          COMM                PID         TID         UID        GID TYPE
minikube-docker   default               bb                    bb                    p/default/bb:60552           172.67.196.142:443           wget             750625      750625           0          0 connect

ig

Start the gadget in a terminal:

$ sudo ig run trace_tcp:latest --containername test-trae-tcp
RUNTIME.CONTAINERNAME        SRC                                   DST                                   COMM                        PID            TID            UID            GID TYPE

Then, run a container that creates a TCP connection.

$ docker run -it --name test-trace-tcp busybox /bin/sh -c "wget https://www.example.com"
Connecting to www.example.com (93.184.216.34:443)
wget: note: TLS certificate validation not implemented
saving to 'index.html'
index.html           100% |********************************|  1256  0:00:00 ETA
'index.html' saved

The gadget will print that connection on the first terminal

$ sudo ig trace tcp -c test-trace-tcp
RUNTIME.CONTAINERNAME        SRC                                   DST                                   COMM                        PID            TID            UID            GID TYPE
test-trace-tcp               172.17.0.2:39664                      93.184.215.14:443                     wget                     757178         757178              0              0 connect

The printed lines correspond to TCP connection established with the socket.

Congratulations! You reached the end of this guide! You can now delete the pod you created:

kubectl gadget

$ kubectl delete pod bb

ig

$ docker rm -f test-trace-tcp

Architecture

connect

This diagram shows the path for asynchronous tcp connect calls. For synchronous one the tcp_set_state path is done before sys_connect returns back to the Tracee