ptcpdump is a process-aware, eBPF-based tcpdump,
Introduction
- Process-aware
  - Reports the process information associated with each packet
  - Supports filtering packets by process ID and process name
- Container-aware and Kubernetes-aware
  - Reports the container and pod information associated with each packet
  - Supports multiple container runtimes
  - Supports filtering packets by container ID, container name and pod name
- Supports filtering packets with pcap-filter(7) syntax
  - Filters are applied directly in kernel space
- Supports saving captured packets in PcapNG format for offline analysis with third-party tools such as Wireshark
Installation
help
```
$ ptcpdump --help
Usage:
  ptcpdump [flags] [expression] [-- command [args]]

Examples:
  sudo ptcpdump -i any tcp
  sudo ptcpdump -i eth0 -i lo
  sudo ptcpdump -i eth0 --pid 1234 port 80 and host 10.10.1.1
  sudo ptcpdump -i any --pname curl
  sudo ptcpdump -i any -- curl ubuntu.com
  sudo ptcpdump -i any -w ptcpdump.pcapng
  sudo ptcpdump -i any -w - port 80 | tcpdump -n -r -
  sudo ptcpdump -i any -w - port 80 | tshark -r -
  ptcpdump -r ptcpdump.pcapng

Expression: see "man 7 pcap-filter"

Flags:
      --container-id string          Filter by container id (only TCP and UDP packets are supported)
      --container-name string        Filter by container name (only TCP and UDP packets are supported)
      --containerd-address string    Address of containerd service (default "/run/containerd/containerd.sock")
      --count                        Print only on stdout the packet count when reading capture file instead of parsing/printing the packets
      --cri-runtime-address string   Address of CRI container runtime service (default: uses in order the first successful one of [/run/containerd/containerd.sock, /run/crio/crio.sock, /var/run/cri-dockerd.sock, /var/run/dockershim.sock])
  -Q, --direction string             Choose send/receive direction for which packets should be captured. Possible values are 'in', 'out' and 'inout' (default "inout")
      --docker-address string        Address of Docker Engine service (default "/var/run/docker.sock")
  -f, --follow-forks                 Trace child processes as they are created by currently traced processes when filter by process
  -h, --help                         help for ptcpdump
  -i, --interface strings            Interfaces to capture (default [lo])
      --list-interfaces              Print the list of the network interfaces available on the system
      --log-level string             Set the logging level ("debug", "info", "warn", "error", "fatal") (default "warn")
      --oneline                      Print parsed packet output in a single line
      --pid uint                     Filter by process ID (only TCP and UDP packets are supported)
      --pname string                 Filter by process name (only TCP and UDP packets are supported)
      --pod-name string              Filter by pod name (format: NAME.NAMESPACE, only TCP and UDP packets are supported)
      --print                        Print parsed packet output, even if the raw packets are being saved to a file with the -w flag
  -r, --read-file string             Read packets from file (which was created with the -w option). e.g. ptcpdump.pcapng
  -c, --receive-count uint           Exit after receiving count packets
  -s, --snapshot-length uint32       Snarf snaplen bytes of data from each packet rather than the default of 262144 bytes (default 262144)
  -v, --verbose count                When parsing and printing, produce (slightly more) verbose output
      --version                      Print the ptcpdump and libpcap version strings and exit
  -w, --write-file string            Write the raw packets to file rather than parsing and printing
```
Examples
Filter like tcpdump:

```
sudo ptcpdump -i eth0 tcp
sudo ptcpdump -i eth0 tcp and port 80 and host 10.10.1.1
sudo ptcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'
```

Multiple interfaces:

```
sudo ptcpdump -i eth0 -i lo
```

Filter by process:

```
sudo ptcpdump -i any --pid 1234
sudo ptcpdump -i any --pname curl
```

Capture by process via running the target program:

```
sudo ptcpdump -i any -- curl ubuntu.com
```

Filter by container:

```
sudo ptcpdump -i any --container-id 36f0310403b1
sudo ptcpdump -i any --container-name test
```

Filter by Pod:

```
sudo ptcpdump -i any --pod-name test.default
```

Save data in PcapNG format:

```
sudo ptcpdump -i any -w demo.pcapng
sudo ptcpdump -i any -w - port 80 | tcpdump -n -r -
sudo ptcpdump -i any -w - port 80 | tshark -r -
```
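The feature list above and the "Save data in PcapNG format" examples both rely on the PcapNG container, which is what lets a capture be handed to Wireshark or tshark for offline analysis. The following is an added example, not code from ptcpdump or its author: a minimal, dependency-free PcapNG walker that validates block framing, picks the section byte order from the Section Header Block, and pulls each Enhanced Packet Block together with its `opt_comment` (option code 1), the per-packet slot Wireshark shows as a packet comment. The sample file it builds, the filler packet bytes and the `pid=... comm=...` comment strings are constructed for the demo; this page does not describe how ptcpdump annotates packets, so `filter_by_comment` is only a stand-in for doing a process-style filter on a stored file rather than ptcpdump's own `--pid`/`--pname` logic.

```python
"""Minimal PcapNG reader and constructed sample capture (added example, not ptcpdump's code)."""
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006   # block types from the PcapNG spec
OPT_END, OPT_COMMENT = 0, 1                           # option codes: opt_endofopt, opt_comment
BYTE_ORDER_MAGIC = 0x1A2B3C4D


def _pad4(n):
    """Block bodies, packet data and option values are padded to 32-bit boundaries."""
    return (n + 3) & ~3


def _block(btype, body, endian="<"):
    """Frame a body as type | total length | body | total length (trailer)."""
    padded = body + b"\x00" * (_pad4(len(body)) - len(body))
    total = 12 + len(padded)
    return struct.pack(endian + "II", btype, total) + padded + struct.pack(endian + "I", total)


def _options(opts, endian="<"):
    out = b""
    for code, value in opts:
        out += struct.pack(endian + "HH", code, len(value)) + value
        out += b"\x00" * (_pad4(len(value)) - len(value))
    return out + struct.pack(endian + "HH", OPT_END, 0)


def build_sample_capture():
    """Constructed two-packet PcapNG file: SHB, one IDB, two EPBs with comments.
    The comment text imitates per-packet process metadata and is made up for this demo."""
    shb_body = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + _options([])  # section len -1 = unknown
    idb_body = struct.pack("<HHI", 1, 0, 262144) + _options([])                 # LINKTYPE_ETHERNET, snaplen
    packets = [
        (b"\xaa" * 60, b"pid=1234 comm=curl (constructed comment)"),
        (b"\xbb" * 42, b"pid=4321 comm=sshd (constructed comment)"),
    ]
    out = _block(SHB, shb_body) + _block(IDB, idb_body)
    for i, (data, comment) in enumerate(packets):
        # interface id, timestamp high, timestamp low, captured len, original len
        epb_body = struct.pack("<IIIII", 0, 0, i, len(data), len(data))
        epb_body += data + b"\x00" * (_pad4(len(data)) - len(data))
        epb_body += _options([(OPT_COMMENT, comment)])
        out += _block(EPB, epb_body)
    return out


def _parse_options(buf, endian):
    opts, pos = [], 0
    while pos + 4 <= len(buf):
        code, length = struct.unpack_from(endian + "HH", buf, pos)
        pos += 4
        if code == OPT_END:
            break
        opts.append((code, buf[pos:pos + length]))
        pos += _pad4(length)
    return opts


def read_packets(data):
    """Return a list of dicts, one per Enhanced Packet Block, with its opt_comment (or None).
    Every block's leading and trailing lengths must agree, or the file is rejected."""
    endian, pos, packets = "<", 0, []
    while pos + 12 <= len(data):
        btype = struct.unpack_from("<I", data, pos)[0]  # SHB type is byte-order independent
        if btype == SHB:
            magic = struct.unpack_from("<I", data, pos + 8)[0]
            endian = "<" if magic == BYTE_ORDER_MAGIC else ">"
        total = struct.unpack_from(endian + "I", data, pos + 4)[0]
        if total < 12 or total % 4 or pos + total > len(data):
            raise ValueError(f"bad block length {total} at offset {pos}")
        trailer = struct.unpack_from(endian + "I", data, pos + total - 4)[0]
        if trailer != total:
            raise ValueError(f"block trailer mismatch at offset {pos}")
        body = data[pos + 8:pos + total - 4]
        if btype == EPB:
            iface, ts_hi, ts_lo, caplen, origlen = struct.unpack_from(endian + "IIIII", body, 0)
            opts = _parse_options(body[20 + _pad4(caplen):], endian)
            comment = next((v.decode("utf-8", "replace") for c, v in opts if c == OPT_COMMENT), None)
            packets.append({"iface": iface, "ts": (ts_hi << 32) | ts_lo, "caplen": caplen,
                            "origlen": origlen, "data": body[20:20 + caplen], "comment": comment})
        pos += total
    return packets


def filter_by_comment(packets, needle):
    """Offline stand-in for a process filter: keep packets whose comment contains needle."""
    return [p for p in packets if p["comment"] and needle in p["comment"]]


if __name__ == "__main__":
    pkts = read_packets(build_sample_capture())
    for p in filter_by_comment(pkts, "curl"):
        print(p["caplen"], p["comment"])
```

Swapping `build_sample_capture()` for `open("demo.pcapng", "rb").read()` runs the same walker over a file written with `-w`; the trailer check is what catches a truncated or tampered capture before any packet bytes are interpreted.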