github.com/inspektor-gadget/inspektor-gadget@v0.28.1/docs/builtin-gadgets/trace/tcp.md

---
title: 'Using trace tcp'
weight: 20
description: >
  Trace tcp connect, accept and close.
---

The trace tcp gadget monitors TCP connections by showing their
connect, accept and close events.

### On Kubernetes

First, we need to create one pod:

```bash
$ kubectl run bb --image busybox:latest sleep inf
pod/bb created
```

You can now use the gadget, but the output will be empty:

```bash
$ kubectl gadget trace tcp
K8S.NODE            K8S.NAMESPACE       K8S.POD             K8S.CONTAINER       T PID        COMM       IP SRC                      DST
```

The gadget is waiting for TCP connections to be established in the `default` namespace (use `-A` to monitor all namespaces so that you do not miss any event).
So, in *another terminal*, `exec` into the container and run this `wget`:

```bash
$ kubectl exec -ti bb -- wget https://www.kinvolk.io
Connecting to www.kinvolk.io (188.114.96.3:443)
wget: note: TLS certificate validation not implemented
saving to 'index.html'
index.html           100% |************************************************************************************************| 47748  0:00:00 ETA
'index.html' saved

```

Go back to *the first terminal* and see:

```bash
K8S.NODE            K8S.NAMESPACE       K8S.POD             K8S.CONTAINER       T PID        COMM       IP SRC                      DST
minikube-docker     default             bb                  bb                  C 253124     wget       4  p/default/bb:50192       o/188.114.96.3:443
```

The printed lines correspond to TCP connections established with the socket.
Here is the full legend of all the fields:

* `T`: How the TCP connection was established. It can be one of the following values:
  * `C`: The TCP connection was established after a `connect()` system call.
  * `A`: The TCP connection was established after an `accept()` system call.
  * `X`: The TCP connection was closed following the `close()` system call.
  * `U`: The TCP connection was either established or closed for an unknown reason.
* `PID`: The PID which established the TCP connection.
* `COMM`: The command corresponding to the PID.
* `IP`: The IP version (either 4 or 6).
* `SRC`: The source IP address, pod namespace + pod name or service name, together with the port.
* `DST`: The destination IP address, pod namespace + pod name or service name, together with the port.

So, the above line should be read like this: "Command `wget`, with PID 253124, established a TCP connection through IP version 4, using the `connect()` system call, from the `bb` container on port 50192 towards address 188.114.96.3 and port 443."

Note that IP 188.114.96.3 corresponds to `kinvolk.io`, while port 443 is the port generally used for HTTPS.

#### Clean everything

Congratulations! You reached the end of this guide!
You can now delete the resource we created:

```bash
$ kubectl delete pod bb
pod "bb" deleted
```

### With `ig`

Using the following container, we can see the gadget report that a
TCP connection was established.

Start the gadget:

```bash
$ sudo ig trace tcp -c test-trace-tcp
```

Then, run a container that creates a TCP connection:

```bash
$ docker run -it --rm --name test-trace-tcp busybox /bin/sh -c "wget https://www.example.com"
Connecting to www.example.com (93.184.216.34:443)
wget: note: TLS certificate validation not implemented
saving to 'index.html'
index.html           100% |********************************|  1256  0:00:00 ETA
'index.html' saved
```

The gadget will print that connection on the first terminal:

```bash
$ sudo ig trace tcp -c test-trace-tcp
RUNTIME.CONTAINERNAME    T PID        COMM       IP SRC                      DST
test-trace-tcp           C 269349     wget       4  172.17.0.2:46502         93.184.216.34:443
```
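
The field legend above can be applied mechanically to captured gadget output, for example to list `connect()` events that leave for a public IP address. The following is an added example, not code from the Inspektor Gadget project: the function names are hypothetical, and it assumes the text column layout shown on this page with the header as the first line. Only the first sample row is copied from the page; the others are constructed.

```python
import ipaddress

# First data row is from the page's output; the other two are constructed.
SAMPLE = """\
K8S.NODE         K8S.NAMESPACE  K8S.POD  K8S.CONTAINER  T  PID     COMM    IP  SRC                 DST
minikube-docker  default        bb       bb             C  253124  wget    4   p/default/bb:50192  o/188.114.96.3:443
minikube-docker  default        bb       bb             C  253130  my app  4   p/default/bb:50200  o/10.0.0.7:5432
minikube-docker  default        bb       bb             X  253124  wget    4   p/default/bb:50192  o/188.114.96.3:443
"""

def parse_endpoint(text):
    """Split 'p/default/bb:50192' or '172.17.0.2:46502' into (kind, name, port)."""
    host, _, port = text.rpartition(":")       # last colon, so IPv6 hosts survive
    kind, sep, name = host.partition("/")      # kind prefix as printed, e.g. 'p', 'o'
    if not sep:                                # ig output carries no kind prefix
        kind, name = "", host
    return kind, name.strip("[]"), int(port)

def parse_events(output):
    """Yield one dict per event row, keyed by the header's column names."""
    lines = [l for l in output.splitlines() if l.strip()]
    cols = lines[0].split()
    i = cols.index("COMM")
    tail = len(cols) - i - 1                   # columns after COMM: IP, SRC, DST
    for line in lines[1:]:
        f = line.split()
        if len(f) < len(cols):
            continue                           # truncated or non-event line
        comm = " ".join(f[i:len(f) - tail])    # COMM may itself contain spaces
        yield dict(zip(cols, f[:i] + [comm] + f[len(f) - tail:]))

def external_connects(output):
    """Return (COMM, PID, address, port) for connect() events to public IPs."""
    hits = []
    for ev in parse_events(output):
        if ev["T"] != "C":                     # keep only connect() events
            continue
        _, name, port = parse_endpoint(ev["DST"])
        try:
            addr = ipaddress.ip_address(name)
        except ValueError:
            continue                           # pod or service name, not an IP
        if addr.is_global:
            hits.append((ev["COMM"], ev["PID"], str(addr), port))
    return hits
```

Because the columns are resolved from the header, the same functions accept the `ig` output, where the leading column is `RUNTIME.CONTAINERNAME` and endpoints have no kind prefix.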