Network probe manager

Edit online

Network probe manager tracks incoming and outgoing network packets in a system (packet information as interpret by the bpf module in AIX®). Probe specification allows the user to specify Berkeley Packet Filter (BPF) filters, similar to tcpdump filter expression for granular tracking.

You can use built-in variables to collect packet header and payload information for Internet protocols. For example, Ethernet, Internet Protocol Version 4/Version 6 (IPv4/v6), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), Internet Group Message Protocol (IGMP), and Address Resolution Protocol (ARP) protocols.

Network probe manager reports critical protocol-specific events (TCP state changes, round-trip times, retransmissions, UDP buffer overflows).

The network probe manager addresses following primary use cases:

Provide the following packet-specific information according to the bpf module based on IP address and ports:
- Track the incoming and outgoing bytes for a connection.
- Use following built-ins to gather protocol header and payload information.
  - TCP flags (SYN, FIN), TCP sequence and acknowledgment number.
  - IPv4/IPv6 (IP addresses, protocol types: tcp, udp, icmp, igmp, and so on).
  - ICMP (packet type: ECHO REQUEST, ECHO RESPONSE, and so on).
Provide access to complete RAW network packet for probe script processing.
Report the following protocol-related events:
- Track TCP sender and receiver buffer full events.
- TCP connection state changes from SYN-SENT state to ESTABLISHED state or from ESTABLISHED state to CLOSE state.
- Monitor delta time between state changes (for example, time that is taken from SYN-SENT state to ESTABLISHED state).
- Identify the listener (connection information) that discarded connections because the listener's queue is full.
- Identify retransmissions (second and further retransmission for a packet) for TCP connections.
- Identify the UDP socket that dropped packets because of insufficient receiving buffer.

Probe specification

Probe specification for network probe manager contains three or five tuples that are separated by : (colon). First tuple is always @@net.

Network probe manager supports two major categories of specifications: One category gathers packet-specific information and another category gathers protocol-specific information.

Format to gather packet specific information:
@@net:bpf:<interface1>|<interface 2>|…..:<protocol>:<Filter>
Format to gather protocol specific information
@@net:tcp:<event_name>

@@net:udp:<event_name>

Probe sub type

The second tuple signifies the sub type of the probe that indicates which layer of AIX network stack contains the probe. This tuple can have one of the following values (it cannot be *):

Table 1. Second tuple specification for probe sub type
Second Tuple (sub type)	Description
bpf	This probe starts at network interface layer when a packet matches the specific filter.
tcp	This probe starts for TCP protocol-specific events.
udp	This probe starts for UDP protocol-specific events.

Probe network event or gather network packet information

The third tuple is specific to particular sub type (specified in second tuple). It cannot have a value of *.

bpf-based probes

The specification contains 5 tuples for bpf-based probes that are described in the following table:

Table 2. bpf-based probes: Tuple specification
Second tuple (Sub type)	Subsequent tuples	Description
bpf	Third tuple: interface names	This tuple specifies an interface or a list of interfaces for which the packet information can be captured. Possible values are `enX` (for example, `en0`,`en1`) and `lo0`. The * value is not supported for this tuple. You can specify one or more interfaces at a time by using \| as delimiter.
bpf	Fourth tuple: protocol	This tuple specifies the network protocol to start the probe. Possible values are `ether, arp, rarp, ipv4, ipv6, tcp, udp, icmp4, icmp6` and `igmp`. Protocol-specific built-ins are populated for access in Vue script. For example, a protocol value of ipv4 populates `__ip4hdr` built-ins. The * value for this tuple indicates that the probe starts for all protocol types that match the specified filter. When the protocol is , none of the built-in values that are supported by network probe manager are available to Vue scripts. You can access the raw packet data of requested size by using the Vue function `copy_kdata ()` and map to corresponding protocol headers. Note: Specifying as a value can be performance intensive as the probe is started for all incoming and outgoing packets on the specified interfaces that match the filter. There are also copies involved when the packet information is spanned across multiple packet buffers.
bpf	Fifth tuple: bpf filter string	This tuple specifies the bpf filter expression (filter expressions as specified in tcpdump command). Filter expression must be provided in the double quotation marks. Filter expression and protocol that is specified in the fourth tuple must be compatible. The * value is not supported in this tuple.

Examples

Specification format to access the built-in variables that are related to Ethernet header (__etherhdr), IP header(__ip4hdr) or (__ip6hdr), and TCP header (__tcphdr) information from the Vue script when interface en0 receives or sends packet on port 23 (filter string ” port 23”):
```
@@net:bpf:en0:tcp:“port 23”
```
Specification format to access the built-in variables related to Ethernet header(__etherhdr), IP header(__ip4hdr or __ip6hdr), and UDP header (__udphdr) information from the Vue script when system receives or sends packet from host example.com (filter string “example.com”) on en0 and en1 interfaces:
```
@@net:bpf:en0|en1:udp:“host example.com”
```
Specification format to access the raw packet information when system receives or sends packet from or to "host example.com":
```
@@net:bpf:en1:*:“host example.com”
```

Note: Each bpf probe specification uses a bpf device. These devices are shared by ProbeVue, tcpdump, and any other application that uses the libpcap or bpf services for packet capture and injection. The number of bpf probes depends on the number of available bpf devices in the system.

When a bpf probe is started, the __mdata variable contains the raw packet data. You can access the raw data of requested size by using the Vue function copy_kdata () and map to the ether_header, ip header, and so on. Use the following structures to find out the header and payload data information.

Example

VUE script to access the raw packet data when the “*” is specified as the protocol.

 /* Define the ether header structure */
struct  ether_header {
        char  ether_dhost[6];
        char  ether_shost[6];
        short ether_type;
};

/* ProbeVue script to access and interpret the data from RAW packet */

@@net:bpf:en0:*:"port 23"
{
        /* define the script local variables */
        __auto struct ether_header eth;
        __auto char *mb;

        /* __mdata contains the address of packet data */
        mb =(char *) __mdata;
        printf("Network probevue\n");
        
       /* 
        * Use already available “copy_kdata(…)” VUE function to copy data of 
        * requested size (size of ether_header) from mbuf data pointer to eth
        * (ether_header) variable.
        */
        copy_kdata (mb, eth);
        printf("Ether Type  from raw data :%x\n",eth.ether_type);
      
}

TCP probes

The specification contains three tuples for TCP probes as described in the following table:

Table 3. TCP probes: Tuple specification
Second tuple (Sub type)	Events (Third tuple) The * value is not supported in this tuple.	Description
tcp	state_change	This probe is started whenever the TCP state changes.
	send_buf_full	This probe is started whenever the send buffer full event occurs.
	recv_buf_full	This probe is started whenever the receive buffer full event occurs.
	retransmit	This probe is started whenever the re-transmission of packet happens for TCP connection.
	listen_q_full	This probe is started whenever a server (listener socket) discards the new connection requests due to listener’s queue being full.

__proto_info built-in variable provides the TCP connection (four tuple) information (local IP, remote IP, local port, and remote port) whenever the TCP-related event occurs. Remote port and IP address contains a value of NULL for the listen_q_full event.

Example

Probe specifications for TCP protocol state changes:

@@net:tcp:state_change

udp probes

For udp probes the specification contains three tuples as described in the following table:

Table 4. udp second tuple: Third tuple values
Second tuple (Sub type)	Events (third tuple) The * value is not supported in this tuple.	Description
udp	sock_recv_buf_overflow	This probe is started whenever the datagram or the UDP socket’s receive buffer overflows.

The __proto_info built-in variable provides the UDP protocol related data (source IP and destination IP addresses, source and destination port numbers) whenever socket receive buffer overflow event occurs.

@@net:udp:sock_recv_buf_overflow

Example

Probe specifications for UDP socket’s receive buffer overflow:

@@net:udp:sock_recv_buf_overflow

Network probe-related built-in variables for Vue scripts

Network related events can be probed using following built-in variables.

__etherhdr built-in variable

The __etherhdr variable is a special built-in variable to get ether header information from filtered packet. This built-in variable is available when you probe the packet information at interface layer with any one of these protocols: “ether”, “ipv4”, “ipv6”, “tcp”, “udp”, “icmp4”, icmp6”, “igmp”, “arp”, and “rarp”. This variable is available in probes of sub type bpf. Its member elements can be accessed by using the syntax __etherhdr->member.

The __etherhdr built-in value has the following members:

Table 5. The __etherhdr built-in variable members
Member name	Type	Description
src_addr	mac_addr_t	Source MAC address. The data type mac_addr_t is used to store the MAC address. Use format specifier “M” to print the MAC address.
dst_addr	mac_addr_t	Destination MAC address. The data type mac_addr_t is used to store the MAC address. Use format specifier “M” to print the MAC address.
ether_type	unsigned short	This name indicates the protocol encapsulated in the payload of an Ethernet frame. Protocols can be IPv4, IPv6, ARP, and REVARP. It can match one of the following built-in constant values for ether_type: ETHERTYPE_IP ETHERTYPE_IPV6 ETHERTYPE_ARP ETHERTYPE_REVARP Refer the header files `/usr/include/netinet/if_ether.h` and `/usr/include/netinet/if_ether6.h` for ether_type values.

Note: The __etherhdr built-in variable is applicable only for Ethernet interfaces and not for loopback interfaces.

__ip4hdr built-in variable

The __ip4hdr variable is a special built-in variable to get the IPv4 header information from filtered packet. This variable is available when you probe the packet information at interface layer with any one of the protocols: “ipv4”,“tcp”, “udp”, “icmp4”, and “igmp”. And, it has valid data when IP version is IPv4. This variable is available in probes of sub type bpf. Its member elements can be accessed by using the syntax __ip4hdr->member.

This built-in variable has the following members:

Table 6. The __ip4hdr built-in variable members
Member name	Type	Description
src_addr	ip_addr_t	Source IP address. The data type ip_addr_t is used to store the IP address. Use format specifier “I” to print the IP address in dotted decimal format and use format specifier “H” to print the host name. Host name printing is a costly operation.
dst_addr	ip_addr_t	Destination IP address. The data type ip_addr_t is used to store the IP address. Use format specifier “I” to print the IP address in dotted decimal format and use format specifier “H” to print host name. Host name printing is a costly operation.
protocol	unsigned short	This member name indicates the protocol that is used in the data portion of the IP datagram. Protocols can be TCP, UDP, ICMP, IGMP, FRAGMENTED, and so on. It can match one of the following built-in constant values for protocol. `IPPROTO_HOPOPTS, IPPROTO_ICMP, IPPROTO_IGMP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_NONE, IPPROTO_LOCAL` Refer the header file `/usr/include/netinet/in.h` for protocol values.
ttl	unsigned short	Time to live or hop limit.
cksum	unsigned short	IP header checksum.
id	unsigned short	Identification number. This member is used for uniquely identifying the group of fragments of a single IP datagram.
total_len	unsigned short	Total length. This value is entire packet (fragment) size, including IP header and data in bytes.
hdr_len	unsigned short	Size of the IP header.
tos	unsigned short	Type of service.
frag_offset	unsigned short	Fragment offset. This value specifies the offset of particular fragment, relative to beginning of the original un fragmented IP datagram. The first fragment has an offset of zero. It can match one of the built-in constant `frag_offset` flag values. The flag values must be bitwise and with the built-in constant flag value to validate the presence of the particular flag: IP_DF (No fragment flag) IP_MF (more fragments flag) Refer the header file `/usr/include/netinet/ip.h` for flag values.

__ip6hdr built-in variable

The __ip6hdr variable is a special built-in variable to get the IPv6 header information from filtered packet. This variable is available when user probes the packet information at interface layer. This variable with any one of the protocols (“ipv6”, “tcp”, “udp” and “icmp6”) has valid data when IP version is IPv6. This variable is available in probes of sub type bpf. Its member elements can be accessed by using the syntax __ip6hdr->member.

This built-in variable has the following members:

Table 7. The __ip6hdr built-in variable members
Member name	Type	Description
src_addr	ip_addr_t	Source IP address. The data type ip_addr_t is used to store the IP address. Use format specifier “I” to print the IP address and use format specifier “H” to print the host name. Host name printing is a costly operation.
dst_addr	ip_addr_t	Destination IP address. The data type ip_addr_t is used to store the IP address. Use format specifier “I” to print the IP address and use format specifier “H” to print host name. Host name printing is costly operation.
protocol	unsigned short	This value indicates the protocol that is used in the data portion of the IP datagram. Protocols can be TCP, UDP, and ICMPV6, and so on. It can match one of the following built-in constant values for protocol: `IPPROTO_TCP,IPPROTO_UDP, IPPROTO_ROUTING, IPPROTO_ICMPV6, IPPROTO_NONE, IPPROTO_DSTOPTS, IPPROTO_LOCAL` Refer the header file `/usr/include/netinet/in.h` for protocol values.
hop_limit	unsigned short	Hop limit (time to live).
total_len	unsigned short	Total length (payload length). The size of the payload including any extension headers.
next_hdr	unsigned short	Specifies the type of the next header. This field usually specifies the transport layer protocol that is used by a packet's payload. When extension headers are present in the packet, this field indicates which extension header follows. The values are shared with those used for the IPv4 protocol field.
flow_label	unsigned int	Flow label.
traffic_class	unsigned int	Traffic class.

__tcphdr built-in variable

The __tcphdr variable is a special built-in variable to get the tcp header information from filtered packet. This variable is available when you probe the packet information at interface layer with tcp protocol. It is available in probes of sub type bpf. Its member elements can be accessed by using the syntax __tcphdr->member.

The __tcphdr built-in variable has the following members:

Table 8. The __tcphdr built-in variable members
Member name	Type	Description
src_port	unsigned short	Source port of the packet.
dst_port	unsigned short	Destination port of the packet.
flags	unsigned short	These values are the control bits and are set to indicate the communication of control information. 1 bit for each flag. It can match one of the built-in constant flag values. The flag values must be bitwise and with the built-in constant flag value to validate the presence of the particular flag. TH_FIN (No more data from sender) TH_SYN (request to establish the connection) TH_RST (Reset the connection) TH_PUSH (Push function. Asks to push the buffered data to the receiving application) TH_ACK (Indicates that this packet contains acknowledgment) TH_URG (Indicates that the urgent pointer field is significant) Refer TCP documentation for detailed information about these flags and refer the header file `/usr/include/netinet/tcp.h` for flag values.
seq_num	unsigned int	Sequence number.
ack_num	unsigned int	Acknowledgment number.
hdr_len	unsigned int	TCP header length information
cksum	unsigned short	Checksum.
window	unsigned short	Window size.
urg_ptr	unsigned short	Urgent pointer.

__udphdr built-in variable

The __udphdr is a special built-in variable that is used to get the udp header information from filtered packet. This built-in is available when user probes the packet information at interface layer with udp as protocol. It is available in probes of sub type bpf. Its member elements can be accessed by using the syntax __udphdr->member.

__udphdr built-in variable has the following members:

Table 9. The __udphdr built-in variable members
Member name	Type	Description
src_port	unsigned short	Source port of the packet.
dst_port	unsigned short	Destination port of the packet.
length	unsigned short	UDP header and data length information.
cksum	unsigned short	Checksum.

__icmp built-in variable

The __icmp is a special built-in variable that is used to get the icmp header information from filtered packet. This built-in is available when user probes the packet information at interface layer with icmp protocol. It is available in probes of sub type bpf. Its member elements can be accessed by using the syntax __icmp->member.

This built-in variable has the following members:

Table 10. The __icmp built-in variable members
Member name	Type	Description
type	unsigned short	Type of ICMP message. For example: 0 - echo reply, 8 - echo request, 3 - destination unreachable. Look in for all the types. For more information, refer to the standard network documentation. It can match one of the following built-in constant values for of ICMP message types: `ICMP_ECHOREPLY, ICMP_UNREACH ICMP_SOURCEQUENCH, ICMP_REDIRECT, ICMP_ECHO, ICMP_TIMXCEED, ICMP_PARAMPROB, ICMP_TSTAMP, ICMP_TSTAMPREPLY, ICMP_IREQ, ICMP_IREQREPLY, ICMP_MASKREQ, ICMP_MASKREPLY` Refer the header file `/usr/include/netinet/ip_icmp.h` for protocol values. Note: All possible message type values are not defined, and hence there can be other options present in the value.
code	unsigned short	Subtype of ICMP message. For each type of message, several different codes and subtypes are defined. For example, no route to destination, communication with destination administratively prohibited, not a neighbor, address unreachable, port unreachable. For more information, refer to the standard network documentation. It can match one of the following built-in constant values for ICMP sub types: ICMP_UNREACH_NET ICMP_UNREACH_HOST ICMP_UNREACH_PROTOCOL ICMP_UNREACH_PORT ICMP_UNREACH_NEEDFRAG ICMP_UNREACH_SRCFAIL ICMP_UNREACH_NET_ADMIN_PROHIBITED ICMP_UNREACH_HOST_ADMIN_PROHIBITED Subtype values for type 4 The subtype values for type 4 are as follows: `ICMP_REDIRECT_NET ICMP_REDIRECT_HOST ICMP_REDIRECT_TOSNET ICMP_REDIRECT_TOSHOST` Subtype values for type 6 The subtype values for type 6 are as follows: `ICMP_TIMXCEED_INTRANS ICMP_TIMXCEED_REASS` Subtype values for type 7 The subtype values for type 7 are as follows: ICMP_PARAMPROB_PTR ICMP_PARAMPROB_MISSING Refer the header file /usr/include/netinet/ip_icmp.h for message subtype values. Note: Not all possible message sub types values are defined, and hence there might be other options present in the message sub type value.
cksum	unsigned short	Checksum.

__icmp6 built-in variable

__icmp6 is a special built-in variable that is used to get the icmpv6 header information from filtered packet. This is available when user probes the packet information at interface layer with icmp6 protocol. It is available in probes of sub type bpf. Member elements of this built-in variable can be accessed using syntax “__icmp6->member”.

__icmp6 has the following members:

Table 11. The __icmp6 built-in variable members
Member name	Type	Description
type	unsigned short	Type of ICMPV6 message. This specifies the type of message, which determines the format of the remaining data. It can match one of the following built-in constant values for ICMPV6 types. `ICMP6_DST_UNREACH ICMP6_PACKET_TOO_BIG ICMP6_TIME_EXCEEDED ICMP6_PARAM_PROB ICMP6_INFOMSG_MASK ICMP6_ECHO_REQUEST ICMP6_ECHO_REPLY` Refer the header file `/usr/include/netinet/icmp6.h` for protocol values. Note: Not all possible message type values are defined, and hence there might be other options present in the value.
code	unsigned short	Subtype of ICMPV6 message. This value depends on the message type. It provides an extra level of message granularity. It can match one of the following built-in constant values for ICMPV6 sub types. `ICMP6_DST_UNREACH_NOROUTE ICMP6_DST_UNREACH_ADMIN ICMP6_DST_UNREACH_ADDR ICMP6_DST_UNREACH_BEYONDSCOPE ICMP6_DST_UNREACH_NOPORT` Refer the header file `/usr/include/netinet/icmp6.h` for message subtype values. Note: Not all possible message sub type values are defined, and hence there might be other options present in the value.
cksum	unsigned short	Checksum.

__igmp built-in variable

__igmp is a special built-in variable that is used to get the igmp header information from filtered packet. This is available when user probes the packet information at interface layer with igmp protocol. This is available in probes of sub type bpf. Its member elements can be accessed using syntax “__igmp->member”.

__igmp built-in has the following members:

Table 12. The __igmp built-in variable members
Member name	Type	Description
type	unsigned short	Type of IGMP message. For example: `Membership Query (0x11), Membership Report (IGMPv1: 0x12, IGMPv2: 0x16, IGMPv3: 0x22), Leave Group (0x17)` For more information, refer to the standard or Network documentation. It can match one of the following built-in constant values for IGMP Message types. `IGMP_HOST_MEMBERSHIP_QUERY IGMP_HOST_MEMBERSHIP_REPORT IGMP_DVMRP IGMP_HOST_NEW_MEMBERSHIP_REPORT IGMP_HOST_LEAVE_MESSAGE IGMP_HOST_V3_MEMBERSHIP_REPORT IGMP_MTRACE IGMP_MTRACE_RESP IGMP_MAX_HOST_REPORT_DELAY` Refer the header file `/usr/include/netinet/igmp.h` for protocol values. Note: Not all possible message type values are defined, and hence there could be other options present in the value.
code	unsigned short	Subtype of IGMP type. It can match one of the following built-in constant values for IGMP Message subtypes. Subtype values for type no 3. `DVMPP_PROBE 1 DVMRP_REPORT 2 DVMRP_ASK_NEIGHBORS 3 DVMRP_ASK_NEIGHBORS2 4 DVMRP_NEIGHBORS 5 DVMRP_NEIGHBORS2 6 DVMRP_PRUNE 7 DVMRP_GRAFT 8 DVMRP_GRAFT_ACK 9 DVMRP_INFO_REQUEST 10 DVMRP_INFO_REPLY 11` Note: Not all possible message sub type values are defined, and hence there could be other options present in the value.
cksum	unsigned short	IGMP Checksum value.
group_addr	ip_addr_t	Group address that is reported or queried. This address is the multicast address that is queried when you are sending a Group-Specific or Group-and-Source-Specific Query. The field has a value of zero when you are sending a General Query. The data type ip_addr_t is used to store the group IP address. Use format specifier “I” to print the IP address.

__arphdr built-in variable

The __arphdr variable is a special built-in variable that is used to get the arphdr header information from filtered packet. This variable is available when user probes the packet information at interface layer with arp or rarp protocol. It is available in probes of sub type bpf.The __arphdr member elements can be accessed by using the syntax __arphdr->member.

The __arphdr built-in variable has following members:

Table 13. The __arphdr built-in variable members
Member name	Type	Description
hw_addr_type	unsigned short	Format of the hardware address type. This field identifies the specific data-link protocol that is being used. It can match one of the following built-in constant values for data link protocol: `ARPHRD_ETHER, ARPHRD_802_5, ARPHRD_802_3, and ARPHRD_FDDI` Refer the header file /usr/include/net/if_arp.h for protocol values.
protocol_type	unsigned short	Format of the protocol address type. This field identifies the specific network protocol that is being used. It can match one of the following built-in constant values for network protocol: `SNAP_TYPE_IP, SNAP_TYPE_AP, SNAP_TYPE_ARP, VLAN_TAG_TYPE` Refer the header file `/usr/include/net/nd_lan.h` for the protocol values.
hdr_len	unsigned short	Mac or hardware address length.
proto_len	unsigned short	Protocol or IP address length.
operation	unsigned short	Specifies the operation that the sender is performing: 1 for request, 2 for reply. It can match one of the following built-in constant values for network protocol: `ARPOP_REQUEST, ARPOP_REPLY` Refer the header file `/usr/include/net/if_arp.h` for protocol values.
src_mac_addr	mac_addr_t	Sender or source MAC address. Sender hardware or mac address is stored in mac_addr_t data type. The format specifier “%M” is used to print sender MAC or hardware address.
dst_mac_addr	mac_addr_t	Target or Destination MAC address. Target hardware or MAC address is stored in mac_addr_t data type. The format specifier “%M” is used to print target MAC or hardware address.
src_ip	ip_addr_t	Source or sender IP address. Sender IP address is stored in `ip_addr_t` data type. The format specifier “%I” is used to print sender IP address.
dst_ip	ip_addr_t	Target or Destination IP address. Target IP address is stored in `ip_addr_t` data type. The format specifier “%I” is used to print target IP address.

Example

Vue script to probe packet header information for packets received or sent over port 23. Provides the source and destination node information and also tcp header length information

@@net:bpf:en0:tcp:"port 23"
{
        printf("src_addr:%I and dst_addr:%I\n",__ip4hdr->src_addr,__ip4hdr->dst_addr);
        printf("src port:%d\n",__tcphdr->src_port);
        printf("dst port:%d\n",__tcphdr->dst_port);
        printf("tcp hdr_len:%d\n",__tcphdr->hdr_len);
}

Output:
# probevue bpf_tcp.e
src_addr:10.10.10.12 and dst_addr:10.10.18.231
src port:48401
dst port:23
tcp hdr_len:20
..................
.................

__proto_info built-in variable

The __proto_info variable is a special built-in variable that is used to get the protocol (source and destination IP addresses and ports) information for TCP or UDP events. The __proto_info variable is available in probes of sub type tcp or udp. Its member elements can be accessed by using the syntax __proto_info->member.

The __proto_info built-in variable has the following members:

Table 14. The __proto_info built-in variable members
Member name	Type	Description
local_port	unsigned short	Local port
remote_port	unsigned short	Remote port
local_addr	ip_addr_t	Local address
remote_addr	ip_addr_t	Remote address

Additional information for TCP-specific events

The TCP state change events are described in the following table:

Table 15. TCP state change events
Name	Type	Description
__prev_state	short	Previous state information for connection.
__cur_state	short	Present state information for connection.
		It can match one of the following built-in constant values for TCP states: TCPS_ESTABLISHED (connection established) TPCS_CLOSED (Connection closed) TPCS_LISTEN (Listening for connection) TPCS_SYN_SENT (Sent SYN to remote end) TCPS_SYN_RECEIVED (Received SYN from remote end) TCPS_CLOSE_WAIT (Received Fin, waiting for close) TCPS_FIN_WAIT_1 (are closed, sent fin) TCPS_CLOSING (closed exchanged FIN, await FIN ACK) TCPS_LAST_ACK (Had Fin and close , Await FIN ACK) TCPS_FIN_WAIT_2 (are closed , Fin is Acked) TCPS_TIME_WAIT (in 2*msl quiet wait after close) The values are defined in exported header file `/usr/include/netinet/tcp_fsm.h`.

Example:

The following Vue script provides state change information for a particular connection:

@@net:tcp:state_change
when(__proto_info->local_addr ==”10.10.10.1” and __proto_info->remote_addr == 10.10.10.2”
	and __proto_info->local_port =”8000” and  __proto_info->remote_port =”9000”)
{
	printf(“Previous state:%d and current_state:%d\n”,__prev_state,__cur_state);
}

TCP retransmit event

Table 16. TCP retransmit event
Name	Type	Description
__nth_retransmit	unsigned short	Nth retransmission

Examples

1. Following example Identifies the listener which has discarded connections due to listener's queue is full.

@@net:tcp:listen_q_full
{
	printf(“Listener IP address:%I and Port number is:%d\n”,__proto_info->local_addr, __proto_info->local_port);
}

2. Following example Identifies connection which drop packets due to socket buffer overflows

@@net:udp:sock_recv_buf_overflow
{
        printf("Connection information which drops packet due to socket buffer overflows:\n"); 
        printf("Local IP address:%I and Remote IP address:%I\n",__proto_info->local_addr,__proto_info->remote_addr);
        printf("local port :%d and remote port:%d\n",__proto_info->local_port, __proto_info->remote_port);
 }

3. Identify retransmissions (second & further retransmission for a packet) for TCP connections for particular connection.

@@net:tcp:retransmit
when (__proto_info->local_addr == "10.10.10.1" &&
 	__proto_info->remote_addr == "10.10.10.2" && 
__proto_info->local_port == "4000" &&
 	__proto_info->remote_port == "5000")
{
        printf(" %d th re-transmition for this connection\n", _nth_retransmit);
}

4. Identify the connection information whenever sender buffer full event occurs .

@@net:tcp:send_buf_full
{
        printf("Connection information whenever send buffer full event occurs:\n"); 
        printf("Local IP address:%I and Remote IP address:%I\n",__proto_info->local_addr,__proto_info->remote_addr);
        printf("local port :%d and remote port:%d\n",__proto_info->local_port, __proto_info->remote_port);
 }