Using ipio.d
The following DTrace script traces IP packets and prints various details:
#!/usr/sbin/dtrace -s

#pragma D option quiet
#pragma D option switchrate=10hz

/* Print the column header and record the starting timestamp. */
dtrace:::BEGIN
{
        printf(" %3s %10s %15s    %15s %8s %6s\n", "CPU", "DELTA(us)",
            "SOURCE", "DEST", "INT", "BYTES");
        last = timestamp;
}

/* Outbound packets: args[2] is the IP header info, args[3] the interface. */
ip:::send
{
        this->elapsed = (timestamp - last) / 1000;
        printf(" %3d %10d %15s -> %15s %8s %6d\n", cpu, this->elapsed,
            args[2]->ip_saddr, args[2]->ip_daddr, args[3]->if_name,
            args[2]->ip_plength);
        last = timestamp;
}

/* Inbound packets: the local (destination) address is printed first. */
ip:::receive
{
        this->elapsed = (timestamp - last) / 1000;
        printf(" %3d %10d %15s <- %15s %8s %6d\n", cpu, this->elapsed,
            args[2]->ip_daddr, args[2]->ip_saddr, args[3]->if_name,
            args[2]->ip_plength);
        last = timestamp;
}

This example output shows tracing packets as they pass in and out of tunnels:
# ./ipio.d
 CPU  DELTA(us)          SOURCE               DEST      INT  BYTES
   1     598913     203.0.113.1 ->   192.0.2.55/27  ip.tun0     68
   1         73    192.0.2.3/27 ->    192.0.2.1/27     nge0    140
   1      18325    192.0.2.3/27 <-    192.0.2.1/27     nge0    140
   1         69     203.0.113.1 <-   192.0.2.55/27  ip.tun0     68
   0     102921     203.0.113.1 ->   192.0.2.55/27  ip.tun0     20
   0         79    192.0.2.3/27 ->    192.0.2.1/27     nge0     92

The following fields are printed:
- CPU: CPU ID that event occurred on
- DELTA(us): Elapsed time since previous event
- SOURCE: Source IP address
- DEST: Destination IP address
- INT: Interface
- BYTES: Payload bytes
Tip:
On multi-CPU servers, DTrace per-CPU buffering may shuffle the output slightly. Watch for changes in the CPU column, or add a timestamp column and sort the output afterwards.
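The post-sort suggested in the tip can be done with a small filter. This is an added example, not part of the original script; it assumes ipio.d has been modified to print the D `timestamp` variable (nanoseconds) as a new first column, and the function name `resort` and the sample lines are constructed for illustration.

```python
import sys

# Constructed sample: ipio.d output with an assumed leading TIME(ns) column,
# shuffled the way per-CPU buffering can shuffle it (CPU 0 flushed first).
SAMPLE = """\
 TIME(ns) CPU DELTA(us) SOURCE DEST INT BYTES
 1102994000 0 102921 203.0.113.1 -> 192.0.2.55/27 ip.tun0 20
 1103073000 0 79 192.0.2.3/27 -> 192.0.2.1/27 nge0 92
 1000000000 1 598913 203.0.113.1 -> 192.0.2.55/27 ip.tun0 68
 1000073000 1 73 192.0.2.3/27 -> 192.0.2.1/27 nge0 140
"""


def resort(lines):
    """Return event rows in timestamp order with DELTA(us) recomputed.

    Rows that are not events (header, blank lines) are skipped. The first
    event keeps its reported delta, because the BEGIN timestamp it was
    measured against is not in the output.
    """
    events = []
    for line in lines:
        f = line.split()
        # Event row: TIME CPU DELTA ADDR (->|<-) ADDR INT BYTES
        if len(f) != 8 or f[4] not in ("->", "<-"):
            continue
        if not (f[0].isdigit() and f[1].isdigit() and f[2].isdigit()):
            continue
        events.append((int(f[0]), f))
    events.sort(key=lambda e: e[0])  # stable: ties keep their input order

    rows, prev = [], None
    for ts, f in events:
        # Timestamps are nanoseconds; the script reports microseconds.
        delta = int(f[2]) if prev is None else (ts - prev) // 1000
        prev = ts
        rows.append(" %3s %10d %15s %s %15s %8s %6s"
                    % (f[1], delta, f[3], f[4], f[5], f[6], f[7]))
    return rows


if __name__ == "__main__":
    # With no piped input, demonstrate on the constructed sample.
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    print("\n".join(resort(source)))
```

Pipe the captured trace into the script on standard input; the output has the same columns as the original ipio.d, in event order.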