Introduction
This article introduces the main changes in ptcpdump from v0.27 (after v0.26) to the latest v0.32, in chronological order.
Main Changes
Add -q/--quiet option
Added the -q/--quiet option to simplify the output:
13:50:35.524360 lo curl.345650 Out IP 127.0.0.1.58694 > 127.0.0.1.8000: tcp 0, ParentProc [bash.345626]
Add --context option
Added the --context option to select which context information is included in the output, so that only the requested context is shown.
Use --context=process to restrict output to process information only:
# --context=process
09:32:09.718892 vethee2a302f wget.3553008 In IP 10.244.0.2.33426 > 139.178.84.217.80: Flags [S], seq 4113492822, win 64240, length 0

# -v --context=process
13:44:41.529003 eth0 In IP (tos 0x4, ttl 45, id 45428, offset 0, flags [DF], proto TCP (6), length 52)
139.178.84.217.443 > 172.19.0.2.42606: Flags [.], cksum 0x5284, seq 3173118145, ack 1385712707, win 118, options [nop,nop,TS val 134560683 ecr 1627716996], length 0
Process (pid 553587, cmd /usr/bin/wget, args wget kernel.org)
This option accepts multiple values, either separated by commas or by giving the option several times:
# -v --context=process,parentproc
# -v --context=process --context=parentproc
13:44:41.529003 eth0 In IP (tos 0x4, ttl 45, id 45428, offset 0, flags [DF], proto TCP (6), length 52)
139.178.84.217.443 > 172.19.0.2.42606: Flags [.], cksum 0x5284, seq 3173118145, ack 1385712707, win 118, options [nop,nop,TS val 134560683 ecr 1627716996], length 0
Process (pid 553587, cmd /usr/bin/wget, args wget kernel.org)
ParentProc (pid 553296, cmd /bin/sh, args sh)

# -v --context=process,parentproc,container
# -v --context=process --context=parentproc --context=container
13:44:41.529003 eth0 In IP (tos 0x4, ttl 45, id 45428, offset 0, flags [DF], proto TCP (6), length 52)
139.178.84.217.443 > 172.19.0.2.42606: Flags [.], cksum 0x5284, seq 3173118145, ack 1385712707, win 118, options [nop,nop,TS val 134560683 ecr 1627716996], length 0
Process (pid 553587, cmd /usr/bin/wget, args wget kernel.org)
ParentProc (pid 553296, cmd /bin/sh, args sh)
Container (name test, id d9028334568bf75a5a084963a8f98f78c56bba7f45f823b3780a135b71b91e95, image docker.io/library/alpine:3.18, labels {"io.cri-containerd.kind":"container","io.kubernetes.container.name":"test","io.kubernetes.pod.name":"test","io.kubernetes.pod.namespace":"default","io.kubernetes.pod.uid":"9e4bc54b-de48-4b1c-8b9e-54709f67ed0c"})
Use fentry, btf raw tracepoint, and tcx ebpf features on newer kernels
When running on newer kernels, ptcpdump now automatically uses fentry instead of kprobe, BTF raw tracepoints instead of raw tracepoints, and tcx instead of tc. Using these newer eBPF features improves performance on such kernels.
Add --backend option
Added the --backend option to specify the technology used for packet capturing. The default is tc/tcx.
Support --backend=cgroup-skb
Packets can now be captured with cgroup-skb eBPF programs by passing --backend=cgroup-skb. Traffic captured this way carries no link-layer information, so the link-layer fields in ptcpdump's output are filled with fixed placeholder values.
Support OpenWrt 24.10 x86-64 system
Based on user feedback, compatibility has been improved so that ptcpdump runs on OpenWrt 24.10 x86-64 systems (provided the kernel was built with eBPF and BTF support enabled).
Support displaying thread information in output
When capturing packets using --backend=cgroup-skb, thread information is now displayed in the output:
$ sudo ptcpdump -i any --backend cgroup-skb -v port 80
10:18:26.846884 ens33 Out IP (tos 0x0, ttl 64, id 57734, offset 0, flags [DF], proto TCP (6), length 478)
xxx.xxx.xxx.35102 > xxx.xxx.xxx.80: Flags [P.], cksum 0x3381, seq xx:xx, ack xx, win 64240, length 438
Process (pid 113278, cmd /snap/firefox/5437/usr/lib/firefox/firefox, args /snap/firefox/5437/usr/lib/firefox/firefox)
Thread (tid 113438, name Socket Thread)
ParentProc (pid 49607, cmd /usr/bin/xfce4-panel, args xfce4-panel --display :0.0 --sm-client-id xxxx)
Support displaying UID in output and capturing by UID
It now supports displaying UID information in the output:
12:37:40.051539 ens33 Out IP (tos 0x0, ttl 64, id 48697, offset 0, flags [DF], proto TCP (6), length 60)
10.0.x.x.42906 > 139.x.x.x.443: Flags [S], cksum 0xecc8, seq 940329637, win 64240, options [mss 1460,sackOK,TS val 3421262256 ecr 0,nop,wscale 7], length 0
Process (pid 99722, cmd /usr/bin/curl, args curl https://kernel.org)
User (uid 1000)
ParentProc (pid 18840, cmd /usr/bin/bash, args -bash)
Capturing can now be restricted to packets belonging to a given UID:
$ sudo ptcpdump -i any --uid 100 -v port 80
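The Process, Thread, User, ParentProc and Container blocks shown in the --context, thread and UID sections above all share one "key value, key value" layout, which makes ptcpdump's verbose output easy to turn into structured records for a log pipeline. The parser below is an added example, not code from the ptcpdump project: it groups -v output into one record per packet, parses each context block, and offers a post-hoc UID filter that mirrors what --uid selects at capture time, run over a constructed sample that copies the formats shown above.

```python
import re

# Constructed sample of ptcpdump -v output mirroring the formats shown above (made-up values, not a real capture).
SAMPLE = """\
12:37:40.051539 ens33 Out IP (tos 0x0, ttl 64, id 48697, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.5.42906 > 139.178.84.217.443: Flags [S], cksum 0xecc8, seq 940329637, win 64240, length 0
    Process (pid 99722, cmd /usr/bin/curl, args curl https://kernel.org)
    User (uid 1000)
    ParentProc (pid 18840, cmd /usr/bin/bash, args -bash)
10:18:26.846884 eth0 In IP (tos 0x4, ttl 45, id 45428, offset 0, flags [DF], proto TCP (6), length 52)
    139.178.84.217.443 > 172.19.0.2.42606: Flags [.], cksum 0x5284, seq 1, ack 1, win 118, length 0
    Process (pid 553587, cmd /usr/bin/python3, args python3 -c print(1, 2))
    Thread (tid 553590, name Socket Thread)
    Container (name test, id 0123abcd, image docker.io/library/alpine:3.18, labels {"io.kubernetes.pod.name":"test","io.kubernetes.pod.namespace":"default"})
"""

PACKET_START = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) (\S+) (In|Out) (.*)$")
CONTEXT_LINE = re.compile(r"^\s*(Process|Thread|User|ParentProc|Container) \((.*)\)$")
# Split "k1 v1, k2 v2" only in front of a known key, so commas inside args or the labels JSON stay in their value.
KEYS = ("pid", "cmd", "args", "tid", "name", "uid", "id", "image", "labels")
KV_SPLIT = re.compile(r", (?=(?:%s) )" % "|".join(KEYS))

def parse_context(body):
    fields = {}
    for part in KV_SPLIT.split(body):
        key, _, value = part.partition(" ")
        fields[key] = value
    return fields

def parse_output(text):
    """Group ptcpdump -v lines into one record per packet, with each context block parsed."""
    records = []
    for line in text.splitlines():
        m = PACKET_START.match(line)
        if m:
            records.append({"ts": m.group(1), "iface": m.group(2), "dir": m.group(3),
                            "header": m.group(4), "context": {}})
            continue
        if not records:
            continue  # ignore anything printed before the first packet line
        c = CONTEXT_LINE.match(line)
        if c:
            records[-1]["context"][c.group(1)] = parse_context(c.group(2))
        else:  # wrapped remainder of the packet header (addresses, flags, ...)
            records[-1]["header"] += " " + line.strip()
    return records

def filter_by_uid(records, uid):
    """Keep packets whose User context matches uid (the selection --uid makes in the kernel)."""
    return [r for r in records if r["context"].get("User", {}).get("uid") == str(uid)]
```

A packet with no User block (for example one captured without --context=user) never matches filter_by_uid, which is the safe default when UID is used as a selection criterion.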
If you have additional improvements or new feature suggestions for ptcpdump, feel free to leave a message in the comments or project issues.