tools/tcpsubnet: add time and time to output, default 0.0.0.0/0, update doc

man/man8/tcpsubnet.8

@@ -41,7 +41,7 @@ Prints the BPF program.
 subnets
 Comma separated list of subnets. Traffic will be categorized
 in theses subnets. Order matters.
-(default 127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16)
+(default 127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,0.0.0.0/0)
 .SH EXAMPLES
 .TP
 Summarize TCP traffic by the default subnets:
@@ -63,11 +63,14 @@ Subnet
 (Standard output) Right hand side column:
 Aggregate traffic in units passed as argument
 .TP
-(JSON output) Key
-Subnet
+(JSON output) date
+Current date formatted in the system locale
 .TP
-(JSON output) Value
-Aggregate traffic in units passed as argument
+(JSON output) time
+Current time formatted in the system locale
+.TP
+(JSON output) entries
+Map of subnets to aggregates. Values will be in format passed to -f
 .SH OVERHEAD
 This traces all tcp_sendmsg function calls in the TCP/IP stack.
 It summarizes data in-kernel to reduce overhead.

tools/tcpsubnet.py

@@ -24,6 +24,7 @@
 #
 # 03-Oct-2017   Rodrigo Manyari   Created this based on tcptop.
 # 13-Feb-2018   Rodrigo Manyari   Fix pep8 errors, some refactoring.
+# 05-Mar-2018   Rodrigo Manyari   Add date time to output.
 
 import argparse
 import json
@@ -31,20 +32,22 @@ import logging
 import struct
 import socket
 from bcc import BPF
+from datetime import datetime as dt
 from time import sleep
 
 # arguments
 examples = """examples:
     ./tcpsubnet                 # Trace TCP sent to the default subnets:
                                 # 127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,
-                                # 192.168.0.0/16
+                                # 192.168.0.0/16,0.0.0.0/0
     ./tcpsubnet -f K            # Trace TCP sent to the default subnets
                                 # aggregated in KBytes.
     ./tcpsubnet 10.80.0.0/24    # Trace TCP sent to 10.80.0.0/24 only
     ./tcpsubnet -J              # Format the output in JSON.
 """
 
-default_subnets = "127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
+default_subnets = "127.0.0.1/32,10.0.0.0/8," \
+    "172.16.0.0/12,192.168.0.0/16,0.0.0.0/0"
 
 parser = argparse.ArgumentParser(
     description="Summarize TCP send and aggregate by subnet",
@@ -235,6 +238,12 @@ while (1):
     data = {}
 
     # output
+    now = dt.now()
+    data['date'] = now.strftime('%x')
+    data['time'] = now.strftime('%X')
+    data['entries'] = {}
+    if not args.json:
+        print(now.strftime('[%x %X]'))
     for k, v in reversed(sorted(keys.items(), key=lambda keys: keys[1].value)):
         send_bytes = 0
         if k in ipv4_send_bytes:
@@ -242,7 +251,7 @@ while (1):
         subnet = subnets[k.index][0]
         send = formatFn(send_bytes)
         if args.json:
-            data[subnet] = send
+            data['entries'][subnet] = send
         else:
             print("%-21s %6d" % (subnet, send))
 

tools/tcpsubnet_example.txt

@@ -6,8 +6,15 @@ It works only for IPv4. Eg:
 
 # tcpsubnet
 Tracing... Output every 1 secs. Hit Ctrl-C to end
+[03/05/18 22:32:47]
 127.0.0.1/32               8
+[03/05/18 22:32:48]
+[03/05/18 22:32:49]
+[03/05/18 22:32:50]
+[03/05/18 22:32:51]
+[03/05/18 22:32:52]
 127.0.0.1/32              10
+[03/05/18 22:32:53]
 
 This example output shows the number of bytes sent to 127.0.0.1/32 (the
 loopback interface). For demo purposes, I set netcat listening on port
@@ -20,6 +27,9 @@ loopback interface). For demo purposes, I set netcat listening on port
 The first line sends 7 digits plus the null character (8 bytes)
 The second line sends 9 digits plus the null character (10 bytes)
 
+Notice also, how tcpsubnet prints a header line with the current date
+and time formatted in the current locale.
+
 Try it yourself to get a feeling of how tcpsubnet works.
 
 By default, tcpsubnet will categorize traffic in the following subnets:
@@ -28,7 +38,10 @@ By default, tcpsubnet will categorize traffic in the following subnets:
 - 10.0.0.0/8
 - 172.16.0.0/12
 - 192.168.0.0/16
+- 0.0.0.0/0
 
+The last subnet is a catch-all. In other words, anything that doesn't
+match the first 4 defaults will be categorized under 0.0.0.0/0
 You can change this default behavoir by passing a comma separated list
 of subnets. Let's say we would like to know how much traffic we
 are sending to github.com. We first find out what IPs github.com resolves
@@ -43,25 +56,35 @@ to monitor, Eg:
  
 # tcpsubnet.py 192.30.253.110/27,0.0.0.0/0
 Tracing... Output every 1 secs. Hit Ctrl-C to end
-0.0.0.0/0               3516
-192.30.253.110/27       2501
-192.30.253.110/27         37
-0.0.0.0/0               2037
-192.30.253.110/27       1146
-192.30.253.110/27      12698
+[03/05/18 22:38:58]
+0.0.0.0/0               5780
+192.30.253.110/27       2205
+[03/05/18 22:38:59]
+0.0.0.0/0               2036
+192.30.253.110/27       1183
+[03/05/18 22:39:00]
+[03/05/18 22:39:01]
+192.30.253.110/27      12537
 
 If we would like to be more accurate, we can use the two IPs returned
 by dig, Eg:
 
 # tcpsubnet 192.30.253.113/32,192.130.253.112/32,0.0.0.0/0
 Tracing... Output every 1 secs. Hit Ctrl-C to end
-0.0.0.0/0               4416
-192.30.253.113/32        230
-0.0.0.0/0               3138
-192.30.253.113/32       1337
-0.0.0.0/0               2537
-0.0.0.0/0               3206
-0.0.0.0/0              12736
+[03/05/18 22:42:56]
+0.0.0.0/0               1177
+192.30.253.113/32        910
+[03/05/18 22:42:57]
+0.0.0.0/0              48704
+192.30.253.113/32        892
+[03/05/18 22:42:58]
+192.30.253.113/32        891
+0.0.0.0/0                858
+[03/05/18 22:42:59]
+0.0.0.0/0              11159
+192.30.253.113/32        894
+[03/05/18 22:43:00]
+0.0.0.0/0              60601
 
 NOTE: When used in production, it is expected that you will have full
 information about your network topology. In which case you won't need
@@ -79,9 +102,12 @@ format and adds mM. When using kmKM, the output will be rounded to floor.
 Eg:
 
 # tcpsubnet -fK 0.0.0.0/0
+[03/05/18 22:44:04]
+0.0.0.0/0                  1
+[03/05/18 22:44:05]
 0.0.0.0/0                  5
-0.0.0.0/0                 10
-0.0.0.0/0                 16
+[03/05/18 22:44:06]
+0.0.0.0/0                 31
 
 Just like the majority of the bcc tools, tcpsubnet supports -i and --ebpf
 
@@ -91,16 +117,17 @@ on how the subnets are evaluated and the BPF program is constructed.
 Last but not least, it supports -J [--json] to print the output in
 JSON format. This is handy if you're calling tcpsubnet from another
 program (say a nodejs server) and would like to have a structured stdout.
+The output in JSON format will also include the date and time.
 Eg:
 
 # tcpsubnet -J -fK 192.130.253.110/27,0.0.0.0/0
-{}
-{"0.0.0.0/0": 3, "192.30.253.110/27": 2}
-{"192.30.253.110/27": 0}
-{"0.0.0.0/0": 1, "192.30.253.110/27": 1}
-{"0.0.0.0/0": 0}
-{"192.30.253.110/27": 13}
-{}
+{"date": "03/05/18", "entries": {"0.0.0.0/0": 2}, "time": "22:46:27"}
+{"date": "03/05/18", "entries": {}, "time": "22:46:28"}
+{"date": "03/05/18", "entries": {}, "time": "22:46:29"}
+{"date": "03/05/18", "entries": {}, "time": "22:46:30"}
+{"date": "03/05/18", "entries": {"192.30.253.110/27": 0}, "time": "22:46:31"}
+{"date": "03/05/18", "entries": {"192.30.253.110/27": 1}, "time": "22:46:32"}
+{"date": "03/05/18", "entries": {"192.30.253.110/27": 18}, "time": "22:46:32"}
 
 
 USAGE:
@@ -126,7 +153,7 @@ optional arguments:
 examples:
     ./tcpsubnet                 # Trace TCP sent to the default subnets:
                                 # 127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,
-                                # 192.168.0.0/16
+                                # 192.168.0.0/16,0.0.0.0/0
     ./tcpsubnet -f K            # Trace TCP sent to the default subnets
                                 # aggregated in KBytes.
     ./tcpsubnet 10.80.0.0/24    # Trace TCP sent to 10.80.0.0/24 only