Faster interface for info from /proc/net/tcp

apinetworkingproctcp

Given a linux TCP socket's inode (obtained via /proc/<pid>/fd), is there a faster way to look up the information that I can get from /proc/net/tcp about this socket?

I have written a troubleshooting tool which monitors processes and prints realtime information about IO operations (strace-type info collected into higher level abstractions and presented in a less raw way), but on a heavily loaded network server, I am finding that the time it takes to look up socket info (e.g. the foreign address/port) is prohibitive simply due to the very large size of /proc/net/tcp (about 2MB on the server I'm currently looking at).

I can manage this somewhat with caching, but this necessarily introduces latency and makes me wonder about the absurdity of an "API" that requires reading and parsing 2MB worth of ASCII text in order to find info on a socket.

Best Answer

Here is a link to libnetfilter_conntrack. You would have to re-write your program in a language that can support calling C functions from a library directly. But I think this library will have the hooks you need to get the data you want much faster than parsing through that text file.

This is what the iptstate program uses to accomplish its task.

Related Solutions

Accounting for /proc/net/dev reported traffic

When dealing with applications that are using up network bandwidth the best tool I've come across for tying back utilization to specific apps has got to be nethogs.

You can use ip link show or netstat -i to find out your network interface names.

$ netstat -i
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
em1       1500        0      0      0 0             0      0      0      0 BMU
lo       65536    81375      0      0 0         81375      0      0      0 LRU
virbr0    1500        0      0      0 0             0      0      0      0 BMU
wlp3s0    1500  2264942      0      0 0       2376236      0      0      0 BMRU

My wireless on my Fedora 19 laptop is wlp3s0, so we tell nethogs to watch that:

$ sudo nethogs wlp3s0

As you let nethogs run it will start to show you the applications that are consuming your network bandwidth.

Is there documentation for /proc/net/netstat and /proc/net/snmp

The /proc/net/* files are generated by the kernel: the entries are in net/ipv4/proc.c in the kernel source, and the entry list is found in include/uapi/linux/snmp.h. It grabs the values from various MIB databases that the kernel keeps.

According to the snmp.h header file, the MIB definitions come from the following documents:

RFC 1213: MIB-II
RFC 2011 (updates 1213): SNMPv2-MIB-IP
RFC 2863: Interfaces Group MIB
RFC 2465: IPv6 MIB: General Group
draft-ietf-ipv6-rfc2011-update-10.txt: MIB for IP: IP Statistics Tables

ActiveOpens is from RFC 1213 (page 47):

tcpActiveOpens OBJECT-TYPE
          SYNTAX  Counter
          ACCESS  read-only
          STATUS  mandatory
          DESCRIPTION
                  "The number of times TCP connections have made a
                  direct transition to the SYN-SENT state from the
                  CLOSED state."
          ::= { tcp 5 }

If you can't find the netstat entry in the RFCs, you'll have to search around. Quite a few of the items are not listed in detail in these documents. If you want more than the brief summary, you'll have to search the kernel source for some of the entries that you described.

EmbryonicRsts is modified in net/ipv4/tcp_minisocks.c (line 796 in 4.16.0), and appears to count invalid SYN resets on non-fast opened connections. This is probably not likely to occur unless you're in a SYN cookie flood.

Best Answer

Related Solutions

Accounting for /proc/net/dev reported traffic

Is there documentation for /proc/net/netstat and /proc/net/snmp

Related Question