Yandex has published skbtrace, a utility for tracing network operations in Linux

Yandex has published the source code of skbtrace, a utility for monitoring the network stack and tracing network operations in Linux. The utility is implemented as an add-on for the BPFtrace dynamic debugging system. The code is written in Go and distributed under the MIT license. It supports Linux kernels 4.14+ and BPFtrace 0.9.2+.

When run, skbtrace generates scripts in the high-level BPFtrace language that dynamically trace operations in the Linux network stack and on network sockets and analyze their execution time. The scripts are then translated into eBPF programs and executed at the kernel level.

Specific features of skbtrace include measuring the packet forwarding time between the incoming and outgoing network interfaces, the lifetime of a TCP connection from receipt of the SYN to arrival of the FIN/RST, the delays between different packet processing events, and the time taken to negotiate a TCP connection. skbtrace can also detect retransmitted TCP packets, even when they are encapsulated in other packets, and can act as a simple analogue of the tcpdump utility that is able to analyze the execution of particular kernel functions, such as calls to kfree_skb, which frees memory when packets are dropped.
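The script-generation approach described above, applied to the "delay between packet processing events" measurement, as an added Go example that is not skbtrace's own code. The function name, the probe pair and the assumption that both kernel functions receive the sk_buff pointer as their first argument are illustrative; because the generated script is run by bpftrace as root, the generator validates probe names before interpolating them.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Kernel symbol names only: anything else is rejected before it reaches a
// script that bpftrace will run with root privileges.
var kernelSymbol = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// GenerateLatencyScript (hypothetical helper) returns a BPFtrace program that
// records when an sk_buff passes the `from` function and builds a microsecond
// histogram of the delay until the same sk_buff reaches `to`.
// Assumption: both functions take the sk_buff pointer as arg0.
func GenerateLatencyScript(from, to string) (string, error) {
	for _, sym := range []string{from, to} {
		if !kernelSymbol.MatchString(sym) {
			return "", fmt.Errorf("invalid kernel symbol %q", sym)
		}
	}
	if from == to {
		return "", fmt.Errorf("from and to probes must differ")
	}
	var b strings.Builder
	// First probe: remember the timestamp, keyed by the sk_buff address.
	fmt.Fprintf(&b, "kprobe:%s\n{\n\t@start[arg0] = nsecs;\n}\n\n", from)
	// Second probe: fire only for packets seen at the first probe.
	fmt.Fprintf(&b, "kprobe:%s\n/@start[arg0]/\n{\n", to)
	b.WriteString("\t@delay_us = hist((nsecs - @start[arg0]) / 1000);\n")
	b.WriteString("\tdelete(@start[arg0]);\n}\n")
	return b.String(), nil
}

func main() {
	// Constructed probe pair: receive entry point to packet drop.
	script, err := GenerateLatencyScript("netif_receive_skb", "kfree_skb")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(script)
}
```

Entries in `@start` for packets that never reach the second probe are not deleted, so a long-running trace should be bounded in time or use a narrower probe pair.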

Source: opennet.ru
