Skip to content

libbpf-tools: tcpstates: Fix CLOSE to SYN_SENT wrong delta #5377

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

libbpf-tools: tcpstates: Fix CLOSE to SYN_SENT wrong delta #5377

wants to merge 1 commit into from

Conversation

Rtoax
Copy link
Contributor

@Rtoax Rtoax commented Jul 23, 2025
edited
Loading

When the TCP socket is initially created, the timestamp of when sk is created is not recorded, so the delay from the CLOSE state to any state is 0, which is obviously wrong.

This patch records the time when sk is created as the start time of the CLOSE state, thereby obtaining the time from CLOSE to LISTEN or SYN_SENT.

At the same time, because some time differences are really too small, nanosecond level time display support is added (-n).

Before:

bcc/libbpf-tools$ sudo ./tcpstates | grep CLOSE
ffff8b296bd1af80 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.000
ffff8b296bd1df00 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.000
ffff8b29c851a600 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.000
ffff8b29c4ac4c00 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.000
ffff8b29c4ac6880 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.000
ffff8b29c4ac4280 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.000
ffff8b29c4ac5580 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.000
                                                                                            ^^^^^

After:

bcc/libbpf-tools$ sudo ./tcpstates | grep CLOSE
ffff8b29f6c91300 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.020
ffff8b29f6c94280 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.011
ffff8b2a1d45cc00 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.022
ffff8b2a1d45af80 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.027
ffff8b29c8518980 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.023

@yonghong-song
Copy link
Collaborator

I think using tcp_v4_init_sock/tcp_v6_init_sock to initialize the sock for CLOSE->SYN_SENT does not really represent the time from CLOSE to SYNC_SENT.

The statement machine
CLOSE -> connect() (user space) -> tcp_v{4,6}_init_sock() -> SYN_SENT

At CLOSE moment, the socket is removed from the hash table, so the current implementation will have time 0.

This patch added socket back to the hash table at tcp_v{4,6}_init_sock() so the CLOSE->SYN_SENT time is actually the time from tcp_v{4,6}_init_sock() to SYN_SENT. So the time is not correct.

@Rtoax
libbpf-tools: tcpstates: Fix CLOSE to SYN_SENT wrong delta
a2f1379 
When the TCP socket is initially created, the timestamp of when sk is created
is not recorded, so the delay from the CLOSE state to any state is 0, which
is obviously wrong.

This patch records the time when sk is created as the start time of the
CLOSE state, thereby obtaining the time from CLOSE to LISTEN or SYN_SENT.

At the same time, because some time differences are really too small,
nanosecond level time display support is added (-n).

Before:
    bcc/libbpf-tools$ sudo ./tcpstates | grep CLOSE
    ffff8b296bd1af80 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.000
    ffff8b296bd1df00 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.000
    ffff8b29c851a600 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.000
    ffff8b29c4ac4c00 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.000
    ffff8b29c4ac6880 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.000
    ffff8b29c4ac4280 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.000
    ffff8b29c4ac5580 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.000
                                                                                                ^^^^^

After:
    bcc/libbpf-tools$ sudo ./tcpstates | grep CLOSE
    ffff8b29f6c91300 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.020
    ffff8b29f6c94280 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.011
    ffff8b2a1d45cc00 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.022
    ffff8b2a1d45af80 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.027
    ffff8b29c8518980 421523  Chrome_Chi 10.56.52.9  0  10.32.0.200  8080  CLOSE  -> SYN_SENT    0.023

Signed-off-by: Rong Tao <[email protected]>
@Rtoax Rtoax force-pushed the patch-104-libbpf-tcpstates branch from c7fb1fb to a2f1379 Compare August 6, 2025 06:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chenhengqi chenhengqi Awaiting requested review from chenhengqi chenhengqi is a code owner

@ekyooo ekyooo Awaiting requested review from ekyooo ekyooo is a code owner

@yonghong-song yonghong-song Awaiting requested review from yonghong-song yonghong-song is a code owner

@brendangregg brendangregg Awaiting requested review from brendangregg brendangregg is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Rtoax @yonghong-song