Project 6: TCP Connection Tracker (tcpconnect Clone)

Quick Reference

Attribute               Value
Primary Language        C (libbpf)
Alternative Languages   Go (cilium/ebpf), Rust (aya)
Difficulty              Level 3: Advanced
Time Estimate           2 weeks
Knowledge Area          Networking / TCP State
Tooling                 libbpf
Prerequisites           Projects 1-5 completed, TCP/IP knowledge

What You Will Build

A tool that tracks TCP connections in real-time—showing new connections, connection states, and detecting connection issues like refused connections or timeouts.

Why It Matters

TCP connection tracking requires understanding kernel networking internals. You’ll trace multiple kernel functions and correlate events to build a complete picture of the connection lifecycle.

Core Challenges

  • Finding the right trace points → maps to tcp_v4_connect, inet_csk_accept
  • Extracting socket information → maps to sock, inet_sock structures
  • Tracking connection state → maps to TCP state machine
  • Correlating client and server views → maps to connect vs accept

Key Concepts

  • TCP State Machine: “TCP/IP Illustrated Volume 1” Chapter 18 - Stevens
  • Linux TCP Implementation: “The Linux Programming Interface” Chapters 58-61 - Kerrisk
  • tcpconnect/tcpaccept: BCC Tools

Real-World Outcome

$ sudo ./tcptrack
TIME       TYPE     PID    COMM     SADDR:SPORT          DADDR:DPORT          LAT(ms)
14:23:01   CONNECT  1234   curl     192.168.1.10:45678   93.184.216.34:443    23.5
14:23:01   ACCEPT   5678   nginx    0.0.0.0:443          192.168.1.50:34567   0.1
14:23:02   CONNECT  1234   python   127.0.0.1:45679      127.0.0.1:5432       0.2
14:23:02   CLOSE    1234   curl     192.168.1.10:45678   93.184.216.34:443    -
14:23:05   REFUSED  9012   wget     192.168.1.10:45680   10.0.0.50:8080       -

[Active connections: 156]
[Connection rate: 23.4/s]
[Failure rate: 0.5%]
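
The "tracking connection state" challenge can be worked out in user space before any BPF code is written. The following C code is an added example, not part of this project's own code: it turns TCP state transitions into the row types of the sample output and keeps the active-connection count. It assumes the BPF side delivers one hypothetical `struct state_ev` per transition (for instance from the kernel's `sock:inet_sock_set_state` tracepoint, which this page does not name) with the socket's pending error copied into `sk_err`; the `TIMEOUT` and `FAILED` row types are additions to those in the sample.

```c
#include <errno.h>
#include <stdint.h>

/* Kernel TCP state numbers, from include/net/tcp_states.h. */
enum { ST_ESTABLISHED = 1, ST_SYN_SENT = 2, ST_SYN_RECV = 3, ST_CLOSE = 7 };
enum ev_type { EV_NONE, EV_CONNECT, EV_ACCEPT, EV_REFUSED, EV_TIMEOUT, EV_FAILED, EV_CLOSE };
/* Hypothetical per-transition record; sk_err is assumed copied from the socket. */
struct state_ev { uint64_t sk, ts_ns; int oldstate, newstate, sk_err; };

#define SLOTS 256
static struct { uint64_t sk, start_ns; int est; } tab[SLOTS]; /* sk == 0: free */
static int active;                       /* established and not yet closed */

static int find(uint64_t sk)
{
    for (int i = 0; i < SLOTS; i++)
        if (tab[i].sk == sk) return i;
    return -1;
}

/* Consume one transition; return the row to print, EV_NONE if there is none.
 * *lat_ms stays -1 unless a handshake whose start was seen has just completed. */
enum ev_type track(const struct state_ev *e, double *lat_ms)
{
    int i = find(e->sk);
    *lat_ms = -1.0;
    if (e->newstate == ST_SYN_SENT || e->newstate == ST_SYN_RECV) {
        if (i < 0) i = find(0);          /* handshake starts: take a free slot */
        if (i >= 0) { tab[i].sk = e->sk; tab[i].start_ns = e->ts_ns; tab[i].est = 0; }
        return EV_NONE;
    }
    if (e->newstate == ST_ESTABLISHED) {
        if (i >= 0 && !tab[i].est) {     /* count only handshakes we saw start */
            *lat_ms = (double)(e->ts_ns - tab[i].start_ns) / 1e6;
            tab[i].est = 1; active++;
        }
        return e->oldstate == ST_SYN_RECV ? EV_ACCEPT : EV_CONNECT;
    }
    if (e->newstate != ST_CLOSE) return EV_NONE;   /* FIN_WAIT1, LAST_ACK, ... */
    int was_est = i >= 0 && tab[i].est;
    if (i >= 0) tab[i].sk = 0;           /* the kernel may reuse this address */
    if (e->oldstate == ST_SYN_SENT)      /* active open never completed */
        return e->sk_err == ECONNREFUSED ? EV_REFUSED
             : e->sk_err == ETIMEDOUT ? EV_TIMEOUT : EV_FAILED;
    if (!was_est) return EV_NONE;        /* listener, or socket predating the tracker */
    active--;
    return EV_CLOSE;
}

int active_connections(void) { return active; }
```

Keying the table on the socket address and freeing the slot on every transition to CLOSE matters because the kernel reuses those addresses; a stale entry would attach an old start time to a new connection.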

Implementation Guide

  1. Reproduce the simplest happy-path scenario.
  2. Build the smallest working version of the core feature.
  3. Add input validation and error handling.
  4. Add instrumentation/logging to confirm behavior.
  5. Refactor into clean modules with tests.

Milestones

  • Milestone 1: Minimal working program that runs end-to-end.
  • Milestone 2: Correct outputs for typical inputs.
  • Milestone 3: Robust handling of edge cases.
  • Milestone 4: Clean structure and documented usage.

Validation Checklist

  • Output matches the real-world outcome example
  • Handles invalid inputs safely
  • Provides clear errors and exit codes
  • Repeatable results across runs

References

  • Main guide: LEARN_BPF_EBPF_LINUX.md
  • “BPF Performance Tools” by Brendan Gregg