Requirements
pwrurequires >= 5.3 kernel to run.- For
--output-skb>= 5.9 kernel is required. - (Auto-detected) For
--backend=kprobe-multi>= 5.18 kernel is required.
Commands
Basic command that writes traces with tuple and skb information to a file:
pwru --output-tuple --output-skb --output-file packet.trace-1.txt 'tcp port 8080'
tcp port 8080 (TCP packets with source or destination port set to 8080) can be replaced with any pcap-filter.
For example, src host 1.1.1.1 and tcp src port 443 can be used to trace packets received from 1.1.1.1:443 to diagnose RX path issues. However unlikely to happen, the src port 443 part of the expression excludes packets from 1.1.1.1 but sent to port 443.
Add --filter-func kfree_skb_reason --output-caller to find the function that called kfree_skb_reason(). If it does not provide sufficient information, try --output-stack instead of --output-caller.
Run with Docker
You can also run it in Docker with:
docker run --privileged --rm -t --pid=host -v /sys/kernel/debug/:/sys/kernel/debug/ cilium/pwru pwru --output-tuple 'tcp port 8080'