Maintained by Dynatrace

NetTracer is a tool for tracing TCP events and collecting network connection metrics on Linux. It consists of two parts: a BPF program that collects the data and a user-space C++ binary that prints it in a structured or semi-structured format.

The BPF program, composed of BPF maps and kprobes, is compiled to an ELF object file. At runtime, that object file is loaded by NetTracer using utilities found in bpf_generic.

NetTracer does not have any runtime dependencies on kernel headers, nor is it tied to any specific kernel version or configuration. To adapt to the currently running kernel at runtime, NetTracer creates a series of TCP connections with known parameters (such as known IP addresses and ports) and discovers where those parameters are stored in the kernel struct sock. This process is often referred to as offset guessing. Since BPF programs cannot loop, NetTracer does not iterate over the possible offsets inside the BPF program. Instead, the user-space binary drives the search with a state machine.
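The offset-guessing loop described above, as an added user-space simulation (not NetTracer's own code): a byte buffer stands in for struct sock, `probe_read` stands in for the kprobe, and all names, offsets and values are constructed. Accepting an offset only when every trial connection agrees is an assumption of this example; it shows why a single connection can yield a false match.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOCK_SIZE 128 /* constructed stand-in for the opaque struct sock */
enum field { F_DPORT, F_SPORT, F_DADDR, F_DONE }; /* guesser states */
static const size_t width[F_DONE] = { 2, 2, 4 };
struct conn { uint8_t sk[SOCK_SIZE]; uint8_t want[F_DONE][4]; };

/* Stand-in for the kprobe: one bounded read at the offset user space chose. */
static void probe_read(const uint8_t *sk, size_t off, size_t len, uint8_t *out) {
    memcpy(out, sk + off, len);
}

/* Constructed trial: known parameters planted at hidden offsets 44, 46, 24. */
static void make_conn(struct conn *c, uint8_t id) {
    static const size_t real[F_DONE] = { 44, 46, 24 };
    memset(c->sk, 0xAA, SOCK_SIZE);
    for (int f = 0; f < F_DONE; f++) {
        for (size_t b = 0; b < width[f]; b++)
            c->want[f][b] = (uint8_t)(0x10 * (f + 1) + id + b);
        memcpy(c->sk + real[f], c->want[f], width[f]);
    }
    if (id == 0) /* decoy: trial 0's port value also appears at offset 8 */
        memcpy(c->sk + 8, c->want[F_DPORT], width[F_DPORT]);
}

/* User-space state machine: one candidate offset per step, accepted only if
 * every trial connection shows its own known value there. -1 = not found. */
static int guess_offsets(const struct conn *c, size_t n, size_t found[F_DONE]) {
    size_t off = 0;
    for (int st = F_DPORT; st != F_DONE; ) {
        if (off + width[st] > SOCK_SIZE) return -1; /* refuse to trace blind */
        size_t hits = 0;
        for (size_t i = 0; i < n; i++) {
            uint8_t got[4];
            probe_read(c[i].sk, off, width[st], got);
            hits += memcmp(got, c[i].want[st], width[st]) == 0;
        }
        if (hits == n) { found[st++] = off; off = 0; } /* advance to next state */
        else off++;
    }
    return 0;
}

int main(void) {
    struct conn c[3];
    size_t one[F_DONE], all[F_DONE];
    for (uint8_t i = 0; i < 3; i++) make_conn(&c[i], i);
    guess_offsets(c, 1, one); guess_offsets(c, 3, all);
    printf("dport: 1 trial -> %zu, 3 trials -> %zu\n", one[F_DPORT], all[F_DPORT]);
    return 0;
}
```

With one trial the guesser settles on the decoy offset; with three it rejects the decoy, and it returns -1 rather than a guess when a field cannot be located.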

Only Linux kernels of version 4.15 or above are supported. NetTracer was inspired by weaveworks' tcptracer-bpf.


  • Tracing of TCP events: connect, accept and close
  • Collecting metrics about each traced connection (see Metrics below)
  • High performance - written in C and C++
  • Independence from kernel version and configuration


For each IPv4 and IPv6 TCP connection, defined by:

  • Source address and port
  • Destination address and port
  • PID of the communicating process
  • Network namespace

the following metrics are collected:

  • Bytes sent
  • Bytes received
  • Packets sent
  • Packets received
  • Packets retransmitted
  • Round-Trip Time (in microseconds)
  • Round-Trip Time variance