jkstill/proc_net_tcp_decode

## proc_net_tcp_decode
Decoding the data in /proc/net/tcp:

Linux 5.x  /proc/net/tcp
Linux 6.x  /proc/PID/net/tcp

Given a socket:

$ ls -l  /proc/24784/fd/11
lrwx------ 1 jkstill dba 64 Dec  4 16:22 /proc/24784/fd/11 -> socket:[15907701]

Find the address

$ head -1 /proc/24784/net/tcp; grep 15907701 /proc/24784/net/tcp
  sl  local_address rem_address   st  tx_queue  rx_queue tr tm->when  retrnsmt   uid  timeout inode
  46: 010310AC:9C4C 030310AC:1770 01 0100000150:00000000  01:00000019 00000000  1000 0 54165785 4 cd1e6040 25 4 27 3 -1

46: 010310AC:9C4C 030310AC:1770 01
|   |         |   |        |    |--> connection state
|   |         |   |        |------> remote TCP port number
|   |         |   |-------------> remote IPv4 address
|   |         |--------------------> local TCP port number
|   |---------------------------> local IPv4 address
|----------------------------------> number of entry

00000150:00000000 01:00000019 00000000
|        |        |  |        |--> number of unrecovered RTO timeouts
|        |        |  |----------> number of jiffies until timer expires
|        |        |----------------> timer_active (see below)
|        |----------------------> receive-queue
|-------------------------------> transmit-queue

1000 0 54165785 4 cd1e6040 25 4 27 3 -1
|    | |        | |        |  | |  |  |--> slow start size threshold,
|    | |        | |        |  | |  |       or -1 if the treshold
|    | |        | |        |  | |  |       is >= 0xFFFF
|    | |        | |        |  | |  |----> sending congestion window
|    | |        | |        |  | |-------> (ack.quick<<1)|ack.pingpong
|    | |        | |        |  |---------> Predicted tick of soft clock
|    | |        | |        |               (delayed ACK control data)
|    | |        | |        |------------> retransmit timeout
|    | |        | |------------------> location of socket in memory
|    | |        |-----------------------> socket reference count
|    | |-----------------------------> inode
|    |----------------------------------> unanswered 0-window probes
|---------------------------------------------> uid


timer_active:
0 no timer is pending
1 retransmit-timer is pending
2 another timer (e.g. delayed ack or keepalive) is pending
3 this is a socket in TIME_WAIT state. Not all field will contain data.
4 zero window probe timer is pending

==========================================
Perl script to decode the address

#!/usr/bin/perl

my $hexip=$ARGV[0];
my $hexport=$ARGV[1];

print "hex: $hexip\n";

my @ip = map hex($_), ( $hexip =~ m/../g );

my $ip = join('.',reverse(@ip));

my $port = hex($hexport);

print "IP: $ip  PORT: $port\n";

==========================================

$ hexip.pl 030310AC 1770
hex: 030310AC
IP: 172.16.3.3  PORT: 6000
	Decoding the data in /proc/net/tcp:

	Linux 5.x /proc/net/tcp
	Linux 6.x /proc/PID/net/tcp

	Given a socket:

	$ ls -l /proc/24784/fd/11
	lrwx------ 1 jkstill dba 64 Dec 4 16:22 /proc/24784/fd/11 -> socket:[15907701]

	Find the address

	$ head -1 /proc/24784/net/tcp; grep 15907701 /proc/24784/net/tcp
	sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
	46: 010310AC:9C4C 030310AC:1770 01 0100000150:00000000 01:00000019 00000000 1000 0 54165785 4 cd1e6040 25 4 27 3 -1

	46: 010310AC:9C4C 030310AC:1770 01
	\| \| \| \| \| \|--> connection state
	\| \| \| \| \|------> remote TCP port number
	\| \| \| \|-------------> remote IPv4 address
	\| \| \|--------------------> local TCP port number
	\| \|---------------------------> local IPv4 address
	\|----------------------------------> number of entry

	00000150:00000000 01:00000019 00000000
	\| \| \| \| \|--> number of unrecovered RTO timeouts
	\| \| \| \|----------> number of jiffies until timer expires
	\| \| \|----------------> timer_active (see below)
	\| \|----------------------> receive-queue
	\|-------------------------------> transmit-queue

	1000 0 54165785 4 cd1e6040 25 4 27 3 -1
	\| \| \| \| \| \| \| \| \| \|--> slow start size threshold,
	\| \| \| \| \| \| \| \| \| or -1 if the treshold
	\| \| \| \| \| \| \| \| \| is >= 0xFFFF
	\| \| \| \| \| \| \| \| \|----> sending congestion window
	\| \| \| \| \| \| \| \|-------> (ack.quick<<1)\|ack.pingpong
	\| \| \| \| \| \| \|---------> Predicted tick of soft clock
	\| \| \| \| \| \| (delayed ACK control data)
	\| \| \| \| \| \|------------> retransmit timeout
	\| \| \| \| \|------------------> location of socket in memory
	\| \| \| \|-----------------------> socket reference count
	\| \| \|-----------------------------> inode
	\| \|----------------------------------> unanswered 0-window probes
	\|---------------------------------------------> uid


	timer_active:
	0 no timer is pending
	1 retransmit-timer is pending
	2 another timer (e.g. delayed ack or keepalive) is pending
	3 this is a socket in TIME_WAIT state. Not all field will contain data.
	4 zero window probe timer is pending

	==========================================
	Perl script to decode the address

	#!/usr/bin/perl

	my $hexip=$ARGV[0];
	my $hexport=$ARGV[1];

	print "hex: $hexip\n";

	my @ip = map hex($_), ( $hexip =~ m/../g );

	my $ip = join('.',reverse(@ip));

	my $port = hex($hexport);

	print "IP: $ip PORT: $port\n";

	==========================================

	$ hexip.pl 030310AC 1770
	hex: 030310AC
	IP: 172.16.3.3 PORT: 6000