Question about inet_set_socket_state trace point

Hi everyone,

I am using inet_set_socket_state trace point to get current establish connection count

Here, incrementing counter value in BPF map when new state is TCP_ESTABLISHED and decrementing when old state is TCP_ESTABLISHED.

But observed that the map count is having discrepancy with what netstat shows. When we start the probe, it looks all fine, but when we leave it running say for 2-3 days we see the difference. And this difference is building over time.

Can someone please help me here if I am missing something?


TRACEPOINT_PROBE(sock, inet_sock_set_state) {

if (args->newstate >= TCP_ESTABLISHED) 

                 __sync_fetch_and_add(val, 1); 

       if (args->newstate >= TCP_ESTABLISHED)       

                 __sync_fetch_and_add(val, -1);  


netstat -tanp  | grep -i "EST" | wc -l


