Skip to main content
Profiles are configuration files containing pre-defined sets of command line arguments. They provide a comprehensive and consistent configuration for Retis aimed at specific debugging scenarios, improving user experience and reducing the need to remember complex command combinations.

What Are Profiles?

A profile bundles together:
  • Collector selections
  • Probe configurations
  • Filter settings
  • Other command-line options
Instead of typing a long command with many options, you can use a profile: 
# Without profile - long and complex
$ retis collect -c skb,skb-drop,skb-tracking -p kfree_skb -p consume_skb ...

# With profile - simple and clear
$ retis -p generic collect

Using Profiles

Specify a profile with the -p flag before the command: 
$ retis -p <profile-name> collect
List available profiles: 
$ retis profile list
generic
ifdump
dropmon
nft-dropmon

Built-in Profiles

generic

General-purpose packet investigation across the networking stack

ifdump

Capture packets at device driver level (ingress/egress)

dropmon

Monitor dropped packets with stack traces

nft-dropmon

Monitor Netfilter/nftables packet drops

generic Profile

The generic profile provides a starting point for investigating packets in the networking stack. It defines probes at various strategic locations and enables the skb, skb-drop, and skb-tracking collectors. 
$ retis -p generic collect
This profile is ideal when:
  • You’re starting to investigate a network issue
  • You need visibility across multiple stack layers
  • You want packet tracking enabled by default

ifdump Profile

Collects packets at the device driver boundary:
  • Ingress: Just after the device driver receives packets
  • Egress: Right before packets are sent to the device driver
This is similar to tools like tcpdump (which use AF_PACKET). 
$ retis -p ifdump collect
Example output: 
7129250251406 (5) [ping] 23561 [tp] net:net_dev_start_xmit #67be86dc28effff8f67ed249b80 (skb ffff8f67919c2b00)
  if 4 (wlp82s0) [redacted] > 2606:4700:4700::1111 ttl 64 label 0xbf87b len 64 proto ICMPv6 (58) type 128 code 0

7129262331018 (0) [irq/185-iwlwifi] 1259 [tp] net:netif_receive_skb #67be926148affff8f6546b13700 (skb ffff8f6851bffd00)
  if 4 (wlp82s0) 2606:4700:4700::1111 > [redacted] ttl 54 label 0x55519 len 64 proto ICMPv6 (58) type 129 code 0
When not using a profile, retis collect automatically uses the same probes as the ifdump profile by default.

dropmon Profile

Monitors dropped packets with stack traces to understand where and why packets are being dropped. 
$ retis -p dropmon collect
Example output: 
4152973315243 [nc] 14839 [tp] skb:kfree_skb drop (NO_SOCKET)
    bpf_prog_88089ccd9794be3a_sd_devices+0x3601
    bpf_prog_88089ccd9794be3a_sd_devices+0x3601
    bpf_trace_run3+0x52
    kfree_skb_reason+0x8f
    tcp_v6_rcv+0x77
    ip6_protocol_deliver_rcu+0x6b
    ip6_input_finish+0x43
    __netif_receive_skb_one_core+0x62
    process_backlog+0x85
    __napi_poll+0x28
    net_rx_action+0x2a4
    __do_softirq+0xd1
    do_softirq.part.0+0x3d
    __local_bh_enable_ip+0x68
    __dev_queue_xmit+0x28b
    ip6_finish_output2+0x2ae
    ip6_finish_output+0x160
    ip6_xmit+0x2c0
    inet6_csk_xmit+0xe9
    __tcp_transmit_skb+0x535
    tcp_connect+0xb95
    tcp_v6_connect+0x515
    __inet_stream_connect+0x10f
    inet_stream_connect+0x3a
    __sys_connect+0xa8
    __x64_sys_connect+0x18
    do_syscall_64+0x5d
    entry_SYSCALL_64_after_hwframe+0x6e
  if 1 (lo) rxif 1 ::1.36986 > ::1.8080 ttl 64 label 0x975b1 len 40 proto TCP (6) flags [S] seq 2899194670 win 65476
The stack trace shows the exact code path leading to the drop, making it easier to identify the root cause.
Use dropmon to monitor drops in real-time:
$ retis -p dropmon collect

nft-dropmon Profile

Similar to dropmon, but specifically for Netfilter/nftables drops. Shows which firewall rule dropped the packet. 
$ retis -p nft-dropmon collect --allow-system-changes
The --allow-system-changes flag allows Retis to install a temporary nftables tracing table. This is required for the nft collector to work.
Example output: 
3443313082998 [swapper/0] 0 [k] __nft_trace_packet
    __nft_trace_packet+0x1
    nft_do_chain+0x3ef
    nft_do_chain_inet+0x54
    nf_hook_slow+0x42
    ip_local_deliver+0xd0
    ip_sublist_rcv_finish+0x7e
    ip_sublist_rcv+0x186
    ip_list_rcv+0x13d
    __netif_receive_skb_list_core+0x29d
    netif_receive_skb_list_internal+0x1d1
    napi_complete_done+0x72
    virtnet_poll+0x3ce
    __napi_poll+0x28
    net_rx_action+0x2a4
    __do_softirq+0xd1
    __irq_exit_rcu+0xbe
    common_interrupt+0x86
    asm_common_interrupt+0x26
    pv_native_safe_halt+0xf
    default_idle+0x9
    default_idle_call+0x2c
    do_idle+0x226
    cpu_startup_entry+0x1d
    __pfx_kernel_init+0x0
    arch_call_rest_init+0xe
    start_kernel+0x71e
    x86_64_start_reservations+0x18
    x86_64_start_kernel+0x96
    __pfx_verify_cpu+0x0
  if 2 (eth0) rxif 2 172.16.42.1.52294 > 172.16.42.2.8080 ttl 64 tos 0x0 id 37968 off 0 [DF] len 60 proto TCP (6) flags [S] seq 1971640626 win 64240
  table firewalld (1) chain filter_IN_FedoraServer (202) handle 215 drop
You can correlate the handle number with your nftables rules: 
$ nft -a list table inet firewalld
...
chain filter_IN_FedoraServer { # handle 202
...
    jump filter_INPUT_POLICIES_post # handle 214
    meta l4proto { icmp, ipv6-icmp } accept # handle 273
    reject with icmpx admin-prohibited # handle 215  <- This rule
}
...
You can also generate pcap files from netfilter drops:
$ retis -p nft-dropmon collect -o
$ retis -p nft-dropmon pcap -o nft-drops.pcap
$ wireshark nft-drops.pcap

Extending Profiles

Profiles can be extended with additional CLI arguments. Arguments are additive: 
# Add a custom probe to the dropmon profile
$ retis -p dropmon collect -p skb:consume_skb

# Use a profile without specifying a profile at all
$ retis collect -p skb:kfree_skb -p ovs_ct_clear
This flexibility allows you to:
  • Start with a profile’s baseline configuration
  • Add specific probes for your use case
  • Override or supplement default filters

Custom Profiles

You can create your own profiles using YAML configuration files.

Profile Locations

Profiles can be stored in:
  1. User profile directory: $HOME/.config/retis/profiles/
    • Profiles here are available by name
    • No path needed when using them
  2. Custom directory: Any directory you specify
    • Use -P /custom/path to specify the directory
    • Useful for sharing team profiles
  3. Direct path: Provide the full path to a profile file
    • Use when you want a one-off profile

Profile Format

Profiles are YAML files that specify command arguments. Here’s an example profile structure: 
collect:
  collectors:
    - skb
    - skb-drop
    - skb-tracking
  probes:
    - "kfree_skb"
    - "consume_skb"
  filter-packets: "tcp port 443"

Using Custom Profiles

Place your profile in ~/.config/retis/profiles/myprofile.yaml:
$ retis -p myprofile collect

Contributing Profiles

If you create a profile that could benefit others, consider contributing it to the official Retis repository!

Profile Best Practices

Start with Built-ins

Begin with built-in profiles and extend them before creating custom ones:
$ retis -p generic collect -f 'tcp port 80'

Name Descriptively

Use clear, descriptive names for custom profiles:
  • webserver-debug.yaml
  • profile1.yaml

Document Your Profiles

Include comments in custom profile YAML files explaining their purpose and use cases.

Share Team Profiles

Use a shared directory (-P) for team profiles to ensure consistent debugging approaches.

Next Steps

Collectors

Learn about collectors used in profiles

Filtering

Understand how to add filters to profiles

Profile Reference

See detailed documentation for each profile

Build docs developers (and LLMs) love

Get started for freeTalk to us