diff --git a/tools/tcptracer_example.txt b/tools/tcptracer_example.txt new file mode 100644 index 000000000000..9f2ec9a533d7 --- /dev/null +++ b/tools/tcptracer_example.txt @@ -0,0 +1,25 @@ +Demonstrations of tcptracer, the Linux eBPF/bcc version. + + +This tool traces the kernel function performing TCP connections (eg, via a +connect() or accept() syscalls) and closing them (explicitly or if the process +dies). Some example output (IP addresses are fake): + +``` +# ./tcptracer +T PID COMM IP SADDR DADDR SPORT DPORT +CN 2389 telnet 4 192.168.1.2 192.168.1.1 53404 23 +CN 23323 curl 6 ::1 ::1 36226 80 +CL 2389 telnet 4 192.168.1.2 192.168.1.1 53404 23 +AC 23278 nc 6 ::1 ::1 80 36226 +CL 23323 curl 6 ::1 ::1 36226 80 +CL 23278 nc 6 ::1 ::1 80 36226 +AC 15195 nc 4 10.202.210.1 10.202.109.12 8080 43904 +CL 15195 nc 4 10.202.210.1 10.202.109.12 8080 43904 +``` + +This output shows three conections, one outgoing from a "telnet" process, one +outgoing from "curl" to a local netcat, and one incoming received by the "nc" +process. The output details show the kind of event (CN for connection, CL for +close and AC for accept), PID, IP version, source address, destination address, +source port and destination port.
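Review bot: The prose at the end of the hunk has a typo and a grammatical slip that should be fixed before merge: "three conections" should read "three connections", and "(eg, via a connect() or accept() syscalls)" should read "(e.g., via the connect() or accept() syscalls)". It would also help readers to state that the curl-to-netcat connection appears twice in the sample output, once as CN from the curl process (PID 23323) and once as AC from the nc process (PID 23278), and that for AC rows the SADDR/SPORT columns are the local accepting socket (port 80, port 8080) while DADDR/DPORT are the remote peer; the closing sentence as written ("source address, destination address, source port and destination port") leaves that orientation ambiguous. Finally, the "T" column header is never expanded; a short phrase such as "the kind of event (T column: CN for connection, CL for close and AC for accept)" ties the legend to the header.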