10.6 Monitoring I/O performance
iostat command: shows detailed disk I/O statistics. It is installed with the sysstat package.
When vmstat shows a large value in the b column or the wa column, the disk may be the bottleneck; use iostat to narrow down where the disk bottleneck is. It reports the figures for each disk separately.
[root@lgs-01 ~]# iostat 1 3
Linux 3.10.0-693.el7.x86_64 (lgs-01) 2018年05月07日 _x86_64_ (2 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.49    0.00    1.80    0.13    0.00   97.59

Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
sda              67.30      1074.56        76.33     164784      11705
sdb               1.61        23.55         0.00       3612          0
dm-0              0.28         6.76         0.00       1036          0

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.00    0.00    0.50    0.00    0.00   99.50

Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
sda               0.00         0.00         0.00          0          0
sdb               0.00         0.00         0.00          0          0
dm-0              0.00         0.00         0.00          0          0

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.00    0.00    0.00    0.00    0.00  100.00

Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
sda               0.00         0.00         0.00          0          0
sdb               0.00         0.00         0.00          0          0
dm-0              0.00         0.00         0.00          0          0
sar -b 1 3 gives a similar result:
[root@lgs-01 ~]# sar -b 1 3
Linux 3.10.0-693.el7.x86_64 (lgs-01) 2018年05月07日 _x86_64_ (2 CPU)

21时47分49秒       tps      rtps      wtps   bread/s   bwrtn/s
21时47分50秒      0.00      0.00      0.00      0.00      0.00
21时47分51秒      0.00      0.00      0.00      0.00      0.00
21时47分52秒      0.00      0.00      0.00      0.00      0.00
平均时间:          0.00      0.00      0.00      0.00      0.00
The command to focus on is iostat -x. Its important column is %util: the percentage of each second spent waiting on I/O requests. Once it goes above 60%, watch out for trouble.
[root@lgs-01 ~]# iostat -x
Linux 3.10.0-693.el7.x86_64 (lgs-01) 2018年05月07日 _x86_64_ (2 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.20    0.00    0.84    0.05    0.00   98.91

Device:  rrqm/s  wrqm/s    r/s    w/s   rkB/s  wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
sda        0.01    0.38  14.76  11.38  415.94  30.41    34.14     0.04  1.47    0.58    2.63  0.22  0.57
sdb        0.00    0.00   0.62   0.00    9.11   0.00    29.25     0.00  0.34    0.34    0.00  0.26  0.02
dm-0       0.00    0.00   0.11   0.00    2.61   0.00    48.19     0.00  0.35    0.35    0.00  0.21  0.00
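The %util rule above, as an added example that is not part of the original notes: a POSIX shell function that reads iostat -x output and prints every device above a threshold. It locates the %util column from the header instead of assuming its position, because sysstat releases differ in column layout; the sample output it is fed is constructed, not captured from the host in these notes.

```shell
#!/bin/sh
# Added example: flag block devices whose %util in `iostat -x` output exceeds
# a threshold (the notes above use 60%). Not from the original notes.

# Constructed sample in the iostat -x layout shown above. The sda row is
# invented to show a saturated disk; it was not captured from a real host.
SAMPLE_IOSTAT='Linux 3.10.0-693.el7.x86_64 (lgs-01)  05/07/2018  _x86_64_  (2 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.20    0.00    0.84    0.05    0.00   98.91

Device:  rrqm/s  wrqm/s    r/s     w/s   rkB/s    wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
sda        0.01    0.38  14.76  211.38  415.94 30300.41    34.14     2.04 47.47    0.58   52.63  3.22 87.50
sdb        0.00    0.00   0.62    0.00    9.11     0.00    29.25     0.00  0.34    0.34    0.00  0.26  0.02
dm-0       0.00    0.00   0.11    0.00    2.61     0.00    48.19     0.00  0.35    0.35    0.00  0.21  0.00'

# iostat_util_alert THRESHOLD  < iostat -x output
# Prints "DEVICE UTIL" for every device whose %util is above THRESHOLD.
iostat_util_alert() {
    awk -v limit="$1" '
        /^Device/ {
            # Find the %util column once per header line, so the parser
            # survives layout changes between sysstat versions.
            for (i = 1; i <= NF; i++) if ($i == "%util") col = i
            next
        }
        # Only device rows have at least as many fields as the header;
        # avg-cpu lines and blank lines are shorter and are skipped.
        col && NF >= col && $col + 0 > limit + 0 { printf "%s %.2f\n", $1, $col }
    '
}

# Stand-alone use against the constructed sample (live use: iostat -x | iostat_util_alert 60):
printf '%s\n' "$SAMPLE_IOSTAT" | iostat_util_alert 60
```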
iotop command: shows the disk read and write activity of individual processes, sorted by the IO> column.
[root@lgs-01 ~]# iotop
Total DISK READ : 0.00 B/s | Total DISK WRITE : 0.00 B/s
Actual DISK READ: 0.00 B/s | Actual DISK WRITE: 0.00 B/s
 TID PRIO USER DISK READ DISK WRITE SWAPIN IO> COMMAND
 512 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [xfsaild/sda1]
 1 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % systemd --switched-root --system --deserialize 21
 2 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kthreadd]
 3 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksoftirqd/0]
 5 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/0:0H]
 6 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/u256:0]
 7 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [migration/0]
 8 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [rcu_bh]
 9 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [rcu_sched]
 10 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [watchdog/0]
 11 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [watchdog/1]
 12 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [migration/1]
 13 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksoftirqd/1]
 15 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/1:0H]
 17 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kdevtmpfs]
 18 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [netns]
 19 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [khungtaskd]
 20 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [writeback]
 21 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kintegrityd]
 22 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [bioset]
 23 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kblockd]
 24 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [md]
 25 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/0:1]
 30 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kswapd0]
 31 be/5 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksmd]
 32 be/7 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [khugepaged]
 33 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [crypto]
 41 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kthrotld]
 42 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/1:1]
 43 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/u256:1]
 44 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kmpath_rdacd]
 45 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kpsmoused]
 46 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/0:2]
 47 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ipv6_addrconf]
 561 be/4 dbus 0.00 B/s 0.00 B/s 0.00 % 0.00 % dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
 565 be/4 dbus 0.00 B/s 0.00 B/s 0.00 % 0.00 % dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
 566 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % VGAuthService -s
 567 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % vmtoolsd
 568 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % irqbalance --foreground
 569 be/4 polkitd 0.00 B/s 0.00 B/s 0.00 % 0.00 % polkitd --no-debug
10.7 The free command
free command: shows overall memory usage.
[root@lgs-01 ~]# free
              total        used        free      shared  buff/cache   available
Mem:        1867048      584212      758824        8784      524012     1091040
Swap:       4194300           0     4194300
-m option: display in megabytes.
[root@lgs-01 ~]# free -m
              total        used        free      shared  buff/cache   available
Mem:           1823         570         741           8         511        1065
Swap:          4095           0        4095
-h option: display in a human-readable form.
[root@lgs-01 ~]# free -h
              total        used        free      shared  buff/cache   available
Mem:           1.8G        570M        741M        8.6M        511M        1.0G
Swap:          4.0G          0B        4.0G
total=used+free+buff/cache
available = free + the reclaimable part of buff/cache
Because the CPU and the disk differ so much in read/write speed, cache and buffers are introduced to bridge the gap.
The idea of cache: data (on disk) ---> memory (the cache) ---> CPU (computation)
The idea of buff: CPU (data after computation) ---> memory (the buffer) ---> data (results saved to disk)
10.8 The ps command
ps command: a snapshot of all current processes; the listing is static.
Usually run as ps aux, which is similar to the Windows Task Manager.
[root@lgs-01 ~]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 128164 6828 ? Ss 21:44 0:00 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
root 2 0.0 0.0 0 0 ? S 21:44 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 21:44 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 21:44 0:00 [kworker/0:0H]
root 6 0.0 0.0 0 0 ? S 21:44 0:00 [kworker/u256:0]
root 7 0.0 0.0 0 0 ? S 21:44 0:00 [migration/0]
root 8 0.0 0.0 0 0 ? S 21:44 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? S 21:44 0:00 [rcu_sched]
root 10 0.0 0.0 0 0 ? S 21:44 0:00 [watchdog/0]
root 11 0.0 0.0 0 0 ? S 21:44 0:00 [watchdog/1]
root 12 0.0 0.0 0 0 ? S 21:44 0:00 [migration/1]
root 13 0.0 0.0 0 0 ? S 21:44 0:00 [ksoftirqd/1]
root 15 0.0 0.0 0 0 ? S< 21:44 0:00 [kworker/1:0H]
root 17 0.0 0.0 0 0 ? S 21:44 0:00 [kdevtmpfs]
root 18 0.0 0.0 0 0 ? S< 21:44 0:00 [netns]
root 19 0.0 0.0 0 0 ? S 21:44 0:00 [khungtaskd]
root 20 0.0 0.0 0 0 ? S< 21:44 0:00 [writeback]
root 21 0.0 0.0 0 0 ? S< 21:44 0:00 [kintegrityd]
root 22 0.0 0.0 0 0 ? S< 21:44 0:00 [bioset]
root 23 0.0 0.0 0 0 ? S< 21:44 0:00 [kblockd]
root 24 0.0 0.0 0 0 ? S< 21:44 0:00 [md]
root 30 0.0 0.0 0 0 ? S 21:44 0:00 [kswapd0]
root 31 0.0 0.0 0 0 ? SN 21:44 0:00 [ksmd]
root 32 0.0 0.0 0 0 ? SN 21:44 0:00 [khugepaged]
root 33 0.0 0.0 0 0 ? S< 21:44 0:00 [crypto]
root 41 0.0 0.0 0 0 ? S< 21:44 0:00 [kthrotld]
root 43 0.0 0.0 0 0 ? S 21:44 0:00 [kworker/u256:1]
root 44 0.0 0.0 0 0 ? S< 21:44 0:00 [kmpath_rdacd]
root 45 0.0 0.0 0 0 ? S< 21:44 0:00 [kpsmoused]
root 46 0.0 0.0 0 0 ? R 21:44 0:00 [kworker/0:2]
root 47 0.0 0.0 0 0 ? S< 21:44 0:00 [ipv6_addrconf]
root 66 0.0 0.0 0 0 ? S< 21:44 0:00 [deferwq]
root 99 0.0 0.0 0 0 ? S 21:44 0:00 [kauditd]
root 236 0.0 0.0 0 0 ? S 21:44 0:00 [kworker/1:2]
root 238 0.0 0.0 0 0 ? S< 21:44 0:00 [ata_sff]
root 239 0.0 0.0 0 0 ? S 21:44 0:00 [scsi_eh_0]
root 240 0.0 0.0 0 0 ? S< 21:44 0:00 [scsi_tmf_0]
root 241 0.0 0.0 0 0 ? S 21:44 0:00 [scsi_eh_1]
root 242 0.0 0.0 0 0 ? S< 21:44 0:00 [scsi_tmf_1]
root 245 0.0 0.0 0 0 ? S< 21:44 0:00 [mpt_poll_0]
root 246 0.0 0.0 0 0 ? S< 21:44 0:00 [mpt/0]
root 254 0.0 0.0 0 0 ? S 21:44 0:00 [scsi_eh_2]
root 255 0.0 0.0 0 0 ? S< 21:44 0:00 [scsi_tmf_2]
root 257 0.0 0.0 0 0 ? S< 21:44 0:00 [ttm_swap]
root 285 0.0 0.0 0 0 ? S< 21:44 0:00 [bioset]
root 286 0.0 0.0 0 0 ? S< 21:44 0:00 [xfsalloc]
root 287 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs_mru_cache]
root 288 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-buf/sda3]
root 289 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-data/sda3]
root 290 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-conv/sda3]
root 291 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-cil/sda3]
root 292 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-reclaim/sda]
root 293 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-log/sda3]
root 294 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-eofblocks/s]
root 295 0.0 0.0 0 0 ? S 21:44 0:00 [xfsaild/sda3]
root 363 0.0 0.1 36832 2840 ? Ss 21:44 0:00 /usr/lib/systemd/systemd-journald
root 381 0.0 0.3 342552 6012 ? Ss 21:44 0:00 /usr/sbin/lvmetad -f
root 391 0.0 0.3 47872 5896 ? Ss 21:44 0:00 /usr/lib/systemd/systemd-udevd
root 414 0.0 0.0 0 0 ? S< 21:44 0:00 [nfit]
root 451 0.0 0.0 0 0 ? S< 21:44 0:00 [kworker/1:1H]
root 500 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-buf/sda1]
root 501 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-data/sda1]
root 502 0.0 0.0 0 0 ? S< 21:44 0:00 [kdmflush]
root 503 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-conv/sda1]
root 504 0.0 0.0 0 0 ? S< 21:44 0:00 [bioset]
root 505 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-cil/sda1]
root 507 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-reclaim/sda]
root 508 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-log/sda1]
root 509 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-eofblocks/s]
root 512 0.0 0.0 0 0 ? S 21:44 0:00 [xfsaild/sda1]
root 535 0.0 0.0 55452 892 ? S
Combine it with grep to check whether a particular process is running.
[root@lgs-01 ~]# ps aux|grep mysql
root 956 0.0 0.0 115388 1700 ? S 21:44 0:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/data/mysql --pid-file=/data/mysql/lgs-01.pid
mysql 1180 0.2 24.2 1300776 452360 ? Sl 21:44 0:03 /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql --datadir=/data/mysql --plugin-dir=/usr/local/mysql/lib/plugin --user=mysql --log-error=/data/mysql/lgs-01.err --pid-file=/data/mysql/lgs-01.pid
root 1491 0.0 0.0 112680 984 pts/0 S+ 22:08 0:00 grep --color=auto mysql
ps -elf: similar to aux.
[root@lgs-01 ~]# ps -elf
F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD
4 S root 1 0 0 80 0 - 32041 ep_pol 21:44 ? 00:00:00 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
1 S root 2 0 0 80 0 - 0 kthrea 21:44 ? 00:00:00 [kthreadd]
1 S root 3 2 0 80 0 - 0 smpboo 21:44 ? 00:00:00 [ksoftirqd/0]
1 S root 5 2 0 60 -20 - 0 worker 21:44 ? 00:00:00 [kworker/0:0H]
1 S root 6 2 0 80 0 - 0 worker 21:44 ? 00:00:00 [kworker/u256:0]
1 S root 7 2 0 -40 - - 0 smpboo 21:44 ? 00:00:00 [migration/0]
1 S root 8 2 0 80 0 - 0 rcu_gp 21:44 ? 00:00:00 [rcu_bh]
1 S root 9 2 0 80 0 - 0 rcu_gp 21:44 ? 00:00:00 [rcu_sched]
5 S root 10 2 0 -40 - - 0 smpboo 21:44 ? 00:00:00 [watchdog/0]
5 S root 11 2 0 -40 - - 0 smpboo 21:44 ? 00:00:00 [watchdog/1]
1 S root 12 2 0 -40 - - 0 smpboo 21:44 ? 00:00:00 [migration/1]
1 S root 13 2 0 80 0 - 0 smpboo 21:44 ? 00:00:00 [ksoftirqd/1]
1 S root 15 2 0 60 -20 - 0 worker 21:44 ? 00:00:00 [kworker/1:0H]
5 S root 17 2 0 80 0 - 0 devtmp 21:44 ? 00:00:00 [kdevtmpfs]
1 S root 18 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [netns]
1 S root 19 2 0 80 0 - 0 watchd 21:44 ? 00:00:00 [khungtaskd]
1 S root 20 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [writeback]
1 S root 21 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [kintegrityd]
1 S root 22 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [bioset]
1 S root 23 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [kblockd]
1 S root 24 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [md]
1 S root 30 2 0 80 0 - 0 kswapd 21:44 ? 00:00:00 [kswapd0]
1 S root 31 2 0 85 5 - 0 ksm_sc 21:44 ? 00:00:00 [ksmd]
1 S root 32 2 0 99 19 - 0 khugep 21:44 ? 00:00:00 [khugepaged]
1 S root 33 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [crypto]
1 S root 41 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [kthrotld]
1 S root 43 2 0 80 0 - 0 worker 21:44 ? 00:00:00 [kworker/u256:1]
1 S root 44 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [kmpath_rdacd]
1 S root 45 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [kpsmoused]
1 R root 46 2 0 80 0 - 0 - 21:44 ? 00:00:00 [kworker/0:2]
1 S root 47 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [ipv6_addrconf]
1 S root 66 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [deferwq]
1 S root 99 2 0 80 0 - 0 kaudit 21:44 ? 00:00:00 [kauditd]
1 S root 236 2 0 80 0 - 0 worker 21:44 ? 00:00:00 [kworker/1:2]
1 S root 238 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [ata_sff]
1 S root 239 2 0 80 0 - 0 scsi_e 21:44 ? 00:00:00 [scsi_eh_0]
1 S root 240 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [scsi_tmf_0]
1 S root 241 2 0 80 0 - 0 scsi_e 21:44 ? 00:00:00 [scsi_eh_1]
1 S root 242 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [scsi_tmf_1]
1 S root 245 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [mpt_poll_0]
1 S root 246 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [mpt/0]
1 S root 254 2 0 80 0 - 0 scsi_e 21:44 ? 00:00:00 [scsi_eh_2]
1 S root 255 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [scsi_tmf_2]
1 S root 257 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [ttm_swap]
1 S root 285 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [bioset]
1 S root 286 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfsalloc]
1 S root 287 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs_mru_cache]
1 S root 288 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-buf/sda3]
1 S root 289 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-data/sda3]
1 S root 290 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-conv/sda3]
1 S root 291 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-cil/sda3]
1 S root 292 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-reclaim/sda]
1 S root 293 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-log/sda3]
1 S root 294 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-eofblocks/s]
1 S root 295 2 0 80 0 - 0 xfsail 21:44 ? 00:00:00 [xfsaild/sda3]
4 S root 363 1 0 80 0 - 9208 ep_pol 21:44 ? 00:00:00 /usr/lib/systemd/systemd-journald
4 S root 381 1 0 80 0 - 85638 poll_s 21:44 ? 00:00:00 /usr/sbin/lvmetad -f
4 S root 391 1 0 80 0 - 11968 ep_pol 21:44 ? 00:00:00 /usr/lib/systemd/systemd-udevd
1 S root 414 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [nfit]
1 S root 451 2 0 60 -20 - 0 worker 21:44 ? 00:00:00 [kworker/1:1H]
1 S root 500 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-buf/sda1]
1 S root 501 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-data/sda1]
1 S root 502 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [kdmflush]
1 S root 503 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-conv/sda1]
1 S root 504 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [bioset]
1 S root 505 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-cil/sda1]
1 S root 507 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-reclaim/sda]
1 S root 508 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-log/sda1]
1 S root 509 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-eofblocks/s]
1 S root 512 2 0 80 0 - 0 xfsail 21:44 ? 00:00:00 [xfsaild/sda1]
5 S root 535 1 0 76 -4 - 13863 ep_pol 21:44 ? 00:00:00 /sbin/auditd
4 S dbus 561 1 0 80 0 - 8217 ep_pol 21:44 ? 00:00:00 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --sy
4 S root 566 1 0 80 0 - 24902 poll_s 21:44 ? 00:00:00 /usr/bin/VGAuthService -s
4 S root 567 1 0 80 0 - 76324 poll_s 21:44 ? 00:00:01 /usr/bin/vmtoolsd
4 S root 568 1 0 80 0 - 5405 hrtime 21:44 ? 00:00:00 /usr/sbin/irqbalance --foreground
4 S polkitd 569 1 0 80 0 - 133772 poll_s 21:44 ? 00:00:00 /usr/lib/polkit-1/polkitd --no-debug
4 S root 570 1 0 80 0 - 54097 poll_s 21:44 ? 00:00:00 /usr/sbin/rsyslogd -n
4 S root 573 1 0 80 0 - 6051 ep_pol 21:44 ? 00:00:00 /usr/lib/systemd/systemd-logind
4 S root 576 1 0 80 0 - 31559 hrtime 21:44 ? 00:00:00 /usr/sbin/crond -n
5 S chrony 580 1 0 80 0 - 28910 poll_s 21:44 ? 00:00:00 /usr/sbin/chronyd
4 S root 601 1 0 80 0 - 83559 poll_s 21:44 ? 00:00:00 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
4 S root 617 1 0 80 0 - 118063 poll_s 21:44 ? 00:00:00 /usr/sbin/NetworkManager --no-daemon
1 S root 679 2 0 60 -20 - 0 worker 21:44 ? 00:00:00 [kworker/0:1H]
4 S root 918 1 0 80 0 - 26499 poll_s 21:44 ? 00:00:00 /usr/sbin/sshd -D
4 S root 921 1 0 80 0 - 140598 poll_s 21:44 ? 00:00:00 /usr/bin/python -Es /usr/sbin/tuned -l -P
4 S root 956 1 0 80 0 - 28847 do_wai 21:44 ? 00:00:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/data/mysql --pid-f
4 S mysql 1180 956 0 80 0 - 325194 poll_s 21:44 ? 00:00:03 /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql --datadir=/data
4 D root 1227 918 0 80 0 - 36961 flush_ 21:44 ? 00:00:00 sshd: root@pts/0
5 S root 1278 1 0 80 0 - 22386 ep_pol 21:44 ? 00:00:00 /usr/libexec/postfix/master -w
4 S root 1281 1 0 80 0 - 27511 n_tty_ 21:44 tty1 00:00:00 /sbin/agetty --noclear tty1 linux
4 S postfix 1282 1278 0 80 0 - 22412 ep_pol 21:44 ? 00:00:00 pickup -l -t unix -u
4 S postfix 1283 1278 0 80 0 - 22429 ep_pol 21:44 ? 00:00:00 qmgr -l -t unix -u
4 S root 1377 1227 0 80 0 - 28881 do_wai 21:44 pts/0 00:00:00 -bash
1 S root 1454 2 0 80 0 - 0 worker 21:54 ? 00:00:00 [kworker/1:0]
1 S root 1484 2 0 80 0 - 0 worker 22:01 ? 00:00:00 [kworker/0:0]
1 S root 1485 2 0 80 0 - 0 worker 22:06 ? 00:00:00 [kworker/0:1]
1 S root 1492 2 0 80 0 - 0 worker 22:09 ? 00:00:00 [kworker/0:3]
0 R root 1493 1377 0 80 0 - 37766 - 22:09 pts/0 00:00:00 ps -elf
When the system has been compromised and you see an unfamiliar process, look it up by its PID, for example 956.
[root@lgs-01 ~]# ps aux|grep 956
root 956 0.0 0.0 115388 1700 ? S 21:44 0:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/data/mysql --pid-file=/data/mysql/lgs-01.pid
root 1503 0.0 0.0 112676 988 pts/0 R+ 22:11 0:00 grep --color=auto 956
Every process has its own directory, named after its PID, under /proc/.
[root@lgs-01 ~]# ls /proc/
1     1283  17   238  255  292  363  46   507  569  679  asound     diskstats    ioports     loadavg  net          stat           version
10    13    18   239  257  293  381  47   508  570  7    buddyinfo  dma          irq         locks    pagetypeinfo swaps          vmallocinfo
11    1377  19   24   285  294  391  5    509  573  8    bus        driver       kallsyms    mdstat   partitions   sys            vmstat
1180  1454  2    240  286  295  41   500  512  576  9    cgroups    execdomains  kcore       meminfo  sched_debug  sysrq-trigger  zoneinfo
12    1484  20   241  287  3    414  501  535  580  918  cmdline    fb           keys        misc     schedstat    sysvipc
1227  1485  21   242  288  30   43   502  561  6    921  consoles   filesystems  key-users   modules  scsi         timer_list
1278  1492  22   245  289  31   44   503  566  601  956  cpuinfo    fs           kmsg        mounts   self         timer_stats
1281  15    23   246  290  32   45   504  567  617  99   crypto     interrupts   kpagecount  mpt      slabinfo     tty
1282  1506  236  254  291  33   451  505  568  66   acpi devices    iomem        kpageflags  mtrr     softirqs     uptime
Go into /proc/956/ and look at the files there. They tell you which directory the process lives in, so the unfamiliar process planted by the intruder can be removed. For process 956 the directory is /usr/local/mysql.
[root@lgs-01 ~]# ls -l /proc/956
总用量 0
dr-xr-xr-x. 2 root root 0 5月 7 22:12 attr
-rw-r--r--. 1 root root 0 5月 7 22:12 autogroup
-r--------. 1 root root 0 5月 7 22:12 auxv
-r--r--r--. 1 root root 0 5月 7 22:12 cgroup
--w-------. 1 root root 0 5月 7 22:12 clear_refs
-r--r--r--. 1 root root 0 5月 7 22:07 cmdline
-rw-r--r--. 1 root root 0 5月 7 22:12 comm
-rw-r--r--. 1 root root 0 5月 7 22:12 coredump_filter
-r--r--r--. 1 root root 0 5月 7 22:12 cpuset
lrwxrwxrwx. 1 root root 0 5月 7 22:12 cwd -> /usr/local/mysql
-r--------. 1 root root 0 5月 7 22:12 environ
lrwxrwxrwx. 1 root root 0 5月 7 22:12 exe -> /usr/bin/bash
dr-x------. 2 root root 0 5月 7 22:12 fd
dr-x------. 2 root root 0 5月 7 22:12 fdinfo
-rw-r--r--. 1 root root 0 5月 7 22:12 gid_map
-r--------. 1 root root 0 5月 7 22:12 io
-r--r--r--. 1 root root 0 5月 7 22:12 limits
-rw-r--r--. 1 root root 0 5月 7 22:12 loginuid
dr-x------. 2 root root 0 5月 7 22:12 map_files
-r--r--r--. 1 root root 0 5月 7 22:12 maps
-rw-------. 1 root root 0 5月 7 22:12 mem
-r--r--r--. 1 root root 0 5月 7 22:12 mountinfo
-r--r--r--. 1 root root 0 5月 7 22:12 mounts
-r--------. 1 root root 0 5月 7 22:12 mountstats
dr-xr-xr-x. 5 root root 0 5月 7 22:12 net
dr-x--x--x. 2 root root 0 5月 7 22:12 ns
-r--r--r--. 1 root root 0 5月 7 22:12 numa_maps
-rw-r--r--. 1 root root 0 5月 7 22:12 oom_adj
-r--r--r--. 1 root root 0 5月 7 22:12 oom_score
-rw-r--r--. 1 root root 0 5月 7 22:12 oom_score_adj
-r--r--r--. 1 root root 0 5月 7 22:12 pagemap
-r--r--r--. 1 root root 0 5月 7 22:12 personality
-rw-r--r--. 1 root root 0 5月 7 22:12 projid_map
lrwxrwxrwx. 1 root root 0 5月 7 22:12 root -> /
-rw-r--r--. 1 root root 0 5月 7 22:12 sched
-r--r--r--. 1 root root 0 5月 7 22:12 schedstat
-r--r--r--. 1 root root 0 5月 7 22:12 sessionid
-rw-r--r--. 1 root root 0 5月 7 22:12 setgroups
-r--r--r--. 1 root root 0 5月 7 22:12 smaps
-r--r--r--. 1 root root 0 5月 7 22:12 stack
-r--r--r--. 1 root root 0 5月 7 22:07 stat
-r--r--r--. 1 root root 0 5月 7 22:12 statm
-r--r--r--. 1 root root 0 5月 7 22:07 status
-r--r--r--. 1 root root 0 5月 7 22:12 syscall
dr-xr-xr-x. 3 root root 0 5月 7 21:54 task
-r--r--r--. 1 root root 0 5月 7 22:12 timers
-rw-r--r--. 1 root root 0 5月 7 22:12 uid_map
-r--r--r--. 1 root root 0 5月 7 22:09 wchan
VSZ: virtual memory size. RSS: physical memory size.
STAT: the process state
D: uninterruptible process, rarely seen; if many of them are running they raise the system's CPU load, but if CPU usage is low at the same time they need no special attention
R: running process, one that is using the CPU during the sampled interval
S: sleeping process; it has finished its computation and paused, and will be woken later to use the CPU again
T: stopped process, e.g. one paused with Ctrl+Z and put in the background
Z: zombie process; if there are too many, kill and clean them up
<: high-priority process, gets CPU resources first
N: low-priority process, in no hurry for the CPU
L: process with memory pages locked in memory
s (lowercase): main process; for example nginx: master process with Ss is the main process
l (lowercase): multithreaded process, containing several threads that can share memory space
+: foreground process, running in the foreground on a terminal
10.9 Checking network status
netstat command: shows detailed communication information for each protocol.
Usually run with -lnp to see port information. Focus on the listening ports; the UNIX sockets section can be ignored.
[root@lgs-01 ~]# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 918/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1278/master
tcp6 0 0 :::22 :::* LISTEN 918/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1278/master
tcp6 0 0 :::3306 :::* LISTEN 1180/mysqld
udp 0 0 127.0.0.1:323 0.0.0.0:* 580/chronyd
udp6 0 0 ::1:323 :::* 580/chronyd
raw6 0 0 :::58 :::* 7 617/NetworkManager
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 20318 1278/master private/anvil
unix 2 [ ACC ] STREAM LISTENING 20321 1278/master private/scache
unix 2 [ ACC ] STREAM LISTENING 20267 1278/master private/rewrite
unix 2 [ ACC ] STREAM LISTENING 20270 1278/master private/bounce
unix 2 [ ACC ] STREAM LISTENING 14906 1/systemd /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 1347 1/systemd /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 19309 1180/mysqld /tmp/mysql.sock
unix 2 [ ACC ] STREAM LISTENING 20238 1278/master public/pickup
unix 2 [ ACC ] STREAM LISTENING 20242 1278/master public/cleanup
unix 2 [ ACC ] STREAM LISTENING 20245 1278/master public/qmgr
unix 2 [ ACC ] STREAM LISTENING 20282 1278/master public/flush
unix 2 [ ACC ] STREAM LISTENING 20297 1278/master public/showq
unix 2 [ ACC ] STREAM LISTENING 12701 1/systemd /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 12723 1/systemd /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 20249 1278/master private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 20273 1278/master private/defer
unix 2 [ ACC ] SEQPACKET LISTENING 12736 1/systemd /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 20276 1278/master private/trace
unix 2 [ ACC ] STREAM LISTENING 20279 1278/master private/verify
unix 2 [ ACC ] STREAM LISTENING 20285 1278/master private/proxymap
unix 2 [ ACC ] STREAM LISTENING 12741 1/systemd /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 20306 1278/master private/discard
unix 2 [ ACC ] STREAM LISTENING 20303 1278/master private/retry
unix 2 [ ACC ] STREAM LISTENING 20309 1278/master private/local
unix 2 [ ACC ] STREAM LISTENING 20312 1278/master private/virtual
unix 2 [ ACC ] STREAM LISTENING 20315 1278/master private/lmtp
unix 2 [ ACC ] STREAM LISTENING 16599 566/VGAuthService /var/run/vmware/guestServicePipe
unix 2 [ ACC ] STREAM LISTENING 20294 1278/master private/relay
unix 2 [ ACC ] STREAM LISTENING 20300 1278/master private/error
unix 2 [ ACC ] STREAM LISTENING 20288 1278/master private/proxywrite
unix 2 [ ACC ] STREAM LISTENING 20291 1278/master private/smtp
-lntp: TCP only
[root@lgs-01 ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 918/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1278/master
tcp6 0 0 :::22 :::* LISTEN 918/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1278/master
tcp6 0 0 :::3306 :::* LISTEN 1180/mysqld
-lntup: TCP and UDP only; look at the ports in the Local Address column.
[root@lgs-01 ~]# netstat -lnutp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 918/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1278/master
tcp6 0 0 :::22 :::* LISTEN 918/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1278/master
tcp6 0 0 :::3306 :::* LISTEN 1180/mysqld
udp 0 0 127.0.0.1:323 0.0.0.0:* 580/chronyd
udp6 0 0 ::1:323 :::* 580/chronyd
netstat -an: show the state of all connections
[root@lgs-01 ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 192.168.87.130:22 192.168.87.1:55741 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
tcp6 0 0 :::3306 :::* LISTEN
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp6 0 0 ::1:323 :::*
raw6 0 0 :::58 :::* 7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 20318 private/anvil
unix 2 [ ACC ] STREAM LISTENING 20321 private/scache
unix 2 [ ACC ] STREAM LISTENING 20267 private/rewrite
unix 2 [ ACC ] STREAM LISTENING 20270 private/bounce
unix 2 [ ] DGRAM 1337 /run/systemd/notify
unix 2 [ ACC ] STREAM LISTENING 14906 /var/run/dbus/system_bus_socket
unix 2 [ ] DGRAM 1339 /run/systemd/cgroups-agent
unix 2 [ ACC ] STREAM LISTENING 1347 /run/systemd/journal/stdout
unix 5 [ ] DGRAM 1350 /run/systemd/journal/socket
unix 14 [ ] DGRAM 1352 /dev/log
unix 2 [ ACC ] STREAM LISTENING 19309 /tmp/mysql.sock
unix 2 [ ACC ] STREAM LISTENING 20238 public/pickup
unix 2 [ ACC ] STREAM LISTENING 20242 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 20245 public/qmgr
unix 2 [ ACC ] STREAM LISTENING 20282 public/flush
unix 2 [ ACC ] STREAM LISTENING 20297 public/showq
unix 2 [ ] DGRAM 15247 /var/run/chrony/chronyd.sock
unix 2 [ ACC ] STREAM LISTENING 12701 /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 12723 /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 20249 private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 20273 private/defer
unix 2 [ ACC ] SEQPACKET LISTENING 12736 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 20276 private/trace
unix 2 [ ACC ] STREAM LISTENING 20279 private/verify
unix 2 [ ACC ] STREAM LISTENING 20285 private/proxymap
unix 2 [ ACC ] STREAM LISTENING 12741 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 20306 private/discard
unix 2 [ ACC ] STREAM LISTENING 20303 private/retry
unix 2 [ ACC ] STREAM LISTENING 20309 private/local
unix 2 [ ACC ] STREAM LISTENING 20312 private/virtual
unix 2 [ ] DGRAM 12754 /run/systemd/shutdownd
unix 2 [ ACC ] STREAM LISTENING 20315 private/lmtp
unix 2 [ ACC ] STREAM LISTENING 16599 /var/run/vmware/guestServicePipe
unix 2 [ ACC ] STREAM LISTENING 20294 private/relay
unix 2 [ ACC ] STREAM LISTENING 20300 private/error
unix 2 [ ACC ] STREAM LISTENING 20288 private/proxywrite
unix 2 [ ACC ] STREAM LISTENING 20291 private/smtp
unix 3 [ ] STREAM CONNECTED 20243
unix 2 [ ] DGRAM 20354
unix 3 [ ] STREAM CONNECTED 19583 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 20271
unix 3 [ ] STREAM CONNECTED 16085 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 20246
unix 3 [ ] STREAM CONNECTED 16066 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 20239
unix 3 [ ] STREAM CONNECTED 20292
unix 2 [ ] DGRAM 16573
unix 3 [ ] STREAM CONNECTED 16380
unix 3 [ ] STREAM CONNECTED 20240
unix 2 [ ] DGRAM 16597
unix 3 [ ] STREAM CONNECTED 16381 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 20278
unix 3 [ ] STREAM CONNECTED 15029
unix 2 [ ] DGRAM 20206
unix 3 [ ] STREAM CONNECTED 15075
unix 3 [ ] STREAM CONNECTED 20302
unix 2 [ ] DGRAM 16544
unix 3 [ ] STREAM CONNECTED 20322
unix 3 [ ] STREAM CONNECTED 20274
unix 3 [ ] STREAM CONNECTED 20293
unix 3 [ ] STREAM CONNECTED 20323
unix 3 [ ] STREAM CONNECTED 20277
unix 3 [ ] STREAM CONNECTED 16047 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 20244
unix 3 [ ] STREAM CONNECTED 16044 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 20316
unix 3 [ ] STREAM CONNECTED 17470
unix 3 [ ] STREAM CONNECTED 20317
unix 3 [ ] STREAM CONNECTED 13914 /run/systemd/journal/stdout
unix 3 [ ] DGRAM 13070
unix 3 [ ] STREAM CONNECTED 20319
unix 3 [ ] STREAM CONNECTED 13913
unix 3 [ ] STREAM CONNECTED 20275
unix 3 [ ] STREAM CONNECTED 16808 /var/run/dbus/system_bus_socket
unix 3 [ ] DGRAM 13069
unix 3 [ ] STREAM CONNECTED 20320
unix 3 [ ] STREAM CONNECTED 20314
unix 3 [ ] STREAM CONNECTED 20247
unix 3 [ ] STREAM CONNECTED 14925
unix 2 [ ] DGRAM 13916
unix 3 [ ] STREAM CONNECTED 20272
unix 2 [ ] DGRAM 16720
unix 3 [ ] STREAM CONNECTED 20313
unix 3 [ ] STREAM CONNECTED 14969
unix 3 [ ] STREAM CONNECTED 20310
unix 3 [ ] STREAM CONNECTED 20311
unix 3 [ ] STREAM CONNECTED 18944
unix 2 [ ] DGRAM 12864
unix 3 [ ] STREAM CONNECTED 20308
unix 3 [ ] STREAM CONNECTED 16589 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 16030 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 20307
unix 3 [ ] STREAM CONNECTED 20280
unix 3 [ ] STREAM CONNECTED 15121
unix 3 [ ] STREAM CONNECTED 20304
unix 3 [ ] STREAM CONNECTED 16588
unix 3 [ ] STREAM CONNECTED 20305
unix 2 [ ] DGRAM 18043
unix 3 [ ] STREAM CONNECTED 16700 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 14814
unix 3 [ ] STREAM CONNECTED 20286
unix 3 [ ] STREAM CONNECTED 18409
unix 3 [ ] STREAM CONNECTED 20237
unix 3 [ ] STREAM CONNECTED 20236
unix 3 [ ] STREAM CONNECTED 20298
unix 3 [ ] STREAM CONNECTED 19256 /var/run/dbus/system_bus_socket
unix 2 [ ] DGRAM 20571
unix 3 [ ] STREAM CONNECTED 20295
unix 3 [ ] STREAM CONNECTED 15326
unix 3 [ ] STREAM CONNECTED 20268
unix 2 [ ] DGRAM 15225
unix 3 [ ] STREAM CONNECTED 19530
unix 3 [ ] STREAM CONNECTED 14813
unix 3 [ ] STREAM CONNECTED 16042
unix 3 [ ] STREAM CONNECTED 20269
unix 3 [ ] STREAM CONNECTED 20289
unix 3 [ ] STREAM CONNECTED 20265
unix 2 [ ] DGRAM 20375
unix 3 [ ] STREAM CONNECTED 15357
unix 2 [ ] DGRAM 15234
unix 3 [ ] STREAM CONNECTED 16043
unix 2 [ ] DGRAM 14812
unix 2 [ ] DGRAM 17415
unix 3 [ ] STREAM CONNECTED 13773 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 18410 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 20296
unix 3 [ ] STREAM CONNECTED 16263
unix 3 [ ] STREAM CONNECTED 20283
unix 3 [ ] STREAM CONNECTED 20266
unix 3 [ ] STREAM CONNECTED 19531 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 16414 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 15275 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 13772
unix 3 [ ] STREAM CONNECTED 20301
unix 3 [ ] STREAM CONNECTED 20299
unix 3 [ ] STREAM CONNECTED 20290
unix 2 [ ] DGRAM 16392
unix 3 [ ] STREAM CONNECTED 16413
unix 3 [ ] STREAM CONNECTED 20281
unix 3 [ ] STREAM CONNECTED 20287
unix 3 [ ] STREAM CONNECTED 16737 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 19903
unix 3 [ ] STREAM CONNECTED 16690
unix 3 [ ] STREAM CONNECTED 20284
unix 3 [ ] STREAM CONNECTED 16264 /run/systemd/journal/stdout
Further reading: become familiar with the TCP/IP three-way handshake and four-way teardown.
A handy trick: a special use of netstat -an
netstat -an |awk '/^tcp/ {++sta[$NF]} END {for(key in sta) print key ,"\t" ,sta[key]}'
[root@lgs-01 ~]# netstat -an |awk '/^tcp/ {++sta[$NF]} END {for(key in sta) print key ,"\t" ,sta[key]}'
LISTEN 	 5
ESTABLISHED 	 1
This counts how many connections are in each state. The ESTABLISHED value matters most, since it is the number of concurrent connections; anything under 1000 is acceptable.
ss -an command: similar to netstat
[root@lgs-01 ~]# ss -an
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
nl UNCONN 0 0 0:0 *
nl UNCONN 0 0 0:629146217 *
nl UNCONN 0 0 0:629146217 *
nl UNCONN 4352 0 4:1553 *
nl UNCONN 768 0 4:0 *
nl UNCONN 0 0 6:0 *
nl UNCONN 0 0 7:561 *
nl UNCONN 0 0 7:1 *
nl UNCONN 0 0 7:0 *
nl UNCONN 0 0 7:561 *
nl UNCONN 0 0 7:1 *
nl UNCONN 0 0 9:535 *
nl UNCONN 0 0 9:1 *
nl UNCONN 0 0 9:0 *
nl UNCONN 0 0 10:0 *
nl UNCONN 0 0 11:0 *
nl UNCONN 0 0 12:0 *
nl UNCONN 768 0 15:-4109 *
nl UNCONN 0 0 15:573 *
nl UNCONN 0 0 15:-4123 *
nl UNCONN 0 0 15:-4121 *
nl UNCONN 0 0 15:921 *
nl UNCONN 0 0 15:-4124 *
nl UNCONN 0 0 15:-4122 *
nl UNCONN 0 0 15:1 *
nl UNCONN 0 0 15:617 *
nl UNCONN 0 0 15:0 *
nl UNCONN 0 0 15:921 *
nl UNCONN 0 0 15:-4124 *
nl UNCONN 0 0 15:617 *
nl UNCONN 0 0 15:-4123 *
nl UNCONN 0 0 15:-4122 *
nl UNCONN 0 0 15:-4121 *
nl UNCONN 0 0 15:573 *
nl UNCONN 768 0 15:-4109 *
nl UNCONN 0 0 15:1 *
nl UNCONN 0 0 16:0 *
nl UNCONN 0 0 18:0 *
u_str LISTEN 0 100 private/anvil 20318 * 0
u_str LISTEN 0 100 private/scache 20321 * 0
u_str LISTEN 0 100 private/rewrite 20267 * 0
u_str LISTEN 0 100 private/bounce 20270 * 0
u_dgr UNCONN 0 0 /run/systemd/notify 1337 * 0
u_str LISTEN 0 128 /var/run/dbus/system_bus_socket 14906 * 0
u_dgr UNCONN 0 0 /run/systemd/cgroups-agent 1339 * 0
u_str LISTEN 0 128 /run/systemd/journal/stdout 1347 * 0
u_dgr UNCONN 0 0 /run/systemd/journal/socket 1350 * 0
u_dgr UNCONN 0 0 /dev/log 1352 * 0
u_str LISTEN 0 80 /tmp/mysql.sock 19309 * 0
u_str LISTEN 0 100 public/pickup 20238 * 0
u_str LISTEN 0 100 public/cleanup 20242 * 0
u_str LISTEN 0 100 public/qmgr 20245 * 0
u_str LISTEN 0 100 public/flush 20282 * 0
u_str LISTEN 0 100 public/showq 20297 * 0
u_dgr UNCONN 0 0 /var/run/chrony/chronyd.sock 15247 * 0
u_str LISTEN 0 128 /run/systemd/private 12701 * 0
u_str LISTEN 0 128 /run/lvm/lvmpolld.socket 12723 * 0
u_str LISTEN 0 100 private/tlsmgr 20249 * 0
u_str LISTEN 0 100 private/defer 20273 * 0
u_seq LISTEN 0 128 /run/udev/control 12736 * 0
u_str LISTEN 0 100 private/trace 20276 * 0
u_str LISTEN 0 100 private/verify 20279 * 0
u_str LISTEN 0 100 private/proxymap 20285 * 0
u_str LISTEN 0 128 /run/lvm/lvmetad.socket 12741 * 0
u_str LISTEN 0 100 private/discard 20306 * 0
u_str LISTEN 0 100 private/retry 20303 * 0
u_str LISTEN 0 100 private/local 20309 * 0
u_str LISTEN 0 100 private/virtual 20312 * 0
u_dgr UNCONN 0 0 /run/systemd/shutdownd 12754 * 0
u_str LISTEN 0 100 private/lmtp 20315 * 0
u_str LISTEN 0 32 /var/run/vmware/guestServicePipe 16599 * 0
u_str LISTEN 0 100 private/relay 20294 * 0
u_str LISTEN 0 100 private/error 20300 * 0
u_str LISTEN 0 100 private/proxywrite 20288 * 0
u_str LISTEN 0 100 private/smtp 20291 * 0
u_str ESTAB 0 0 * 20243 * 20244
u_dgr UNCONN 0 0 * 20354 * 1352
u_str ESTAB 0 0 /run/systemd/journal/stdout 19583 * 18944
u_str ESTAB 0 0 * 20271 * 20272
u_str ESTAB 0 0 /run/systemd/journal/stdout 16085 * 15121
u_str ESTAB 0 0 * 20246 * 20247
u_str ESTAB 0 0 /run/systemd/journal/stdout 16066 * 15075
u_str ESTAB 0 0 * 20239 * 20240
u_str ESTAB 0 0 * 20292 * 20293
u_dgr UNCONN 0 0 * 16573 * 0
u_str ESTAB 0 0 * 16380 * 16381
u_str ESTAB 0 0 * 20240 * 20239
u_dgr UNCONN 0 0 * 16597 * 1352
u_str ESTAB 0 0 /run/systemd/journal/stdout 16381 * 16380
u_str ESTAB 0 0 * 20278 * 20277
u_str ESTAB 0 0 * 15029 * 16047
u_dgr UNCONN 0 0 * 20206 * 1352
u_str ESTAB 0 0 * 15075 * 16066
u_str ESTAB 0 0 * 20302 * 20301
u_dgr UNCONN 0 0 * 16544 * 1352
u_str ESTAB 0 0 * 20322 * 20323
u_str ESTAB 0 0 * 20274 * 20275
u_str ESTAB 0 0 * 20293 * 20292
u_str ESTAB 0 0 * 20323 * 20322
u_str ESTAB 0 0 * 20277 * 20278
u_str ESTAB 0 0 /run/systemd/journal/stdout 16047 * 15029
u_str ESTAB 0 0 * 20244 * 20243
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 16044 * 14925
u_str ESTAB 0 0 * 20316 * 20317
u_str ESTAB 0 0 * 17470 * 16808
u_str ESTAB 0 0 * 20317 * 20316
u_str ESTAB 0 0 /run/systemd/journal/stdout 13914 * 13913
u_dgr UNCONN 0 0 * 13070 * 13069
u_str ESTAB 0 0 * 20319 * 20320
u_str ESTAB 0 0 * 13913 * 13914
u_str ESTAB 0 0 *
20275 * 20274 u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 16808 * 17470 u_dgr UNCONN 0 0 * 13069 * 13070 u_str ESTAB 0 0 * 20320 * 20319 u_str ESTAB 0 0 * 20314 * 20313 u_str ESTAB 0 0 * 20247 * 20246 u_str ESTAB 0 0 * 14925 * 16044 u_dgr UNCONN 0 0 * 13916 * 1350 u_str ESTAB 0 0 * 20272 * 20271 u_dgr UNCONN 0 0 * 16720 * 1352 u_str ESTAB 0 0 * 20313 * 20314 u_str ESTAB 0 0 * 14969 * 16030 u_str ESTAB 0 0 * 20310 * 20311 u_str ESTAB 0 0 * 20311 * 20310 u_str ESTAB 0 0 * 18944 * 19583 u_dgr UNCONN 0 0 * 12864 * 1350 u_str ESTAB 0 0 * 20308 * 20307 u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 16589 * 16588 u_str ESTAB 0 0 /run/systemd/journal/stdout 16030 * 14969 u_str ESTAB 0 0 * 20307 * 20308 u_str ESTAB 0 0 * 20280 * 20281 u_str ESTAB 0 0 * 15121 * 16085 u_str ESTAB 0 0 * 20304 * 20305 u_str ESTAB 0 0 * 16588 * 16589 u_str ESTAB 0 0 * 20305 * 20304 u_dgr UNCONN 0 0 * 18043 * 1352 u_str ESTAB 0 0 /run/systemd/journal/stdout 16700 * 15326 u_str ESTAB 0 0 * 14814 * 14813 u_str ESTAB 0 0 * 20286 * 20287 u_str ESTAB 0 0 * 18409 * 18410 u_str ESTAB 0 0 * 20237 * 20236 u_str ESTAB 0 0 * 20236 * 20237 u_str ESTAB 0 0 * 20298 * 20299 u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 19256 * 19903 u_dgr UNCONN 0 0 * 20571 * 1352 u_str ESTAB 0 0 * 20295 * 20296 u_str ESTAB 0 0 * 15326 * 16700 u_str ESTAB 0 0 * 20268 * 20269 u_dgr UNCONN 0 0 * 15225 * 1352 u_str ESTAB 0 0 * 19530 * 19531 u_str ESTAB 0 0 * 14813 * 14814 u_str ESTAB 0 0 * 16042 * 16043 u_str ESTAB 0 0 * 20269 * 20268 u_str ESTAB 0 0 * 20289 * 20290 u_str ESTAB 0 0 * 20265 * 20266 u_dgr UNCONN 0 0 * 20375 * 1352 u_str ESTAB 0 0 * 15357 * 16737 u_dgr UNCONN 0 0 * 15234 * 1352 u_str ESTAB 0 0 * 16043 * 16042 u_dgr UNCONN 0 0 * 14812 * 1352 u_dgr UNCONN 0 0 * 17415 * 1352 u_str ESTAB 0 0 /run/systemd/journal/stdout 13773 * 13772 u_str ESTAB 0 0 /run/systemd/journal/stdout 18410 * 18409 u_str ESTAB 0 0 * 20296 * 20295 u_str ESTAB 0 0 * 16263 * 16264 u_str ESTAB 0 0 * 20283 * 20284 u_str ESTAB 0 0 * 20266 * 
20265 u_str ESTAB 0 0 /run/systemd/journal/stdout 19531 * 19530 u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 16414 * 16413 u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 15275 * 16690 u_str ESTAB 0 0 * 13772 * 13773 u_str ESTAB 0 0 * 20301 * 20302 u_str ESTAB 0 0 * 20299 * 20298 u_str ESTAB 0 0 * 20290 * 20289 u_dgr UNCONN 0 0 * 16392 * 1350 u_str ESTAB 0 0 * 16413 * 16414 u_str ESTAB 0 0 * 20281 * 20280 u_str ESTAB 0 0 * 20287 * 20286 u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 16737 * 15357 u_str ESTAB 0 0 * 19903 * 19256 u_str ESTAB 0 0 * 16690 * 15275 u_str ESTAB 0 0 * 20284 * 20283 u_str ESTAB 0 0 /run/systemd/journal/stdout 16264 * 16263 udp UNCONN 0 0 :::58 :::* udp UNCONN 0 0 127.0.0.1:323 *:* udp UNCONN 0 0 ::1:323 :::* tcp LISTEN 0 128 *:22 *:* tcp LISTEN 0 100 127.0.0.1:25 *:* tcp ESTAB 0 356 192.168.87.130:22 192.168.87.1:55741 tcp LISTEN 0 128 :::22 :::* tcp LISTEN 0 100 ::1:25 :::* tcp LISTEN 0 80 :::3306 :::*
10.10 Packet capture on Linux
When the traffic on a network interface is abnormal, use tcpdump to capture packets and work out what is wrong; once the incoming packet count passes ten thousand, it is worth using a capture tool to see what kind of packets are arriving.
tcpdump: shows the packets going in and out of an interface, that is, the data flow from source IP to destination IP.
The options normally used are -nn -i: -i selects the interface; n makes IPs display as numbers instead of being resolved to host names (the second n does the same for ports, so -nn shows no resolved names at all).
[root@lgs-01 ~]# tcpdump -nn -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:55:22.543456 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1123041043:1123041255, ack 2103498148, win 42480, length 212
22:55:22.543859 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 212, win 64911, length 0
22:55:22.544095 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 212:504, ack 1, win 42480, length 292
22:55:22.553492 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 504:668, ack 1, win 42480, length 164
22:55:22.553568 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 668, win 64455, length 0
22:55:22.553810 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 668:944, ack 1, win 42480, length 276
22:55:22.554135 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 944:1108, ack 1, win 42480, length 164
22:55:22.554225 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 1108, win 65535, length 0
22:55:22.554385 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1108:1384, ack 1, win 42480, length 276
22:55:22.555297 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1384:1564, ack 1, win 42480, length 180
22:55:22.555553 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 1564, win 65079, length 0
22:55:22.555845 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1564:1840, ack 1, win 42480, length 276
^C
407 packets captured
410 packets received by filter
0 packets dropped by kernel
If the packets are UDP, it may be a UDP flood, i.e. the machine is under DDoS attack. Among Chinese anti-DDoS companies, 知道创宇 (Knownsec) is fairly well known.
-nn port 22: restrict the capture to one port
[root@lgs-01 ~]# tcpdump -nn -i ens33 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:00:29.162602 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1124966907:1124967119, ack 2103510156, win 42480, length 212
23:00:29.162738 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 212, win 64251, length 0
23:00:29.162993 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 212:504, ack 1, win 42480, length 292
23:00:29.163219 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 504:668, ack 1, win 42480, length 164
23:00:29.163301 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 668, win 65535, length 0
23:00:29.163445 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 668:944, ack 1, win 42480, length 276
23:00:29.163622 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 944:1108, ack 1, win 42480, length 164
23:00:29.163692 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 1108, win 65095, length 0
23:00:29.163835 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1108:1384, ack 1, win 42480, length 276
23:00:29.164121 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1384:1564, ack 1, win 42480, length 180
23:00:29.164259 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 1564, win 64639, length 0
23:00:29.165500 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1564:1840, ack 1, win 42480, length 276
23:00:29.166456 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1840:2020, ack 1, win 42480, length 180
-nn not port 22: exclude port 22 (our own SSH session) from the capture
[root@lgs-01 ~]# tcpdump -nn -i ens33 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:01:34.896216 ARP, Request who-has 192.168.87.2 tell 192.168.87.130, length 28
23:01:34.896723 ARP, Reply 192.168.87.2 is-at 00:50:56:fc:02:e0, length 46
23:01:48.122694 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:48.125085 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:48.184388 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:48.186000 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:48.190795 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:48.190849 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:48.203298 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:48.203671 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:48.307289 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:48.307322 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:48.324302 IP6 fe80::712f:1717:5c59:3eb5.52043 > ff02::1:3.5355: UDP, length 33
23:01:48.324446 IP 192.168.87.1.53236 > 224.0.0.252.5355: UDP, length 33
23:01:52.233741 ARP, Request who-has 192.168.87.254 tell 192.168.87.1, length 46
23:01:52.233860 IP 192.168.87.1.68 > 192.168.87.254.67: BOOTP/DHCP, Request from 00:50:56:c0:00:08, length 314
23:01:52.233864 ARP, Reply 192.168.87.254 is-at 00:50:56:eb:bf:de, length 46
23:01:52.233867 IP 192.168.87.254.67 > 192.168.87.1.68: BOOTP/DHCP, Reply, length 300
23:01:52.263986 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:52.264013 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:52.295529 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:52.295579 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:52.298609 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:52.298649 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:52.307283 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:52.307318 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:52.321085 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:52.321109 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:52.420653 IP6 fe80::712f:1717:5c59:3eb5.60038 > ff02::1:3.5355: UDP, length 33
23:01:52.420685 IP 192.168.87.1.64363 > 224.0.0.252.5355: UDP, length 33
23:01:52.807692 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:52.807734 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:54.291363 ARP, Request who-has 192.168.87.2 tell 192.168.87.1, length 46
-nn port 22 and host 192.168.87.130: additionally restrict to one IP (filter terms combine with and / not)
[root@lgs-01 ~]# tcpdump -nn -i ens33 port 22 and host 192.168.87.130
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:04:10.183507 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1125389995:1125390207, ack 2103516588, win 42480, length 212
23:04:10.183691 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 212, win 65155, length 0
23:04:10.184014 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 212:504, ack 1, win 42480, length 292
23:04:10.184535 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 504:668, ack 1, win 42480, length 164
23:04:10.184626 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 668, win 64699, length 0
23:04:10.184840 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 668:944, ack 1, win 42480, length 276
23:04:10.185036 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 944:1108, ack 1, win 42480, length 164
23:04:10.185105 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 1108, win 64259, length 0
23:04:10.206582 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1108:1384, ack 1, win 42480, length 276
23:04:10.218205 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1384:1564, ack 1, win 42480, length 180
23:04:10.218394 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 1564, win 65535, length 0
23:04:10.219680 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1564:1840, ack 1, win 42480, length 276
23:04:10.219865 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1840:2020, ack 1, win 42480, length 180
23:04:10.219931 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 2020, win 65079, length 0
23:04:10.220033 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 2020:2296, ack 1, win 42480, length 276
23:04:10.220254 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 2296:2476, ack 1, win 42480, length 180
23:04:10.220342 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 2476, win 64623, length 0
23:04:10.220866 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 2476:2752, ack 1, win 42480, length 276
23:04:10.228644 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 2752:2932, ack 1, win 42480, length 180
23:04:10.228856 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 2932, win 64167, length 0
23:04:10.228960 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 2932:3112, ack 1, win 42480, length 180
23:04:10.229180 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 3112:3388, ack 1, win 42480, length 276
23:04:10.229261 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 3388, win 65535, length 0
23:04:10.229440 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 3388:3664, ack 1, win 42480, length 276
23:04:10.235245 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 3664:3844, ack 1, win 42480, length 180
23:04:10.235547 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 3844, win 65079, length 0
23:04:10.235873 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 3844:4120, ack 1, win 42480, length 276
23:04:10.236032 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 4120:4300, ack 1, win 42480, length 180
23:04:10.236091 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 4300, win 64623, length 0
23:04:10.236161 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 4300:4576, ack 1, win 42480, length 276
23:04:10.236246 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 4576:4756, ack 1, win 42480, length 180
23:04:10.236290 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 4756, win 64167, length 0
23:04:10.236333 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 4756:5032, ack 1, win 42480, length 276
23:04:10.236402 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 5032:5212, ack 1, win 42480, length 180
-c 100 -w /tmp/1.cap: stop after 100 packets and write them to a file instead of the screen
[root@lgs-01 ~]# tcpdump -nn -i ens33 -c 100 -w /tmp/1.cap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
100 packets captured
100 packets received by filter
0 packets dropped by kernel
The 1.cap file cannot be viewed directly with cat (cat only prints garbage, as shown); read it back with tcpdump -r.
[root@lgs-01 ~]# ls -l /tmp/1.cap
-rw-r--r--. 1 tcpdump tcpdump 16415 5月 7 23:06 /tmp/1.cap
[root@lgs-01 ~]# file /tmp/1.cap
/tmp/1.cap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)
[root@lgs-01 ~]# cat /tmp/1.cap
Ճ²¡7k?ˊPVp l8x✉$NO_¼#@@湀¨W(WٽC h欴ۖ¬݂㢕)B؏¦ӥC?£v?ٵg%~sº%"¢þ¶¯٥_ 낚A^®fٽHH˒_$a䃧韖2,|¼~¹4¯½Ҵ¨&䄸{B炷k?<< )Ѣ¸E(n@@(W(Wٽ}a)C#Pþ¯ؿk33Pܠgþq/\Y>µÿ"#gҁƲځ .⫍TKDa PV'MS-20170122YATWMSFT 5.'@k?jj )Ѣ¸E\o@@Y(W(Wٽ}a)C#Pþ?ۆ@K¼詀G�DɁ?5i̠?4ųM?Rs@k?66PV
1.cap holds the raw packets captured from the interface. Read back without -nn, tcpdump resolves addresses and ports to names (lgs-01.ssh, gateway, ntp), which is why this output looks different from the live captures above.
[root@lgs-01 ~]# tcpdump -r /tmp/1.cap
reading from file /tmp/1.cap, link-type EN10MB (Ethernet)
23:05:27.975940 IP lgs-01.ssh > 192.168.87.1.55741: Flags [P.], seq 1125453199:1125453347, ack 2103519516, win 42480, length 148
23:05:27.976575 IP 192.168.87.1.55741 > lgs-01.ssh: Flags [.], ack 148, win 65179, length 0
23:05:35.530558 IP6 fe80::712f:1717:5c59:3eb5.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
23:05:36.310133 IP 192.168.87.1.55741 > lgs-01.ssh: Flags [P.], seq 1:53, ack 148, win 65179, length 52
23:05:36.375497 IP lgs-01.ssh > 192.168.87.1.55741: Flags [.], ack 53, win 42480, length 0
23:05:48.280605 IP lgs-01.58175 > 61-216-153-104.HINET-IP.hinet.net.ntp: NTPv4, Client, length 48
23:05:48.337106 IP 61-216-153-104.HINET-IP.hinet.net.ntp > lgs-01.58175: NTPv4, Server, length 48
23:05:51.530722 IP6 fe80::712f:1717:5c59:3eb5.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
23:05:53.296589 ARP, Request who-has gateway tell lgs-01, length 28
23:05:53.296809 ARP, Reply gateway is-at 00:50:56:fc:02:e0 (oui Unknown), length 46
23:05:54.290567 ARP, Request who-has gateway tell 192.168.87.1, length 46
23:05:54.806558 ARP, Request who-has gateway tell 192.168.87.1, length 46
23:05:55.806633 ARP, Request who-has gateway tell 192.168.87.1, length 46
tshark: comes with the wireshark package. A very practical command: it can show which IP requested which specific resource on a web site, much like a web server's access log.
In the run below no -i was given, so tshark captured on 'nflog' rather than ens33 and saw nothing; pass -i ens33 to watch the real interface.
[root@lgs-01 ~]# tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"
tshark: -R without -2 is deprecated. For single-pass filtering use -Y.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'nflog'
^C
0 packets captured
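Both the UDP-flood triage mentioned above and the tshark field extraction come down to reading a capture file and decoding its frames. The following is an added example, not code from these notes, that does this in Python on a constructed pcap: it assumes pcap v2.4 with the Ethernet link type (what file /tmp/1.cap reports) and IPv4 traffic, and the 50-packet burst, the 203.0.113.7 source and the www.example.com request are made-up sample data.

```python
# Added example, not code from the original notes: a small pcap reader on the standard
# library only, doing offline what the notes do with tcpdump -r and tshark (IPv4 only).
import struct
from collections import Counter

TCP, UDP = 6, 17  # IPv4 protocol numbers

def ipv4_frame(proto, src, dst, l4):
    """Constructed test frame: zeroed Ethernet MACs + minimal IPv4 header + L4 bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, *(bytes(map(int, a.split("."))) for a in (src, dst)))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def build_pcap(frames):
    """Constructed little-endian pcap v2.4 file, link type 1 (Ethernet), snaplen 262144."""
    recs = (struct.pack("<IIII", 1525700000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1) + b"".join(recs)

def read_pcap(data):
    """Yield link-layer frames; accepts either byte order, Ethernet link type only."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None or struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("not an Ethernet pcap file")
    off = 24  # past the 24-byte global header
    while off + 16 <= len(data):  # 16-byte record header, then incl_len bytes
        incl = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def decode(frame):
    """(proto, src, dst, L4 payload) for an IPv4 frame, None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src, dst = (".".join(map(str, frame[o:o + 4])) for o in (26, 30))
    l4 = frame[14 + ihl:]
    hdr = (l4[12] >> 4) * 4 if proto == TCP and len(l4) >= 20 else 8 if proto == UDP else len(l4)
    return proto, src, dst, l4[hdr:]

def analyze(data, udp_threshold):
    """Per-protocol counts, UDP sources with >= udp_threshold packets, HTTP requests seen."""
    per_proto, udp_src, requests = Counter(), Counter(), []
    for proto, src, _, payload in filter(None, map(decode, read_pcap(data))):
        per_proto[proto] += 1
        if proto == UDP:
            udp_src[src] += 1
        elif proto == TCP and payload.split(b" ")[0] in (b"GET", b"POST", b"HEAD"):
            lines = payload.split(b"\r\n")
            method, uri = (lines[0].split(b" ") + [b""])[:2]
            host = next((l[6:] for l in lines if l.startswith(b"Host: ")), b"")
            requests.append((src, host.decode(), method.decode(), uri.decode()))
    flagged = sorted(s for s, n in udp_src.items() if n >= udp_threshold)
    return dict(per_proto), flagged, requests

# Constructed sample: 50 UDP packets from one outside host, one small UDP packet from the LAN peer, one TCP GET.
_udp = lambda n: struct.pack("!HHHH", 4000, 53, 8 + n, 0) + b"\x00" * n
_tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 42480, 0, 0) + b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE = build_pcap([ipv4_frame(UDP, "203.0.113.7", "192.168.87.130", _udp(64))] * 50
                    + [ipv4_frame(UDP, "192.168.87.1", "192.168.87.130", _udp(33)),
                       ipv4_frame(TCP, "192.168.87.1", "192.168.87.130", _tcp)])
```

To run it on a real file, pass open("/tmp/1.cap", "rb").read() to analyze in place of SAMPLE; the threshold is whatever packet count per source you consider abnormal for your link.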