iostat command: monitors detailed disk I/O information. It is provided by the sysstat package; install that package to get it.
When vmstat shows a large value in the b column or the wa column, the disk may be the bottleneck; use iostat to analyze further where the disk bottleneck is. It shows the status of each individual disk.
[root@lgs-01 ~]# iostat 1 3
Linux 3.10.0-693.el7.x86_64 (lgs-01)  2018年05月07日  _x86_64_  (2 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.49    0.00    1.80    0.13    0.00   97.59

Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
sda              67.30      1074.56        76.33     164784      11705
sdb               1.61        23.55         0.00       3612          0
dm-0              0.28         6.76         0.00       1036          0

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.00    0.00    0.50    0.00    0.00   99.50

Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
sda               0.00         0.00         0.00          0          0
sdb               0.00         0.00         0.00          0          0
dm-0              0.00         0.00         0.00          0          0

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.00    0.00    0.00    0.00    0.00  100.00

Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
sda               0.00         0.00         0.00          0          0
sdb               0.00         0.00         0.00          0          0
dm-0              0.00         0.00         0.00          0          0
The result is similar to that of sar -b 1 3:
[root@lgs-01 ~]# sar -b 1 3
Linux 3.10.0-693.el7.x86_64 (lgs-01)  2018年05月07日  _x86_64_  (2 CPU)

21時47分49秒       tps      rtps      wtps   bread/s   bwrtn/s
21時47分50秒      0.00      0.00      0.00      0.00      0.00
21時47分51秒      0.00      0.00      0.00      0.00      0.00
21時47分52秒      0.00      0.00      0.00      0.00      0.00
平均時間:         0.00      0.00      0.00      0.00      0.00
Focus on the iostat -x command: it has an important column, %util, which shows what percentage of each second the device spent on I/O requests. Above 60% you should start watching for problems.
[root@lgs-01 ~]# iostat -x
Linux 3.10.0-693.el7.x86_64 (lgs-01)  2018年05月07日  _x86_64_  (2 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.20    0.00    0.84    0.05    0.00   98.91

Device:         rrqm/s   wrqm/s     r/s     w/s    rkB/s    wkB/s avgrq-sz avgqu-sz   await r_await w_await  svctm  %util
sda               0.01     0.38   14.76   11.38   415.94    30.41    34.14     0.04    1.47    0.58    2.63   0.22   0.57
sdb               0.00     0.00    0.62    0.00     9.11     0.00    29.25     0.00    0.34    0.34    0.00   0.26   0.02
dm-0              0.00     0.00    0.11    0.00     2.61     0.00    48.19     0.00    0.35    0.35    0.00   0.21   0.00
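As an added example (not part of the original post), here is a small shell function that applies the post's %util rule to `iostat -x` output and reports only the devices above a threshold, together with their await. The sample output it runs on is constructed for the demonstration (the sdb line has been made busy on purpose); the function name and the threshold argument are my own. The column positions are taken from the Device: header line, so the function works across sysstat versions that print a different number of columns.

```shell
#!/bin/sh
# Added example, not from the original post: find devices whose %util in
# `iostat -x` output exceeds a threshold (the post uses 60).

# Constructed sample in the layout shown above; sdb is made busy so that
# the threshold check has something to report.
SAMPLE_IOSTAT='Linux 3.10.0-693.el7.x86_64 (lgs-01)  2018-05-07  _x86_64_  (2 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.20    0.00    0.84    0.05    0.00   98.91

Device:         rrqm/s   wrqm/s     r/s     w/s    rkB/s    wkB/s avgrq-sz avgqu-sz   await r_await w_await  svctm  %util
sda               0.01     0.38   14.76   11.38   415.94    30.41    34.14     0.04    1.47    0.58    2.63   0.22   0.57
sdb               0.00     0.00  120.50  310.20  9620.00 41200.00    98.30    12.40   41.90   12.10   53.40   1.90  84.30
dm-0              0.00     0.00    0.11    0.00     2.61     0.00    48.19     0.00    0.35    0.35    0.00   0.21   0.00'

# busy_devices THRESHOLD < iostat-x-output
# Prints "device %util await" for every device whose %util is above
# THRESHOLD. Column numbers are read from the "Device:" header line, so
# the function does not depend on a fixed column layout.
busy_devices() {
    awk -v limit="$1" '
        /^Device:/ { in_table = 1; for (i = 1; i <= NF; i++) col[$i] = i; next }
        /^avg-cpu/ { in_table = 0 }
        in_table && NF > 1 && ("%util" in col) && $(col["%util"]) + 0 > limit {
            printf "%s %s %s\n", $1, $(col["%util"]), $(col["await"])
        }
    '
}

# Stand-alone demonstration on the constructed sample; on a live host
# you would run:  iostat -x 1 5 | busy_devices 60
printf '%s\n' "$SAMPLE_IOSTAT" | busy_devices 60
```

Only sdb is printed at the 60% threshold; lowering the threshold to 0.5 also brings in sda from the sample. A device that is near 100% util with a rising await is the one to look at with iotop next.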
iotop command: shows the disk read/write activity of individual processes, sorted by the IO> column.
[root@lgs-01 ~]# iotop
Total DISK READ :       0.00 B/s | Total DISK WRITE :       0.00 B/s
Actual DISK READ:       0.00 B/s | Actual DISK WRITE:       0.00 B/s
  TID  PRIO  USER     DISK READ  DISK WRITE  SWAPIN     IO>    COMMAND
  512 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [xfsaild/sda1]
    1 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % systemd --switched-root --system --deserialize 21
    2 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kthreadd]
    3 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [ksoftirqd/0]
    5 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kworker/0:0H]
    6 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kworker/u256:0]
    7 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [migration/0]
    8 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [rcu_bh]
    9 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [rcu_sched]
   10 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [watchdog/0]
   11 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [watchdog/1]
   12 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [migration/1]
   13 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [ksoftirqd/1]
   15 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kworker/1:0H]
   17 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kdevtmpfs]
   18 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [netns]
   19 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [khungtaskd]
   20 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [writeback]
   21 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kintegrityd]
   22 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [bioset]
   23 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kblockd]
   24 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [md]
   25 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kworker/0:1]
   30 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kswapd0]
   31 be/5 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [ksmd]
   32 be/7 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [khugepaged]
   33 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [crypto]
   41 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kthrotld]
   42 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kworker/1:1]
   43 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kworker/u256:1]
   44 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kmpath_rdacd]
   45 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kpsmoused]
   46 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kworker/0:2]
   47 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [ipv6_addrconf]
  561 be/4 dbus        0.00 B/s    0.00 B/s  0.00 %  0.00 % dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
  565 be/4 dbus        0.00 B/s    0.00 B/s  0.00 %  0.00 % dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
  566 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % VGAuthService -s
  567 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % vmtoolsd
  568 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % irqbalance --foreground
  569 be/4 polkitd     0.00 B/s    0.00 B/s  0.00 %  0.00 % polkitd --no-debug
free command: shows overall memory usage.
[root@lgs-01 ~]# free
              total        used        free      shared  buff/cache   available
Mem:        1867048      584212      758824        8784      524012     1091040
Swap:       4194300           0     4194300
-m option: display the values in megabytes.
[root@lgs-01 ~]# free -m
              total        used        free      shared  buff/cache   available
Mem:           1823         570         741           8         511        1065
Swap:          4095           0        4095
-h option: display the values in a human-readable form.
[root@lgs-01 ~]# free -h
              total        used        free      shared  buff/cache   available
Mem:           1.8G        570M        741M        8.6M        511M        1.0G
Swap:          4.0G          0B        4.0G
total = used + free + buff/cache
available = free + the part of buff/cache that can still be reclaimed
Because the speed gap between the CPU and disk reads/writes is so large, cache and buffers are introduced to bridge it.
The concept of cache: data (on disk) ---> memory (called the cache) ---> CPU (computation)
The concept of buff: CPU (data after computation) ---> memory (the buffer, buff) ---> data (results saved to disk)
ps command: a snapshot of all current processes; the information is static.
Usually used as ps aux, which is similar to the Windows Task Manager.
[root@lgs-01 ~]# ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.3 128164  6828 ?        Ss   21:44   0:00 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
root         2  0.0  0.0      0     0 ?        S    21:44   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    21:44   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   21:44   0:00 [kworker/0:0H]
root         6  0.0  0.0      0     0 ?        S    21:44   0:00 [kworker/u256:0]
root         7  0.0  0.0      0     0 ?        S    21:44   0:00 [migration/0]
root         8  0.0  0.0      0     0 ?        S    21:44   0:00 [rcu_bh]
root         9  0.0  0.0      0     0 ?        S    21:44   0:00 [rcu_sched]
root        10  0.0  0.0      0     0 ?        S    21:44   0:00 [watchdog/0]
root        11  0.0  0.0      0     0 ?        S    21:44   0:00 [watchdog/1]
root        12  0.0  0.0      0     0 ?        S    21:44   0:00 [migration/1]
root        13  0.0  0.0      0     0 ?        S    21:44   0:00 [ksoftirqd/1]
root        15  0.0  0.0      0     0 ?        S<   21:44   0:00 [kworker/1:0H]
root        17  0.0  0.0      0     0 ?        S    21:44   0:00 [kdevtmpfs]
root        18  0.0  0.0      0     0 ?        S<   21:44   0:00 [netns]
root        19  0.0  0.0      0     0 ?        S    21:44   0:00 [khungtaskd]
root        20  0.0  0.0      0     0 ?        S<   21:44   0:00 [writeback]
root        21  0.0  0.0      0     0 ?        S<   21:44   0:00 [kintegrityd]
root        22  0.0  0.0      0     0 ?        S<   21:44   0:00 [bioset]
root        23  0.0  0.0      0     0 ?        S<   21:44   0:00 [kblockd]
root        24  0.0  0.0      0     0 ?        S<   21:44   0:00 [md]
root        30  0.0  0.0      0     0 ?        S    21:44   0:00 [kswapd0]
root        31  0.0  0.0      0     0 ?        SN   21:44   0:00 [ksmd]
root        32  0.0  0.0      0     0 ?        SN   21:44   0:00 [khugepaged]
root        33  0.0  0.0      0     0 ?        S<   21:44   0:00 [crypto]
root        41  0.0  0.0      0     0 ?        S<   21:44   0:00 [kthrotld]
root        43  0.0  0.0      0     0 ?        S    21:44   0:00 [kworker/u256:1]
root        44  0.0  0.0      0     0 ?        S<   21:44   0:00 [kmpath_rdacd]
root        45  0.0  0.0      0     0 ?        S<   21:44   0:00 [kpsmoused]
root        46  0.0  0.0      0     0 ?        R    21:44   0:00 [kworker/0:2]
root        47  0.0  0.0      0     0 ?        S<   21:44   0:00 [ipv6_addrconf]
root        66  0.0  0.0      0     0 ?        S<   21:44   0:00 [deferwq]
root        99  0.0  0.0      0     0 ?        S    21:44   0:00 [kauditd]
root       236  0.0  0.0      0     0 ?        S    21:44   0:00 [kworker/1:2]
root       238  0.0  0.0      0     0 ?        S<   21:44   0:00 [ata_sff]
root       239  0.0  0.0      0     0 ?        S    21:44   0:00 [scsi_eh_0]
root       240  0.0  0.0      0     0 ?        S<   21:44   0:00 [scsi_tmf_0]
root       241  0.0  0.0      0     0 ?        S    21:44   0:00 [scsi_eh_1]
root       242  0.0  0.0      0     0 ?        S<   21:44   0:00 [scsi_tmf_1]
root       245  0.0  0.0      0     0 ?        S<   21:44   0:00 [mpt_poll_0]
root       246  0.0  0.0      0     0 ?        S<   21:44   0:00 [mpt/0]
root       254  0.0  0.0      0     0 ?        S    21:44   0:00 [scsi_eh_2]
root       255  0.0  0.0      0     0 ?        S<   21:44   0:00 [scsi_tmf_2]
root       257  0.0  0.0      0     0 ?        S<   21:44   0:00 [ttm_swap]
root       285  0.0  0.0      0     0 ?        S<   21:44   0:00 [bioset]
root       286  0.0  0.0      0     0 ?        S<   21:44   0:00 [xfsalloc]
root       287  0.0  0.0      0     0 ?        S<   21:44   0:00 [xfs_mru_cache]
root       288  0.0  0.0      0     0 ?        S<   21:44   0:00 [xfs-buf/sda3]
root       289  0.0  0.0      0     0 ?        S<   21:44   0:00 [xfs-data/sda3]
root       290  0.0  0.0      0     0 ?        S<   21:44   0:00 [xfs-conv/sda3]
root       291  0.0  0.0      0     0 ?        S<   21:44   0:00 [xfs-cil/sda3]
root       292  0.0  0.0      0     0 ?        S<   21:44   0:00 [xfs-reclaim/sda]
root       293  0.0  0.0      0     0 ?        S<   21:44   0:00 [xfs-log/sda3]
root       294  0.0  0.0      0     0 ?        S<   21:44   0:00 [xfs-eofblocks/s]
root       295  0.0  0.0      0     0 ?        S    21:44   0:00 [xfsaild/sda3]
root       363  0.0  0.1  36832  2840 ?        Ss   21:44   0:00 /usr/lib/systemd/systemd-journald
root       381  0.0  0.3 342552  6012 ?        Ss   21:44   0:00 /usr/sbin/lvmetad -f
root       391  0.0  0.3  47872  5896 ?        Ss   21:44   0:00 /usr/lib/systemd/systemd-udevd
root       414  0.0  0.0      0     0 ?        S<   21:44   0:00 [nfit]
root       451  0.0  0.0      0     0 ?        S<   21:44   0:00 [kworker/1:1H]
root       500  0.0  0.0      0     0 ?        S<   21:44   0:00 [xfs-buf/sda1]
root       501  0.0  0.0      0     0 ?        S<   21:44   0:00 [xfs-data/sda1]
root       502  0.0  0.0      0     0 ?        S<   21:44   0:00 [kdmflush]
root       503  0.0  0.0      0     0 ?        S<   21:44   0:00 [xfs-conv/sda1]
root       504  0.0  0.0      0     0 ?        S<   21:44   0:00 [bioset]
root       505  0.0  0.0      0     0 ?        S<   21:44   0:00 [xfs-cil/sda1]
root       507  0.0  0.0      0     0 ?        S<   21:44   0:00 [xfs-reclaim/sda]
root       508  0.0  0.0      0     0 ?        S<   21:44   0:00 [xfs-log/sda1]
root       509  0.0  0.0      0     0 ?        S<   21:44   0:00 [xfs-eofblocks/s]
root       512  0.0  0.0      0     0 ?        S    21:44   0:00 [xfsaild/sda1]
root       535  0.0  0.0  55452   892 ?        S<sl 21:44   0:00 /sbin/auditd
dbus       561  0.0  0.1  32868  2036 ?        Ssl  21:44   0:00 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activ
root       566  0.0  0.3  99608  6092 ?        Ss   21:44   0:00 /usr/bin/VGAuthService -s
root       567  0.1  0.3 305296  6308 ?        Ssl  21:44   0:01 /usr/bin/vmtoolsd
root       568  0.0  0.0  21620  1288 ?        Ss   21:44   0:00 /usr/sbin/irqbalance --foreground
polkitd    569  0.0  0.6 535088 12128 ?        Ssl  21:44   0:00 /usr/lib/polkit-1/polkitd --no-debug
root       570  0.0  0.3 216388  6124 ?        Ssl  21:44   0:00 /usr/sbin/rsyslogd -n
root       573  0.0  0.0  24204  1676 ?        Ss   21:44   0:00 /usr/lib/systemd/systemd-logind
root       576  0.0  0.0 126236  1680 ?        Ss   21:44   0:00 /usr/sbin/crond -n
chrony     580  0.0  0.0 115640  1764 ?        S    21:44   0:00 /usr/sbin/chronyd
root       601  0.0  1.5 334236 28972 ?        Ssl  21:44   0:00 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
root       617  0.0  0.4 472252  9148 ?        Ssl  21:44   0:00 /usr/sbin/NetworkManager --no-daemon
root       679  0.0  0.0      0     0 ?        S<   21:44   0:00 [kworker/0:1H]
root       918  0.0  0.2 105996  4084 ?        Ss   21:44   0:00 /usr/sbin/sshd -D
root       921  0.0  0.8 562392 16604 ?        Ssl  21:44   0:00 /usr/bin/python -Es /usr/sbin/tuned -l -P
root       956  0.0  0.0 115388  1700 ?        S    21:44   0:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/data/mysql --pid-file=/data/m
mysql     1180  0.2 24.2 1300776 452360 ?      Sl   21:44   0:03 /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql --datadir=/data/mysql --pl
root      1227  0.0  0.2 147844  5352 ?        Rs   21:44   0:00 sshd: root@pts/0
root      1278  0.0  0.1  89544  2084 ?        Ss   21:44   0:00 /usr/libexec/postfix/master -w
root      1281  0.0  0.0 110044   820 tty1     Ss+  21:44   0:00 /sbin/agetty --noclear tty1 linux
postfix   1282  0.0  0.2  89648  3996 ?        S    21:44   0:00 pickup -l -t unix -u
postfix   1283  0.0  0.2  89716  4028 ?        S    21:44   0:00 qmgr -l -t unix -u
root      1377  0.0  0.1 115524  2156 pts/0    Ss   21:44   0:00 -bash
root      1454  0.0  0.0      0     0 ?        S    21:54   0:00 [kworker/1:0]
root      1484  0.0  0.0      0     0 ?        S    22:01   0:00 [kworker/0:0]
root      1485  0.0  0.0      0     0 ?        S    22:06   0:00 [kworker/0:1]
root      1487  0.0  0.0 151064  1816 pts/0    R+   22:07   0:00 ps aux
It can be combined with grep to check whether a specific process is running.
[root@lgs-01 ~]# ps aux|grep mysql
root       956  0.0  0.0 115388  1700 ?        S    21:44   0:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/data/mysql --pid-file=/data/mysql/lgs-01.pid
mysql     1180  0.2 24.2 1300776 452360 ?      Sl   21:44   0:03 /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql --datadir=/data/mysql --plugin-dir=/usr/local/mysql/lib/plugin --user=mysql --log-error=/data/mysql/lgs-01.err --pid-file=/data/mysql/lgs-01.pid
root      1491  0.0  0.0 112680   984 pts/0    S+   22:08   0:00 grep --color=auto mysql
ps -elf option: similar to aux.
[root@lgs-01 ~]# ps -elf
F S UID        PID  PPID  C PRI  NI ADDR SZ WCHAN  STIME TTY          TIME CMD
4 S root         1     0  0  80   0 - 32041 ep_pol 21:44 ?        00:00:00 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
1 S root         2     0  0  80   0 -     0 kthrea 21:44 ?        00:00:00 [kthreadd]
1 S root         3     2  0  80   0 -     0 smpboo 21:44 ?        00:00:00 [ksoftirqd/0]
1 S root         5     2  0  60 -20 -     0 worker 21:44 ?        00:00:00 [kworker/0:0H]
1 S root         6     2  0  80   0 -     0 worker 21:44 ?        00:00:00 [kworker/u256:0]
1 S root         7     2  0 -40   - -     0 smpboo 21:44 ?        00:00:00 [migration/0]
1 S root         8     2  0  80   0 -     0 rcu_gp 21:44 ?        00:00:00 [rcu_bh]
1 S root         9     2  0  80   0 -     0 rcu_gp 21:44 ?        00:00:00 [rcu_sched]
5 S root        10     2  0 -40   - -     0 smpboo 21:44 ?        00:00:00 [watchdog/0]
5 S root        11     2  0 -40   - -     0 smpboo 21:44 ?        00:00:00 [watchdog/1]
1 S root        12     2  0 -40   - -     0 smpboo 21:44 ?        00:00:00 [migration/1]
1 S root        13     2  0  80   0 -     0 smpboo 21:44 ?        00:00:00 [ksoftirqd/1]
1 S root        15     2  0  60 -20 -     0 worker 21:44 ?        00:00:00 [kworker/1:0H]
5 S root        17     2  0  80   0 -     0 devtmp 21:44 ?        00:00:00 [kdevtmpfs]
1 S root        18     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [netns]
1 S root        19     2  0  80   0 -     0 watchd 21:44 ?        00:00:00 [khungtaskd]
1 S root        20     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [writeback]
1 S root        21     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [kintegrityd]
1 S root        22     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [bioset]
1 S root        23     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [kblockd]
1 S root        24     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [md]
1 S root        30     2  0  80   0 -     0 kswapd 21:44 ?        00:00:00 [kswapd0]
1 S root        31     2  0  85   5 -     0 ksm_sc 21:44 ?        00:00:00 [ksmd]
1 S root        32     2  0  99  19 -     0 khugep 21:44 ?        00:00:00 [khugepaged]
1 S root        33     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [crypto]
1 S root        41     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [kthrotld]
1 S root        43     2  0  80   0 -     0 worker 21:44 ?        00:00:00 [kworker/u256:1]
1 S root        44     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [kmpath_rdacd]
1 S root        45     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [kpsmoused]
1 R root        46     2  0  80   0 -     0 -      21:44 ?        00:00:00 [kworker/0:2]
1 S root        47     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [ipv6_addrconf]
1 S root        66     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [deferwq]
1 S root        99     2  0  80   0 -     0 kaudit 21:44 ?        00:00:00 [kauditd]
1 S root       236     2  0  80   0 -     0 worker 21:44 ?        00:00:00 [kworker/1:2]
1 S root       238     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [ata_sff]
1 S root       239     2  0  80   0 -     0 scsi_e 21:44 ?        00:00:00 [scsi_eh_0]
1 S root       240     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [scsi_tmf_0]
1 S root       241     2  0  80   0 -     0 scsi_e 21:44 ?        00:00:00 [scsi_eh_1]
1 S root       242     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [scsi_tmf_1]
1 S root       245     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [mpt_poll_0]
1 S root       246     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [mpt/0]
1 S root       254     2  0  80   0 -     0 scsi_e 21:44 ?        00:00:00 [scsi_eh_2]
1 S root       255     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [scsi_tmf_2]
1 S root       257     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [ttm_swap]
1 S root       285     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [bioset]
1 S root       286     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [xfsalloc]
1 S root       287     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [xfs_mru_cache]
1 S root       288     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [xfs-buf/sda3]
1 S root       289     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [xfs-data/sda3]
1 S root       290     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [xfs-conv/sda3]
1 S root       291     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [xfs-cil/sda3]
1 S root       292     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [xfs-reclaim/sda]
1 S root       293     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [xfs-log/sda3]
1 S root       294     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [xfs-eofblocks/s]
1 S root       295     2  0  80   0 -     0 xfsail 21:44 ?        00:00:00 [xfsaild/sda3]
4 S root       363     1  0  80   0 -  9208 ep_pol 21:44 ?        00:00:00 /usr/lib/systemd/systemd-journald
4 S root       381     1  0  80   0 - 85638 poll_s 21:44 ?        00:00:00 /usr/sbin/lvmetad -f
4 S root       391     1  0  80   0 - 11968 ep_pol 21:44 ?        00:00:00 /usr/lib/systemd/systemd-udevd
1 S root       414     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [nfit]
1 S root       451     2  0  60 -20 -     0 worker 21:44 ?        00:00:00 [kworker/1:1H]
1 S root       500     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [xfs-buf/sda1]
1 S root       501     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [xfs-data/sda1]
1 S root       502     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [kdmflush]
1 S root       503     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [xfs-conv/sda1]
1 S root       504     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [bioset]
1 S root       505     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [xfs-cil/sda1]
1 S root       507     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [xfs-reclaim/sda]
1 S root       508     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [xfs-log/sda1]
1 S root       509     2  0  60 -20 -     0 rescue 21:44 ?        00:00:00 [xfs-eofblocks/s]
1 S root       512     2  0  80   0 -     0 xfsail 21:44 ?        00:00:00 [xfsaild/sda1]
5 S root       535     1  0  76  -4 - 13863 ep_pol 21:44 ?        00:00:00 /sbin/auditd
4 S dbus       561     1  0  80   0 -  8217 ep_pol 21:44 ?        00:00:00 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --sy
4 S root       566     1  0  80   0 - 24902 poll_s 21:44 ?        00:00:00 /usr/bin/VGAuthService -s
4 S root       567     1  0  80   0 - 76324 poll_s 21:44 ?        00:00:01 /usr/bin/vmtoolsd
4 S root       568     1  0  80   0 -  5405 hrtime 21:44 ?        00:00:00 /usr/sbin/irqbalance --foreground
4 S polkitd    569     1  0  80   0 - 133772 poll_s 21:44 ?       00:00:00 /usr/lib/polkit-1/polkitd --no-debug
4 S root       570     1  0  80   0 - 54097 poll_s 21:44 ?        00:00:00 /usr/sbin/rsyslogd -n
4 S root       573     1  0  80   0 -  6051 ep_pol 21:44 ?        00:00:00 /usr/lib/systemd/systemd-logind
4 S root       576     1  0  80   0 - 31559 hrtime 21:44 ?        00:00:00 /usr/sbin/crond -n
5 S chrony     580     1  0  80   0 - 28910 poll_s 21:44 ?        00:00:00 /usr/sbin/chronyd
4 S root       601     1  0  80   0 - 83559 poll_s 21:44 ?        00:00:00 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
4 S root       617     1  0  80   0 - 118063 poll_s 21:44 ?       00:00:00 /usr/sbin/NetworkManager --no-daemon
1 S root       679     2  0  60 -20 -     0 worker 21:44 ?        00:00:00 [kworker/0:1H]
4 S root       918     1  0  80   0 - 26499 poll_s 21:44 ?        00:00:00 /usr/sbin/sshd -D
4 S root       921     1  0  80   0 - 140598 poll_s 21:44 ?       00:00:00 /usr/bin/python -Es /usr/sbin/tuned -l -P
4 S root       956     1  0  80   0 - 28847 do_wai 21:44 ?        00:00:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/data/mysql --pid-f
4 S mysql     1180   956  0  80   0 - 325194 poll_s 21:44 ?       00:00:03 /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql --datadir=/data
4 D root      1227   918  0  80   0 - 36961 flush_ 21:44 ?        00:00:00 sshd: root@pts/0
5 S root      1278     1  0  80   0 - 22386 ep_pol 21:44 ?        00:00:00 /usr/libexec/postfix/master -w
4 S root      1281     1  0  80   0 - 27511 n_tty_ 21:44 tty1     00:00:00 /sbin/agetty --noclear tty1 linux
4 S postfix   1282  1278  0  80   0 - 22412 ep_pol 21:44 ?        00:00:00 pickup -l -t unix -u
4 S postfix   1283  1278  0  80   0 - 22429 ep_pol 21:44 ?        00:00:00 qmgr -l -t unix -u
4 S root      1377  1227  0  80   0 - 28881 do_wai 21:44 pts/0    00:00:00 -bash
1 S root      1454     2  0  80   0 -     0 worker 21:54 ?        00:00:00 [kworker/1:0]
1 S root      1484     2  0  80   0 -     0 worker 22:01 ?        00:00:00 [kworker/0:0]
1 S root      1485     2  0  80   0 -     0 worker 22:06 ?        00:00:00 [kworker/0:1]
1 S root      1492     2  0  80   0 -     0 worker 22:09 ?        00:00:00 [kworker/0:3]
0 R root      1493  1377  0  80   0 - 37766 -      22:09 pts/0    00:00:00 ps -elf
If the system has been compromised and you see an unfamiliar process, you can look it up by its PID, for example 956.
[root@lgs-01 ~]# ps aux|grep 956
root       956  0.0  0.0 115388  1700 ?        S    21:44   0:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/data/mysql --pid-file=/data/mysql/lgs-01.pid
root      1503  0.0  0.0 112676   988 pts/0    R+   22:11   0:00 grep --color=auto 956
Every process has a directory named after its PID under /proc/.
[root@lgs-01 ~]# ls /proc/
1     1283  17   238  255  292  363  46   507  569  679  asound     diskstats    ioports     loadavg     net            stat           version
10    13    18   239  257  293  381  47   508  570  7    buddyinfo  dma          irq         locks       pagetypeinfo   swaps          vmallocinfo
11    1377  19   24   285  294  391  5    509  573  8    bus        driver       kallsyms    mdstat      partitions     sys            vmstat
1180  1454  2    240  286  295  41   500  512  576  9    cgroups    execdomains  kcore       meminfo     sched_debug    sysrq-trigger  zoneinfo
12    1484  20   241  287  3    414  501  535  580  918  cmdline    fb           keys        misc        schedstat      sysvipc
1227  1485  21   242  288  30   43   502  561  6    921  consoles   filesystems  key-users   modules     scsi           timer_list
1278  1492  22   245  289  31   44   503  566  601  956  cpuinfo    fs           kmsg        mounts      self           timer_stats
1281  15    23   246  290  32   45   504  567  617  99   crypto     interrupts   kpagecount  mpt         slabinfo       tty
1282  1506  236  254  291  33   451  505  568  66   acpi devices    iomem        kpageflags  mtrr        softirqs       uptime
Go into the /proc/956/ directory and look at which files are there; they tell you where the process's directory is, so the unfamiliar intruding process can then be removed. For example, process 956's directory is /usr/local/mysql.
[root@lgs-01 ~]# ls -l /proc/956
總用量 0
dr-xr-xr-x. 2 root root 0 5月  7 22:12 attr
-rw-r--r--. 1 root root 0 5月  7 22:12 autogroup
-r--------. 1 root root 0 5月  7 22:12 auxv
-r--r--r--. 1 root root 0 5月  7 22:12 cgroup
--w-------. 1 root root 0 5月  7 22:12 clear_refs
-r--r--r--. 1 root root 0 5月  7 22:07 cmdline
-rw-r--r--. 1 root root 0 5月  7 22:12 comm
-rw-r--r--. 1 root root 0 5月  7 22:12 coredump_filter
-r--r--r--. 1 root root 0 5月  7 22:12 cpuset
lrwxrwxrwx. 1 root root 0 5月  7 22:12 cwd -> /usr/local/mysql
-r--------. 1 root root 0 5月  7 22:12 environ
lrwxrwxrwx. 1 root root 0 5月  7 22:12 exe -> /usr/bin/bash
dr-x------. 2 root root 0 5月  7 22:12 fd
dr-x------. 2 root root 0 5月  7 22:12 fdinfo
-rw-r--r--. 1 root root 0 5月  7 22:12 gid_map
-r--------. 1 root root 0 5月  7 22:12 io
-r--r--r--. 1 root root 0 5月  7 22:12 limits
-rw-r--r--. 1 root root 0 5月  7 22:12 loginuid
dr-x------. 2 root root 0 5月  7 22:12 map_files
-r--r--r--. 1 root root 0 5月  7 22:12 maps
-rw-------. 1 root root 0 5月  7 22:12 mem
-r--r--r--. 1 root root 0 5月  7 22:12 mountinfo
-r--r--r--. 1 root root 0 5月  7 22:12 mounts
-r--------. 1 root root 0 5月  7 22:12 mountstats
dr-xr-xr-x. 5 root root 0 5月  7 22:12 net
dr-x--x--x. 2 root root 0 5月  7 22:12 ns
-r--r--r--. 1 root root 0 5月  7 22:12 numa_maps
-rw-r--r--. 1 root root 0 5月  7 22:12 oom_adj
-r--r--r--. 1 root root 0 5月  7 22:12 oom_score
-rw-r--r--. 1 root root 0 5月  7 22:12 oom_score_adj
-r--r--r--. 1 root root 0 5月  7 22:12 pagemap
-r--r--r--. 1 root root 0 5月  7 22:12 personality
-rw-r--r--. 1 root root 0 5月  7 22:12 projid_map
lrwxrwxrwx. 1 root root 0 5月  7 22:12 root -> /
-rw-r--r--. 1 root root 0 5月  7 22:12 sched
-r--r--r--. 1 root root 0 5月  7 22:12 schedstat
-r--r--r--. 1 root root 0 5月  7 22:12 sessionid
-rw-r--r--. 1 root root 0 5月  7 22:12 setgroups
-r--r--r--. 1 root root 0 5月  7 22:12 smaps
-r--r--r--. 1 root root 0 5月  7 22:12 stack
-r--r--r--. 1 root root 0 5月  7 22:07 stat
-r--r--r--. 1 root root 0 5月  7 22:12 statm
-r--r--r--. 1 root root 0 5月  7 22:07 status
-r--r--r--. 1 root root 0 5月  7 22:12 syscall
dr-xr-xr-x. 3 root root 0 5月  7 21:54 task
-r--r--r--. 1 root root 0 5月  7 22:12 timers
-rw-r--r--. 1 root root 0 5月  7 22:12 uid_map
-r--r--r--. 1 root root 0 5月  7 22:09 wchan
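An added example, not from the original post: a shell function that collects the /proc/<pid> facts the post looks up by hand (the exe and cwd links and the command line) in one call, and flags a process whose executable has been deleted from disk while it is still running, something a legitimate daemon rarely does and a dropped-and-removed binary always shows. A second function sweeps a whole /proc tree for that condition. The PROCROOT parameter, the function names and the constructed /proc tree in the test are my own; on a live system pass /proc, and run as root to be able to read other users' exe links.

```shell
#!/bin/sh
# Added example, not from the original post: inspect a PID through /proc.
# PROCROOT is normally /proc; it is a parameter so that the functions can
# be exercised against a constructed directory tree.

# describe_pid PROCROOT PID
# Prints exe, cwd and cmdline of PID, and a warning when the executable
# the process was started from no longer exists on disk (the kernel then
# appends " (deleted)" to the exe link target).
describe_pid() {
    dir="$1/$2"
    if [ ! -d "$dir" ]; then
        echo "pid $2: no such process"
        return 1
    fi
    exe=$(readlink "$dir/exe" 2>/dev/null || echo "?")
    cwd=$(readlink "$dir/cwd" 2>/dev/null || echo "?")
    if [ -r "$dir/cmdline" ]; then
        # cmdline separates arguments with NUL bytes; turn them into spaces
        cmdline=$(tr '\000' ' ' < "$dir/cmdline" | sed 's/ *$//')
    else
        cmdline="?"
    fi
    printf 'pid=%s\nexe=%s\ncwd=%s\ncmdline=%s\n' "$2" "$exe" "$cwd" "$cmdline"
    case $exe in
        *'(deleted)'*) echo "WARNING: executable no longer exists on disk" ;;
    esac
    return 0
}

# deleted_exe_pids PROCROOT
# Lists every PID under PROCROOT whose executable has been removed from
# disk. Kernel threads have no exe link and are skipped.
deleted_exe_pids() {
    for d in "$1"/[0-9]*; do
        [ -d "$d" ] || continue
        target=$(readlink "$d/exe" 2>/dev/null) || continue
        case $target in
            *'(deleted)'*) basename "$d" ;;
        esac
    done
}

# Stand-alone demonstration on the current shell's own entry (Linux only);
# on a live host you would call describe_pid /proc 956 for the post's case.
describe_pid /proc "$$" || true
```

On the host shown in the post, describe_pid /proc 956 would print exe=/usr/bin/bash and cwd=/usr/local/mysql, matching the ls -l output above; the cmdline line then tells you it is the mysqld_safe wrapper and not an unknown binary.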
VSZ: virtual memory size. RSS: physical memory size.
STAT: process state
D: uninterruptible process, fairly rare; if many are running they push up the system's CPU load. If CPU usage is low at that time, there is no need to worry too much.
R: running process, one that used the CPU during a given time period.
S: sleeping process; it pauses after finishing its computation and is reactivated to use the CPU after a while.
T: stopped process, e.g. one suspended into the background with Ctrl+Z.
Z: zombie process; if there are too many they need to be killed and cleaned up.
<: high-priority process, gets CPU resources first.
N: low-priority process, in no hurry to use the CPU.
L: process with memory pages locked in memory.
s: main process, e.g. "nginx: master process" with Ss is the main process.
l: multi-threaded process, containing several threads that can share memory space.
+: foreground process, running in the foreground on a terminal.
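Added example (not part of the original post): two shell functions that turn the STAT column of `ps aux` into the per-state counts the post suggests watching, and list the processes in a given base state (Z for zombies, D for uninterruptible I/O). The ps excerpt is constructed, with a D-state and a zombie process added to the lines shown above; the function names are my own. One fact worth keeping in mind when acting on the Z list: a zombie has already exited, so the signal has to go to its parent, which is what makes the entry disappear.

```shell
#!/bin/sh
# Added example, not from the original post: summarise `ps aux` STAT codes.

# Constructed `ps aux` excerpt: lines modelled on the listing above plus
# one D-state process (2001) and one zombie (2048) for the demonstration.
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.3 128164  6828 ?        Ss   21:44   0:00 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
root         2  0.0  0.0      0     0 ?        S    21:44   0:00 [kthreadd]
root         5  0.0  0.0      0     0 ?        S<   21:44   0:00 [kworker/0:0H]
root        31  0.0  0.0      0     0 ?        SN   21:44   0:00 [ksmd]
mysql     1180  0.2 24.2 1300776 452360 ?      Sl   21:44   0:03 /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql
root      1227  0.0  0.2 147844  5352 ?        Rs   21:44   0:00 sshd: root@pts/0
root      1377  0.0  0.1 115524  2156 pts/0    Ss   21:44   0:00 -bash
root      1487  0.0  0.0 151064  1816 pts/0    R+   22:07   0:00 ps aux
root      2001  0.0  0.0      0     0 ?        D    22:05   0:00 [kworker/u256:2]
nobody    2048  0.0  0.0      0     0 ?        Z    22:06   0:00 [worker] <defunct>'

# state_summary < ps-aux-output
# Counts processes by the first letter of STAT (the base state; the
# <, N, s, l and + modifiers are ignored) and prints "STATE COUNT".
state_summary() {
    awk 'NR > 1 { n[substr($8, 1, 1)]++ }
         END { for (s in n) print s, n[s] }' | LC_ALL=C sort
}

# processes_in_state STATE < ps-aux-output
# Prints "PID COMMAND..." for every process whose base state is STATE.
processes_in_state() {
    awk -v want="$1" 'NR > 1 && substr($8, 1, 1) == want {
        cmd = $11
        for (i = 12; i <= NF; i++) cmd = cmd " " $i
        print $2, cmd
    }'
}

# Stand-alone demonstration on the constructed sample; on a live host:
#   ps aux | state_summary
#   ps aux | processes_in_state Z
printf '%s\n' "$SAMPLE_PS" | state_summary
printf '%s\n' "$SAMPLE_PS" | processes_in_state Z
```

The summary of the sample is D 1, R 2, S 6, Z 1; the Z listing returns PID 2048. A steadily growing D count with low CPU utilisation points at storage rather than at the processes themselves, which is where iostat -x comes back in.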
netstat command: shows detailed communication information for each protocol.
Usually used with the -lnp options to view port information; pay attention to the listening ports, the sockets section can be ignored.
[root@lgs-01 ~]# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      918/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1278/master
tcp6       0      0 :::22                   :::*                    LISTEN      918/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1278/master
tcp6       0      0 :::3306                 :::*                    LISTEN      1180/mysqld
udp        0      0 127.0.0.1:323           0.0.0.0:*                           580/chronyd
udp6       0      0 ::1:323                 :::*                                580/chronyd
raw6       0      0 :::58                   :::*                    7           617/NetworkManager
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     20318    1278/master          private/anvil
unix  2      [ ACC ]     STREAM     LISTENING     20321    1278/master          private/scache
unix  2      [ ACC ]     STREAM     LISTENING     20267    1278/master          private/rewrite
unix  2      [ ACC ]     STREAM     LISTENING     20270    1278/master          private/bounce
unix  2      [ ACC ]     STREAM     LISTENING     14906    1/systemd            /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     1347     1/systemd            /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     19309    1180/mysqld          /tmp/mysql.sock
unix  2      [ ACC ]     STREAM     LISTENING     20238    1278/master          public/pickup
unix  2      [ ACC ]     STREAM     LISTENING     20242    1278/master          public/cleanup
unix  2      [ ACC ]     STREAM     LISTENING     20245    1278/master          public/qmgr
unix  2      [ ACC ]     STREAM     LISTENING     20282    1278/master          public/flush
unix  2      [ ACC ]     STREAM     LISTENING     20297    1278/master          public/showq
unix  2      [ ACC ]     STREAM     LISTENING     12701    1/systemd            /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     12723    1/systemd            /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     20249    1278/master          private/tlsmgr
unix  2      [ ACC ]     STREAM     LISTENING     20273    1278/master          private/defer
unix  2      [ ACC ]     SEQPACKET  LISTENING     12736    1/systemd            /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     20276    1278/master          private/trace
unix  2      [ ACC ]     STREAM     LISTENING     20279    1278/master          private/verify
unix  2      [ ACC ]     STREAM     LISTENING     20285    1278/master          private/proxymap
unix  2      [ ACC ]     STREAM     LISTENING     12741    1/systemd            /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     20306    1278/master          private/discard
unix  2      [ ACC ]     STREAM     LISTENING     20303    1278/master          private/retry
unix  2      [ ACC ]     STREAM     LISTENING     20309    1278/master          private/local
unix  2      [ ACC ]     STREAM     LISTENING     20312    1278/master          private/virtual
unix  2      [ ACC ]     STREAM     LISTENING     20315    1278/master          private/lmtp
unix  2      [ ACC ]     STREAM     LISTENING     16599    566/VGAuthService    /var/run/vmware/guestServicePipe
unix  2      [ ACC ]     STREAM     LISTENING     20294    1278/master          private/relay
unix  2      [ ACC ]     STREAM     LISTENING     20300    1278/master          private/error
unix  2      [ ACC ]     STREAM     LISTENING     20288    1278/master          private/proxywrite
unix  2      [ ACC ]     STREAM     LISTENING     20291    1278/master          private/smtp
-lntp: show only TCP
[root@lgs-01 ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      918/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1278/master
tcp6       0      0 :::22                   :::*                    LISTEN      918/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1278/master
tcp6       0      0 :::3306                 :::*                    LISTEN      1180/mysqld
-lntup: show only TCP and UDP; pay attention to the port in Local Address
[root@lgs-01 ~]# netstat -lnutp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      918/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1278/master
tcp6       0      0 :::22                   :::*                    LISTEN      918/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1278/master
tcp6       0      0 :::3306                 :::*                    LISTEN      1180/mysqld
udp        0      0 127.0.0.1:323           0.0.0.0:*                           580/chronyd
udp6       0      0 ::1:323                 :::*                                580/chronyd
netstat -an: show the state of all connections
[root@lgs-01 ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.87.130:22       192.168.87.1:55741      ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
tcp6       0      0 :::3306                 :::*                    LISTEN
udp        0      0 127.0.0.1:323           0.0.0.0:*
udp6       0      0 ::1:323                 :::*
raw6       0      0 :::58                   :::*                    7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     20318    private/anvil
unix  2      [ ACC ]     STREAM     LISTENING     20321    private/scache
unix  2      [ ACC ]     STREAM     LISTENING     20267    private/rewrite
unix  2      [ ACC ]     STREAM     LISTENING     20270    private/bounce
unix  2      [ ]         DGRAM                    1337     /run/systemd/notify
unix  2      [ ACC ]     STREAM     LISTENING     14906    /var/run/dbus/system_bus_socket
unix  2      [ ]         DGRAM                    1339     /run/systemd/cgroups-agent
unix  2      [ ACC ]     STREAM     LISTENING     1347     /run/systemd/journal/stdout
unix  5      [ ]         DGRAM                    1350     /run/systemd/journal/socket
unix  14     [ ]         DGRAM                    1352     /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     19309    /tmp/mysql.sock
unix  2      [ ACC ]     STREAM     LISTENING     20238    public/pickup
unix  2      [ ACC ]     STREAM     LISTENING     20242    public/cleanup
unix  2      [ ACC ]     STREAM     LISTENING     20245    public/qmgr
unix  2      [ ACC ]     STREAM     LISTENING     20282    public/flush
unix  2      [ ACC ]     STREAM     LISTENING     20297    public/showq
unix  2      [ ]         DGRAM                    15247    /var/run/chrony/chronyd.sock
unix  2      [ ACC ]     STREAM     LISTENING     12701    /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     12723    /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     20249    private/tlsmgr
unix  2      [ ACC ]     STREAM     LISTENING     20273    private/defer
unix  2      [ ACC ]     SEQPACKET  LISTENING     12736    /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     20276    private/trace
unix  2      [ ACC ]     STREAM     LISTENING     20279    private/verify
unix  2      [ ACC ]     STREAM     LISTENING     20285    private/proxymap
unix  2      [ ACC ]     STREAM     LISTENING     12741    /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     20306    private/discard
unix  2      [ ACC ]     STREAM     LISTENING     20303    private/retry
unix  2      [ ACC ]     STREAM     LISTENING     20309    private/local
unix  2      [ ACC ]     STREAM     LISTENING     20312    private/virtual
unix  2      [ ]         DGRAM                    12754    /run/systemd/shutdownd
unix  2      [ ACC ]     STREAM     LISTENING     20315    private/lmtp
unix  2      [ ACC ]     STREAM     LISTENING     16599    /var/run/vmware/guestServicePipe
unix  2      [ ACC ]     STREAM     LISTENING     20294    private/relay
unix  2      [ ACC ]     STREAM     LISTENING     20300    private/error
unix  2      [ ACC ]     STREAM     LISTENING     20288    private/proxywrite
unix  2      [ ACC ]     STREAM     LISTENING     20291    private/smtp
unix  3      [ ]         STREAM     CONNECTED     20243
unix  2      [ ]         DGRAM                    20354
unix  3      [ ]         STREAM     CONNECTED     19583    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     20271
unix  3      [ ]         STREAM     CONNECTED     16085    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     20246
unix  3      [ ]         STREAM     CONNECTED     16066    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     20239
unix  3      [ ]         STREAM     CONNECTED     20292
unix  2      [ ]         DGRAM                    16573
unix  3      [ ]         STREAM     CONNECTED     16380
unix  3      [ ]         STREAM     CONNECTED     20240
unix  2      [ ]         DGRAM                    16597
unix  3      [ ]         STREAM     CONNECTED     16381    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     20278
unix  3      [ ]         STREAM     CONNECTED     15029
unix  2      [ ]         DGRAM                    20206
unix  3      [ ]         STREAM     CONNECTED     15075
unix  3      [ ]         STREAM     CONNECTED     20302
unix  2      [ ]         DGRAM                    16544
unix  3      [ ]         STREAM     CONNECTED     20322
unix  3      [ ]         STREAM     CONNECTED     20274
unix  3      [ ]         STREAM     CONNECTED     20293
unix  3      [ ]         STREAM     CONNECTED     20323
unix  3      [ ]         STREAM     CONNECTED     20277
unix  3      [ ]         STREAM     CONNECTED     16047    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     20244
unix  3      [ ]         STREAM     CONNECTED     16044    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     20316
unix  3      [ ]         STREAM     CONNECTED     17470
unix  3      [ ]         STREAM     CONNECTED     20317
unix  3      [ ]         STREAM     CONNECTED     13914    /run/systemd/journal/stdout
unix  3      [ ]         DGRAM                    13070
unix  3      [ ]         STREAM     CONNECTED     20319
unix  3      [ ]         STREAM     CONNECTED     13913
unix  3      [ ]         STREAM     CONNECTED     20275
unix  3      [ ]         STREAM     CONNECTED     16808    /var/run/dbus/system_bus_socket
unix  3      [ ]         DGRAM                    13069
unix  3      [ ]         STREAM     CONNECTED     20320
unix  3      [ ]         STREAM     CONNECTED     20314
unix  3      [ ]         STREAM     CONNECTED     20247
unix  3      [ ]         STREAM     CONNECTED     14925
unix  2      [ ]         DGRAM                    13916
unix  3      [ ]         STREAM     CONNECTED     20272
unix  2      [ ]         DGRAM                    16720
unix  3      [ ]         STREAM     CONNECTED     20313
unix  3      [ ]         STREAM     CONNECTED     14969
unix  3      [ ]         STREAM     CONNECTED     20310
unix  3      [ ]         STREAM     CONNECTED     20311
unix  3      [ ]         STREAM     CONNECTED     18944
unix  2      [ ]         DGRAM                    12864
unix  3      [ ]         STREAM     CONNECTED     20308
unix  3      [ ]         STREAM     CONNECTED     16589    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     16030    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     20307
unix  3      [ ]         STREAM     CONNECTED     20280
unix  3      [ ]         STREAM     CONNECTED     15121
unix  3      [ ]         STREAM     CONNECTED     20304
unix  3      [ ]         STREAM     CONNECTED     16588
unix  3      [ ]         STREAM     CONNECTED     20305
unix  2      [ ]         DGRAM                    18043
unix  3      [ ]         STREAM     CONNECTED     16700    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     14814
unix  3      [ ]         STREAM     CONNECTED     20286
unix  3      [ ]         STREAM     CONNECTED     18409
unix  3      [ ]         STREAM     CONNECTED     20237
unix  3      [ ]         STREAM     CONNECTED     20236
unix  3      [ ]         STREAM     CONNECTED     20298
unix  3      [ ]         STREAM     CONNECTED     19256    /var/run/dbus/system_bus_socket
unix  2      [ ]         DGRAM                    20571
unix  3      [ ]         STREAM     CONNECTED     20295
unix  3      [ ]         STREAM     CONNECTED     15326
unix  3      [ ]         STREAM     CONNECTED     20268
unix  2      [ ]         DGRAM                    15225
unix  3      [ ]         STREAM     CONNECTED     19530
unix  3      [ ]         STREAM     CONNECTED     14813
unix  3      [ ]         STREAM     CONNECTED     16042
unix  3      [ ]         STREAM     CONNECTED     20269
unix  3      [ ]         STREAM     CONNECTED     20289
unix  3      [ ]         STREAM     CONNECTED     20265
unix  2      [ ]         DGRAM                    20375
unix  3      [ ]         STREAM     CONNECTED     15357
unix  2      [ ]         DGRAM                    15234
unix  3      [ ]         STREAM     CONNECTED     16043
unix  2      [ ]         DGRAM                    14812
unix  2      [ ]         DGRAM                    17415
unix  3      [ ]         STREAM     CONNECTED     13773    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     18410    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     20296
unix  3      [ ]         STREAM     CONNECTED     16263
unix  3      [ ]         STREAM     CONNECTED     20283
unix  3      [ ]         STREAM     CONNECTED     20266
unix  3      [ ]         STREAM     CONNECTED     19531    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     16414    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     15275    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     13772
unix  3      [ ]         STREAM     CONNECTED     20301
unix  3      [ ]         STREAM     CONNECTED     20299
unix  3      [ ]         STREAM     CONNECTED     20290
unix  2      [ ]         DGRAM                    16392
unix  3      [ ]         STREAM     CONNECTED     16413
unix  3      [ ]         STREAM     CONNECTED     20281
unix  3      [ ]         STREAM     CONNECTED     20287
unix  3      [ ]         STREAM     CONNECTED     16737    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     19903
unix  3      [ ]         STREAM     CONNECTED     16690
unix  3      [ ]         STREAM     CONNECTED     20284
unix  3      [ ]         STREAM     CONNECTED     16264    /run/systemd/journal/stdout
Further reading: be familiar with the TCP/IP three-way handshake and four-way teardown.
A small tip: a special use of netstat -an
netstat -an |awk '/^tcp/ {++sta[$NF]} END {for(key in sta) print key ,"\t" ,sta[key]}'
[root@lgs-01 ~]# netstat -an |awk '/^tcp/ {++sta[$NF]} END {for(key in sta) print key ,"\t" ,sta[key]}'
LISTEN 5
ESTABLISHED 1
This counts how many TCP sockets are in each state. Pay particular attention to the ESTABLISHED value, which represents the number of concurrent connections; a value within 1000 is acceptable.
The ss -an command: similar to netstat.
[root@lgs-01 ~]# ss -an
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
nl UNCONN 0 0 0:0 *
nl UNCONN 0 0 0:629146217 *
nl UNCONN 0 0 0:629146217 *
nl UNCONN 4352 0 4:1553 *
nl UNCONN 768 0 4:0 *
nl UNCONN 0 0 6:0 *
nl UNCONN 0 0 7:561 *
nl UNCONN 0 0 7:1 *
nl UNCONN 0 0 7:0 *
nl UNCONN 0 0 7:561 *
nl UNCONN 0 0 7:1 *
nl UNCONN 0 0 9:535 *
nl UNCONN 0 0 9:1 *
nl UNCONN 0 0 9:0 *
nl UNCONN 0 0 10:0 *
nl UNCONN 0 0 11:0 *
nl UNCONN 0 0 12:0 *
nl UNCONN 768 0 15:-4109 *
nl UNCONN 0 0 15:573 *
nl UNCONN 0 0 15:-4123 *
nl UNCONN 0 0 15:-4121 *
nl UNCONN 0 0 15:921 *
nl UNCONN 0 0 15:-4124 *
nl UNCONN 0 0 15:-4122 *
nl UNCONN 0 0 15:1 *
nl UNCONN 0 0 15:617 *
nl UNCONN 0 0 15:0 *
nl UNCONN 0 0 15:921 *
nl UNCONN 0 0 15:-4124 *
nl UNCONN 0 0 15:617 *
nl UNCONN 0 0 15:-4123 *
nl UNCONN 0 0 15:-4122 *
nl UNCONN 0 0 15:-4121 *
nl UNCONN 0 0 15:573 *
nl UNCONN 768 0 15:-4109 *
nl UNCONN 0 0 15:1 *
nl UNCONN 0 0 16:0 *
nl UNCONN 0 0 18:0 *
u_str LISTEN 0 100 private/anvil 20318 * 0
u_str LISTEN 0 100 private/scache 20321 * 0
u_str LISTEN 0 100 private/rewrite 20267 * 0
u_str LISTEN 0 100 private/bounce 20270 * 0
u_dgr UNCONN 0 0 /run/systemd/notify 1337 * 0
u_str LISTEN 0 128 /var/run/dbus/system_bus_socket 14906 * 0
u_dgr UNCONN 0 0 /run/systemd/cgroups-agent 1339 * 0
u_str LISTEN 0 128 /run/systemd/journal/stdout 1347 * 0
u_dgr UNCONN 0 0 /run/systemd/journal/socket 1350 * 0
u_dgr UNCONN 0 0 /dev/log 1352 * 0
u_str LISTEN 0 80 /tmp/mysql.sock 19309 * 0
u_str LISTEN 0 100 public/pickup 20238 * 0
u_str LISTEN 0 100 public/cleanup 20242 * 0
u_str LISTEN 0 100 public/qmgr 20245 * 0
u_str LISTEN 0 100 public/flush 20282 * 0
u_str LISTEN 0 100 public/showq 20297 * 0
u_dgr UNCONN 0 0 /var/run/chrony/chronyd.sock 15247 * 0
u_str LISTEN 0 128 /run/systemd/private 12701 * 0
u_str LISTEN 0 128 /run/lvm/lvmpolld.socket 12723 * 0
u_str LISTEN 0 100 private/tlsmgr 20249 * 0
u_str LISTEN 0 100 private/defer 20273 * 0
u_seq LISTEN 0 128 /run/udev/control 12736 * 0
u_str LISTEN 0 100 private/trace 20276 * 0
u_str LISTEN 0 100 private/verify 20279 * 0
u_str LISTEN 0 100 private/proxymap 20285 * 0
u_str LISTEN 0 128 /run/lvm/lvmetad.socket 12741 * 0
u_str LISTEN 0 100 private/discard 20306 * 0
u_str LISTEN 0 100 private/retry 20303 * 0
u_str LISTEN 0 100 private/local 20309 * 0
u_str LISTEN 0 100 private/virtual 20312 * 0
u_dgr UNCONN 0 0 /run/systemd/shutdownd 12754 * 0
u_str LISTEN 0 100 private/lmtp 20315 * 0
u_str LISTEN 0 32 /var/run/vmware/guestServicePipe 16599 * 0
u_str LISTEN 0 100 private/relay 20294 * 0
u_str LISTEN 0 100 private/error 20300 * 0
u_str LISTEN 0 100 private/proxywrite 20288 * 0
u_str LISTEN 0 100 private/smtp 20291 * 0
u_str ESTAB 0 0 * 20243 * 20244
u_dgr UNCONN 0 0 * 20354 * 1352
u_str ESTAB 0 0 /run/systemd/journal/stdout 19583 * 18944
u_str ESTAB 0 0 * 20271 * 20272
u_str ESTAB 0 0 /run/systemd/journal/stdout 16085 * 15121
u_str ESTAB 0 0 * 20246 * 20247
u_str ESTAB 0 0 /run/systemd/journal/stdout 16066 * 15075
u_str ESTAB 0 0 * 20239 * 20240
u_str ESTAB 0 0 * 20292 * 20293
u_dgr UNCONN 0 0 * 16573 * 0
u_str ESTAB 0 0 * 16380 * 16381
u_str ESTAB 0 0 * 20240 * 20239
u_dgr UNCONN 0 0 * 16597 * 1352
u_str ESTAB 0 0 /run/systemd/journal/stdout 16381 * 16380
u_str ESTAB 0 0 * 20278 * 20277
u_str ESTAB 0 0 * 15029 * 16047
u_dgr UNCONN 0 0 * 20206 * 1352
u_str ESTAB 0 0 * 15075 * 16066
u_str ESTAB 0 0 * 20302 * 20301
u_dgr UNCONN 0 0 * 16544 * 1352
u_str ESTAB 0 0 * 20322 * 20323
u_str ESTAB 0 0 * 20274 * 20275
u_str ESTAB 0 0 * 20293 * 20292
u_str ESTAB 0 0 * 20323 * 20322
u_str ESTAB 0 0 * 20277 * 20278
u_str ESTAB 0 0 /run/systemd/journal/stdout 16047 * 15029
u_str ESTAB 0 0 * 20244 * 20243
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 16044 * 14925
u_str ESTAB 0 0 * 20316 * 20317
u_str ESTAB 0 0 * 17470 * 16808
u_str ESTAB 0 0 * 20317 * 20316
u_str ESTAB 0 0 /run/systemd/journal/stdout 13914 * 13913
u_dgr UNCONN 0 0 * 13070 * 13069
u_str ESTAB 0 0 * 20319 * 20320
u_str ESTAB 0 0 * 13913 * 13914
u_str ESTAB 0 0 * 20275 * 20274
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 16808 * 17470
u_dgr UNCONN 0 0 * 13069 * 13070
u_str ESTAB 0 0 * 20320 * 20319
u_str ESTAB 0 0 * 20314 * 20313
u_str ESTAB 0 0 * 20247 * 20246
u_str ESTAB 0 0 * 14925 * 16044
u_dgr UNCONN 0 0 * 13916 * 1350
u_str ESTAB 0 0 * 20272 * 20271
u_dgr UNCONN 0 0 * 16720 * 1352
u_str ESTAB 0 0 * 20313 * 20314
u_str ESTAB 0 0 * 14969 * 16030
u_str ESTAB 0 0 * 20310 * 20311
u_str ESTAB 0 0 * 20311 * 20310
u_str ESTAB 0 0 * 18944 * 19583
u_dgr UNCONN 0 0 * 12864 * 1350
u_str ESTAB 0 0 * 20308 * 20307
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 16589 * 16588
u_str ESTAB 0 0 /run/systemd/journal/stdout 16030 * 14969
u_str ESTAB 0 0 * 20307 * 20308
u_str ESTAB 0 0 * 20280 * 20281
u_str ESTAB 0 0 * 15121 * 16085
u_str ESTAB 0 0 * 20304 * 20305
u_str ESTAB 0 0 * 16588 * 16589
u_str ESTAB 0 0 * 20305 * 20304
u_dgr UNCONN 0 0 * 18043 * 1352
u_str ESTAB 0 0 /run/systemd/journal/stdout 16700 * 15326
u_str ESTAB 0 0 * 14814 * 14813
u_str ESTAB 0 0 * 20286 * 20287
u_str ESTAB 0 0 * 18409 * 18410
u_str ESTAB 0 0 * 20237 * 20236
u_str ESTAB 0 0 * 20236 * 20237
u_str ESTAB 0 0 * 20298 * 20299
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 19256 * 19903
u_dgr UNCONN 0 0 * 20571 * 1352
u_str ESTAB 0 0 * 20295 * 20296
u_str ESTAB 0 0 * 15326 * 16700
u_str ESTAB 0 0 * 20268 * 20269
u_dgr UNCONN 0 0 * 15225 * 1352
u_str ESTAB 0 0 * 19530 * 19531
u_str ESTAB 0 0 * 14813 * 14814
u_str ESTAB 0 0 * 16042 * 16043
u_str ESTAB 0 0 * 20269 * 20268
u_str ESTAB 0 0 * 20289 * 20290
u_str ESTAB 0 0 * 20265 * 20266
u_dgr UNCONN 0 0 * 20375 * 1352
u_str ESTAB 0 0 * 15357 * 16737
u_dgr UNCONN 0 0 * 15234 * 1352
u_str ESTAB 0 0 * 16043 * 16042
u_dgr UNCONN 0 0 * 14812 * 1352
u_dgr UNCONN 0 0 * 17415 * 1352
u_str ESTAB 0 0 /run/systemd/journal/stdout 13773 * 13772
u_str ESTAB 0 0 /run/systemd/journal/stdout 18410 * 18409
u_str ESTAB 0 0 * 20296 * 20295
u_str ESTAB 0 0 * 16263 * 16264
u_str ESTAB 0 0 * 20283 * 20284
u_str ESTAB 0 0 * 20266 * 20265
u_str ESTAB 0 0 /run/systemd/journal/stdout 19531 * 19530
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 16414 * 16413
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 15275 * 16690
u_str ESTAB 0 0 * 13772 * 13773
u_str ESTAB 0 0 * 20301 * 20302
u_str ESTAB 0 0 * 20299 * 20298
u_str ESTAB 0 0 * 20290 * 20289
u_dgr UNCONN 0 0 * 16392 * 1350
u_str ESTAB 0 0 * 16413 * 16414
u_str ESTAB 0 0 * 20281 * 20280
u_str ESTAB 0 0 * 20287 * 20286
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 16737 * 15357
u_str ESTAB 0 0 * 19903 * 19256
u_str ESTAB 0 0 * 16690 * 15275
u_str ESTAB 0 0 * 20284 * 20283
u_str ESTAB 0 0 /run/systemd/journal/stdout 16264 * 16263
udp UNCONN 0 0 :::58 :::*
udp UNCONN 0 0 127.0.0.1:323 *:*
udp UNCONN 0 0 ::1:323 :::*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 100 127.0.0.1:25 *:*
tcp ESTAB 0 356 192.168.87.130:22 192.168.87.1:55741
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 100 ::1:25 :::*
tcp LISTEN 0 80 :::3306 :::*
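The awk one-liner above counts states from netstat output, and ss -an prints the same information in a slightly different layout (the state is the second column and is spelled ESTAB rather than ESTABLISHED). The script below is an added example, not code from the original post: it wraps both layouts in one set of shell functions and applies the post's "within 1000 established connections" rule as a threshold check. The netstat and ss listings embedded in it are constructed samples, not captured from lgs-01, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): count TCP connection states
# from netstat -an or ss -an output and flag an ESTABLISHED count above a
# threshold. Both listings below are constructed samples, not real captures.

# Constructed netstat -an style lines (state is the last field of tcp lines).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0    356 192.168.87.130:22       192.168.87.1:55741      ESTABLISHED
tcp        0      0 192.168.87.130:22       192.168.87.1:55800      ESTABLISHED
tcp        0      0 192.168.87.130:22       192.168.87.1:55801      TIME_WAIT
tcp6       0      0 :::3306                 :::*                    LISTEN
udp        0      0 127.0.0.1:323           0.0.0.0:*'

# Constructed ss -an style lines (Netid is the first field, state the second).
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
tcp   LISTEN 0      128    *:22                 *:*
tcp   ESTAB  0      356    192.168.87.130:22    192.168.87.1:55741
tcp   ESTAB  0      0      192.168.87.130:22    192.168.87.1:55800
tcp   LISTEN 0      80     :::3306              :::*
udp   UNCONN 0      0      127.0.0.1:323        *:*'

# count_states FORMAT (netstat or ss): reads the listing on stdin and prints
# "STATE COUNT" lines sorted by state name.
count_states() {
    case "$1" in
        netstat) prog='/^tcp/ { c[$NF]++ } END { for (s in c) print s, c[s] }' ;;
        ss)      prog='$1 == "tcp" { c[$2]++ } END { for (s in c) print s, c[s] }' ;;
        *)       echo "usage: count_states netstat|ss" >&2; return 2 ;;
    esac
    awk "$prog" | sort
}

# established_count FORMAT: number of established TCP connections. ss prints
# the state as ESTAB and netstat as ESTABLISHED; both spellings are matched.
established_count() {
    count_states "$1" | awk '$1 == "ESTABLISHED" || $1 == "ESTAB" { n = $2 } END { print n + 0 }'
}

# check_established FORMAT THRESHOLD: exit 0 when the established count is at
# or below THRESHOLD, 1 when it exceeds it. The post treats 1000 as the
# comfortable upper bound, so that is the value to pass on a typical host.
check_established() {
    n=$(established_count "$1")
    if [ "$n" -gt "$2" ]; then
        echo "WARN: $n established connections exceeds $2" >&2
        return 1
    fi
    echo "OK: $n established connections (limit $2)"
    return 0
}

# Usage on the constructed samples; on a live host pipe the real command:
#   netstat -an | check_established netstat 1000
#   ss -an      | check_established ss 1000
printf '%s\n' "$NETSTAT_SAMPLE" | count_states netstat
printf '%s\n' "$SS_SAMPLE" | check_established ss 1000
```

Because ss filters on the Netid column, the udp line in the sample is ignored, exactly as the original awk ignores non-tcp lines via /^tcp/; the tcp6 line in the netstat sample is counted, since it also matches that prefix.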
When NIC traffic is abnormal, use tcpdump to capture packets and work out where the anomaly lies; once incoming packets exceed ten thousand, a capture tool lets you see what kind of packets are arriving.
tcpdump: shows the packets entering and leaving a NIC, i.e. the flow of data from source IP to destination IP.
The commonly used options are -nn -i: -i selects the interface, and -n shows IP addresses as numbers instead of resolving them to hostnames (doubling it, -nn, also leaves port numbers unresolved).
[root@lgs-01 ~]# tcpdump -nn -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:55:22.543456 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1123041043:1123041255, ack 2103498148, win 42480, length 212
22:55:22.543859 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 212, win 64911, length 0
22:55:22.544095 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 212:504, ack 1, win 42480, length 292
22:55:22.553492 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 504:668, ack 1, win 42480, length 164
22:55:22.553568 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 668, win 64455, length 0
22:55:22.553810 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 668:944, ack 1, win 42480, length 276
22:55:22.554135 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 944:1108, ack 1, win 42480, length 164
22:55:22.554225 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 1108, win 65535, length 0
22:55:22.554385 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1108:1384, ack 1, win 42480, length 276
22:55:22.555297 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1384:1564, ack 1, win 42480, length 180
22:55:22.555553 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 1564, win 65079, length 0
22:55:22.555845 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1564:1840, ack 1, win 42480, length 276
^C
407 packets captured
410 packets received by filter
0 packets dropped by kernel
If the packets are UDP, it may be a UDP flood, i.e. the host is under a DDoS attack. Among domestic anti-DDoS companies, Knownsec (知道創宇) is fairly well known.
-nn port 22: filter by port
[root@lgs-01 ~]# tcpdump -nn -i ens33 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:00:29.162602 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1124966907:1124967119, ack 2103510156, win 42480, length 212
23:00:29.162738 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 212, win 64251, length 0
23:00:29.162993 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 212:504, ack 1, win 42480, length 292
23:00:29.163219 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 504:668, ack 1, win 42480, length 164
23:00:29.163301 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 668, win 65535, length 0
23:00:29.163445 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 668:944, ack 1, win 42480, length 276
23:00:29.163622 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 944:1108, ack 1, win 42480, length 164
23:00:29.163692 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 1108, win 65095, length 0
23:00:29.163835 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1108:1384, ack 1, win 42480, length 276
23:00:29.164121 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1384:1564, ack 1, win 42480, length 180
23:00:29.164259 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 1564, win 64639, length 0
23:00:29.165500 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1564:1840, ack 1, win 42480, length 276
23:00:29.166456 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1840:2020, ack 1, win 42480, length 180
-nn not port 22: exclude port 22
[root@lgs-01 ~]# tcpdump -nn -i ens33 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:01:34.896216 ARP, Request who-has 192.168.87.2 tell 192.168.87.130, length 28
23:01:34.896723 ARP, Reply 192.168.87.2 is-at 00:50:56:fc:02:e0, length 46
23:01:48.122694 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:48.125085 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:48.184388 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:48.186000 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:48.190795 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:48.190849 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:48.203298 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:48.203671 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:48.307289 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:48.307322 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:48.324302 IP6 fe80::712f:1717:5c59:3eb5.52043 > ff02::1:3.5355: UDP, length 33
23:01:48.324446 IP 192.168.87.1.53236 > 224.0.0.252.5355: UDP, length 33
23:01:52.233741 ARP, Request who-has 192.168.87.254 tell 192.168.87.1, length 46
23:01:52.233860 IP 192.168.87.1.68 > 192.168.87.254.67: BOOTP/DHCP, Request from 00:50:56:c0:00:08, length 314
23:01:52.233864 ARP, Reply 192.168.87.254 is-at 00:50:56:eb:bf:de, length 46
23:01:52.233867 IP 192.168.87.254.67 > 192.168.87.1.68: BOOTP/DHCP, Reply, length 300
23:01:52.263986 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:52.264013 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:52.295529 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:52.295579 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:52.298609 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:52.298649 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:52.307283 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:52.307318 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:52.321085 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:52.321109 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:52.420653 IP6 fe80::712f:1717:5c59:3eb5.60038 > ff02::1:3.5355: UDP, length 33
23:01:52.420685 IP 192.168.87.1.64363 > 224.0.0.252.5355: UDP, length 33
23:01:52.807692 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:52.807734 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:54.291363 ARP, Request who-has 192.168.87.2 tell 192.168.87.1, length 46
-nn port 22 and host 192.168.87.130: additionally restrict to one IP address (the port and host filters are combined with "and", as in the command below)
[root@lgs-01 ~]# tcpdump -nn -i ens33 port 22 and host 192.168.87.130
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:04:10.183507 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1125389995:1125390207, ack 2103516588, win 42480, length 212
23:04:10.183691 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 212, win 65155, length 0
23:04:10.184014 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 212:504, ack 1, win 42480, length 292
23:04:10.184535 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 504:668, ack 1, win 42480, length 164
23:04:10.184626 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 668, win 64699, length 0
23:04:10.184840 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 668:944, ack 1, win 42480, length 276
23:04:10.185036 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 944:1108, ack 1, win 42480, length 164
23:04:10.185105 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 1108, win 64259, length 0
23:04:10.206582 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1108:1384, ack 1, win 42480, length 276
23:04:10.218205 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1384:1564, ack 1, win 42480, length 180
23:04:10.218394 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 1564, win 65535, length 0
23:04:10.219680 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1564:1840, ack 1, win 42480, length 276
23:04:10.219865 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1840:2020, ack 1, win 42480, length 180
23:04:10.219931 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 2020, win 65079, length 0
23:04:10.220033 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 2020:2296, ack 1, win 42480, length 276
23:04:10.220254 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 2296:2476, ack 1, win 42480, length 180
23:04:10.220342 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 2476, win 64623, length 0
23:04:10.220866 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 2476:2752, ack 1, win 42480, length 276
23:04:10.228644 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 2752:2932, ack 1, win 42480, length 180
23:04:10.228856 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 2932, win 64167, length 0
23:04:10.228960 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 2932:3112, ack 1, win 42480, length 180
23:04:10.229180 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 3112:3388, ack 1, win 42480, length 276
23:04:10.229261 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 3388, win 65535, length 0
23:04:10.229440 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 3388:3664, ack 1, win 42480, length 276
23:04:10.235245 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 3664:3844, ack 1, win 42480, length 180
23:04:10.235547 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 3844, win 65079, length 0
23:04:10.235873 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 3844:4120, ack 1, win 42480, length 276
23:04:10.236032 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 4120:4300, ack 1, win 42480, length 180
23:04:10.236091 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 4300, win 64623, length 0
23:04:10.236161 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 4300:4576, ack 1, win 42480, length 276
23:04:10.236246 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 4576:4756, ack 1, win 42480, length 180
23:04:10.236290 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 4756, win 64167, length 0
23:04:10.236333 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 4756:5032, ack 1, win 42480, length 276
23:04:10.236402 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 5032:5212, ack 1, win 42480, length 180
-c 100 -w /tmp/1.cap: capture 100 packets and write them to a file
[root@lgs-01 ~]# tcpdump -nn -i ens33 -c 100 -w /tmp/1.cap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
100 packets captured
100 packets received by filter
0 packets dropped by kernel
The 1.cap file cannot be viewed directly with cat (cat just shows garbage); use tcpdump to read it.
[root@lgs-01 ~]# ls -l /tmp/1.cap
-rw-r--r--. 1 tcpdump tcpdump 16415 5月 7 23:06 /tmp/1.cap
[root@lgs-01 ~]# file /tmp/1.cap
/tmp/1.cap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)
[root@lgs-01 ~]# cat /tmp/1.cap
Ճ²¡7kˊPV p l8x✉$NO_¼#@@湀¨W(WٽC h欴ۖ¬݂㢕)B؏¦ӥC£vٵg%~sº%"¢þ¶¯٥_ 낚A^®fٽHH˒_$a䃧韖2,|¼~¹4¯½Ҵ¨&䄸{B炷k<< )Ѣ¸E( n@@(W(Wٽ}a)C#Pþ¯ؿk33Pܠgþq/\Y>µÿ"#gҁƲځ .⫍TKDa PV'MS-20170122YATWMSFT 5.'@kjj )Ѣ¸E\ o@@Y(W(Wٽ}a)C#Pþۆ@K¼詀G�DɁ5i̠𐰥4 ųMRs@k66PV
1.cap holds the raw packets captured from the NIC. Read it back with tcpdump -r; note that without -nn the output below resolves addresses and ports to names (lgs-01.ssh, gateway, ntp).
[root@lgs-01 ~]# tcpdump -r /tmp/1.cap
reading from file /tmp/1.cap, link-type EN10MB (Ethernet)
23:05:27.975940 IP lgs-01.ssh > 192.168.87.1.55741: Flags [P.], seq 1125453199:1125453347, ack 2103519516, win 42480, length 148
23:05:27.976575 IP 192.168.87.1.55741 > lgs-01.ssh: Flags [.], ack 148, win 65179, length 0
23:05:35.530558 IP6 fe80::712f:1717:5c59:3eb5.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
23:05:36.310133 IP 192.168.87.1.55741 > lgs-01.ssh: Flags [P.], seq 1:53, ack 148, win 65179, length 52
23:05:36.375497 IP lgs-01.ssh > 192.168.87.1.55741: Flags [.], ack 53, win 42480, length 0
23:05:48.280605 IP lgs-01.58175 > 61-216-153-104.HINET-IP.hinet.net.ntp: NTPv4, Client, length 48
23:05:48.337106 IP 61-216-153-104.HINET-IP.hinet.net.ntp > lgs-01.58175: NTPv4, Server, length 48
23:05:51.530722 IP6 fe80::712f:1717:5c59:3eb5.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
23:05:53.296589 ARP, Request who-has gateway tell lgs-01, length 28
23:05:53.296809 ARP, Reply gateway is-at 00:50:56:fc:02:e0 (oui Unknown), length 46
23:05:54.290567 ARP, Request who-has gateway tell 192.168.87.1, length 46
23:05:54.806558 ARP, Request who-has gateway tell 192.168.87.1, length 46
23:05:55.806633 ARP, Request who-has gateway tell 192.168.87.1, length 46
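The tcpdump section above makes two points worth turning into a repeatable check: a capture dominated by UDP may be a UDP flood, and a saved capture (tcpdump -w, read back with tcpdump -r) can be analysed after the fact. The script below is an added example, not code from the original post: it classifies tcpdump -nn text lines by protocol, lists the busiest UDP sources, and flags a capture whose UDP share passes a threshold. The capture lines embedded in it are constructed to look like tcpdump -nn output (the 203.0.113.x addresses are documentation addresses, not real hosts), and the function names and thresholds are my own.

```shell
#!/bin/sh
# Added example (not from the original post): classify tcpdump -nn text
# output by protocol, list the busiest UDP source addresses, and flag a
# capture whose traffic is dominated by UDP, the pattern the post associates
# with a UDP flood. CAPTURE_SAMPLE is constructed, not a real capture.

CAPTURE_SAMPLE='22:55:22.543456 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1:213, ack 1, win 42480, length 212
22:55:22.543859 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 212, win 64911, length 0
23:01:34.896216 ARP, Request who-has 192.168.87.2 tell 192.168.87.130, length 28
23:01:48.324446 IP 192.168.87.1.53236 > 224.0.0.252.5355: UDP, length 33
23:01:48.324447 IP 203.0.113.10.41000 > 192.168.87.130.53: UDP, length 1200
23:01:48.324448 IP 203.0.113.10.41001 > 192.168.87.130.53: UDP, length 1200
23:01:48.324449 IP 203.0.113.11.41002 > 192.168.87.130.53: UDP, length 1200
23:01:48.324450 IP 203.0.113.12.41003 > 192.168.87.130.53: UDP, length 1200
23:01:48.324451 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28'

# proto_counts: reads tcpdump -nn lines on stdin and prints "PROTO COUNT",
# highest count first. IPv4 TCP/UDP/ICMP, ARP and IPv6 are told apart;
# anything else is counted as "other".
proto_counts() {
    awk '
        $2 == "ARP,"             { c["arp"]++;  next }
        $2 == "IP6"              { c["ip6"]++;  next }
        $2 == "IP" && /Flags \[/ { c["tcp"]++;  next }
        $2 == "IP" && / UDP,/    { c["udp"]++;  next }
        $2 == "IP" && / ICMP /   { c["icmp"]++; next }
                                 { c["other"]++ }
        END { for (p in c) print p, c[p] }' | sort -k2,2nr -k1,1
}

# top_udp_sources N: the N addresses sending the most IPv4 UDP packets, as
# "COUNT ADDRESS" lines. tcpdump prints the source as a.b.c.d.port, so the
# trailing port is stripped before counting.
top_udp_sources() {
    awk '$2 == "IP" && / UDP,/ { src = $3; sub(/\.[0-9]+$/, "", src); c[src]++ }
         END { for (s in c) print c[s], s }' | sort -k1,1nr -k2,2 | head -n "${1:-5}"
}

# udp_share: percentage of capture lines that are IPv4 UDP, as an integer
# 0-100; an empty capture gives 0 rather than a division by zero.
udp_share() {
    awk '{ n++ } $2 == "IP" && / UDP,/ { u++ }
         END { if (n == 0) print 0; else print int(100 * u / n) }'
}

# flag_udp_flood MIN_PACKETS MIN_PERCENT: exit 1 (suspicious) when the capture
# holds at least MIN_PACKETS lines and UDP makes up at least MIN_PERCENT of
# them, otherwise exit 0. The thresholds are arguments on purpose; the post's
# "over ten thousand incoming packets" rule of thumb is one sensible setting.
flag_udp_flood() {
    tmp=$(mktemp)
    cat > "$tmp"
    total=$(awk 'END { print NR }' "$tmp")
    share=$(udp_share < "$tmp")
    rm -f "$tmp"
    if [ "$total" -ge "$1" ] && [ "$share" -ge "$2" ]; then
        echo "SUSPICIOUS: $total packets, ${share}% UDP" >&2
        return 1
    fi
    echo "normal: $total packets, ${share}% UDP"
    return 0
}

# Usage on the constructed sample; on a live host feed a real capture, e.g.
#   tcpdump -nn -i ens33 -c 10000 2>/dev/null | flag_udp_flood 10000 80
#   tcpdump -nn -r /tmp/1.cap 2>/dev/null | top_udp_sources 5
printf '%s\n' "$CAPTURE_SAMPLE" | proto_counts
printf '%s\n' "$CAPTURE_SAMPLE" | top_udp_sources 3
```

The per-line classification is deliberately coarse (it keys on the tokens tcpdump prints in its default one-line summary), which is enough to answer "what is flooding in and from where" before reaching for a deeper decoder such as tshark.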
The tshark command: provided by the wireshark package. It is a rather practical command that can show which IP requested which specific resource file on a web site, much like a web server's access log.
[root@lgs-01 ~]# tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"
tshark: -R without -2 is deprecated. For single-pass filtering use -Y.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'nflog'
^C0 packets captured
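The tshark invocation above emits one tab-separated line per HTTP request; the capture shows zero packets because no interface was given (tshark picked nflog) and the -R filter is deprecated in favour of -Y. The script below is an added example, not code from the original post: it turns lines in that field layout (frame.time, ip.src, http.host, http.request.method, http.request.uri) into access-log style lines and summarises requests per client, which is the "who fetched what" view the post compares to a web access log. The field lines embedded in it are constructed, not real tshark output, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): post-process tshark
# "-T fields" HTTP request output into access-log style lines and a
# per-client request summary. TSHARK_SAMPLE is constructed to match the
# field order of the post's command; it is not real tshark output.

TSHARK_SAMPLE="$(printf 'May  7, 2018 23:10:01.000 CST\t192.168.87.1\twww.example.com\tGET\t/index.html
May  7, 2018 23:10:02.000 CST\t192.168.87.1\twww.example.com\tGET\t/static/app.js
May  7, 2018 23:10:03.000 CST\t203.0.113.5\twww.example.com\tPOST\t/login
May  7, 2018 23:10:04.000 CST\t203.0.113.5\twww.example.com\tPOST\t/login
May  7, 2018 23:10:05.000 CST\t203.0.113.5\twww.example.com\tPOST\t/login')"

# to_access_log: reads tshark field lines on stdin and prints one line per
# request as  CLIENT [TIME] "METHOD http://HOST/URI"  in the spirit of a web
# server access log. Lines with fewer than five fields (no HTTP layer) are
# skipped.
to_access_log() {
    awk -F'\t' 'NF >= 5 { printf "%s [%s] \"%s http://%s%s\"\n", $2, $1, $4, $3, $5 }'
}

# requests_by_client: prints "COUNT CLIENT METHOD URI", highest count first,
# so a single address repeatedly posting to one path stands out.
requests_by_client() {
    awk -F'\t' 'NF >= 5 { c[$2 "\t" $4 "\t" $5]++ }
                END { for (k in c) { split(k, f, "\t"); print c[k], f[1], f[2], f[3] } }' \
        | sort -k1,1nr -k2,2
}

# Usage on the constructed sample. On a live host run tshark itself; the
# same capture as the post's, on an interface and with the single-pass
# display filter (-Y) the tool recommends, would be:
#   tshark -n -i ens33 -t a -Y http.request -T fields -e frame.time -e ip.src \
#       -e http.host -e http.request.method -e http.request.uri | to_access_log
printf '%s\n' "$TSHARK_SAMPLE" | to_access_log
printf '%s\n' "$TSHARK_SAMPLE" | requests_by_client
```

Both functions split on tabs rather than whitespace because frame.time itself contains spaces; splitting on whitespace would shift every other field.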