10.6 Monitoring I/O performance
iostat command: shows detailed I/O statistics for each disk. It comes with the sysstat package.
When vmstat shows a large value in the b column or the wa column, the disk may be the bottleneck; use iostat to work out where on the disks the bottleneck is. It reports the figures for each disk separately.
[root@lgs-01 ~]# iostat 1 3
Linux 3.10.0-693.el7.x86_64 (lgs-01) 2018年05月07日 _x86_64_ (2 CPU)
avg-cpu: %user %nice %system %iowait %steal %idle
0.49 0.00 1.80 0.13 0.00 97.59
Device: tps kB_read/s kB_wrtn/s kB_read kB_wrtn
sda 67.30 1074.56 76.33 164784 11705
sdb 1.61 23.55 0.00 3612 0
dm-0 0.28 6.76 0.00 1036 0
avg-cpu: %user %nice %system %iowait %steal %idle
0.00 0.00 0.50 0.00 0.00 99.50
Device: tps kB_read/s kB_wrtn/s kB_read kB_wrtn
sda 0.00 0.00 0.00 0 0
sdb 0.00 0.00 0.00 0 0
dm-0 0.00 0.00 0.00 0 0
avg-cpu: %user %nice %system %iowait %steal %idle
0.00 0.00 0.00 0.00 0.00 100.00
Device: tps kB_read/s kB_wrtn/s kB_read kB_wrtn
sda 0.00 0.00 0.00 0 0
sdb 0.00 0.00 0.00 0 0
dm-0 0.00 0.00 0.00 0 0
Similar results to sar -b 1 3
[root@lgs-01 ~]# sar -b 1 3
Linux 3.10.0-693.el7.x86_64 (lgs-01) 2018年05月07日 _x86_64_ (2 CPU)
21时47分49秒 tps rtps wtps bread/s bwrtn/s
21时47分50秒 0.00 0.00 0.00 0.00 0.00
21时47分51秒 0.00 0.00 0.00 0.00 0.00
21时47分52秒 0.00 0.00 0.00 0.00 0.00
平均时间: 0.00 0.00 0.00 0.00 0.00
Pay most attention to iostat -x: its important column is %util, the percentage of the one-second interval that was spent waiting on I/O requests. Above 60% you should start watching for trouble.
[root@lgs-01 ~]# iostat -x
Linux 3.10.0-693.el7.x86_64 (lgs-01) 2018年05月07日 _x86_64_ (2 CPU)
avg-cpu: %user %nice %system %iowait %steal %idle
0.20 0.00 0.84 0.05 0.00 98.91
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
sda 0.01 0.38 14.76 11.38 415.94 30.41 34.14 0.04 1.47 0.58 2.63 0.22 0.57
sdb 0.00 0.00 0.62 0.00 9.11 0.00 29.25 0.00 0.34 0.34 0.00 0.26 0.02
dm-0 0.00 0.00 0.11 0.00 2.61 0.00 48.19 0.00 0.35 0.35 0.00 0.21 0.00
iotop command: shows the disk reads and writes of individual processes, sorted by the IO> column
[root@lgs-01 ~]# iotop
Total DISK READ : 0.00 B/s | Total DISK WRITE : 0.00 B/s
Actual DISK READ: 0.00 B/s | Actual DISK WRITE: 0.00 B/s
TID PRIO USER DISK READ DISK WRITE SWAPIN IO> COMMAND
512 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [xfsaild/sda1]
1 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % systemd --switched-root --system --deserialize 21
2 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kthreadd]
3 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksoftirqd/0]
5 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/0:0H]
6 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/u256:0]
7 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [migration/0]
8 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [rcu_bh]
9 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [rcu_sched]
10 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [watchdog/0]
11 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [watchdog/1]
12 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [migration/1]
13 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksoftirqd/1]
15 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/1:0H]
17 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kdevtmpfs]
18 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [netns]
19 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [khungtaskd]
20 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [writeback]
21 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kintegrityd]
22 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [bioset]
23 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kblockd]
24 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [md]
25 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/0:1]
30 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kswapd0]
31 be/5 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksmd]
32 be/7 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [khugepaged]
33 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [crypto]
41 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kthrotld]
42 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/1:1]
43 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/u256:1]
44 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kmpath_rdacd]
45 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kpsmoused]
46 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/0:2]
47 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ipv6_addrconf]
561 be/4 dbus 0.00 B/s 0.00 B/s 0.00 % 0.00 % dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
565 be/4 dbus 0.00 B/s 0.00 B/s 0.00 % 0.00 % dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
566 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % VGAuthService -s
567 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % vmtoolsd
568 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % irqbalance --foreground
569 be/4 polkitd 0.00 B/s 0.00 B/s 0.00 % 0.00 % polkitd --no-debug
10.7 The free command
free command: shows overall memory usage
[root@lgs-01 ~]# free
total used free shared buff/cache available
Mem: 1867048 584212 758824 8784 524012 1091040
Swap: 4194300 0 4194300
-m option: display in MB
[root@lgs-01 ~]# free -m
total used free shared buff/cache available
Mem: 1823 570 741 8 511 1065
Swap: 4095 0 4095
-h option: display in human-readable units
[root@lgs-01 ~]# free -h
total used free shared buff/cache available
Mem: 1.8G 570M 741M 8.6M 511M 1.0G
Swap: 4.0G 0B 4.0G
total = used + free + buff/cache
available = free + the reclaimable part of buff/cache
Because the speed gap between the CPU and disk reads/writes is so large, cache and buff are introduced to bridge it.
Concept of cache: data (on disk) ---> memory (called the cache) ---> CPU (computation)
Concept of buff: CPU (data after computation) ---> memory (the buffer) ---> data (results saved to disk)
10.8 The ps command
ps command: a snapshot of all current processes; it is static
Usually used as ps aux, comparable to the Windows Task Manager
[root@lgs-01 ~]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 128164 6828 ? Ss 21:44 0:00 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
root 2 0.0 0.0 0 0 ? S 21:44 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 21:44 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 21:44 0:00 [kworker/0:0H]
root 6 0.0 0.0 0 0 ? S 21:44 0:00 [kworker/u256:0]
root 7 0.0 0.0 0 0 ? S 21:44 0:00 [migration/0]
root 8 0.0 0.0 0 0 ? S 21:44 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? S 21:44 0:00 [rcu_sched]
root 10 0.0 0.0 0 0 ? S 21:44 0:00 [watchdog/0]
root 11 0.0 0.0 0 0 ? S 21:44 0:00 [watchdog/1]
root 12 0.0 0.0 0 0 ? S 21:44 0:00 [migration/1]
root 13 0.0 0.0 0 0 ? S 21:44 0:00 [ksoftirqd/1]
root 15 0.0 0.0 0 0 ? S< 21:44 0:00 [kworker/1:0H]
root 17 0.0 0.0 0 0 ? S 21:44 0:00 [kdevtmpfs]
root 18 0.0 0.0 0 0 ? S< 21:44 0:00 [netns]
root 19 0.0 0.0 0 0 ? S 21:44 0:00 [khungtaskd]
root 20 0.0 0.0 0 0 ? S< 21:44 0:00 [writeback]
root 21 0.0 0.0 0 0 ? S< 21:44 0:00 [kintegrityd]
root 22 0.0 0.0 0 0 ? S< 21:44 0:00 [bioset]
root 23 0.0 0.0 0 0 ? S< 21:44 0:00 [kblockd]
root 24 0.0 0.0 0 0 ? S< 21:44 0:00 [md]
root 30 0.0 0.0 0 0 ? S 21:44 0:00 [kswapd0]
root 31 0.0 0.0 0 0 ? SN 21:44 0:00 [ksmd]
root 32 0.0 0.0 0 0 ? SN 21:44 0:00 [khugepaged]
root 33 0.0 0.0 0 0 ? S< 21:44 0:00 [crypto]
root 41 0.0 0.0 0 0 ? S< 21:44 0:00 [kthrotld]
root 43 0.0 0.0 0 0 ? S 21:44 0:00 [kworker/u256:1]
root 44 0.0 0.0 0 0 ? S< 21:44 0:00 [kmpath_rdacd]
root 45 0.0 0.0 0 0 ? S< 21:44 0:00 [kpsmoused]
root 46 0.0 0.0 0 0 ? R 21:44 0:00 [kworker/0:2]
root 47 0.0 0.0 0 0 ? S< 21:44 0:00 [ipv6_addrconf]
root 66 0.0 0.0 0 0 ? S< 21:44 0:00 [deferwq]
root 99 0.0 0.0 0 0 ? S 21:44 0:00 [kauditd]
root 236 0.0 0.0 0 0 ? S 21:44 0:00 [kworker/1:2]
root 238 0.0 0.0 0 0 ? S< 21:44 0:00 [ata_sff]
root 239 0.0 0.0 0 0 ? S 21:44 0:00 [scsi_eh_0]
root 240 0.0 0.0 0 0 ? S< 21:44 0:00 [scsi_tmf_0]
root 241 0.0 0.0 0 0 ? S 21:44 0:00 [scsi_eh_1]
root 242 0.0 0.0 0 0 ? S< 21:44 0:00 [scsi_tmf_1]
root 245 0.0 0.0 0 0 ? S< 21:44 0:00 [mpt_poll_0]
root 246 0.0 0.0 0 0 ? S< 21:44 0:00 [mpt/0]
root 254 0.0 0.0 0 0 ? S 21:44 0:00 [scsi_eh_2]
root 255 0.0 0.0 0 0 ? S< 21:44 0:00 [scsi_tmf_2]
root 257 0.0 0.0 0 0 ? S< 21:44 0:00 [ttm_swap]
root 285 0.0 0.0 0 0 ? S< 21:44 0:00 [bioset]
root 286 0.0 0.0 0 0 ? S< 21:44 0:00 [xfsalloc]
root 287 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs_mru_cache]
root 288 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-buf/sda3]
root 289 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-data/sda3]
root 290 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-conv/sda3]
root 291 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-cil/sda3]
root 292 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-reclaim/sda]
root 293 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-log/sda3]
root 294 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-eofblocks/s]
root 295 0.0 0.0 0 0 ? S 21:44 0:00 [xfsaild/sda3]
root 363 0.0 0.1 36832 2840 ? Ss 21:44 0:00 /usr/lib/systemd/systemd-journald
root 381 0.0 0.3 342552 6012 ? Ss 21:44 0:00 /usr/sbin/lvmetad -f
root 391 0.0 0.3 47872 5896 ? Ss 21:44 0:00 /usr/lib/systemd/systemd-udevd
root 414 0.0 0.0 0 0 ? S< 21:44 0:00 [nfit]
root 451 0.0 0.0 0 0 ? S< 21:44 0:00 [kworker/1:1H]
root 500 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-buf/sda1]
root 501 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-data/sda1]
root 502 0.0 0.0 0 0 ? S< 21:44 0:00 [kdmflush]
root 503 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-conv/sda1]
root 504 0.0 0.0 0 0 ? S< 21:44 0:00 [bioset]
root 505 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-cil/sda1]
root 507 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-reclaim/sda]
root 508 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-log/sda1]
root 509 0.0 0.0 0 0 ? S< 21:44 0:00 [xfs-eofblocks/s]
root 512 0.0 0.0 0 0 ? S 21:44 0:00 [xfsaild/sda1]
root 535 0.0 0.0 55452 892 ? S
Combined with grep, it can check whether a specific process is running
[root@lgs-01 ~]# ps aux|grep mysql
root 956 0.0 0.0 115388 1700 ? S 21:44 0:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/data/mysql --pid-file=/data/mysql/lgs-01.pid
mysql 1180 0.2 24.2 1300776 452360 ? Sl 21:44 0:03 /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql --datadir=/data/mysql --plugin-dir=/usr/local/mysql/lib/plugin --user=mysql --log-error=/data/mysql/lgs-01.err --pid-file=/data/mysql/lgs-01.pid
root 1491 0.0 0.0 112680 984 pts/0 S+ 22:08 0:00 grep --color=auto mysql
ps -elf: similar to aux
[root@lgs-01 ~]# ps -elf
F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD
4 S root 1 0 0 80 0 - 32041 ep_pol 21:44 ? 00:00:00 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
1 S root 2 0 0 80 0 - 0 kthrea 21:44 ? 00:00:00 [kthreadd]
1 S root 3 2 0 80 0 - 0 smpboo 21:44 ? 00:00:00 [ksoftirqd/0]
1 S root 5 2 0 60 -20 - 0 worker 21:44 ? 00:00:00 [kworker/0:0H]
1 S root 6 2 0 80 0 - 0 worker 21:44 ? 00:00:00 [kworker/u256:0]
1 S root 7 2 0 -40 - - 0 smpboo 21:44 ? 00:00:00 [migration/0]
1 S root 8 2 0 80 0 - 0 rcu_gp 21:44 ? 00:00:00 [rcu_bh]
1 S root 9 2 0 80 0 - 0 rcu_gp 21:44 ? 00:00:00 [rcu_sched]
5 S root 10 2 0 -40 - - 0 smpboo 21:44 ? 00:00:00 [watchdog/0]
5 S root 11 2 0 -40 - - 0 smpboo 21:44 ? 00:00:00 [watchdog/1]
1 S root 12 2 0 -40 - - 0 smpboo 21:44 ? 00:00:00 [migration/1]
1 S root 13 2 0 80 0 - 0 smpboo 21:44 ? 00:00:00 [ksoftirqd/1]
1 S root 15 2 0 60 -20 - 0 worker 21:44 ? 00:00:00 [kworker/1:0H]
5 S root 17 2 0 80 0 - 0 devtmp 21:44 ? 00:00:00 [kdevtmpfs]
1 S root 18 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [netns]
1 S root 19 2 0 80 0 - 0 watchd 21:44 ? 00:00:00 [khungtaskd]
1 S root 20 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [writeback]
1 S root 21 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [kintegrityd]
1 S root 22 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [bioset]
1 S root 23 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [kblockd]
1 S root 24 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [md]
1 S root 30 2 0 80 0 - 0 kswapd 21:44 ? 00:00:00 [kswapd0]
1 S root 31 2 0 85 5 - 0 ksm_sc 21:44 ? 00:00:00 [ksmd]
1 S root 32 2 0 99 19 - 0 khugep 21:44 ? 00:00:00 [khugepaged]
1 S root 33 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [crypto]
1 S root 41 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [kthrotld]
1 S root 43 2 0 80 0 - 0 worker 21:44 ? 00:00:00 [kworker/u256:1]
1 S root 44 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [kmpath_rdacd]
1 S root 45 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [kpsmoused]
1 R root 46 2 0 80 0 - 0 - 21:44 ? 00:00:00 [kworker/0:2]
1 S root 47 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [ipv6_addrconf]
1 S root 66 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [deferwq]
1 S root 99 2 0 80 0 - 0 kaudit 21:44 ? 00:00:00 [kauditd]
1 S root 236 2 0 80 0 - 0 worker 21:44 ? 00:00:00 [kworker/1:2]
1 S root 238 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [ata_sff]
1 S root 239 2 0 80 0 - 0 scsi_e 21:44 ? 00:00:00 [scsi_eh_0]
1 S root 240 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [scsi_tmf_0]
1 S root 241 2 0 80 0 - 0 scsi_e 21:44 ? 00:00:00 [scsi_eh_1]
1 S root 242 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [scsi_tmf_1]
1 S root 245 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [mpt_poll_0]
1 S root 246 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [mpt/0]
1 S root 254 2 0 80 0 - 0 scsi_e 21:44 ? 00:00:00 [scsi_eh_2]
1 S root 255 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [scsi_tmf_2]
1 S root 257 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [ttm_swap]
1 S root 285 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [bioset]
1 S root 286 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfsalloc]
1 S root 287 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs_mru_cache]
1 S root 288 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-buf/sda3]
1 S root 289 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-data/sda3]
1 S root 290 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-conv/sda3]
1 S root 291 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-cil/sda3]
1 S root 292 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-reclaim/sda]
1 S root 293 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-log/sda3]
1 S root 294 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-eofblocks/s]
1 S root 295 2 0 80 0 - 0 xfsail 21:44 ? 00:00:00 [xfsaild/sda3]
4 S root 363 1 0 80 0 - 9208 ep_pol 21:44 ? 00:00:00 /usr/lib/systemd/systemd-journald
4 S root 381 1 0 80 0 - 85638 poll_s 21:44 ? 00:00:00 /usr/sbin/lvmetad -f
4 S root 391 1 0 80 0 - 11968 ep_pol 21:44 ? 00:00:00 /usr/lib/systemd/systemd-udevd
1 S root 414 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [nfit]
1 S root 451 2 0 60 -20 - 0 worker 21:44 ? 00:00:00 [kworker/1:1H]
1 S root 500 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-buf/sda1]
1 S root 501 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-data/sda1]
1 S root 502 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [kdmflush]
1 S root 503 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-conv/sda1]
1 S root 504 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [bioset]
1 S root 505 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-cil/sda1]
1 S root 507 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-reclaim/sda]
1 S root 508 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-log/sda1]
1 S root 509 2 0 60 -20 - 0 rescue 21:44 ? 00:00:00 [xfs-eofblocks/s]
1 S root 512 2 0 80 0 - 0 xfsail 21:44 ? 00:00:00 [xfsaild/sda1]
5 S root 535 1 0 76 -4 - 13863 ep_pol 21:44 ? 00:00:00 /sbin/auditd
4 S dbus 561 1 0 80 0 - 8217 ep_pol 21:44 ? 00:00:00 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --sy
4 S root 566 1 0 80 0 - 24902 poll_s 21:44 ? 00:00:00 /usr/bin/VGAuthService -s
4 S root 567 1 0 80 0 - 76324 poll_s 21:44 ? 00:00:01 /usr/bin/vmtoolsd
4 S root 568 1 0 80 0 - 5405 hrtime 21:44 ? 00:00:00 /usr/sbin/irqbalance --foreground
4 S polkitd 569 1 0 80 0 - 133772 poll_s 21:44 ? 00:00:00 /usr/lib/polkit-1/polkitd --no-debug
4 S root 570 1 0 80 0 - 54097 poll_s 21:44 ? 00:00:00 /usr/sbin/rsyslogd -n
4 S root 573 1 0 80 0 - 6051 ep_pol 21:44 ? 00:00:00 /usr/lib/systemd/systemd-logind
4 S root 576 1 0 80 0 - 31559 hrtime 21:44 ? 00:00:00 /usr/sbin/crond -n
5 S chrony 580 1 0 80 0 - 28910 poll_s 21:44 ? 00:00:00 /usr/sbin/chronyd
4 S root 601 1 0 80 0 - 83559 poll_s 21:44 ? 00:00:00 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
4 S root 617 1 0 80 0 - 118063 poll_s 21:44 ? 00:00:00 /usr/sbin/NetworkManager --no-daemon
1 S root 679 2 0 60 -20 - 0 worker 21:44 ? 00:00:00 [kworker/0:1H]
4 S root 918 1 0 80 0 - 26499 poll_s 21:44 ? 00:00:00 /usr/sbin/sshd -D
4 S root 921 1 0 80 0 - 140598 poll_s 21:44 ? 00:00:00 /usr/bin/python -Es /usr/sbin/tuned -l -P
4 S root 956 1 0 80 0 - 28847 do_wai 21:44 ? 00:00:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/data/mysql --pid-f
4 S mysql 1180 956 0 80 0 - 325194 poll_s 21:44 ? 00:00:03 /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql --datadir=/data
4 D root 1227 918 0 80 0 - 36961 flush_ 21:44 ? 00:00:00 sshd: root@pts/0
5 S root 1278 1 0 80 0 - 22386 ep_pol 21:44 ? 00:00:00 /usr/libexec/postfix/master -w
4 S root 1281 1 0 80 0 - 27511 n_tty_ 21:44 tty1 00:00:00 /sbin/agetty --noclear tty1 linux
4 S postfix 1282 1278 0 80 0 - 22412 ep_pol 21:44 ? 00:00:00 pickup -l -t unix -u
4 S postfix 1283 1278 0 80 0 - 22429 ep_pol 21:44 ? 00:00:00 qmgr -l -t unix -u
4 S root 1377 1227 0 80 0 - 28881 do_wai 21:44 pts/0 00:00:00 -bash
1 S root 1454 2 0 80 0 - 0 worker 21:54 ? 00:00:00 [kworker/1:0]
1 S root 1484 2 0 80 0 - 0 worker 22:01 ? 00:00:00 [kworker/0:0]
1 S root 1485 2 0 80 0 - 0 worker 22:06 ? 00:00:00 [kworker/0:1]
1 S root 1492 2 0 80 0 - 0 worker 22:09 ? 00:00:00 [kworker/0:3]
0 R root 1493 1377 0 80 0 - 37766 - 22:09 pts/0 00:00:00 ps -elf
When the system has been compromised and you see an unfamiliar process, you can look it up by its PID, e.g. 956
[root@lgs-01 ~]# ps aux|grep 956
root 956 0.0 0.0 115388 1700 ? S 21:44 0:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/data/mysql --pid-file=/data/mysql/lgs-01.pid
root 1503 0.0 0.0 112676 988 pts/0 R+ 22:11 0:00 grep --color=auto 956
Every process has a directory named after its PID under /proc/
[root@lgs-01 ~]# ls /proc/
1 1283 17 238 255 292 363 46 507 569 679 asound diskstats ioports loadavg net stat version
10 13 18 239 257 293 381 47 508 570 7 buddyinfo dma irq locks pagetypeinfo swaps vmallocinfo
11 1377 19 24 285 294 391 5 509 573 8 bus driver kallsyms mdstat partitions sys vmstat
1180 1454 2 240 286 295 41 500 512 576 9 cgroups execdomains kcore meminfo sched_debug sysrq-trigger zoneinfo
12 1484 20 241 287 3 414 501 535 580 918 cmdline fb keys misc schedstat sysvipc
1227 1485 21 242 288 30 43 502 561 6 921 consoles filesystems key-users modules scsi timer_list
1278 1492 22 245 289 31 44 503 566 601 956 cpuinfo fs kmsg mounts self timer_stats
1281 15 23 246 290 32 45 504 567 617 99 crypto interrupts kpagecount mpt slabinfo tty
1282 1506 236 254 291 33 451 505 568 66 acpi devices iomem kpageflags mtrr softirqs uptime
Enter the /proc/956/ directory and look at the files in it to find out where the process lives; the intruder's unfamiliar process can then be removed. For example, process 956's directory is /usr/local/mysql
[root@lgs-01 ~]# ls -l /proc/956
总用量 0
dr-xr-xr-x. 2 root root 0 5月 7 22:12 attr
-rw-r--r--. 1 root root 0 5月 7 22:12 autogroup
-r--------. 1 root root 0 5月 7 22:12 auxv
-r--r--r--. 1 root root 0 5月 7 22:12 cgroup
--w-------. 1 root root 0 5月 7 22:12 clear_refs
-r--r--r--. 1 root root 0 5月 7 22:07 cmdline
-rw-r--r--. 1 root root 0 5月 7 22:12 comm
-rw-r--r--. 1 root root 0 5月 7 22:12 coredump_filter
-r--r--r--. 1 root root 0 5月 7 22:12 cpuset
lrwxrwxrwx. 1 root root 0 5月 7 22:12 cwd -> /usr/local/mysql
-r--------. 1 root root 0 5月 7 22:12 environ
lrwxrwxrwx. 1 root root 0 5月 7 22:12 exe -> /usr/bin/bash
dr-x------. 2 root root 0 5月 7 22:12 fd
dr-x------. 2 root root 0 5月 7 22:12 fdinfo
-rw-r--r--. 1 root root 0 5月 7 22:12 gid_map
-r--------. 1 root root 0 5月 7 22:12 io
-r--r--r--. 1 root root 0 5月 7 22:12 limits
-rw-r--r--. 1 root root 0 5月 7 22:12 loginuid
dr-x------. 2 root root 0 5月 7 22:12 map_files
-r--r--r--. 1 root root 0 5月 7 22:12 maps
-rw-------. 1 root root 0 5月 7 22:12 mem
-r--r--r--. 1 root root 0 5月 7 22:12 mountinfo
-r--r--r--. 1 root root 0 5月 7 22:12 mounts
-r--------. 1 root root 0 5月 7 22:12 mountstats
dr-xr-xr-x. 5 root root 0 5月 7 22:12 net
dr-x--x--x. 2 root root 0 5月 7 22:12 ns
-r--r--r--. 1 root root 0 5月 7 22:12 numa_maps
-rw-r--r--. 1 root root 0 5月 7 22:12 oom_adj
-r--r--r--. 1 root root 0 5月 7 22:12 oom_score
-rw-r--r--. 1 root root 0 5月 7 22:12 oom_score_adj
-r--r--r--. 1 root root 0 5月 7 22:12 pagemap
-r--r--r--. 1 root root 0 5月 7 22:12 personality
-rw-r--r--. 1 root root 0 5月 7 22:12 projid_map
lrwxrwxrwx. 1 root root 0 5月 7 22:12 root -> /
-rw-r--r--. 1 root root 0 5月 7 22:12 sched
-r--r--r--. 1 root root 0 5月 7 22:12 schedstat
-r--r--r--. 1 root root 0 5月 7 22:12 sessionid
-rw-r--r--. 1 root root 0 5月 7 22:12 setgroups
-r--r--r--. 1 root root 0 5月 7 22:12 smaps
-r--r--r--. 1 root root 0 5月 7 22:12 stack
-r--r--r--. 1 root root 0 5月 7 22:07 stat
-r--r--r--. 1 root root 0 5月 7 22:12 statm
-r--r--r--. 1 root root 0 5月 7 22:07 status
-r--r--r--. 1 root root 0 5月 7 22:12 syscall
dr-xr-xr-x. 3 root root 0 5月 7 21:54 task
-r--r--r--. 1 root root 0 5月 7 22:12 timers
-rw-r--r--. 1 root root 0 5月 7 22:12 uid_map
-r--r--r--. 1 root root 0 5月 7 22:09 wchan
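As an added example (not from the original notes), a shell function that collects from /proc/<pid> the same facts the listing above is read for by hand: the exe and cwd links and the command line, and a warning when the exe link ends in " (deleted)", which the kernel appends when the binary has been removed from disk after the process started. The /proc tree it is run against here is a constructed stand-in (entry 956 mirrors the listing above; entry 4242 is invented), so the example runs without a real process.

```shell
#!/bin/sh
# Added example: summarise what /proc/<pid> reveals about a process, the way
# the notes do by hand for PID 956: the binary it is running (exe), its
# working directory (cwd) and its full command line. Also warn when the
# executable has been removed from disk since the process started, which
# the kernel reports by appending " (deleted)" to the exe link.
# The second argument defaults to /proc; it exists only so the function can
# be exercised against a constructed directory tree.
inspect_pid() {
    pid="$1"
    root="${2:-/proc}"
    dir="$root/$pid"
    [ -d "$dir" ] || { echo "no such process: $pid" >&2; return 1; }
    exe=$(readlink "$dir/exe" 2>/dev/null || echo "?")
    cwd=$(readlink "$dir/cwd" 2>/dev/null || echo "?")
    # cmdline is NUL-separated; turn separators into spaces, drop the last one
    cmd=$(tr '\000' ' ' < "$dir/cmdline" 2>/dev/null | sed 's/ $//')
    printf 'pid=%s\nexe=%s\ncwd=%s\ncmdline=%s\n' "$pid" "$exe" "$cwd" "$cmd"
    case "$exe" in
        *" (deleted)") echo "WARNING: executable no longer exists on disk" ;;
    esac
}

# Constructed stand-in for /proc (not a real one): entry 956 mirrors the
# listing in the notes; entry 4242 is an invented process whose binary
# was deleted after it started.
make_fake_proc() {
    base=$(mktemp -d)
    mkdir -p "$base/956" "$base/4242"
    ln -s /usr/local/mysql "$base/956/cwd"
    ln -s /usr/bin/bash "$base/956/exe"
    printf '/bin/sh\000/usr/local/mysql/bin/mysqld_safe\000--datadir=/data/mysql\000' \
        > "$base/956/cmdline"
    ln -s /tmp "$base/4242/cwd"
    ln -s "/tmp/worker (deleted)" "$base/4242/exe"
    printf './worker\000' > "$base/4242/cmdline"
    echo "$base"
}

FAKE=$(make_fake_proc)
inspect_pid 956 "$FAKE"
inspect_pid 4242 "$FAKE"
rm -rf "$FAKE"
```

On a live host call `inspect_pid 956` with no second argument to read the real /proc.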
VSZ: virtual memory size. RSS: physical memory size
STAT: process state
D: uninterruptible sleep, fairly rare; many of them will raise the system's CPU load, but if CPU utilisation is low at the time there is no need to worry much
R: running; a process that is using the CPU during the observed period
S: sleeping; the process has finished its work and pauses, to be woken again later to use the CPU
T: stopped; e.g. a process suspended with Ctrl+Z and put in the background
Z: zombie; if there are too many they should be killed and cleaned up
<: high-priority process, gets the CPU first
N: low-priority process, in no hurry for the CPU
L: process with memory pages locked in memory
lowercase s: main process; e.g. nginx: master process with state Ss is the main process
lowercase l: multi-threaded process, containing several threads that share memory
+: foreground process, running in the foreground on a terminal
10.9 Checking network status
netstat command: shows detailed communication information for each protocol
Usually used with -lnp to see port information; pay attention to the listening ports and ignore the sockets section.
[root@lgs-01 ~]# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 918/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1278/master
tcp6 0 0 :::22 :::* LISTEN 918/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1278/master
tcp6 0 0 :::3306 :::* LISTEN 1180/mysqld
udp 0 0 127.0.0.1:323 0.0.0.0:* 580/chronyd
udp6 0 0 ::1:323 :::* 580/chronyd
raw6 0 0 :::58 :::* 7 617/NetworkManager
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 20318 1278/master private/anvil
unix 2 [ ACC ] STREAM LISTENING 20321 1278/master private/scache
unix 2 [ ACC ] STREAM LISTENING 20267 1278/master private/rewrite
unix 2 [ ACC ] STREAM LISTENING 20270 1278/master private/bounce
unix 2 [ ACC ] STREAM LISTENING 14906 1/systemd /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 1347 1/systemd /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 19309 1180/mysqld /tmp/mysql.sock
unix 2 [ ACC ] STREAM LISTENING 20238 1278/master public/pickup
unix 2 [ ACC ] STREAM LISTENING 20242 1278/master public/cleanup
unix 2 [ ACC ] STREAM LISTENING 20245 1278/master public/qmgr
unix 2 [ ACC ] STREAM LISTENING 20282 1278/master public/flush
unix 2 [ ACC ] STREAM LISTENING 20297 1278/master public/showq
unix 2 [ ACC ] STREAM LISTENING 12701 1/systemd /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 12723 1/systemd /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 20249 1278/master private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 20273 1278/master private/defer
unix 2 [ ACC ] SEQPACKET LISTENING 12736 1/systemd /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 20276 1278/master private/trace
unix 2 [ ACC ] STREAM LISTENING 20279 1278/master private/verify
unix 2 [ ACC ] STREAM LISTENING 20285 1278/master private/proxymap
unix 2 [ ACC ] STREAM LISTENING 12741 1/systemd /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 20306 1278/master private/discard
unix 2 [ ACC ] STREAM LISTENING 20303 1278/master private/retry
unix 2 [ ACC ] STREAM LISTENING 20309 1278/master private/local
unix 2 [ ACC ] STREAM LISTENING 20312 1278/master private/virtual
unix 2 [ ACC ] STREAM LISTENING 20315 1278/master private/lmtp
unix 2 [ ACC ] STREAM LISTENING 16599 566/VGAuthService /var/run/vmware/guestServicePipe
unix 2 [ ACC ] STREAM LISTENING 20294 1278/master private/relay
unix 2 [ ACC ] STREAM LISTENING 20300 1278/master private/error
unix 2 [ ACC ] STREAM LISTENING 20288 1278/master private/proxywrite
unix 2 [ ACC ] STREAM LISTENING 20291 1278/master private/smtp
-lntp: TCP only
[root@lgs-01 ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 918/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1278/master
tcp6 0 0 :::22 :::* LISTEN 918/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1278/master
tcp6 0 0 :::3306 :::* LISTEN 1180/mysqld
-lntup: TCP and UDP only; pay attention to the ports under Local Address
[root@lgs-01 ~]# netstat -lnutp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 918/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1278/master
tcp6 0 0 :::22 :::* LISTEN 918/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1278/master
tcp6 0 0 :::3306 :::* LISTEN 1180/mysqld
udp 0 0 127.0.0.1:323 0.0.0.0:* 580/chronyd
udp6 0 0 ::1:323 :::* 580/chronyd
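As an added example (not from the original notes), a shell function that reads netstat -lnutp output and says for each listening socket whether it is bound to loopback only or to every interface (0.0.0.0 or ::), which is the distinction that matters when reviewing the Local Address column. The sample input is the listening sockets shown above, reproduced as a constructed heredoc.

```shell
#!/bin/sh
# Added example: read "netstat -lnutp" output on stdin and say, for each
# listening TCP/UDP socket, whether it is reachable only from the host
# itself (loopback) or from every interface (wildcard 0.0.0.0 or ::).
# Sockets open to all interfaces are the ones to check against the
# firewall rules and the service's own access controls.
classify_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            # split host:port at the last colon so IPv6 forms like ::1:25 work
            n = match(addr, /:[0-9]+$/)
            host = substr(addr, 1, n - 1)
            port = substr(addr, n + 1)
            if (host == "0.0.0.0" || host == "::") { scope = "ALL-INTERFACES" }
            else if (host == "127.0.0.1" || host == "::1") { scope = "LOOPBACK" }
            else { scope = "ADDR " host }
            # PID/Program name is the last field whether or not a State column is present
            printf "%-5s %-5s %-15s %s\n", $1, port, scope, $NF
        }
    '
}

# Constructed sample: the listening sockets shown in the notes above.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      918/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1278/master
tcp6       0      0 :::22                   :::*                    LISTEN      918/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1278/master
tcp6       0      0 :::3306                 :::*                    LISTEN      1180/mysqld
udp        0      0 127.0.0.1:323           0.0.0.0:*                           580/chronyd
udp6       0      0 ::1:323                 :::*                                580/chronyd
EOF
}

sample_netstat | classify_listeners
```

On the notes' host this marks sshd on 22 and mysqld on 3306 as ALL-INTERFACES, while postfix and chronyd are loopback only.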
netstat -an: show all connections and their states
[root@lgs-01 ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 192.168.87.130:22 192.168.87.1:55741 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
tcp6 0 0 :::3306 :::* LISTEN
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp6 0 0 ::1:323 :::*
raw6 0 0 :::58 :::* 7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 20318 private/anvil
unix 2 [ ACC ] STREAM LISTENING 20321 private/scache
unix 2 [ ACC ] STREAM LISTENING 20267 private/rewrite
unix 2 [ ACC ] STREAM LISTENING 20270 private/bounce
unix 2 [ ] DGRAM 1337 /run/systemd/notify
unix 2 [ ACC ] STREAM LISTENING 14906 /var/run/dbus/system_bus_socket
unix 2 [ ] DGRAM 1339 /run/systemd/cgroups-agent
unix 2 [ ACC ] STREAM LISTENING 1347 /run/systemd/journal/stdout
unix 5 [ ] DGRAM 1350 /run/systemd/journal/socket
unix 14 [ ] DGRAM 1352 /dev/log
unix 2 [ ACC ] STREAM LISTENING 19309 /tmp/mysql.sock
unix 2 [ ACC ] STREAM LISTENING 20238 public/pickup
unix 2 [ ACC ] STREAM LISTENING 20242 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 20245 public/qmgr
unix 2 [ ACC ] STREAM LISTENING 20282 public/flush
unix 2 [ ACC ] STREAM LISTENING 20297 public/showq
unix 2 [ ] DGRAM 15247 /var/run/chrony/chronyd.sock
unix 2 [ ACC ] STREAM LISTENING 12701 /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 12723 /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 20249 private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 20273 private/defer
unix 2 [ ACC ] SEQPACKET LISTENING 12736 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 20276 private/trace
unix 2 [ ACC ] STREAM LISTENING 20279 private/verify
unix 2 [ ACC ] STREAM LISTENING 20285 private/proxymap
unix 2 [ ACC ] STREAM LISTENING 12741 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 20306 private/discard
unix 2 [ ACC ] STREAM LISTENING 20303 private/retry
unix 2 [ ACC ] STREAM LISTENING 20309 private/local
unix 2 [ ACC ] STREAM LISTENING 20312 private/virtual
unix 2 [ ] DGRAM 12754 /run/systemd/shutdownd
unix 2 [ ACC ] STREAM LISTENING 20315 private/lmtp
unix 2 [ ACC ] STREAM LISTENING 16599 /var/run/vmware/guestServicePipe
unix 2 [ ACC ] STREAM LISTENING 20294 private/relay
unix 2 [ ACC ] STREAM LISTENING 20300 private/error
unix 2 [ ACC ] STREAM LISTENING 20288 private/proxywrite
unix 2 [ ACC ] STREAM LISTENING 20291 private/smtp
unix 3 [ ] STREAM CONNECTED 20243
unix 2 [ ] DGRAM 20354
unix 3 [ ] STREAM CONNECTED 19583 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 20271
unix 3 [ ] STREAM CONNECTED 16085 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 20246
unix 3 [ ] STREAM CONNECTED 16066 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 20239
unix 3 [ ] STREAM CONNECTED 20292
unix 2 [ ] DGRAM 16573
unix 3 [ ] STREAM CONNECTED 16380
unix 3 [ ] STREAM CONNECTED 20240
unix 2 [ ] DGRAM 16597
unix 3 [ ] STREAM CONNECTED 16381 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 20278
unix 3 [ ] STREAM CONNECTED 15029
unix 2 [ ] DGRAM 20206
unix 3 [ ] STREAM CONNECTED 15075
unix 3 [ ] STREAM CONNECTED 20302
unix 2 [ ] DGRAM 16544
unix 3 [ ] STREAM CONNECTED 20322
unix 3 [ ] STREAM CONNECTED 20274
unix 3 [ ] STREAM CONNECTED 20293
unix 3 [ ] STREAM CONNECTED 20323
unix 3 [ ] STREAM CONNECTED 20277
unix 3 [ ] STREAM CONNECTED 16047 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 20244
unix 3 [ ] STREAM CONNECTED 16044 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 20316
unix 3 [ ] STREAM CONNECTED 17470
unix 3 [ ] STREAM CONNECTED 20317
unix 3 [ ] STREAM CONNECTED 13914 /run/systemd/journal/stdout
unix 3 [ ] DGRAM 13070
unix 3 [ ] STREAM CONNECTED 20319
unix 3 [ ] STREAM CONNECTED 13913
unix 3 [ ] STREAM CONNECTED 20275
unix 3 [ ] STREAM CONNECTED 16808 /var/run/dbus/system_bus_socket
unix 3 [ ] DGRAM 13069
unix 3 [ ] STREAM CONNECTED 20320
unix 3 [ ] STREAM CONNECTED 20314
unix 3 [ ] STREAM CONNECTED 20247
unix 3 [ ] STREAM CONNECTED 14925
unix 2 [ ] DGRAM 13916
unix 3 [ ] STREAM CONNECTED 20272
unix 2 [ ] DGRAM 16720
unix 3 [ ] STREAM CONNECTED 20313
unix 3 [ ] STREAM CONNECTED 14969
unix 3 [ ] STREAM CONNECTED 20310
unix 3 [ ] STREAM CONNECTED 20311
unix 3 [ ] STREAM CONNECTED 18944
unix 2 [ ] DGRAM 12864
unix 3 [ ] STREAM CONNECTED 20308
unix 3 [ ] STREAM CONNECTED 16589 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 16030 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 20307
unix 3 [ ] STREAM CONNECTED 20280
unix 3 [ ] STREAM CONNECTED 15121
unix 3 [ ] STREAM CONNECTED 20304
unix 3 [ ] STREAM CONNECTED 16588
unix 3 [ ] STREAM CONNECTED 20305
unix 2 [ ] DGRAM 18043
unix 3 [ ] STREAM CONNECTED 16700 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 14814
unix 3 [ ] STREAM CONNECTED 20286
unix 3 [ ] STREAM CONNECTED 18409
unix 3 [ ] STREAM CONNECTED 20237
unix 3 [ ] STREAM CONNECTED 20236
unix 3 [ ] STREAM CONNECTED 20298
unix 3 [ ] STREAM CONNECTED 19256 /var/run/dbus/system_bus_socket
unix 2 [ ] DGRAM 20571
unix 3 [ ] STREAM CONNECTED 20295
unix 3 [ ] STREAM CONNECTED 15326
unix 3 [ ] STREAM CONNECTED 20268
unix 2 [ ] DGRAM 15225
unix 3 [ ] STREAM CONNECTED 19530
unix 3 [ ] STREAM CONNECTED 14813
unix 3 [ ] STREAM CONNECTED 16042
unix 3 [ ] STREAM CONNECTED 20269
unix 3 [ ] STREAM CONNECTED 20289
unix 3 [ ] STREAM CONNECTED 20265
unix 2 [ ] DGRAM 20375
unix 3 [ ] STREAM CONNECTED 15357
unix 2 [ ] DGRAM 15234
unix 3 [ ] STREAM CONNECTED 16043
unix 2 [ ] DGRAM 14812
unix 2 [ ] DGRAM 17415
unix 3 [ ] STREAM CONNECTED 13773 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 18410 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 20296
unix 3 [ ] STREAM CONNECTED 16263
unix 3 [ ] STREAM CONNECTED 20283
unix 3 [ ] STREAM CONNECTED 20266
unix 3 [ ] STREAM CONNECTED 19531 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 16414 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 15275 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 13772
unix 3 [ ] STREAM CONNECTED 20301
unix 3 [ ] STREAM CONNECTED 20299
unix 3 [ ] STREAM CONNECTED 20290
unix 2 [ ] DGRAM 16392
unix 3 [ ] STREAM CONNECTED 16413
unix 3 [ ] STREAM CONNECTED 20281
unix 3 [ ] STREAM CONNECTED 20287
unix 3 [ ] STREAM CONNECTED 16737 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 19903
unix 3 [ ] STREAM CONNECTED 16690
unix 3 [ ] STREAM CONNECTED 20284
unix 3 [ ] STREAM CONNECTED 16264 /run/systemd/journal/stdout
Further reading: become familiar with the TCP/IP three-way handshake and four-way connection teardown.
A handy trick: a special use of netstat -an
netstat -an |awk '/^tcp/ {++sta[$NF]} END {for(key in sta) print key ,"\t" ,sta[key]}'
[root@lgs-01 ~]# netstat -an |awk '/^tcp/ {++sta[$NF]} END {for(key in sta) print key ,"\t" ,sta[key]}'
LISTEN 5
ESTABLISHED 1
This counts the connections in each state. Focus on the ESTABLISHED value, which is the number of concurrent connections; values under 1000 are acceptable.
ss -an command: similar to netstat
[root@lgs-01 ~]# ss -an
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
nl UNCONN 0 0 0:0 *
nl UNCONN 0 0 0:629146217 *
nl UNCONN 0 0 0:629146217 *
nl UNCONN 4352 0 4:1553 *
nl UNCONN 768 0 4:0 *
nl UNCONN 0 0 6:0 *
nl UNCONN 0 0 7:561 *
nl UNCONN 0 0 7:1 *
nl UNCONN 0 0 7:0 *
nl UNCONN 0 0 7:561 *
nl UNCONN 0 0 7:1 *
nl UNCONN 0 0 9:535 *
nl UNCONN 0 0 9:1 *
nl UNCONN 0 0 9:0 *
nl UNCONN 0 0 10:0 *
nl UNCONN 0 0 11:0 *
nl UNCONN 0 0 12:0 *
nl UNCONN 768 0 15:-4109 *
nl UNCONN 0 0 15:573 *
nl UNCONN 0 0 15:-4123 *
nl UNCONN 0 0 15:-4121 *
nl UNCONN 0 0 15:921 *
nl UNCONN 0 0 15:-4124 *
nl UNCONN 0 0 15:-4122 *
nl UNCONN 0 0 15:1 *
nl UNCONN 0 0 15:617 *
nl UNCONN 0 0 15:0 *
nl UNCONN 0 0 15:921 *
nl UNCONN 0 0 15:-4124 *
nl UNCONN 0 0 15:617 *
nl UNCONN 0 0 15:-4123 *
nl UNCONN 0 0 15:-4122 *
nl UNCONN 0 0 15:-4121 *
nl UNCONN 0 0 15:573 *
nl UNCONN 768 0 15:-4109 *
nl UNCONN 0 0 15:1 *
nl UNCONN 0 0 16:0 *
nl UNCONN 0 0 18:0 *
u_str LISTEN 0 100 private/anvil 20318 * 0
u_str LISTEN 0 100 private/scache 20321 * 0
u_str LISTEN 0 100 private/rewrite 20267 * 0
u_str LISTEN 0 100 private/bounce 20270 * 0
u_dgr UNCONN 0 0 /run/systemd/notify 1337 * 0
u_str LISTEN 0 128 /var/run/dbus/system_bus_socket 14906 * 0
u_dgr UNCONN 0 0 /run/systemd/cgroups-agent 1339 * 0
u_str LISTEN 0 128 /run/systemd/journal/stdout 1347 * 0
u_dgr UNCONN 0 0 /run/systemd/journal/socket 1350 * 0
u_dgr UNCONN 0 0 /dev/log 1352 * 0
u_str LISTEN 0 80 /tmp/mysql.sock 19309 * 0
u_str LISTEN 0 100 public/pickup 20238 * 0
u_str LISTEN 0 100 public/cleanup 20242 * 0
u_str LISTEN 0 100 public/qmgr 20245 * 0
u_str LISTEN 0 100 public/flush 20282 * 0
u_str LISTEN 0 100 public/showq 20297 * 0
u_dgr UNCONN 0 0 /var/run/chrony/chronyd.sock 15247 * 0
u_str LISTEN 0 128 /run/systemd/private 12701 * 0
u_str LISTEN 0 128 /run/lvm/lvmpolld.socket 12723 * 0
u_str LISTEN 0 100 private/tlsmgr 20249 * 0
u_str LISTEN 0 100 private/defer 20273 * 0
u_seq LISTEN 0 128 /run/udev/control 12736 * 0
u_str LISTEN 0 100 private/trace 20276 * 0
u_str LISTEN 0 100 private/verify 20279 * 0
u_str LISTEN 0 100 private/proxymap 20285 * 0
u_str LISTEN 0 128 /run/lvm/lvmetad.socket 12741 * 0
u_str LISTEN 0 100 private/discard 20306 * 0
u_str LISTEN 0 100 private/retry 20303 * 0
u_str LISTEN 0 100 private/local 20309 * 0
u_str LISTEN 0 100 private/virtual 20312 * 0
u_dgr UNCONN 0 0 /run/systemd/shutdownd 12754 * 0
u_str LISTEN 0 100 private/lmtp 20315 * 0
u_str LISTEN 0 32 /var/run/vmware/guestServicePipe 16599 * 0
u_str LISTEN 0 100 private/relay 20294 * 0
u_str LISTEN 0 100 private/error 20300 * 0
u_str LISTEN 0 100 private/proxywrite 20288 * 0
u_str LISTEN 0 100 private/smtp 20291 * 0
u_str ESTAB 0 0 * 20243 * 20244
u_dgr UNCONN 0 0 * 20354 * 1352
u_str ESTAB 0 0 /run/systemd/journal/stdout 19583 * 18944
u_str ESTAB 0 0 * 20271 * 20272
u_str ESTAB 0 0 /run/systemd/journal/stdout 16085 * 15121
u_str ESTAB 0 0 * 20246 * 20247
u_str ESTAB 0 0 /run/systemd/journal/stdout 16066 * 15075
u_str ESTAB 0 0 * 20239 * 20240
u_str ESTAB 0 0 * 20292 * 20293
u_dgr UNCONN 0 0 * 16573 * 0
u_str ESTAB 0 0 * 16380 * 16381
u_str ESTAB 0 0 * 20240 * 20239
u_dgr UNCONN 0 0 * 16597 * 1352
u_str ESTAB 0 0 /run/systemd/journal/stdout 16381 * 16380
u_str ESTAB 0 0 * 20278 * 20277
u_str ESTAB 0 0 * 15029 * 16047
u_dgr UNCONN 0 0 * 20206 * 1352
u_str ESTAB 0 0 * 15075 * 16066
u_str ESTAB 0 0 * 20302 * 20301
u_dgr UNCONN 0 0 * 16544 * 1352
u_str ESTAB 0 0 * 20322 * 20323
u_str ESTAB 0 0 * 20274 * 20275
u_str ESTAB 0 0 * 20293 * 20292
u_str ESTAB 0 0 * 20323 * 20322
u_str ESTAB 0 0 * 20277 * 20278
u_str ESTAB 0 0 /run/systemd/journal/stdout 16047 * 15029
u_str ESTAB 0 0 * 20244 * 20243
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 16044 * 14925
u_str ESTAB 0 0 * 20316 * 20317
u_str ESTAB 0 0 * 17470 * 16808
u_str ESTAB 0 0 * 20317 * 20316
u_str ESTAB 0 0 /run/systemd/journal/stdout 13914 * 13913
u_dgr UNCONN 0 0 * 13070 * 13069
u_str ESTAB 0 0 * 20319 * 20320
u_str ESTAB 0 0 * 13913 * 13914
u_str ESTAB 0 0 * 20275 * 20274
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 16808 * 17470
u_dgr UNCONN 0 0 * 13069 * 13070
u_str ESTAB 0 0 * 20320 * 20319
u_str ESTAB 0 0 * 20314 * 20313
u_str ESTAB 0 0 * 20247 * 20246
u_str ESTAB 0 0 * 14925 * 16044
u_dgr UNCONN 0 0 * 13916 * 1350
u_str ESTAB 0 0 * 20272 * 20271
u_dgr UNCONN 0 0 * 16720 * 1352
u_str ESTAB 0 0 * 20313 * 20314
u_str ESTAB 0 0 * 14969 * 16030
u_str ESTAB 0 0 * 20310 * 20311
u_str ESTAB 0 0 * 20311 * 20310
u_str ESTAB 0 0 * 18944 * 19583
u_dgr UNCONN 0 0 * 12864 * 1350
u_str ESTAB 0 0 * 20308 * 20307
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 16589 * 16588
u_str ESTAB 0 0 /run/systemd/journal/stdout 16030 * 14969
u_str ESTAB 0 0 * 20307 * 20308
u_str ESTAB 0 0 * 20280 * 20281
u_str ESTAB 0 0 * 15121 * 16085
u_str ESTAB 0 0 * 20304 * 20305
u_str ESTAB 0 0 * 16588 * 16589
u_str ESTAB 0 0 * 20305 * 20304
u_dgr UNCONN 0 0 * 18043 * 1352
u_str ESTAB 0 0 /run/systemd/journal/stdout 16700 * 15326
u_str ESTAB 0 0 * 14814 * 14813
u_str ESTAB 0 0 * 20286 * 20287
u_str ESTAB 0 0 * 18409 * 18410
u_str ESTAB 0 0 * 20237 * 20236
u_str ESTAB 0 0 * 20236 * 20237
u_str ESTAB 0 0 * 20298 * 20299
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 19256 * 19903
u_dgr UNCONN 0 0 * 20571 * 1352
u_str ESTAB 0 0 * 20295 * 20296
u_str ESTAB 0 0 * 15326 * 16700
u_str ESTAB 0 0 * 20268 * 20269
u_dgr UNCONN 0 0 * 15225 * 1352
u_str ESTAB 0 0 * 19530 * 19531
u_str ESTAB 0 0 * 14813 * 14814
u_str ESTAB 0 0 * 16042 * 16043
u_str ESTAB 0 0 * 20269 * 20268
u_str ESTAB 0 0 * 20289 * 20290
u_str ESTAB 0 0 * 20265 * 20266
u_dgr UNCONN 0 0 * 20375 * 1352
u_str ESTAB 0 0 * 15357 * 16737
u_dgr UNCONN 0 0 * 15234 * 1352
u_str ESTAB 0 0 * 16043 * 16042
u_dgr UNCONN 0 0 * 14812 * 1352
u_dgr UNCONN 0 0 * 17415 * 1352
u_str ESTAB 0 0 /run/systemd/journal/stdout 13773 * 13772
u_str ESTAB 0 0 /run/systemd/journal/stdout 18410 * 18409
u_str ESTAB 0 0 * 20296 * 20295
u_str ESTAB 0 0 * 16263 * 16264
u_str ESTAB 0 0 * 20283 * 20284
u_str ESTAB 0 0 * 20266 * 20265
u_str ESTAB 0 0 /run/systemd/journal/stdout 19531 * 19530
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 16414 * 16413
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 15275 * 16690
u_str ESTAB 0 0 * 13772 * 13773
u_str ESTAB 0 0 * 20301 * 20302
u_str ESTAB 0 0 * 20299 * 20298
u_str ESTAB 0 0 * 20290 * 20289
u_dgr UNCONN 0 0 * 16392 * 1350
u_str ESTAB 0 0 * 16413 * 16414
u_str ESTAB 0 0 * 20281 * 20280
u_str ESTAB 0 0 * 20287 * 20286
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 16737 * 15357
u_str ESTAB 0 0 * 19903 * 19256
u_str ESTAB 0 0 * 16690 * 15275
u_str ESTAB 0 0 * 20284 * 20283
u_str ESTAB 0 0 /run/systemd/journal/stdout 16264 * 16263
udp UNCONN 0 0 :::58 :::*
udp UNCONN 0 0 127.0.0.1:323 *:*
udp UNCONN 0 0 ::1:323 :::*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 100 127.0.0.1:25 *:*
tcp ESTAB 0 356 192.168.87.130:22 192.168.87.1:55741
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 100 ::1:25 :::*
tcp LISTEN 0 80 :::3306 :::*
10.10 Packet capture on Linux
When NIC traffic is abnormal, for instance inbound packets climbing past ten thousand per second, use tcpdump to capture and find out what those packets actually are.
tcpdump: shows the packets entering and leaving an interface, with source and destination addresses, so you can see where the traffic flows.
The usual options are -nn -i: -i picks the interface; -n prints addresses as numbers instead of resolving hostnames, and the second n also keeps port numbers numeric instead of service names. Skipping name resolution is faster, and it also avoids sending a DNS query for every address you capture, which would tell the resolver what you are investigating.
[root@lgs-01 ~]# tcpdump -nn -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:55:22.543456 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1123041043:1123041255, ack 2103498148, win 42480, length 212
22:55:22.543859 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 212, win 64911, length 0
22:55:22.544095 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 212:504, ack 1, win 42480, length 292
22:55:22.553492 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 504:668, ack 1, win 42480, length 164
22:55:22.553568 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 668, win 64455, length 0
22:55:22.553810 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 668:944, ack 1, win 42480, length 276
22:55:22.554135 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 944:1108, ack 1, win 42480, length 164
22:55:22.554225 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 1108, win 65535, length 0
22:55:22.554385 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1108:1384, ack 1, win 42480, length 276
22:55:22.555297 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1384:1564, ack 1, win 42480, length 180
22:55:22.555553 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 1564, win 65079, length 0
22:55:22.555845 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1564:1840, ack 1, win 42480, length 276
^C
407 packets captured
410 packets received by filter
0 packets dropped by kernel
If the incoming packets are mostly UDP, from many sources to arbitrary ports, it may be a UDP flood, that is, a DDoS attack. A well-known domestic anti-DDoS provider is 知道创宇 (Knownsec).
-nn port 22: filter on a port (port matches either the source or the destination port)
[root@lgs-01 ~]# tcpdump -nn -i ens33 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:00:29.162602 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1124966907:1124967119, ack 2103510156, win 42480, length 212
23:00:29.162738 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 212, win 64251, length 0
23:00:29.162993 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 212:504, ack 1, win 42480, length 292
23:00:29.163219 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 504:668, ack 1, win 42480, length 164
23:00:29.163301 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 668, win 65535, length 0
23:00:29.163445 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 668:944, ack 1, win 42480, length 276
23:00:29.163622 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 944:1108, ack 1, win 42480, length 164
23:00:29.163692 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 1108, win 65095, length 0
23:00:29.163835 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1108:1384, ack 1, win 42480, length 276
23:00:29.164121 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1384:1564, ack 1, win 42480, length 180
23:00:29.164259 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 1564, win 64639, length 0
23:00:29.165500 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1564:1840, ack 1, win 42480, length 276
23:00:29.166456 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1840:2020, ack 1, win 42480, length 180
-nn not port 22: exclude port 22. Useful when you are logged in over SSH, because otherwise your own session's packets drown out everything else.
[root@lgs-01 ~]# tcpdump -nn -i ens33 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:01:34.896216 ARP, Request who-has 192.168.87.2 tell 192.168.87.130, length 28
23:01:34.896723 ARP, Reply 192.168.87.2 is-at 00:50:56:fc:02:e0, length 46
23:01:48.122694 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:48.125085 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:48.184388 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:48.186000 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:48.190795 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:48.190849 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:48.203298 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:48.203671 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:48.307289 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:48.307322 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:48.324302 IP6 fe80::712f:1717:5c59:3eb5.52043 > ff02::1:3.5355: UDP, length 33
23:01:48.324446 IP 192.168.87.1.53236 > 224.0.0.252.5355: UDP, length 33
23:01:52.233741 ARP, Request who-has 192.168.87.254 tell 192.168.87.1, length 46
23:01:52.233860 IP 192.168.87.1.68 > 192.168.87.254.67: BOOTP/DHCP, Request from 00:50:56:c0:00:08, length 314
23:01:52.233864 ARP, Reply 192.168.87.254 is-at 00:50:56:eb:bf:de, length 46
23:01:52.233867 IP 192.168.87.254.67 > 192.168.87.1.68: BOOTP/DHCP, Reply, length 300
23:01:52.263986 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:52.264013 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:52.295529 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:52.295579 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:52.298609 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:52.298649 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:52.307283 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:52.307318 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:52.321085 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:52.321109 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:52.420653 IP6 fe80::712f:1717:5c59:3eb5.60038 > ff02::1:3.5355: UDP, length 33
23:01:52.420685 IP 192.168.87.1.64363 > 224.0.0.252.5355: UDP, length 33
23:01:52.807692 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:52.807734 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:54.291363 ARP, Request who-has 192.168.87.2 tell 192.168.87.1, length 46
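An added example, not part of the original notes, that turns text output like the unfiltered capture above into the answer the notes are after: when the packet rate jumps, is it a UDP flood (the case raised after the first capture) or a SYN flood, and from where? It parses the one-line summaries that `tcpdump -nn` prints, counts packets per protocol and per second, and flags targets or sources that exceed a threshold. The sample lines are constructed (a few copied from the format above, plus a UDP burst and a run of bare SYNs from documentation addresses 203.0.113.0/24 and 198.51.100.0/24); the thresholds and function names are this example's own.

```python
"""Classify the one-line packet summaries that `tcpdump -nn` prints.

Added example, not part of the original notes. The sample lines are
constructed; the attacker addresses are documentation ranges.
"""
import re
from collections import Counter

SAMPLE = """\
23:01:34.896216 ARP, Request who-has 192.168.87.2 tell 192.168.87.130, length 28
23:01:48.122694 IP6 fe80::712f:1717:5c59:3eb5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:01:48.125085 IP 192.168.87.1 > 224.0.0.22: igmp v3 report, 1 group record(s)
23:01:48.324446 IP 192.168.87.1.53236 > 224.0.0.252.5355: UDP, length 33
23:01:52.233860 IP 192.168.87.1.68 > 192.168.87.254.67: BOOTP/DHCP, Request from 00:50:56:c0:00:08, length 314
23:01:55.100001 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 212:504, ack 1, win 42480, length 292
23:01:55.100200 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 504, win 64911, length 0
23:01:56.000100 IP 203.0.113.7.40001 > 192.168.87.130.53: UDP, length 1400
23:01:56.000120 IP 203.0.113.7.40002 > 192.168.87.130.53: UDP, length 1400
23:01:56.000140 IP 203.0.113.9.40003 > 192.168.87.130.53: UDP, length 1400
23:01:56.000160 IP 203.0.113.7.40004 > 192.168.87.130.53: UDP, length 1400
23:01:56.000180 IP 203.0.113.9.40005 > 192.168.87.130.53: UDP, length 1400
23:01:56.000200 IP 203.0.113.7.40006 > 192.168.87.130.53: UDP, length 1400
23:01:57.000300 IP 198.51.100.4.50001 > 192.168.87.130.80: Flags [S], seq 1, win 1024, length 0
23:01:57.000400 IP 198.51.100.4.50002 > 192.168.87.130.80: Flags [S], seq 1, win 1024, length 0
23:01:57.000500 IP 198.51.100.4.50003 > 192.168.87.130.80: Flags [S], seq 1, win 1024, length 0
"""

HEADER = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<layer>IP6?|ARP),? (?P<rest>.*)$")
FLOW = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): (?P<payload>.*)$")


def split_port(addr, layer):
    """tcpdump joins host and port with a dot: an IPv4 host with a port has four
    dots, an IPv6 host with a port has exactly one."""
    has_port = addr.count(".") == 4 if layer == "IP" else "." in addr
    if not has_port:
        return addr, None
    host, _, port = addr.rpartition(".")
    return host, int(port)


def classify(payload):
    if payload.startswith("Flags ["):
        return "TCP"
    if payload.startswith("UDP"):
        return "UDP"
    if "ICMP" in payload:
        return "ICMP"
    if payload.startswith("igmp"):
        return "IGMP"
    return payload.split(",")[0].strip()      # e.g. BOOTP/DHCP, NTPv4, as tcpdump prints it


def parse(text):
    """Yield one dict per packet line; banner, summary and ^C lines are skipped."""
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        ts, layer, rest = m.group("ts", "layer", "rest")
        if layer == "ARP":
            yield {"ts": ts, "proto": "ARP", "src": None, "sport": None,
                   "dst": None, "dport": None, "flags": None, "length": None}
            continue
        f = FLOW.match(rest)
        if not f:
            continue
        payload = f.group("payload")
        flags = re.search(r"Flags \[([^\]]*)\]", payload)
        length = re.search(r"length (\d+)", payload)
        src, sport = split_port(f.group("src"), layer)
        dst, dport = split_port(f.group("dst"), layer)
        yield {"ts": ts, "proto": classify(payload), "src": src, "sport": sport,
               "dst": dst, "dport": dport,
               "flags": flags.group(1) if flags else None,
               "length": int(length.group(1)) if length else None}


def summarise(text, udp_threshold=5, syn_threshold=3):
    """Tally by protocol and by second; list targets/sources over the flood thresholds."""
    by_proto, per_second, udp_targets, syn_sources = Counter(), Counter(), Counter(), Counter()
    for p in parse(text):
        by_proto[p["proto"]] += 1
        per_second[p["ts"][:8]] += 1
        if p["proto"] == "UDP":
            udp_targets[(p["dst"], p["dport"])] += 1      # floods pile up on one target
        elif p["proto"] == "TCP" and p["flags"] == "S":   # bare SYN: a new connection attempt
            syn_sources[p["src"]] += 1
    return {
        "by_proto": by_proto,
        "peak_pps": max(per_second.values(), default=0),
        "udp_flood": [t for t, n in udp_targets.items() if n >= udp_threshold],
        "syn_flood": [s for s, n in syn_sources.items() if n >= syn_threshold],
    }


if __name__ == "__main__":
    # Live use: tcpdump -nn -i ens33 -c 10000 > /tmp/cap.txt, then summarise(open("/tmp/cap.txt").read())
    s = summarise(SAMPLE)
    print("packets by protocol:", dict(s["by_proto"]))
    print("peak packets/second:", s["peak_pps"])
    print("UDP flood targets  :", s["udp_flood"])
    print("SYN flood sources  :", s["syn_flood"])
```

The thresholds are tiny so the constructed sample trips them; on a real capture of ten thousand packets set them in the hundreds or thousands and use peak_pps against the per-second rate you saw on the interface. A spoofed flood will not cluster on a source address, which is why UDP is keyed on the target rather than the sender.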
-nn port 22 and host 192.168.87.130: combine expressions with and; host matches the address as either source or destination (src host / dst host restrict it to one side)
[root@lgs-01 ~]# tcpdump -nn -i ens33 port 22 and host 192.168.87.130
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:04:10.183507 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1125389995:1125390207, ack 2103516588, win 42480, length 212
23:04:10.183691 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 212, win 65155, length 0
23:04:10.184014 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 212:504, ack 1, win 42480, length 292
23:04:10.184535 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 504:668, ack 1, win 42480, length 164
23:04:10.184626 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 668, win 64699, length 0
23:04:10.184840 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 668:944, ack 1, win 42480, length 276
23:04:10.185036 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 944:1108, ack 1, win 42480, length 164
23:04:10.185105 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 1108, win 64259, length 0
23:04:10.206582 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1108:1384, ack 1, win 42480, length 276
23:04:10.218205 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1384:1564, ack 1, win 42480, length 180
23:04:10.218394 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 1564, win 65535, length 0
23:04:10.219680 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1564:1840, ack 1, win 42480, length 276
23:04:10.219865 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 1840:2020, ack 1, win 42480, length 180
23:04:10.219931 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 2020, win 65079, length 0
23:04:10.220033 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 2020:2296, ack 1, win 42480, length 276
23:04:10.220254 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 2296:2476, ack 1, win 42480, length 180
23:04:10.220342 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 2476, win 64623, length 0
23:04:10.220866 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 2476:2752, ack 1, win 42480, length 276
23:04:10.228644 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 2752:2932, ack 1, win 42480, length 180
23:04:10.228856 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 2932, win 64167, length 0
23:04:10.228960 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 2932:3112, ack 1, win 42480, length 180
23:04:10.229180 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 3112:3388, ack 1, win 42480, length 276
23:04:10.229261 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 3388, win 65535, length 0
23:04:10.229440 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 3388:3664, ack 1, win 42480, length 276
23:04:10.235245 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 3664:3844, ack 1, win 42480, length 180
23:04:10.235547 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 3844, win 65079, length 0
23:04:10.235873 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 3844:4120, ack 1, win 42480, length 276
23:04:10.236032 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 4120:4300, ack 1, win 42480, length 180
23:04:10.236091 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 4300, win 64623, length 0
23:04:10.236161 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 4300:4576, ack 1, win 42480, length 276
23:04:10.236246 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 4576:4756, ack 1, win 42480, length 180
23:04:10.236290 IP 192.168.87.1.55741 > 192.168.87.130.22: Flags [.], ack 4756, win 64167, length 0
23:04:10.236333 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 4756:5032, ack 1, win 42480, length 276
23:04:10.236402 IP 192.168.87.130.22 > 192.168.87.1.55741: Flags [P.], seq 5032:5212, ack 1, win 42480, length 180
-c 100 -w /tmp/1.cap: stop after 100 packets and write them to a file in raw form
[root@lgs-01 ~]# tcpdump -nn -i ens33 -c 100 -w /tmp/1.cap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
100 packets captured
100 packets received by filter
0 packets dropped by kernel
The 1.cap file cannot be read with cat (it is binary, so cat prints garbage); read it back with tcpdump. On CentOS tcpdump drops root privileges to the tcpdump user before it starts capturing (the -Z option), which is why the file below is owned by tcpdump.
[root@lgs-01 ~]# ls -l /tmp/1.cap
-rw-r--r--. 1 tcpdump tcpdump 16415 5月 7 23:06 /tmp/1.cap
[root@lgs-01 ~]# file /tmp/1.cap
/tmp/1.cap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)
[root@lgs-01 ~]# cat /tmp/1.cap
Ճ²¡7k?ˊPV
p l8x✉$NO_¼#@@湀¨W(WٽC
h欴ۖ¬݂㢕)B؏¦ӥC?£v?ٵg%~sº%"¢þ¶¯٥_ 낚A^®fٽHH˒_$a䃧韖2,|¼~¹4¯½Ҵ¨&䄸{B炷k?<<
)Ѣ¸E(
n@@(W(Wٽ}a)C#Pþ¯ؿk33Pܠgþq/\Y>µÿ"#gҁƲځ .⫍TKDa
PV'MS-20170122YATWMSFT 5.'@k?jj
)Ѣ¸E\
o@@Y(W(Wٽ}a)C#Pþ?ۆ@K¼詀G�DɁ?5i̠?4
ųM?Rs@k?66PV
1.cap holds the raw packets captured from the interface. Read it back with tcpdump -r; add -nn there too, otherwise tcpdump resolves every address through DNS while reading (below: lgs-01.ssh, ...hinet.net.ntp, gateway), which is slow and leaks the addresses you are examining to the resolver. Wireshark and tshark open the same file.
[root@lgs-01 ~]# tcpdump -r /tmp/1.cap
reading from file /tmp/1.cap, link-type EN10MB (Ethernet)
23:05:27.975940 IP lgs-01.ssh > 192.168.87.1.55741: Flags [P.], seq 1125453199:1125453347, ack 2103519516, win 42480, length 148
23:05:27.976575 IP 192.168.87.1.55741 > lgs-01.ssh: Flags [.], ack 148, win 65179, length 0
23:05:35.530558 IP6 fe80::712f:1717:5c59:3eb5.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
23:05:36.310133 IP 192.168.87.1.55741 > lgs-01.ssh: Flags [P.], seq 1:53, ack 148, win 65179, length 52
23:05:36.375497 IP lgs-01.ssh > 192.168.87.1.55741: Flags [.], ack 53, win 42480, length 0
23:05:48.280605 IP lgs-01.58175 > 61-216-153-104.HINET-IP.hinet.net.ntp: NTPv4, Client, length 48
23:05:48.337106 IP 61-216-153-104.HINET-IP.hinet.net.ntp > lgs-01.58175: NTPv4, Server, length 48
23:05:51.530722 IP6 fe80::712f:1717:5c59:3eb5.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
23:05:53.296589 ARP, Request who-has gateway tell lgs-01, length 28
23:05:53.296809 ARP, Reply gateway is-at 00:50:56:fc:02:e0 (oui Unknown), length 46
23:05:54.290567 ARP, Request who-has gateway tell 192.168.87.1, length 46
23:05:54.806558 ARP, Request who-has gateway tell 192.168.87.1, length 46
23:05:55.806633 ARP, Request who-has gateway tell 192.168.87.1, length 46
The tshark command: provided by the wireshark package. A very practical tool: it can show which IP requested which resource file on a website,
much like a web server's access log. -n disables name resolution and -t a prints absolute timestamps. Two caveats about the run below: -R is deprecated (use -Y for single-pass display filtering), and because no -i was given tshark picked the first interface it found, nflog, so it captured nothing; pass -i ens33 to capture on the real interface.
[root@lgs-01 ~]# tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"
tshark: -R without -2 is deprecated. For single-pass filtering use -Y.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'nflog'
^C0 packets captured
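An added example, not part of the original notes and not Wireshark code, that extracts the same fields as the tshark one-liner above (ip.src, http.host, http.request.method, http.request.uri) from a capture file written by `tcpdump -w`. It reads the classic libpcap format the `file` command identified above ("tcpdump capture file ... version 2.4") with only the standard library and walks Ethernet -> IPv4 -> TCP -> HTTP. The capture it parses is built in memory here (constructed, not real traffic: one HTTP GET and one SSH banner that must be ignored); it handles untagged Ethernet, IPv4 and plain HTTP/1.x only, and does not reassemble a request split across segments.

```python
"""Extract HTTP requests from a classic pcap file, tshark-style.

Added example, not part of the original notes or of Wireshark. The capture
below is constructed in memory; checksums are left at zero because the
reader does not verify them.
"""
import re
import socket
import struct
import time

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1    # as read with "<I"
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) (\S+) HTTP/1\.[01]\r\n")


def build_sample_pcap():
    """Constructed two-packet capture: one HTTP GET and one SSH banner (to be skipped)."""
    def packet(src, dst, sport, dport, payload):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + tcp
        eth = b"\x00\x50\x56\xfc\x02\xe0" + b"\x00\x0c\x29\x11\x22\x33" + b"\x08\x00" + ip
        return struct.pack("<IIII", 1525705527, 975940, len(eth), len(eth)) + eth

    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 262144, 1)   # link type 1 = Ethernet
    return (header
            + packet("192.168.87.1", "192.168.87.130", 55741, 80,
                     b"GET /index.php?id=1 HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.29\r\n\r\n")
            + packet("192.168.87.1", "192.168.87.130", 55742, 22, b"SSH-2.0-OpenSSH_7.4\r\n"))


def pcap_records(data):
    """Yield (timestamp, frame bytes) from a classic pcap in either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng needs a different reader)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are supported")
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        yield sec + usec / 1e6, data[pos:pos + incl]
        pos += incl


def tcp_payload(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or len(ip) < total:
        return None
    ip = ip[:total]                                   # drop Ethernet padding, if any
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[off:]


def http_requests(data):
    """Rows with the fields the tshark command prints; non-HTTP segments are skipped."""
    rows = []
    for ts, frame in pcap_records(data):
        seg = tcp_payload(frame)
        if seg is None:
            continue
        src, _dst, _sport, _dport, payload = seg
        m = REQUEST_LINE.match(payload)
        if not m:
            continue
        host = ""
        for line in payload[m.end():].split(b"\r\n\r\n", 1)[0].split(b"\r\n"):
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("latin-1")
        rows.append({"time": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts)),
                     "ip.src": src, "http.host": host,
                     "http.request.method": m.group(1).decode(),
                     "http.request.uri": m.group(2).decode("latin-1")})
    return rows


def http_requests_from_file(path):
    """Same, for a file written by `tcpdump -w`, e.g. /tmp/1.cap."""
    with open(path, "rb") as fh:
        return http_requests(fh.read())


if __name__ == "__main__":
    for row in http_requests(build_sample_pcap()):
        print("\t".join(str(row[k]) for k in
                        ("time", "ip.src", "http.host", "http.request.method", "http.request.uri")))
```

Because it matches on the request line of a single segment, a request whose headers span two segments, or any TLS traffic, will not appear; that is the same limitation as reading packets rather than streams, and it is where tshark's follow-stream reassembly earns its keep.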