Using Monitoring Tools


---------------------------------------------------------------------------------------------------
iptraf: a tool that is more powerful than iftop.
yum install iptraf -y
Note from the iptraf INSTALL file:
IPTraf reads the terminfo database from the /usr/share/terminfo directory, so if that directory lives elsewhere IPTraf prints "Error opening terminal" and fails to start. This typically happens on Slackware, where terminfo is usually located in /usr/lib/terminfo. It can be fixed like this:
#TERMINFO=/usr/lib/terminfo
#export TERMINFO
or by adding a symlink:
#ln -s /usr/lib/terminfo /usr/share/terminfo
iptraf features:
 IP traffic monitor: shows information about the IP traffic passing over your network, including TCP flag information, packet and byte counts, ICMP details and OSPF packet types.
 Comprehensive and detailed interface statistics: counts of IP, TCP, UDP, ICMP, non-IP and other IP packets, IP checksum errors, interface status and packet sizes.
 It uses the raw socket interface built into the Linux kernel, so it supports many kinds of network interface, such as:
    Local loopback
    All Linux-supported Ethernet interfaces
    All Linux-supported FDDI interfaces
    SLIP
    Asynchronous PPP
    Synchronous PPP over ISDN
    ISDN with Raw IP encapsulation
    ISDN with Cisco HDLC encapsulation
    Parallel Line IP
iptraf
    IP traffic monitor
    General interface statistics
    Detailed interface statistics
    Statistical breakdowns...
    LAN station monitor
    Filters...
    Configure...
    Exit
Running the iptraf command and pressing any key brings up the menu above:
IP traffic monitor
General interface statistics
Detailed interface statistics
Statistical breakdowns
LAN station statistics
Filters
Configure (iptraf configuration options)
The Configure menu is the part that needs explanation.

    Configure menu                         Current Settings
    Reverse DNS lookups                    Reverse DNS lookups:        Off
    TCP/UDP service names                  Service names:               On
    Force promiscuous mode                 Promiscuous:                 On
    Color                                  Color:                       On
    Logging                                Logging:                     On
    Activity mode                          Activity mode:          kbits/s
    Source MAC addrs in traffic monitor    MAC addresses:               On
    Show v6-in-v4 traffic as IPv6          v6-in-v4 as IPv6:            On
    Timers...                              TCP timeout:            15 mins   // how long an idle connection entry is kept before it is replaced by a new connection
                                           Log interval:           60 mins   // how many minutes between log writes; the default is 60 minutes
    Additional ports...                    Update interval:         0 secs   // how many seconds between screen refreshes; the default 0 means refresh as fast as possible
    Delete port/range...                   Closed/idle persist:     0 mins   // how many minutes closed, idle and timed-out TCP connections stay in the IP traffic monitor window; the default 0 keeps them until a new connection replaces them
    Ethernet/PLIP host descriptions...
    FDDI/Token Ring host descriptions...
    Exit configuration

 Reverse DNS lookups: reverse-resolves IP addresses to DNS names; off by default. When it is enabled and the IP traffic monitor is used, IPTraf starts a daemon, /usr/bin/rvnamed, to speed up reverse lookups.
 Once rvnamed has completed a lookup, IPTraf shows the source host name instead of the IP address. IPTraf uses a separate reverse-lookup program because the standard resolver calls block the process until the lookup completes, which wastes time.
 TCP/UDP service names: shows the corresponding service name instead of the port number.
 Force promiscuous mode: runs in promiscuous mode so that connections across the LAN can be monitored.
 Logging: when enabled, each monitoring session can be given a log file location; the default is under /var/log/iptraf.
 Activity mode: switches the rate unit between kbits/s and kbytes/s; the default is kbits/s.
 Source MAC addrs in traffic monitor: decides whether the IP traffic monitor shows the source MAC address of packets; applies to Ethernet, FDDI and PLIP interfaces. For non-TCP packets (the lower window of the IP traffic monitor) the source MAC address is shown directly; for TCP packets (the upper window) press the M key.
 Timers: the Timers submenu sets iptraf's various intervals and timeouts.
 Additional ports: by default iptraf only breaks down traffic for port numbers below 1024; use this option to add the ports you want analysed.
 Delete port/range: removes ports you no longer want to monitor.
 Ethernet/PLIP host descriptions: hexadecimal MAC addresses are hard to remember, so iptraf provides LAN Station Identifiers, which make it easier to tell the workstations on the LAN apart.

 Filters are also very powerful, but their usage is overly complex, and everything they provide can be done with tcpdump.
------------------------------------------------------------------------------------------------
iftop: shows per-host traffic on the host's network interface. Its usage is much simpler than tcpdump's; there is not much to iftop.
iftop installation:
yum install libpcap libpcap-devel ncurses-devel libcurses wget -y
yum install gcc gcc-c++ make automake autoconf -y
wget http://www.ex-parrot.com/~pdw/iftop/download/iftop-0.17.tar.gz
tar xf iftop-0.17.tar.gz
cd iftop-0.17
./configure
make && make install
# iftop -h
iftop: display bandwidth usage on an interface by host

Synopsis: iftop -h | [-npbBP] [-i interface] [-f filter code] [-N net/mask]

     -h                  display this message
     -n                  don't do hostname lookups
     -N                  don't convert port numbers to services
     -p                  run in promiscuous mode (show traffic between other
                         hosts on the same network segment)
     -b                  don't display a bar graph of traffic
     -B                  Display bandwidth in bytes
     -i interface        listen on named interface
     -f filter code      use filter code to select packets to count
                         (default: none, but only IP packets are counted)
     -F net/mask         show traffic flows in/out of network
     -P                  show ports as well as hosts
     -m limit            sets the upper limit for the bandwidth scale
     -c config file      specifies an alternative configuration file

Fields in the iftop display:
TX: transmitted traffic
RX: received traffic
TOTAL: total traffic
Cumm: cumulative traffic since iftop was started
peak: peak traffic rate
rates: average traffic rate over the last 2s, 10s and 40s respectively
 
--------------------------------------------------------------------------------------------------------------------
tcpdump: a very useful packet capture tool on Linux; its man page documents the usage in great detail. Common usage:
Three kinds of filter keywords:
    type keywords: mainly host, net, port
    direction keywords: mainly src, dst, dst or src, dst and src
    protocol keywords: mainly fddi, ip, arp, rarp, tcp, udp and similar
-i       the network interface to listen on;
-r       read packets from the given file (such files are usually produced with -w);
-w       write packets directly to a file without parsing or printing them;
-T       interpret the captured packets as the given type; common types are rpc (remote procedure call) and snmp (simple network management)
-nn      show IP addresses and port numbers directly rather than host and service names
-q       print shorter packet information, so each line is more concise
-d       dump the compiled packet-matching code in a human-readable assembler-like form;
-dd      dump the packet-matching code as a C program fragment;
-ddd     dump the packet-matching code as decimal numbers;
-e       print the link-layer header on each output line;
-f       print foreign Internet addresses numerically;
-l       make standard output line-buffered;
-n       don't convert network addresses to names;
-t       don't print a timestamp on each output line;
-v       slightly more verbose output, e.g. the TTL and type of service in IP packets;
-vv      even more detailed packet information;
-c       number of packets to capture; without it, tcpdump keeps capturing until the user presses Ctrl-C.
-F       read the filter expression from the given file and ignore any other expression;

1> Capture traffic on a given port of this host.
[root@localhost ~]# tcpdump -i eth2 'udp port 53'  (ping  www.baidu.com)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
23:34:54.801224 IP 192.168.1.104.45156 > 192.168.1.1.domain: 50721+ PTR? 100.1.168.192.in-addr.arpa. (44)
23:34:54.802927 IP 192.168.1.104.42689 > 192.168.1.1.domain: 9495+ PTR? 1.1.168.192.in-addr.arpa. (42)
23:34:54.827455 IP 192.168.1.1.domain > 192.168.1.104.45156: 50721 NXDomain 0/0/0 (44)
23:34:54.828570 IP 192.168.1.1.domain > 192.168.1.104.42689: 9495 NXDomain 0/0/0 (42)
23:34:54.830756 IP 192.168.1.104.39701 > 192.168.1.1.domain: 24573+ PTR? 104.1.168.192.in-addr.arpa. (44)
23:34:54.850243 IP 192.168.1.1.domain > 192.168.1.104.39701: 24573 NXDomain 0/0/0 (44)
23:35:01.797459 IP 192.168.1.104.42501 > 192.168.1.1.domain: 47317+ A? www.baidu.com. (31)
23:35:01.812636 IP 192.168.1.1.domain > 192.168.1.104.42501: 47317 2/0/0 CNAME www.a.shifen.com., A 220.181.111.147 (74)
[root@localhost ~]#  tcpdump -n -i eth2 port 80  (curl -I http://www.google.com/ 80)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
00:11:07.165561 IP 192.168.1.104.60100 > 74.125.128.99.http: Flags [S], seq 3772457204, win 14600, options [mss 1460,sackOK,TS val 147995298 ecr 0,nop,wscale 5], length 0
00:11:07.182011 IP 74.125.128.99.http > 192.168.1.104.60100: Flags [S.], seq 3970420755, ack 3772457205, win 14180, options [mss 1430,sackOK,TS val 2889730437 ecr 147995298,nop,wscale 6], length 0
00:11:07.182077 IP 192.168.1.104.60100 > 74.125.128.99.http: Flags [.], ack 1, win 457, options [nop,nop,TS val 147995314 ecr 2889730437], length 0
00:11:07.182406 IP 192.168.1.104.60100 > 74.125.128.99.http: Flags [P.], seq 1:171, ack 1, win 457, options [nop,nop,TS val 147995314 ecr 2889730437], length 170
00:11:07.203192 IP 74.125.128.99.http > 192.168.1.104.60100: Flags [.], ack 171, win 239, options [nop,nop,TS val 2889730458 ecr 147995314], length 0
00:11:07.207352 IP 74.125.128.99.http > 192.168.1.104.60100: Flags [P.], seq 1:904, ack 171, win 239, options [nop,nop,TS val 2889730462 ecr 147995314], length 903
00:11:07.207369 IP 192.168.1.104.60100 > 74.125.128.99.http: Flags [.], ack 904, win 513, options [nop,nop,TS val 147995340 ecr 2889730462], length 0
00:11:07.208429 IP 192.168.1.104.60100 > 74.125.128.99.http: Flags [F.], seq 171, ack 904, win 513, options [nop,nop,TS val 147995340 ecr 2889730462], length 0
2> Capture traffic between this host and a given host (curl -I http://www.baidu.com/ 80)
[root@localhost ~]# tcpdump -i eth2  host  220.181.111.147
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
23:45:33.074071 IP 192.168.1.104.46332 > 220.181.111.147.http: Flags [S], seq 381045890, win 14600, options [mss 1460,sackOK,TS val 146461206 ecr 0,nop,wscale 5], length 0
23:45:33.116185 IP 220.181.111.147.http > 192.168.1.104.46332: Flags [S.], seq 755347942, ack 381045891, win 14600, options [mss 1440,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop], length 0
23:45:33.116245 IP 192.168.1.104.46332 > 220.181.111.147.http: Flags [.], ack 1, win 14600, length 0
23:45:33.116753 IP 192.168.1.104.46332 > 220.181.111.147.http: Flags [P.], seq 1:170, ack 1, win 14600, length 169
23:45:33.162199 IP 220.181.111.147.http > 192.168.1.104.46332: Flags [.], ack 170, win 6432, length 0
23:45:33.166012 IP 220.181.111.147.http > 192.168.1.104.46332: Flags [P.], seq 1:385, ack 170, win 6432, length 384
23:45:33.166046 IP 192.168.1.104.46332 > 220.181.111.147.http: Flags [.], ack 385, win 15544, length 0
23:45:33.167787 IP 192.168.1.104.46332 > 220.181.111.147.http: Flags [F.], seq 170, ack 385, win 15544, length 0
23:45:33.209245 IP 220.181.111.147.http > 192.168.1.104.46332: Flags [.], ack 171, win 6432, length 0
23:45:33.209313 IP 220.181.111.147.http > 192.168.1.104.46332: Flags [F.], seq 385, ack 171, win 6432, length 0
23:45:33.209329 IP 192.168.1.104.46332 > 220.181.111.147.http: Flags [.], ack 386, win 15544, length 0
3>telnet  220.181.111.147  20
[root@localhost ~]# tcpdump -i eth2  'dst  220.181.111.147 and (port 21 or 20)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
23:55:45.831050 IP 192.168.1.104.54923 > 220.181.111.147.ftp-data: Flags [S], seq 1443773354, win 14600, options [mss 1460,sackOK,TS val 147073963 ecr 0,nop,wscale 5], length 0
23:55:46.832802 IP 192.168.1.104.54923 > 220.181.111.147.ftp-data: Flags [S], seq 1443773354, win 14600, options [mss 1460,sackOK,TS val 147074965 ecr 0,nop,wscale 5], length 0
23:55:48.833624 IP 192.168.1.104.54923 > 220.181.111.147.ftp-data: Flags [S], seq 1443773354, win 14600, options [mss 1460,sackOK,TS val 147076966 ecr 0,nop,wscale 5], length 0
23:55:52.835319 IP 192.168.1.104.54923 > 220.181.111.147.ftp-data: Flags [S], seq 1443773354, win 14600, options [mss 1460,sackOK,TS val 147080967 ecr 0,nop,wscale 5], length 0
23:56:00.836306 IP 192.168.1.104.54923 > 220.181.111.147.ftp-data: Flags [S], seq 1443773354, win 14600, options [mss 1460,sackOK,TS val 147088968 ecr 0,nop,wscale 5], length 0
23:56:16.836495 IP 192.168.1.104.54923 > 220.181.111.147.ftp-data: Flags [S], seq 1443773354, win 14600, options [mss 1460,sackOK,TS val 147104969 ecr 0,nop,wscale 5], length 0
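To make use of text captures like the ones in sections 2 and 3, here is an added shell/awk example (not part of the original post) that pairs each SYN with the SYN-ACK in the opposite direction and flags flows whose SYN was retried but never answered, as with the ftp-data attempt above. The function name summarize_syn and the sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example: summarise TCP handshakes from tcpdump's text output
# (e.g. "tcpdump -n -i eth2 tcp | summarize_syn"). Repeated unanswered
# SYNs point at a filtered port, a dead host, or, seen from the other
# side, a connection attempt worth looking into.
summarize_syn() {
    awk '
    # tcpdump line layout: time IP src > dst: Flags [..], ...
    $2 == "IP" && $6 == "Flags" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        flags = $7; sub(/,$/, "", flags)
        if (flags == "[S]") {
            syn[src " > " dst]++              # client-initiated SYN
        } else if (flags == "[S.]") {
            synack[dst " > " src]++           # reply, keyed by initiator direction
        }
    }
    END {
        for (f in syn) {
            n = synack[f] + 0
            if (n > 0)            { status = "handshake-replied" }
            else if (syn[f] >= 3) { status = "UNANSWERED-RETRIES" }
            else                  { status = "unanswered" }
            printf "%s SYN=%d SYNACK=%d %s\n", f, syn[f], n, status
        }
    }'
}

# Constructed sample in the same format as the captures above: one handshake
# to port http that is answered, and one attempt on ftp-data that is retried
# three times with no reply at all.
SAMPLE='23:45:33.074071 IP 192.168.1.104.46332 > 220.181.111.147.http: Flags [S], seq 381045890, win 14600, length 0
23:45:33.116185 IP 220.181.111.147.http > 192.168.1.104.46332: Flags [S.], seq 755347942, ack 381045891, win 14600, length 0
23:45:33.116245 IP 192.168.1.104.46332 > 220.181.111.147.http: Flags [.], ack 1, win 14600, length 0
23:55:45.831050 IP 192.168.1.104.54923 > 220.181.111.147.ftp-data: Flags [S], seq 1443773354, win 14600, length 0
23:55:46.832802 IP 192.168.1.104.54923 > 220.181.111.147.ftp-data: Flags [S], seq 1443773354, win 14600, length 0
23:55:48.833624 IP 192.168.1.104.54923 > 220.181.111.147.ftp-data: Flags [S], seq 1443773354, win 14600, length 0'

printf '%s\n' "$SAMPLE" | summarize_syn
```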
4> Capture the ARP and ICMP protocols
[root@localhost ~]#  tcpdump -n -i eth2 icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
00:15:09.021481 ARP, Request who-has 192.168.1.1 tell 192.168.1.104, length 28
00:15:09.026080 ARP, Reply 192.168.1.1 is-at ec:88:8f:61:cc:4c, length 46
00:15:22.241411 IP 192.168.1.104 > 74.125.128.103: ICMP echo request, id 12361, seq 1, length 64
00:15:22.259365 IP 74.125.128.103 > 192.168.1.104: ICMP echo reply, id 12361, seq 1, length 64
00:15:23.243472 IP 192.168.1.104 > 74.125.128.103: ICMP echo request, id 12361, seq 2, length 64
00:15:23.260798 IP 74.125.128.103 > 192.168.1.104: ICMP echo reply, id 12361, seq 2, length 64
00:15:24.245494 IP 192.168.1.104 > 74.125.128.103: ICMP echo request, id 12361, seq 3, length 64
00:15:24.263007 IP 74.125.128.103 > 192.168.1.104: ICMP echo reply, id 12361, seq 3, length 64
00:15:24.948703 ARP, Request who-has 192.168.1.104 tell 192.168.1.100, length 46
00:15:24.948737 ARP, Reply 192.168.1.104 is-at 00:0c:29:57:3b:87, length 28
00:16:03.338775 ARP, Request who-has 192.168.1.104 tell 192.168.1.100, length 46
00:16:03.338813 ARP, Reply 192.168.1.104 is-at 00:0c:29:57:3b:87, length 28
5> Write the capture to a file
# tcpdump -i eth0 -s 0 -l -w gaby.cap dst port 443
Writes every packet from this host to destination port 443 into gaby.cap; the whole exchange can then be examined afterwards with an analysis tool.
Other usage
Capture packets between host 192.168.2.45 and 192.168.1.1 or 192.168.2.1
#tcpdump host 192.168.2.45 and \(192.168.1.1 or 192.168.2.1 \)
Show all IPv4 HTTP packets to and from port 80 that actually carry data, i.e. excluding SYN, FIN and ACK-only packets. In the filter, ip[2:2] is the IP total length, (ip[0]&0xf)<<2 is the IP header length in bytes and (tcp[12]&0xf0)>>2 is the TCP header length in bytes, so the expression is nonzero only when a TCP payload is present:
# tcpdump -i eth2 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
List all network interfaces the system can capture on
# tcpdump -D
1.usbmon1 (USB bus number 1)
2.eth2
3.usbmon2 (USB bus number 2)
4.any (Pseudo-device that captures on all interfaces)
5.lo
