7.11 Tasks

10.6 Monitoring I/O performance

When the disk becomes a bottleneck, we can use the iostat command to look at it in detail.

[root@localhost: ~]# iostat 1 2
Linux 3.10.0-862.3.3.el7.x86_64 (localhost.localdomain) 	07/11/2018 	_x86_64_	(4 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.01    0.00    0.06    0.05    0.00   99.88

Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
sda               1.67        26.12         3.48     154562      20606
sdb               0.06         0.71         0.00       4174          0
scd0              0.00         0.17         0.00       1028          0
dm-0              0.01         0.18         0.00       1036          0
dm-1              0.00         0.06         0.00        328          0

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.00    0.00    0.00    0.00    0.00  100.00

Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
sda               0.00         0.00         0.00          0          0
sdb               0.00         0.00         0.00          0          0
scd0              0.00         0.00         0.00          0          0
dm-0              0.00         0.00         0.00          0          0
dm-1              0.00         0.00         0.00          0          0

sar -b shows this as well.

But the most important thing about iostat is the -x option, which lets you check %util.

[root@localhost: ~]# iostat -x | awk '{print $1,$14}' | tail -7
Device: %util
sda 0.20
sdb 0.01
scd0 0.01
dm-0 0.00
dm-1 0.00

%util
    Percentage  of  elapsed  time  during  which  I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%.

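When I/O requests wait a long time after being issued, this value grows; if it stays high for a long time, the device definitely has a problem (most often a failing hard disk).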
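
Selecting the column by position ($14) only fits this sysstat version's layout, and the first report of any iostat run is the average since boot. The following added example (not from the original notes) finds %util by its header name and keeps only the last report of a run such as `iostat -x 1 2`; the function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: read `iostat -x <interval> <count>` output on stdin and
# report %util per device from the LAST report only. The first report is
# the average since boot, so it hides a disk that is saturated right now.

# Constructed sample of `iostat -x 1 2` output (the values are made up).
sample_iostat() {
cat <<'EOF'
Linux 3.10.0-862.3.3.el7.x86_64 (localhost.localdomain) 	07/11/2018 	_x86_64_	(4 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.01    0.00    0.06    0.05    0.00   99.88

Device:         rrqm/s   wrqm/s     r/s     w/s    rkB/s    wkB/s avgrq-sz avgqu-sz   await r_await w_await  svctm  %util
sda               0.00     0.02    1.20    0.47    26.12     3.48    35.45     0.00    1.03    0.97    1.17   0.55   0.20
sdb               0.00     0.00    0.06    0.00     0.71     0.00    23.65     0.00    0.31    0.31    0.00   0.25   0.01

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           1.02    0.00    3.10   45.60    0.00   50.28

Device:         rrqm/s   wrqm/s     r/s     w/s    rkB/s    wkB/s avgrq-sz avgqu-sz   await r_await w_await  svctm  %util
sda               0.00    12.00    3.00  410.00    48.00 52480.00   254.37   142.11  340.20   11.00  342.61   2.36  97.30
sdb               0.00     0.00    0.00    0.00     0.00     0.00     0.00     0.00    0.00    0.00    0.00   0.00   0.00
EOF
}

# Print "<device> <%util>" for every device in the last report on stdin.
# Prints nothing when the header has no %util column (iostat without -x).
last_util_report() {
    awk '
        /^Device/ {                      # header line: a new report begins
            col = 0
            for (i = 1; i <= NF; i++) if ($i == "%util") col = i
            n = 0; in_table = 1          # forget devices from earlier reports
            next
        }
        NF == 0 { in_table = 0; next }   # a blank line ends the device table
        in_table && col { dev[++n] = $1; util[n] = $col }
        END { for (i = 1; i <= n; i++) print dev[i], util[i] }
    '
}

# Print the devices whose %util in the last report is at or above $1.
saturated_devices() {
    last_util_report | awk -v limit="$1" '$2 + 0 >= limit + 0 { print $1 }'
}

# Demo on the constructed sample; on a live host: iostat -x 1 2 | saturated_devices 90
sample_iostat | saturated_devices 90
```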

To find out which command is issuing the reads and writes, use the iotop command.

If iotop fails with the following error:

Traceback (most recent call last):
  File "/usr/sbin/iotop", line 17, in <module>
    main()
  File "/usr/lib/python2.7/site-packages/iotop/ui.py", line 620, in main
    main_loop()
  File "/usr/lib/python2.7/site-packages/iotop/ui.py", line 610, in <lambda>
    main_loop = lambda: run_iotop(options)
  File "/usr/lib/python2.7/site-packages/iotop/ui.py", line 508, in run_iotop
    return curses.wrapper(run_iotop_window, options)
  File "/usr/lib64/python2.7/curses/wrapper.py", line 43, in wrapper
    return func(stdscr, *args, **kwds)
  File "/usr/lib/python2.7/site-packages/iotop/ui.py", line 501, in run_iotop_window
    ui.run()
  File "/usr/lib/python2.7/site-packages/iotop/ui.py", line 155, in run
    self.process_list.duration)
  File "/usr/lib/python2.7/site-packages/iotop/ui.py", line 434, in refresh_display
    lines = self.get_data()
  File "/usr/lib/python2.7/site-packages/iotop/ui.py", line 415, in get_data
    return list(map(format, processes))
  File "/usr/lib/python2.7/site-packages/iotop/ui.py", line 388, in format
    cmdline = p.get_cmdline()
  File "/usr/lib/python2.7/site-packages/iotop/data.py", line 292, in get_cmdline
    proc_status = parse_proc_pid_status(self.pid)
  File "/usr/lib/python2.7/site-packages/iotop/data.py", line 196, in parse_proc_pid_status
    key, value = line.split(':\t', 1)
ValueError: need more than 1 value to unpack

The fix is as follows: as root, edit the file /usr/lib/python2.7/site-packages/iotop/data.py

and change the code at around line 195 to the following:

def parse_proc_pid_status(pid):
    result_dict = {}
    try:
        for line in open('/proc/%d/status' % pid):
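            # Skip blank lines: splitting one on ':\t' yields a single value,
            # which is what raises the ValueError shown above
            if not line.strip(): continue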
            key, value = line.split(':\t', 1)
            result_dict[key] = value.strip()
    except IOError:
        pass  # No such process

    return result_dict

# Pay close attention to indentation in Python!

Total DISK READ :	0.00 B/s | Total DISK WRITE :       0.00 B/s
Actual DISK READ:	0.00 B/s | Actual DISK WRITE:       0.00 B/s
  TID  PRIO  USER     DISK READ  DISK WRITE  SWAPIN     IO>    COMMAND                                                                                                  
    1 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % systemd --switched-root --system --deserialize 22
    2 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kthreadd]
    3 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [ksoftirqd/0]
    5 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kworker/0:0H]
    6 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kworker/u128:0]
    7 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [migration/0]
    8 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [rcu_bh]
    9 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [rcu_sched]
   10 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [lru-add-drain]
   11 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [watchdog/0]
   12 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [watchdog/1]
   13 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [migration/1]
   14 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [ksoftirqd/1]
   15 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kworker/1:0]
   16 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kworker/1:0H]
   17 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [watchdog/2]
   18 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [migration/2]
   19 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [ksoftirqd/2]
  532 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [xfs-conv/sda1]
   21 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kworker/2:0H]
   22 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [watchdog/3]
   23 rt/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [migration/3]
   24 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [ksoftirqd/3]
  537 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [xfsaild/sda1]
   26 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kworker/3:0H]
   28 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kdevtmpfs]
   29 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [netns]
   30 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [khungtaskd]
   31 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [writeback]
   32 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kintegrityd]
   33 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [bioset]
   34 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kblockd]
   35 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [md]
   36 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [edac-poller]
   42 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kswapd0]
   43 be/5 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [ksmd]
   44 be/7 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [khugepaged]
   45 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [crypto]
  530 be/0 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [xfs-buf/sda1]

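What iotop shows is much like top; see the man page for detailed usage. What we need to watch is the first two lines and the I/O percentage.

10.7 The free command

The free command shows memory usage directly.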

[root@localhost: ~]# free 
              total        used        free      shared  buff/cache   available
Mem:        3872600      169524     3519844        8860      183232     3467512
Swap:       4194300           0     4194300

The first column is the total amount of memory. The -m option selects MB as the unit, and -h gives human-readable output.

[root@localhost: ~]# free -m
              total        used        free      shared  buff/cache   available
Mem:           3781         163        3439           8         178        3388
Swap:          4095           0        4095
[root@localhost: ~]# free -h
              total        used        free      shared  buff/cache   available
Mem:           3.7G        163M        3.4G        8.6M        178M        3.3G
Swap:          4.0G          0B        4.0G

total = used + free + buff/cache

available = free + (remainder of buff/cache)

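buffer means buffering, and cache means caching.

Data read from the disk goes to the CPU for processing and passes through memory on the way. Because the disk is slow to read and would hold up the CPU, the data is temporarily cached in memory and fetched as needed. This part of memory is the cache.

When the CPU has finished processing data and it has to be stored on disk, the write takes a while, so the data is first placed in memory. This part of memory is the buffer.

If swap runs short you can add a swap partition, but that is not a real solution: the program may simply be memory-hungry and the machine needs more RAM, or the program may have a bug and be leaking memory. Either way it needs careful investigation.

10.8 The ps command

The ps command shows processes.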

ps - report a snapshot of the current processes.

ps aux shows all processes in memory.

[root@localhost: ~]# ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.1  0.1 193628  6676 ?        Ss   10:47   0:01 /usr/lib/systemd/systemd --switched-root --system --deserialize 22
root         2  0.0  0.0      0     0 ?        S    10:47   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    10:47   0:00 [ksoftirqd/0]
.........

ps is often combined with a pipe to grep for whether a given process exists.

[root@localhost: ~]# ps aux | grep mysql
root      1466  0.0  0.0 112704   976 pts/0    S+   11:11   0:00 grep --color=auto mysql

ps -elf is much the same as aux, only the columns differ.

[root@localhost: ~]# ps -elf
F S UID        PID  PPID  C PRI  NI ADDR SZ WCHAN  STIME TTY          TIME CMD
4 S root         1     0  0  80   0 - 48407 ep_pol 10:47 ?        00:00:01 /usr/lib/systemd/systemd --switched-root --system --deserialize 22
1 S root         2     0  0  80   0 -     0 kthrea 10:47 ?        00:00:00 [kthreadd]
1 S root         3     2  0  80   0 -     0 smpboo 10:47 ?        00:00:00 [ksoftirqd/0]

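For ps aux, the first column is the user and the second is the PID.

Once you know the PID, you can kill the process with kill.

If a process shows up that I do not recognize, it may belong to an intruder; with its PID you can find out where the process was started from. Look under the /proc/ directory, where each PID is a directory name.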
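
The /proc lookup described above, as an added example that is not part of the original notes: it reads the exe and cwd symlinks and the NUL-separated cmdline of a PID and flags a binary that was removed from disk after it started. The function names, the optional root argument and the sample tree (including /tmp/upd) are constructed for illustration.

```sh
#!/bin/sh
# Added example: show where a process was started from, using /proc/<pid>.
# Usage: proc_origin <pid> [proc_root]
# proc_root defaults to /proc; the second argument is an assumption of this
# example so the function can also be pointed at a constructed tree.
proc_origin() {
    po_dir="${2:-/proc}/$1"
    [ -d "$po_dir" ] || { echo "pid=$1 state=gone"; return 1; }

    # exe and cwd are symlinks. readlink fails for kernel threads (they have
    # no executable) and for other users' processes when not running as root.
    po_exe=$(readlink "$po_dir/exe" 2>/dev/null) || po_exe=""
    po_cwd=$(readlink "$po_dir/cwd" 2>/dev/null) || po_cwd=""
    # cmdline separates arguments with NUL bytes; turn them into spaces.
    po_cmd=$(tr '\0' ' ' 2>/dev/null < "$po_dir/cmdline" | sed 's/ *$//') || po_cmd=""

    po_note="none"
    case "$po_exe" in
        *" (deleted)")
            # The kernel appends " (deleted)" when the file behind a running
            # process has been unlinked from disk.
            po_note="binary-deleted-from-disk" ;;
        "")
            if [ -z "$po_cmd" ]; then po_note="kernel-thread-or-unreadable"; fi ;;
    esac

    printf 'pid=%s\nexe=%s\ncwd=%s\ncmdline=%s\nnote=%s\n' \
        "$1" "$po_exe" "$po_cwd" "$po_cmd" "$po_note"
}

# Constructed sample: a fake /proc tree with one ordinary process (sshd, PID
# 1007 as in the netstat output on this page) and one made-up process whose
# binary is gone. Prints the path of the temporary tree.
make_sample_proc() {
    ms_root=$(mktemp -d)
    mkdir -p "$ms_root/1007" "$ms_root/4242"
    ln -s /usr/sbin/sshd "$ms_root/1007/exe"
    ln -s / "$ms_root/1007/cwd"
    printf '/usr/sbin/sshd\0-D\0' > "$ms_root/1007/cmdline"
    ln -s '/tmp/upd (deleted)' "$ms_root/4242/exe"
    ln -s /tmp "$ms_root/4242/cwd"
    printf './upd\0' > "$ms_root/4242/cmdline"
    echo "$ms_root"
}

# Demo on the constructed tree; on a live host run: proc_origin <pid>
demo_root=$(make_sample_proc)
proc_origin 4242 "$demo_root"
rm -rf "$demo_root"
```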

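STAT is the column we need to pay attention to. The others are not covered further here.

A process can be in the following states.

  • D uninterruptible process >>> directly affects the load; with many D processes the load may be high even though CPU usage may not be
  • R running process >>> has been using the CPU during the current interval
  • S sleeping process
  • T stopped process >>> Ctrl-z suspends a foreground job
  • Z zombie process >>> the main program is gone and the processes left behind are zombies
  • < high-priority process >>> when CPU usage is high, these processes get the CPU first
  • N low-priority process
  • L has pages locked in memory
  • s main process
  • l multi-threaded process >> several threads share one block of memory
  • + foreground process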

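10.9 Viewing network status

The netstat command shows the state of TCP/IP communication.

Normally a host does not listen on any port, but to offer a network service it has to provide one.

-lnp lists all ports that are being listened on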

[root@localhost: ~]# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      608/rpcbind         
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1007/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1244/master         
tcp6       0      0 :::111                  :::*                    LISTEN      608/rpcbind         
tcp6       0      0 :::22                   :::*                    LISTEN      1007/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      1244/master         
udp        0      0 127.0.0.1:323           0.0.0.0:*                           622/chronyd         
udp        0      0 0.0.0.0:766             0.0.0.0:*                           608/rpcbind         
udp        0      0 0.0.0.0:111             0.0.0.0:*                           608/rpcbind         
udp6       0      0 ::1:323                 :::*                                622/chronyd         
udp6       0      0 :::766                  :::*                                608/rpcbind         
udp6       0      0 :::111                  :::*                                608/rpcbind         
raw6       0      0 :::58                   :::*                    7           692/NetworkManager  
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     15136    1/systemd            /run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     15139    1/systemd            /var/run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     17971    591/lsmd             /var/run/lsm/ipc/sim
unix  2      [ ACC ]     STREAM     LISTENING     17973    591/lsmd             /var/run/lsm/ipc/simc
unix  2      [ ACC ]     STREAM     LISTENING     17976    600/VGAuthService    /var/run/vmware/guestServicePipe
unix  2      [ ACC ]     STREAM     LISTENING     20870    1244/master          private/rewrite
unix  2      [ ACC ]     STREAM     LISTENING     19180    1244/master          private/defer
unix  2      [ ACC ]     STREAM     LISTENING     18004    639/abrtd            /var/run/abrt/abrt.socket
unix  2      [ ACC ]     STREAM     LISTENING     10080    1/systemd            /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     1399     1/systemd            /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     12665    1/systemd            /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     10106    1/systemd            /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     20867    1244/master          private/tlsmgr
unix  2      [ ACC ]     SEQPACKET  LISTENING     10120    1/systemd            /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     20873    1244/master          private/bounce
unix  2      [ ACC ]     STREAM     LISTENING     19186    1244/master          private/verify
unix  2      [ ACC ]     STREAM     LISTENING     19192    1244/master          private/proxymap
unix  2      [ ACC ]     STREAM     LISTENING     19195    1244/master          private/proxywrite
unix  2      [ ACC ]     STREAM     LISTENING     19183    1244/master          private/trace
unix  2      [ ACC ]     STREAM     LISTENING     19198    1244/master          private/smtp
unix  2      [ ACC ]     STREAM     LISTENING     19201    1244/master          private/relay
unix  2      [ ACC ]     STREAM     LISTENING     19207    1244/master          private/error
unix  2      [ ACC ]     STREAM     LISTENING     19210    1244/master          private/retry
unix  2      [ ACC ]     STREAM     LISTENING     19213    1244/master          private/discard
unix  2      [ ACC ]     STREAM     LISTENING     20856    1244/master          public/pickup
unix  2      [ ACC ]     STREAM     LISTENING     19216    1244/master          private/local
unix  2      [ ACC ]     STREAM     LISTENING     20860    1244/master          public/cleanup
unix  2      [ ACC ]     STREAM     LISTENING     19219    1244/master          private/virtual
unix  2      [ ACC ]     STREAM     LISTENING     20863    1244/master          public/qmgr
unix  2      [ ACC ]     STREAM     LISTENING     19222    1244/master          private/lmtp
unix  2      [ ACC ]     STREAM     LISTENING     19189    1244/master          public/flush
unix  2      [ ACC ]     STREAM     LISTENING     19225    1244/master          private/anvil
unix  2      [ ACC ]     STREAM     LISTENING     19204    1244/master          public/showq
unix  2      [ ACC ]     STREAM     LISTENING     19228    1244/master          private/scache

The unix lines list communication over socket files.

-an shows the state of all connections

[root@localhost: ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp        0     52 192.168.16.100:22       192.168.16.1:14464      ESTABLISHED
tcp6       0      0 :::111                  :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:25                  :::*                    LISTEN     
udp        0      0 127.0.0.1:323           0.0.0.0:*                          
udp        0      0 192.168.16.100:33287    85.199.214.100:123      ESTABLISHED
udp        0      0 0.0.0.0:766             0.0.0.0:*                          
udp        0      0 0.0.0.0:111             0.0.0.0:*                          
udp6       0      0 ::1:323                 :::*                               
udp6       0      0 :::766                  :::*                               
udp6       0      0 :::111                  :::*                               
raw6       0      0 :::58                   :::*                    7          
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     15136    /run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     15139    /var/run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     17971    /var/run/lsm/ipc/sim
unix  2      [ ACC ]     STREAM     LISTENING     17973    /var/run/lsm/ipc/simc
unix  2      [ ACC ]     STREAM     LISTENING     17976    /var/run/vmware/guestServicePipe
unix  2      [ ACC ]     STREAM     LISTENING     20870    private/rewrite
unix  2      [ ACC ]     STREAM     LISTENING     19180    private/defer
unix  2      [ ACC ]     STREAM     LISTENING     18004    /var/run/abrt/abrt.socket
unix  2      [ ACC ]     STREAM     LISTENING     10080    /run/lvm/lvmpolld.socket
unix  3      [ ]         DGRAM                    1379     /run/systemd/notify
unix  2      [ ]         DGRAM                    1381     /run/systemd/cgroups-agent
unix  2      [ ]         DGRAM                    17524    /var/run/chrony/chronyd.sock
unix  2      [ ACC ]     STREAM     LISTENING     1399     /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     12665    /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     10106    /run/lvm/lvmetad.socket
unix  5      [ ]         DGRAM                    1402     /run/systemd/journal/socket
unix  15     [ ]         DGRAM                    1404     /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     20867    private/tlsmgr
unix  2      [ ]         DGRAM                    10118    /run/systemd/shutdownd
unix  2      [ ACC ]     SEQPACKET  LISTENING     10120    /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     20873    private/bounce
unix  2      [ ACC ]     STREAM     LISTENING     19186    private/verify
unix  2      [ ACC ]     STREAM     LISTENING     19192    private/proxymap
unix  2      [ ACC ]     STREAM     LISTENING     19195    private/proxywrite
unix  2      [ ACC ]     STREAM     LISTENING     19183    private/trace
unix  2      [ ACC ]     STREAM     LISTENING     19198    private/smtp
unix  2      [ ACC ]     STREAM     LISTENING     19201    private/relay
unix  2      [ ACC ]     STREAM     LISTENING     19207    private/error
unix  2      [ ACC ]     STREAM     LISTENING     19210    private/retry
unix  2      [ ACC ]     STREAM     LISTENING     19213    private/discard
unix  2      [ ACC ]     STREAM     LISTENING     20856    public/pickup
unix  2      [ ACC ]     STREAM     LISTENING     19216    private/local
unix  2      [ ACC ]     STREAM     LISTENING     20860    public/cleanup
unix  2      [ ACC ]     STREAM     LISTENING     19219    private/virtual
unix  2      [ ACC ]     STREAM     LISTENING     20863    public/qmgr
unix  2      [ ACC ]     STREAM     LISTENING     19222    private/lmtp
unix  2      [ ACC ]     STREAM     LISTENING     19189    public/flush
unix  2      [ ACC ]     STREAM     LISTENING     19225    private/anvil
unix  2      [ ACC ]     STREAM     LISTENING     19204    public/showq
unix  2      [ ACC ]     STREAM     LISTENING     19228    private/scache
unix  3      [ ]         STREAM     CONNECTED     17559    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     16723    
unix  3      [ ]         STREAM     CONNECTED     20864    
unix  2      [ ]         DGRAM                    15269    
unix  3      [ ]         STREAM     CONNECTED     17613    
unix  3      [ ]         STREAM     CONNECTED     19215    
unix  3      [ ]         STREAM     CONNECTED     20862    
unix  3      [ ]         STREAM     CONNECTED     20861    
unix  3      [ ]         STREAM     CONNECTED     13576    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     16157    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     17667    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     16608    
unix  3      [ ]         STREAM     CONNECTED     16781    
unix  3      [ ]         STREAM     CONNECTED     17556    
unix  3      [ ]         STREAM     CONNECTED     13231    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     15958    
unix  3      [ ]         STREAM     CONNECTED     19199    
unix  3      [ ]         STREAM     CONNECTED     16930    /run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     19196    
unix  2      [ ]         DGRAM                    23595    
unix  3      [ ]         STREAM     CONNECTED     19197    
unix  3      [ ]         STREAM     CONNECTED     20865    
unix  3      [ ]         STREAM     CONNECTED     19493    
unix  3      [ ]         STREAM     CONNECTED     17453    
unix  3      [ ]         STREAM     CONNECTED     15237    /run/systemd/journal/stdout
unix  2      [ ]         DGRAM                    18143    
unix  3      [ ]         STREAM     CONNECTED     16724    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     16132    /run/systemd/journal/stdout
unix  2      [ ]         DGRAM                    20842    
unix  3      [ ]         STREAM     CONNECTED     19211    
unix  3      [ ]         STREAM     CONNECTED     20855    
unix  2      [ ]         DGRAM                    21918    
unix  3      [ ]         STREAM     CONNECTED     16960    /run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     20854    
unix  3      [ ]         STREAM     CONNECTED     19208    
unix  3      [ ]         STREAM     CONNECTED     17773    
unix  2      [ ]         DGRAM                    16948    
unix  3      [ ]         STREAM     CONNECTED     20381    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     19214    
unix  3      [ ]         STREAM     CONNECTED     20871    
unix  3      [ ]         STREAM     CONNECTED     20872    
unix  3      [ ]         STREAM     CONNECTED     19206    
unix  3      [ ]         STREAM     CONNECTED     19202    
unix  2      [ ]         DGRAM                    16964    
unix  3      [ ]         STREAM     CONNECTED     19212    
unix  3      [ ]         STREAM     CONNECTED     20857    
unix  3      [ ]         STREAM     CONNECTED     15874    
unix  2      [ ]         DGRAM                    15873    
unix  3      [ ]         STREAM     CONNECTED     20383    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     20858    
unix  3      [ ]         STREAM     CONNECTED     20804    
unix  3      [ ]         STREAM     CONNECTED     15414    
unix  3      [ ]         STREAM     CONNECTED     22666    /run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     19200    
unix  3      [ ]         STREAM     CONNECTED     19209    
unix  3      [ ]         STREAM     CONNECTED     17555    
unix  3      [ ]         STREAM     CONNECTED     17558    /run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     20868    
unix  3      [ ]         STREAM     CONNECTED     18432    
unix  3      [ ]         STREAM     CONNECTED     16669    
unix  3      [ ]         STREAM     CONNECTED     20869    
unix  3      [ ]         STREAM     CONNECTED     15875    
unix  3      [ ]         STREAM     CONNECTED     19205    
unix  3      [ ]         STREAM     CONNECTED     18368    
unix  3      [ ]         STREAM     CONNECTED     18647    
unix  3      [ ]         STREAM     CONNECTED     19220    
unix  3      [ ]         STREAM     CONNECTED     19182    
unix  2      [ ]         DGRAM                    21715    
unix  3      [ ]         STREAM     CONNECTED     19194    
unix  3      [ ]         STREAM     CONNECTED     19193    
unix  2      [ ]         DGRAM                    17970    
unix  3      [ ]         STREAM     CONNECTED     18726    
unix  3      [ ]         STREAM     CONNECTED     15351    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     16222    
unix  3      [ ]         STREAM     CONNECTED     18727    /run/dbus/system_bus_socket
unix  2      [ ]         DGRAM                    12690    
unix  3      [ ]         STREAM     CONNECTED     17557    /run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     19203    
unix  3      [ ]         STREAM     CONNECTED     19217    
unix  3      [ ]         STREAM     CONNECTED     18602    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     13230    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     17825    
unix  3      [ ]         STREAM     CONNECTED     18072    
unix  3      [ ]         STREAM     CONNECTED     15957    
unix  3      [ ]         STREAM     CONNECTED     19178    
unix  3      [ ]         STREAM     CONNECTED     19224    
unix  3      [ ]         STREAM     CONNECTED     19218    
unix  3      [ ]         STREAM     CONNECTED     19191    
unix  3      [ ]         STREAM     CONNECTED     19223    
unix  2      [ ]         DGRAM                    21696    
unix  3      [ ]         STREAM     CONNECTED     19221    
unix  2      [ ]         DGRAM                    14492    
unix  3      [ ]         STREAM     CONNECTED     19179    
unix  3      [ ]         DGRAM                    14623    
unix  3      [ ]         STREAM     CONNECTED     19187    
unix  3      [ ]         STREAM     CONNECTED     19227    
unix  2      [ ]         DGRAM                    18462    
unix  3      [ ]         DGRAM                    14624    
unix  3      [ ]         STREAM     CONNECTED     19181    
unix  3      [ ]         STREAM     CONNECTED     19226    
unix  2      [ ]         DGRAM                    16148    
unix  3      [ ]         STREAM     CONNECTED     12848    
unix  3      [ ]         STREAM     CONNECTED     14569    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     15359    /run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     15343    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     17489    
unix  2      [ ]         DGRAM                    18006    
unix  3      [ ]         STREAM     CONNECTED     19185    
unix  3      [ ]         STREAM     CONNECTED     19230    
unix  2      [ ]         DGRAM                    15286    
unix  3      [ ]         STREAM     CONNECTED     19188    
unix  3      [ ]         STREAM     CONNECTED     19229    
unix  3      [ ]         STREAM     CONNECTED     18472    
unix  3      [ ]         STREAM     CONNECTED     19190    
unix  3      [ ]         STREAM     CONNECTED     19184    
unix  2      [ ]         DGRAM                    18491    
unix  2      [ ]         DGRAM                    14610 

-lutnp lists only tcp and udp

[root@localhost: ~]# netstat -lutnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      608/rpcbind         
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1007/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1244/master         
tcp6       0      0 :::111                  :::*                    LISTEN      608/rpcbind         
tcp6       0      0 :::22                   :::*                    LISTEN      1007/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      1244/master         
udp        0      0 127.0.0.1:323           0.0.0.0:*                           622/chronyd         
udp        0      0 0.0.0.0:766             0.0.0.0:*                           608/rpcbind         
udp        0      0 0.0.0.0:111             0.0.0.0:*                           608/rpcbind         
udp6       0      0 ::1:323                 :::*                                622/chronyd         
udp6       0      0 :::766                  :::*                                608/rpcbind         
udp6       0      0 :::111                  :::*                                608/rpcbind 
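
To turn this listing into an exposure check, the following added example (not part of the original notes) keeps only the sockets bound to non-loopback addresses and reports those whose port is not on an allowlist. The function names and the allowlist format (space-separated port/proto entries) are assumptions of the example; the sample input is the netstat -lutnp output shown above.

```sh
#!/bin/sh
# Added example: list listeners reachable from other hosts and compare them
# with an allowlist. Input is `netstat -lutnp` output on stdin.

# Sample input: the netstat -lutnp output shown above.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      608/rpcbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1007/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1244/master
tcp6       0      0 :::111                  :::*                    LISTEN      608/rpcbind
tcp6       0      0 :::22                   :::*                    LISTEN      1007/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1244/master
udp        0      0 127.0.0.1:323           0.0.0.0:*                           622/chronyd
udp        0      0 0.0.0.0:766             0.0.0.0:*                           608/rpcbind
udp        0      0 0.0.0.0:111             0.0.0.0:*                           608/rpcbind
udp6       0      0 ::1:323                 :::*                                622/chronyd
udp6       0      0 :::766                  :::*                                608/rpcbind
udp6       0      0 :::111                  :::*                                608/rpcbind
EOF
}

# Print one "<port>/<proto> <program>" line per listener that is NOT bound to
# a loopback address. tcp6/udp6 are folded into tcp/udp so that a service
# listening on both address families is reported once.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            host = $4; sub(/:[^:]*$/, "", host)      # strip ":port"
            port = $4; sub(/^.*:/, "", port)         # keep only the port
            if (host ~ /^127\./ || host == "::1") next
            proto = $1; sub(/6$/, "", proto)
            # Listening udp sockets have an empty State column, so the
            # PID/Program field starts one column earlier than for tcp.
            first = (proto == "tcp") ? 7 : 6
            prog = ""
            for (i = first; i <= NF; i++) prog = prog (prog == "" ? "" : " ") $i
            sub(/^[0-9]+\//, "", prog)               # drop the "PID/" prefix
            print port "/" proto, prog
        }
    ' | LC_ALL=C sort -u
}

# Print the exposed listeners whose "<port>/<proto>" is not in the allowlist
# given as $1 (space-separated entries, for example "22/tcp 443/tcp").
unexpected_listeners() {
    exposed_listeners | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok)
    '
}

# Demo on the sample; on a live host: netstat -lutnp | unexpected_listeners "22/tcp"
sample_netstat | unexpected_listeners "22/tcp"
```

With only 22/tcp allowed, the sample reports rpcbind on 111/tcp, 111/udp and 766/udp, while the loopback-only listeners (master on 25, chronyd on 323) are not listed.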

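On a production server there will be many states here. See "A detailed explanation of viewing network status with netstat".

A simple one-line command counts the connections in each state.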

[root@localhost: ~]# netstat -an | awk '/^tcp/ {++sta[$NF]} END {for (key in sta) print key,"\t",sta[key]}'
LISTEN 	 6
ESTABLISHED 	 1

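What we care about is the number in the ESTABLISHED state.

If this value is large, the server is busy; it represents the number of concurrent connections.

Another command is ss, which is similar to netstat but cannot display process names.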

[root@localhost: ~]# ss -an
Netid State      Recv-Q Send-Q     Local Address:Port                    Peer Address:Port              
nl    UNCONN     0      0                      0:1006633652                          *                   
nl    UNCONN     0      0                      0:0                                   *                   
nl    UNCONN     0      0                      0:1006633652                          *                   
nl    UNCONN     768    0                      4:0                                   *                   
nl    UNCONN     4352   0                      4:1650                                *                   
nl    UNCONN     0      0                      6:0                                   *                   
nl    UNCONN     0      0                      7:612                                 *                   
nl    UNCONN     0      0                      7:1                                   *                   
nl    UNCONN     0      0                      7:0                                   *                   
nl    UNCONN     0      0                      7:612                                 *                   
nl    UNCONN     0      0                      7:1                                   *                   
nl    UNCONN     0      0                      9:0                                   *                   
nl    UNCONN     0      0                      9:1                                   *                   
nl    UNCONN     0      0                      9:567                                 *                   
nl    UNCONN     0      0                     10:0                                   *                   
udp   UNCONN     0      0                     :::58                                :::*                  
udp   UNCONN     0      0              127.0.0.1:323                                *:*                  
udp   UNCONN     0      0                      *:766                                *:*                  
udp   UNCONN     0      0                      *:111                                *:*                  
udp   UNCONN     0      0                    ::1:323                               :::*                  
udp   UNCONN     0      0                     :::766                               :::*                  
udp   UNCONN     0      0                     :::111                               :::*                  
tcp   LISTEN     0      128                    *:111                                *:*                  
tcp   LISTEN     0      128                    *:22                                 *:*                  
tcp   LISTEN     0      100            127.0.0.1:25                                 *:*                  
tcp   ESTAB      0      4148      192.168.16.100:22                      192.168.16.1:14464              
tcp   LISTEN     0      128                   :::111                               :::*                  
tcp   LISTEN     0      128                   :::22                                :::*                  
tcp   LISTEN     0      100                  ::1:25                                :::*

10.10 Packet capture on Linux

The tcpdump command is a packet capture tool.

[root@localhost: ~]# tcpdump -nn -i ens33
11:49:31.741798 IP 192.168.16.100.22 > 192.168.16.1.14464: Flags [P.], seq 85760:85940, ack 1, win 251, length 180
11:49:31.741998 IP 192.168.16.100.22 > 192.168.16.1.14464: Flags [P.], seq 85940:86120, ack 1, win 251, length 180
11:49:31.742145 IP 192.168.16.1.14464 > 192.168.16.100.22: Flags [.], ack 85760, win 2053, length 0
11:49:31.742199 IP 192.168.16.1.14464 > 192.168.16.100.22: Flags [.], ack 85940, win 2052, length 0
11:49:31.742558 IP 192.168.16.100.22 > 192.168.16.1.14464: Flags [P.], seq 86120:86492, ack 1, win 251, length 372
^C
559 packets captured
561 packets received by filter
0 packets dropped by kernel

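The -nn option prints addresses and ports as numbers instead of resolving them to names.

The second column shows the IP flow, source > destination (this is not a production server, so most of what my host sees is SSH connections on port 22), and the last column is the length. These are the fields we need to watch.

A DDoS attack sends empty UDP packets to the target host. If the host receives a large number of empty packets with length 0, it is very likely under a DDoS attack.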
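As an added example (not from the original post), the awk filter below applies this check to `tcpdump -nn` text output: it counts only UDP packets with length 0 per destination and skips the zero-length TCP ACKs that appear in any normal capture, such as the SSH session above. The function names, the threshold and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count zero-length UDP packets per destination in the text
# output of `tcpdump -nn` (read from stdin).

# Constructed sample in `tcpdump -nn` format. 192.168.16.100 is the host used
# on this page; the other addresses and all ports are made up.
sample_capture() {
cat <<'EOF'
12:00:01.000101 IP 203.0.113.7.40001 > 192.168.16.100.9999: UDP, length 0
12:00:01.000140 IP 203.0.113.7.40002 > 192.168.16.100.9999: UDP, length 0
12:00:01.000188 IP 198.51.100.23.51000 > 192.168.16.100.9999: UDP, length 0
12:00:01.000230 IP 198.51.100.99.51001 > 192.168.16.100.9999: UDP, length 0
12:00:01.000301 IP 203.0.113.7.40003 > 192.168.16.100.9999: UDP, length 0
12:00:01.000350 IP 192.168.16.1.5353 > 192.168.16.100.9999: UDP, length 48
12:00:01.000402 IP 192.168.16.1.14464 > 192.168.16.100.22: Flags [.], ack 85760, win 2053, length 0
12:00:01.000455 IP 203.0.113.7.40004 > 192.168.16.101.9999: UDP, length 0
EOF
}

# zero_len_udp_report THRESHOLD
# Prints "dst_ip zero_len_packets distinct_sources" for every destination that
# received at least THRESHOLD empty UDP packets (default threshold: 100).
zero_len_udp_report() {
    awk -v threshold="${1:-100}" '
    # Match only IPv4 lines that tcpdump labelled "UDP, length 0".
    # TCP lines carry "Flags" in field 6 and are skipped, so pure ACKs
    # (length 0 but perfectly normal) do not inflate the count.
    $2 == "IP" && $4 == ">" && $6 == "UDP," && $7 == "length" && $8 == 0 {
        src = $3
        dst = $5
        sub(/:$/, "", dst)           # drop the trailing colon
        sub(/\.[0-9]+$/, "", src)    # drop the port suffix
        sub(/\.[0-9]+$/, "", dst)
        count[dst]++
        if (!((dst, src) in seen)) {
            seen[dst, src] = 1
            sources[dst]++
        }
    }
    END {
        for (d in count)
            if (count[d] >= threshold)
                printf "%s %d %d\n", d, count[d], sources[d]
    }' | sort
}

# Live use would look like:
#   tcpdump -nn -i ens33 udp -c 1000 | zero_len_udp_report 100
# Here the constructed sample is used so the script runs offline.
sample_capture | zero_len_udp_report 3
```

A high packet count from many distinct sources points to a distributed flood; a high count from a single source is easier to block at the firewall.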

[root@localhost: ~]# tcpdump -nn -i ens33 not port 22 and host 192.168.16.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
1 packet received by filter
0 packets dropped by kernel

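Filter expressions support the keywords not and and, and can select traffic by port and host.

In scripts, use the -c option to set how many packets to capture and -w to write them to a file.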

[root@localhost: ~]# tcpdump -nn -i ens33 port 22 and host 192.168.16.100 -c 10 -w /tmp/1.cap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
10 packets captured
11 packets received by filter
0 packets dropped by kernel
[root@localhost: ~]# ll /tmp/1.cap 
-rw-r--r--. 1 tcpdump tcpdump 2400 Jul 12 11:58 /tmp/1.cap

This file cannot be read directly with cat.

tcpdump's -r (read) option displays its contents, but what was written to the file is the actual packet data.

[root@localhost: ~]# tcpdump -r /tmp/1.cap 
reading from file /tmp/1.cap, link-type EN10MB (Ethernet)
11:58:08.597248 IP localhost.localdomain.ssh > 192.168.16.1.14464: Flags [P.], seq 4007341688:4007341836, ack 1086060991, win 251, length 148
11:58:08.597651 IP 192.168.16.1.14464 > localhost.localdomain.ssh: Flags [.], ack 148, win 2047, length 0
11:58:12.905268 IP 192.168.16.1.airsync > localhost.localdomain.ssh: Flags [S], seq 1520958004, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:58:12.905395 IP localhost.localdomain.ssh > 192.168.16.1.airsync: Flags [S.], seq 1696239456, ack 1520958005, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:58:12.906034 IP 192.168.16.1.airsync > localhost.localdomain.ssh: Flags [.], ack 1, win 2053, length 0
11:58:12.926426 IP localhost.localdomain.ssh > 192.168.16.1.airsync: Flags [P.], seq 1:22, ack 1, win 229, length 21
11:58:12.966906 IP 192.168.16.1.airsync > localhost.localdomain.ssh: Flags [.], ack 22, win 2053, length 0
11:58:12.971792 IP 192.168.16.1.airsync > localhost.localdomain.ssh: Flags [P.], seq 1:50, ack 22, win 2053, length 49
11:58:12.971948 IP localhost.localdomain.ssh > 192.168.16.1.airsync: Flags [.], ack 50, win 229, length 0
11:58:12.972663 IP 192.168.16.1.airsync > localhost.localdomain.ssh: Flags [P.], seq 50:1466, ack 22, win 2053, length 1416

The tshark command

tshark - Dump and analyze network traffic

Here is a command that shows the details of web page requests.

tshark -n -t a -Y http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"

Using tshark to capture and analyze HTTP requests

Reposted from: https://my.oschina.net/u/3866688/blog/1844549
