Tags: 10.6 Monitoring I/O performance - 10.7 The free command - 10.8 The ps command - 10.9 Viewing network status - 10.10 Packet capture on Linux
- 10.6 Monitoring I/O performance
- 10.7 The free command
- 10.8 The ps command
- 10.9 Viewing network status
- 10.10 Packet capture on Linux
- Extension: the TCP three-way handshake and four-way teardown http://www.doc88.com/p-9913773324388.html
- A few uses of tshark: http://www.aminglinux.com/bbs/thread-995-1-1.html
# 10.6 Monitoring I/O performance

- The iostat command: installing the sysstat package already provides iostat; iostat and sar belong to the same package
- sysstat --> iostat / sar
```
[root@aminglinux-01 ~]# iostat 1
Linux 3.10.0-514.el7.x86_64 (aminglinux-01) 2017年08月31日 _x86_64_ (1 CPU)
avg-cpu: %user %nice %system %iowait %steal %idle
0.24 0.00 0.39 0.09 0.00 99.28
Device: tps kB_read/s kB_wrtn/s kB_read kB_wrtn
sda 1.65 33.94 9.01 223609 59376
sdb 0.05 0.28 0.00 1840 0
scd0 0.00 0.01 0.00 44 0
dm-0 0.01 0.07 0.00 456 0
avg-cpu: %user %nice %system %iowait %steal %idle
0.00 0.00 0.00 0.00 0.00 100.00
Device: tps kB_read/s kB_wrtn/s kB_read kB_wrtn
sda 0.00 0.00 0.00 0 0
sdb 0.00 0.00 0.00 0 0
scd0 0.00 0.00 0.00 0 0
dm-0 0.00 0.00 0.00 0 0
avg-cpu: %user %nice %system %iowait %steal %idle
0.00 0.00 0.00 0.00 0.00 100.00
Device: tps kB_read/s kB_wrtn/s kB_read kB_wrtn
sda 0.00 0.00 0.00 0 0
sdb 0.00 0.00 0.00 0 0
scd0 0.00 0.00 0.00 0 0
dm-0 0.00 0.00 0.00 0 0
^C
[root@aminglinux-01 ~]#
```
- sar -b also shows this
```
[root@aminglinux-01 ~]# sar -b
Linux 3.10.0-514.el7.x86_64 (aminglinux-01) 2017年08月31日 _x86_64_ (1 CPU)
22时00分01秒 tps rtps wtps bread/s bwrtn/s
22时10分01秒 0.13 0.02 0.11 0.29 1.71
22时20分01秒 0.06 0.01 0.05 0.13 0.80
22时30分01秒 0.84 0.04 0.80 1.27 20.27
22时40分01秒 0.04 0.00 0.04 0.00 0.45
22时50分01秒 0.05 0.00 0.04 0.03 0.53
平均时间: 0.22 0.01 0.21 0.35 4.75
[root@aminglinux-01 ~]#
```
- The command iostat -x
```
[root@aminglinux-01 ~]# iostat -x
Linux 3.10.0-514.el7.x86_64 (aminglinux-01) 2017年08月31日 _x86_64_ (1 CPU)
avg-cpu: %user %nice %system %iowait %steal %idle
0.23 0.00 0.39 0.08 0.00 99.30
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
sda 0.00 0.05 1.05 0.56 33.16 8.81 52.01 0.03 18.89 3.92 46.99 1.73 0.28
sdb 0.00 0.00 0.04 0.00 0.27 0.00 12.35 0.00 0.30 0.30 0.00 0.28 0.00
scd0 0.00 0.00 0.00 0.00 0.01 0.00 8.00 0.00 0.64 0.64 0.00 0.64 0.00
dm-0 0.00 0.00 0.01 0.00 0.07 0.00 15.20 0.00 0.18 0.18 0.00 0.17 0.00
```
- The most important column here is %util. It is a percentage: the share of time this disk was busy with I/O. The CPU spends part of its time computing for processes and part of it waiting for I/O (data reads and writes); %util tells you how large that I/O share is.
- If %util is around 50%-60%, the disk I/O is very busy. If the number is high and the read and write columns (rkB/s, wkB/s) are also large, the disk is simply saturated; if those two columns are small but %util is still high, the disk itself probably has a problem or a hardware fault.
- A slow disk always hurts performance: no matter how fast the CPU is, if the disk cannot keep up it becomes a major bottleneck.
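An added example, not code from the original notes, that applies the %util rule of thumb above to iostat -x output: it finds the rkB/s, wkB/s and %util columns by header name, flags devices above a chosen %util threshold, and tells a disk saturated by real throughput apart from one that is busy while moving almost no data. The sample output, the thresholds and the function names are constructed for the demo.

```shell
#!/bin/bash
# Added example, not the notes' own code: apply the %util rule of thumb to
# `iostat -x` output. Column positions are found from the header by name, so
# the sysstat 10.x layout shown in the notes and newer layouts that keep the
# same column names both work.

# Usage: flag_busy_disks UTIL_THRESHOLD KB_THRESHOLD < iostat_x_output
# Prints "<dev> util=<%util> kB/s=<rkB/s+wkB/s> <verdict>" per flagged device.
flag_busy_disks() {
  local util_thr="${1:-50}" kb_thr="${2:-100}"
  awk -v util_thr="$util_thr" -v kb_thr="$kb_thr" '
    # Header line ("Device:" or "Device"): remember which column is which.
    $1 ~ /^Device/ {
      r = w = u = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "rkB/s") r = i
        if ($i == "wkB/s") w = i
        if ($i == "%util") u = i
      }
      in_table = 1
      next
    }
    # A blank line or the next avg-cpu block ends the device table.
    NF == 0 || $1 == "avg-cpu:" { in_table = 0; next }
    in_table && r && w && u {
      kb = $r + $w
      if ($u + 0 >= util_thr + 0) {
        # High %util with real throughput: the disk is simply saturated.
        # High %util with almost no data moving: the notes say suspect the disk.
        if (kb >= kb_thr + 0)
          verdict = "saturated-by-throughput"
        else
          verdict = "busy-but-little-io(check-hardware)"
        printf "%s util=%s kB/s=%.1f %s\n", $1, $u, kb, verdict
      }
    }'
}

# Constructed sample (values made up for the demo) in the layout shown above:
# sda idle, sdb saturated by heavy reads and writes, sdc busy yet moving
# almost nothing.
SAMPLE_IOSTAT='Device:  rrqm/s wrqm/s    r/s    w/s    rkB/s    wkB/s avgrq-sz avgqu-sz  await r_await w_await  svctm  %util
sda        0.00   0.05   1.05   0.56    33.16     8.81    52.01     0.03  18.89    3.92   46.99   1.73   0.28
sdb        0.00   2.10 180.00 260.00 14400.00 33280.00   216.00     8.40  19.10   12.00   24.00   2.20  96.80
sdc        0.00   0.00   0.40   0.20     3.20     0.80    13.33     0.98 812.00  650.00 1140.00 980.00  58.90'

# Runs the check over the sample; on a live host pipe `iostat -x` in instead.
demo_flags() {
  printf '%s\n' "$SAMPLE_IOSTAT" | flag_busy_disks 50 100
}

demo_flags
```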
- The iotop command
- When you find the disk I/O is very busy and want to know which process is doing the reading and writing, use iotop
- If the command is not present, install it with yum install -y iotop
```
[root@aminglinux-01 ~]# iotop
-bash: iotop: 未找到命令
[root@aminglinux-01 ~]# yum install -y iotop
已安装:
iotop.noarch 0:0.6-2.el7
完毕!
[root@aminglinux-01 ~]#
```
- iotop is also a dynamic display, a sorted ranking of processes by I/O
```
[root@aminglinux-01 ~]# iotop
Total DISK READ : 0.00 B/s | Total DISK WRITE : 0.00 B/s
Actual DISK READ: 0.00 B/s | Actual DISK WRITE: 0.00 B/s
TID PRIO USER DISK READ DISK WRITE SWAPIN IO> COMMAND
1 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % systemd --switched-~em --deserialize 21
2 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kthreadd]
3 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksoftirqd/0]
516 be/4 polkitd 0.00 B/s 0.00 B/s 0.00 % 0.00 % polkitd --no-debug [gdbus]
517 be/4 polkitd 0.00 B/s 0.00 B/s 0.00 % 0.00 % polkitd --no-debug [JS GC Helper]
6 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/u256:0]
7 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [migration/0]
8 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [rcu_bh]
9 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [rcu_sched]
10 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [watchdog/0]
523 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % python -Es /usr/sbi~ld --nofork --nopid
12 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [khelper]
13 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kdevtmpfs]
14 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [netns]
15 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [khungtaskd]
16 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [writeback]
17 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kintegrityd]
18 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [bioset]
19 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kblockd]
20 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [md]
21 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/0:1]
536 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % NetworkManager --no-daemon
```
# 10.7 The free command

```
[root@aminglinux-01 ~]# free
total used free shared buff/cache available
Mem: 999936 118224 568292 6840 313420 697752
Swap: 2097148 0 2097148
[root@aminglinux-01 ~]#
```
- There are three lines: the first is the header, the second is memory usage, the third is usage of the swap partition
- The first column is total memory, 999936, in KB, which is roughly 1 GB here
- You can use free -m to view memory usage in megabytes
- free -h appends a unit to each number
```
[root@aminglinux-01 ~]# free -m
total used free shared buff/cache available
Mem: 976 115 555 6 306 681
Swap: 2047 0 2047
[root@aminglinux-01 ~]# free -h
total used free shared buff/cache available
Mem: 976M 115M 555M 6.7M 306M 681M
Swap: 2.0G 0B 2.0G
[root@aminglinux-01 ~]#
```
- Why doesn't total equal used + free? Because the system reserves part of memory for buff and cache
- buff and cache are both part of memory
- [ ] 0000 (disk) ---> memory (cache) --> CPU
- [ ] data the CPU has finished with (0000) --> memory (buff) --> disk
- Formula: total = used + free + buff/cache
- available includes free plus the reclaimable part of buff/cache
- Also keep an eye on swap. If free runs out and swap starts being used, you need to add memory; running short of swap means memory is insufficient, or there is a memory leak or a bug in a program, which needs investigating
# 10.8 The ps command

- You can start with man ps
```
[root@aminglinux-01 ~]# man ps
PS(1) User Commands PS(1)
NAME
ps - report a snapshot of the current processes.
SYNOPSIS
ps [options]
```
- ps - report a snapshot of the current processes: it reports a snapshot of the processes at this moment
- ps has two main forms of use
1. ps aux lists every process on the system
```
[root@aminglinux-01 ~]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.6 128092 6704 ? Ss 21:41 0:02 /usr/lib/systemd/systemd --switche
root 2 0.0 0.0 0 0 ? S 21:41 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 21:41 0:00 [ksoftirqd/0]
root 6 0.0 0.0 0 0 ? S 21:41 0:00 [kworker/u256:0]
root 7 0.0 0.0 0 0 ? S 21:41 0:00 [migration/0]
root 8 0.0 0.0 0 0 ? S 21:41 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? R 21:41 0:00 [rcu_sched]
root 10 0.0 0.0 0 0 ? S 21:41 0:00 [watchdog/0]
root 12 0.0 0.0 0 0 ? S< 21:41 0:00 [khelper]
root 13 0.0 0.0 0 0 ? S 21:41 0:00 [kdevtmpfs]
root 14 0.0 0.0 0 0 ? S< 21:41 0:00 [netns]
root 15 0.0 0.0 0 0 ? S 21:41 0:00 [khungtaskd]
root 16 0.0 0.0 0 0 ? S< 21:41 0:00 [writeback]
root 17 0.0 0.0 0 0 ? S< 21:41 0:00 [kintegrityd]
root 18 0.0 0.0 0 0 ? S< 21:41 0:00 [bioset]
root 19 0.0 0.0 0 0 ? S< 21:41 0:00 [kblockd]
root 20 0.0 0.0 0 0 ? S< 21:41 0:00 [md]
root 21 0.1 0.0 0 0 ? R 21:41 0:02 [kworker/0:1]
root 26 0.0 0.0 0 0 ? S 21:41 0:00 [kswapd0]
root 27 0.0 0.0 0 0 ? SN 21:41 0:00 [ksmd]
root 28 0.0 0.0 0 0 ? SN 21:41 0:00 [khugepaged]
root 29 0.0 0.0 0 0 ? S 21:41 0:00 [fsnotify_mark]
root 30 0.0 0.0 0 0 ? S< 21:41 0:00 [crypto]
root 38 0.0 0.0 0 0 ? S< 21:41 0:00 [kthrotld]
root 39 0.0 0.0 0 0 ? S 21:41 0:00 [kworker/u256:1]
root 40 0.0 0.0 0 0 ? S< 21:41 0:00 [kmpath_rdacd]
root 41 0.0 0.0 0 0 ? S< 21:41 0:00 [kpsmoused]
root 43 0.0 0.0 0 0 ? S< 21:41 0:00 [ipv6_addrconf]
root 62 0.0 0.0 0 0 ? S< 21:41 0:00 [deferwq]
root 94 0.0 0.0 0 0 ? S 21:41 0:00 [kauditd]
root 233 0.0 0.0 0 0 ? S< 21:41 0:00 [ata_sff]
root 234 0.0 0.0 0 0 ? S 21:41 0:00 [scsi_eh_0]
root 235 0.0 0.0 0 0 ? S< 21:41 0:00 [scsi_tmf_0]
root 236 0.0 0.0 0 0 ? S 21:41 0:00 [scsi_eh_1]
root 237 0.0 0.0 0 0 ? S< 21:41 0:00 [scsi_tmf_1]
root 238 0.0 0.0 0 0 ? S< 21:41 0:00 [mpt_poll_0]
root 241 0.0 0.0 0 0 ? S< 21:41 0:00 [mpt/0]
root 244 0.0 0.0 0 0 ? S 21:41 0:00 [scsi_eh_2]
root 246 0.0 0.0 0 0 ? S< 21:41 0:00 [scsi_tmf_2]
root 250 0.0 0.0 0 0 ? S< 21:41 0:00 [ttm_swap]
root 277 0.0 0.0 0 0 ? S< 21:41 0:00 [xfsalloc]
root 278 0.0 0.0 0 0 ? S< 21:41 0:00 [xfs_mru_cache]
root 279 0.0 0.0 0 0 ? S< 21:41 0:00 [xfs-buf/sda3]
root 280 0.0 0.0 0 0 ? S< 21:41 0:00 [xfs-data/sda3]
root 281 0.0 0.0 0 0 ? S< 21:41 0:00 [xfs-conv/sda3]
root 282 0.0 0.0 0 0 ? S< 21:41 0:00 [xfs-cil/sda3]
root 283 0.0 0.0 0 0 ? S< 21:41 0:00 [xfs-reclaim/sda]
root 284 0.0 0.0 0 0 ? S< 21:41 0:00 [xfs-log/sda3]
root 285 0.0 0.0 0 0 ? S< 21:41 0:00 [xfs-eofblocks/s]
root 286 0.0 0.0 0 0 ? S 21:41 0:00 [xfsaild/sda3]
root 359 0.0 0.2 34876 2756 ? Ss 21:41 0:00 /usr/lib/systemd/systemd-journald
root 374 0.0 0.5 342584 5744 ? Ss 21:41 0:00 /usr/sbin/lvmetad -f
root 381 0.0 0.5 47372 5676 ? Ss 21:41 0:00 /usr/lib/systemd/systemd-udevd
root 399 0.0 0.0 0 0 ? S< 21:41 0:00 [nfit]
root 434 0.0 0.0 0 0 ? S< 21:41 0:00 [xfs-buf/sda1]
root 435 0.0 0.0 0 0 ? S< 21:41 0:00 [xfs-data/sda1]
root 436 0.0 0.0 0 0 ? S< 21:41 0:00 [xfs-conv/sda1]
root 437 0.0 0.0 0 0 ? S< 21:41 0:00 [xfs-cil/sda1]
root 440 0.0 0.0 0 0 ? S< 21:41 0:00 [xfs-reclaim/sda]
root 441 0.0 0.0 0 0 ? S< 21:41 0:00 [xfs-log/sda1]
root 442 0.0 0.0 0 0 ? S< 21:41 0:00 [xfs-eofblocks/s]
root 445 0.0 0.0 0 0 ? S 21:41 0:00 [xfsaild/sda1]
root 449 0.0 0.0 0 0 ? S< 21:41 0:00 [kdmflush]
root 451 0.0 0.0 0 0 ? S< 21:41 0:00 [bioset]
root 470 0.0 0.1 55416 1720 ? S<sl 21:42 0:00 /sbin/auditd -n
root 491 0.1 0.6 302636 6148 ? Ssl 21:42 0:03 /usr/bin/vmtoolsd
root 493 0.0 0.1 24192 1724 ? Ss 21:42 0:00 /usr/lib/systemd/systemd-logind
dbus 494 0.0 0.1 32764 1856 ? Ssl 21:42 0:00 /bin/dbus-daemon --system --addres
polkitd 500 0.0 1.3 528276 13716 ? Ssl 21:42 0:00 /usr/lib/polkit-1/polkitd --no-deb
chrony 503 0.0 0.1 115848 1888 ? S 21:42 0:00 /usr/sbin/chronyd
root 509 0.0 0.1 126220 1672 ? Ss 21:42 0:00 /usr/sbin/crond -n
root 515 0.0 0.2 92316 2420 ? Ss 21:42 0:00 login -- root
root 543 0.0 2.6 327432 26876 ? Ssl 21:42 0:01 /usr/bin/python -Es /usr/sbin/fire
root 544 0.0 0.8 437912 8052 ? Ssl 21:42 0:00 /usr/sbin/NetworkManager --no-daem
root 840 0.0 0.3 222108 3904 ? Ssl 21:42 0:00 /usr/sbin/rsyslogd -n
root 841 0.0 1.8 553152 18460 ? Ssl 21:42 0:00 /usr/bin/python -Es /usr/sbin/tune
root 854 0.0 0.1 82468 1268 ? Ss 21:42 0:00 /usr/sbin/sshd
root 1299 0.0 0.2 88980 2096 ? Ss 21:42 0:00 /usr/libexec/postfix/master -w
postfix 1329 0.0 0.3 89084 3964 ? S 21:42 0:00 pickup -l -t unix -u
postfix 1330 0.0 0.3 89152 3988 ? S 21:42 0:00 qmgr -l -t unix -u
root 2071 0.0 0.2 116308 2812 tty1 Ss+ 21:47 0:00 -bash
root 2092 0.0 0.5 143092 5192 ? Ss 21:47 0:00 sshd: root@pts/0
root 2095 0.0 0.3 116312 3024 pts/0 Ss 21:47 0:00 -bash
root 2128 0.0 0.0 0 0 ? S< 21:59 0:00 [kworker/0:2H]
root 2151 0.0 0.0 0 0 ? S< 22:06 0:00 [kworker/0:0H]
root 2152 0.0 0.0 0 0 ? S 22:07 0:00 [kworker/0:0]
root 2161 0.0 0.0 0 0 ? S 22:12 0:00 [kworker/0:2]
root 2179 0.0 0.0 0 0 ? S< 22:13 0:00 [kworker/0:1H]
root 2180 0.0 0.1 151056 1824 pts/0 R+ 22:16 0:00 ps aux
[root@aminglinux-01 ~]#
```
- ps is similar to top. top shows processes dynamically, ranked by CPU and memory, which is very intuitive; ps is static, listing the current state of the processes once. The output of ps and top looks very alike
- The most common use of ps is ps aux | grep, to check whether a given process is running on the system
- ps aux | grep nginx checks whether an nginx process is running
- ps aux | grep mysql checks whether a mysql process is running
```
[root@aminglinux-01 ~]# ps aux | grep nginx
root 2200 0.0 0.0 112664 976 pts/0 S+ 22:33 0:00 grep --color=auto nginx
[root@aminglinux-01 ~]# ps aux | grep mysql
root 2202 0.0 0.0 112664 976 pts/0 R+ 22:33 0:00 grep --color=auto mysql
[root@aminglinux-01 ~]#
```
2. The second form: ps -elf
```
[root@aminglinux-01 ~]# ps -elf
F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD
4 S root 1 0 0 80 0 - 32023 ep_pol 21:41 ? 00:00:02 /usr/lib/systemd/system
1 S root 2 0 0 80 0 - 0 kthrea 21:41 ? 00:00:00 [kthreadd]
1 S root 3 2 0 80 0 - 0 smpboo 21:41 ? 00:00:00 [ksoftirqd/0]
1 S root 6 2 0 80 0 - 0 worker 21:41 ? 00:00:00 [kworker/u256:0]
1 S root 7 2 0 -40 - - 0 smpboo 21:41 ? 00:00:00 [migration/0]
1 S root 8 2 0 80 0 - 0 rcu_gp 21:41 ? 00:00:00 [rcu_bh]
1 R root 9 2 0 80 0 - 0 - 21:41 ? 00:00:00 [rcu_sched]
5 S root 10 2 0 -40 - - 0 smpboo 21:41 ? 00:00:00 [watchdog/0]
1 S root 12 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [khelper]
5 S root 13 2 0 80 0 - 0 devtmp 21:41 ? 00:00:00 [kdevtmpfs]
1 S root 14 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [netns]
1 S root 15 2 0 80 0 - 0 watchd 21:41 ? 00:00:00 [khungtaskd]
1 S root 16 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [writeback]
1 S root 17 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [kintegrityd]
1 S root 18 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [bioset]
1 S root 19 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [kblockd]
1 S root 20 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [md]
1 R root 21 2 0 80 0 - 0 - 21:41 ? 00:00:03 [kworker/0:1]
1 S root 26 2 0 80 0 - 0 kswapd 21:41 ? 00:00:00 [kswapd0]
1 S root 27 2 0 85 5 - 0 ksm_sc 21:41 ? 00:00:00 [ksmd]
1 S root 28 2 0 99 19 - 0 khugep 21:41 ? 00:00:00 [khugepaged]
1 S root 29 2 0 80 0 - 0 fsnoti 21:41 ? 00:00:00 [fsnotify_mark]
1 S root 30 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [crypto]
1 S root 38 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [kthrotld]
1 S root 39 2 0 80 0 - 0 worker 21:41 ? 00:00:00 [kworker/u256:1]
1 S root 40 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [kmpath_rdacd]
1 S root 41 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [kpsmoused]
1 S root 43 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [ipv6_addrconf]
1 S root 62 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [deferwq]
1 S root 94 2 0 80 0 - 0 kaudit 21:41 ? 00:00:00 [kauditd]
1 S root 233 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [ata_sff]
1 S root 234 2 0 80 0 - 0 scsi_e 21:41 ? 00:00:00 [scsi_eh_0]
1 S root 235 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [scsi_tmf_0]
1 S root 236 2 0 80 0 - 0 scsi_e 21:41 ? 00:00:00 [scsi_eh_1]
1 S root 237 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [scsi_tmf_1]
1 S root 238 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [mpt_poll_0]
1 S root 241 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [mpt/0]
1 S root 244 2 0 80 0 - 0 scsi_e 21:41 ? 00:00:00 [scsi_eh_2]
1 S root 246 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [scsi_tmf_2]
1 S root 250 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [ttm_swap]
1 S root 277 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [xfsalloc]
1 S root 278 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [xfs_mru_cache]
1 S root 279 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [xfs-buf/sda3]
1 S root 280 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [xfs-data/sda3]
1 S root 281 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [xfs-conv/sda3]
1 S root 282 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [xfs-cil/sda3]
1 S root 283 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [xfs-reclaim/sda]
1 S root 284 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [xfs-log/sda3]
1 S root 285 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [xfs-eofblocks/s]
1 S root 286 2 0 80 0 - 0 xfsail 21:41 ? 00:00:00 [xfsaild/sda3]
4 S root 359 1 0 80 0 - 8719 ep_pol 21:41 ? 00:00:00 /usr/lib/systemd/system
4 S root 374 1 0 80 0 - 85646 poll_s 21:41 ? 00:00:00 /usr/sbin/lvmetad -f
4 S root 381 1 0 80 0 - 11843 ep_pol 21:41 ? 00:00:00 /usr/lib/systemd/system
1 S root 399 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [nfit]
1 S root 434 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [xfs-buf/sda1]
1 S root 435 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [xfs-data/sda1]
1 S root 436 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [xfs-conv/sda1]
1 S root 437 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [xfs-cil/sda1]
1 S root 440 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [xfs-reclaim/sda]
1 S root 441 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [xfs-log/sda1]
1 S root 442 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [xfs-eofblocks/s]
1 S root 445 2 0 80 0 - 0 xfsail 21:41 ? 00:00:00 [xfsaild/sda1]
1 S root 449 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [kdmflush]
1 S root 451 2 0 60 -20 - 0 rescue 21:41 ? 00:00:00 [bioset]
4 S root 470 1 0 76 -4 - 13854 ep_pol 21:42 ? 00:00:00 /sbin/auditd -n
4 R root 491 1 0 80 0 - 75659 - 21:42 ? 00:00:04 /usr/bin/vmtoolsd
4 S root 493 1 0 80 0 - 6048 ep_pol 21:42 ? 00:00:00 /usr/lib/systemd/system
4 S dbus 494 1 0 80 0 - 8191 ep_pol 21:42 ? 00:00:00 /bin/dbus-daemon --syst
4 S polkitd 500 1 0 80 0 - 132069 poll_s 21:42 ? 00:00:00 /usr/lib/polkit-1/polki
5 S chrony 503 1 0 80 0 - 28962 poll_s 21:42 ? 00:00:00 /usr/sbin/chronyd
4 S root 509 1 0 80 0 - 31555 hrtime 21:42 ? 00:00:00 /usr/sbin/crond -n
4 S root 515 1 0 80 0 - 23079 wait 21:42 ? 00:00:00 login -- root
0 S root 543 1 0 80 0 - 81858 poll_s 21:42 ? 00:00:01 /usr/bin/python -Es /us
4 S root 544 1 0 80 0 - 109478 poll_s 21:42 ? 00:00:00 /usr/sbin/NetworkManage
4 S root 840 1 0 80 0 - 55527 poll_s 21:42 ? 00:00:00 /usr/sbin/rsyslogd -n
4 S root 841 1 0 80 0 - 138288 poll_s 21:42 ? 00:00:01 /usr/bin/python -Es /us
5 S root 854 1 0 80 0 - 20617 poll_s 21:42 ? 00:00:00 /usr/sbin/sshd
5 S root 1299 1 0 80 0 - 22245 ep_pol 21:42 ? 00:00:00 /usr/libexec/postfix/ma
4 S postfix 1329 1299 0 80 0 - 22271 ep_pol 21:42 ? 00:00:00 pickup -l -t unix -u
4 S postfix 1330 1299 0 80 0 - 22288 ep_pol 21:42 ? 00:00:00 qmgr -l -t unix -u
4 S root 2071 515 0 80 0 - 29077 n_tty_ 21:47 tty1 00:00:00 -bash
4 S root 2092 854 0 80 0 - 35773 poll_s 21:47 ? 00:00:00 sshd: root@pts/0
4 S root 2095 2092 0 80 0 - 29078 wait 21:47 pts/0 00:00:00 -bash
1 S root 2179 2 0 60 -20 - 0 worker 22:13 ? 00:00:00 [kworker/0:1H]
1 S root 2188 2 0 60 -20 - 0 worker 22:21 ? 00:00:00 [kworker/0:2H]
1 S root 2190 2 0 80 0 - 0 worker 22:27 ? 00:00:00 [kworker/0:0]
1 S root 2197 2 0 60 -20 - 0 worker 22:31 ? 00:00:00 [kworker/0:0H]
1 S root 2198 2 0 80 0 - 0 worker 22:32 ? 00:00:00 [kworker/0:2]
0 R root 2203 2095 0 80 0 - 37764 - 22:34 pts/0 00:00:00 ps -elf
[root@aminglinux-01 ~]#
```
- ps aux lists every process on the system
```
[root@aminglinux-01 ~]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.6 128092 6704 ? Ss 21:41 0:02 /usr/lib/systemd/systemd --switche
root 2 0.0 0.0 0 0 ? S 21:41 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 21:41 0:00 [ksoftirqd/0]
root 6 0.0 0.0 0 0 ? S 21:41 0:00 [kworker/u256:0]
root 7 0.0 0.0 0 0 ? S 21:41 0:00 [migration/0]
root 8 0.0 0.0 0 0 ? S 21:41 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? R 21:41 0:00 [rcu_sched]
root 10 0.0 0.0 0 0 ? S 21:41 0:00 [watchdog/0]
...
root 470 0.0 0.1 55416 1720 ? S<sl 21:42 0:00 /sbin/auditd -n
postfix 1330 0.0 0.3 89152 3988 ? S 21:42 0:00 qmgr -l -t unix -u
```
- Column 1: the user the process runs as; here it is mostly root
- Column 2: PID, the process ID. When do you need it? When killing a process. To kill this qmgr, use kill followed by the PID, here kill 1330
```
[root@aminglinux-01 ~]# kill 1330
[root@aminglinux-01 ~]# ps aux | grep qmgr
root 2214 0.0 0.0 112664 976 pts/0 R+ 22:40 0:00 grep --color=auto qmgr
[root@aminglinux-01 ~]#
```
- After killing it, the qmgr process is gone; this is where the PID is used
- When you run into a compromised or rogue process, find its PID
- For example: root 470 0.0 0.1 55416 1720 ? S<sl 21:42 0:00 /sbin/auditd -n
- Suppose this auditd command were a rogue process: the first thing to do is check where the process was started from. Its process ID is 470
```
[root@aminglinux-01 ~]# ls -l /proc/470/
总用量 0
dr-xr-xr-x. 2 root root 0 9月 1 21:41 attr
-rw-r--r--. 1 root root 0 9月 1 22:48 autogroup
-r--------. 1 root root 0 9月 1 22:48 auxv
-r--r--r--. 1 root root 0 9月 1 21:41 cgroup
--w-------. 1 root root 0 9月 1 22:48 clear_refs
-r--r--r--. 1 root root 0 9月 1 21:41 cmdline
-rw-r--r--. 1 root root 0 9月 1 21:41 comm
-rw-r--r--. 1 root root 0 9月 1 22:48 coredump_filter
-r--r--r--. 1 root root 0 9月 1 22:48 cpuset
lrwxrwxrwx. 1 root root 0 9月 1 22:48 cwd -> /
-r--------. 1 root root 0 9月 1 22:48 environ
lrwxrwxrwx. 1 root root 0 9月 1 21:41 exe -> /usr/sbin/auditd
dr-x------. 2 root root 0 9月 1 21:41 fd
dr-x------. 2 root root 0 9月 1 22:48 fdinfo
-rw-r--r--. 1 root root 0 9月 1 22:48 gid_map
-r--------. 1 root root 0 9月 1 22:48 io
-r--r--r--. 1 root root 0 9月 1 22:48 limits
-rw-r--r--. 1 root root 0 9月 1 21:41 loginuid
dr-x------. 2 root root 0 9月 1 22:48 map_files
-r--r--r--. 1 root root 0 9月 1 22:48 maps
-rw-------. 1 root root 0 9月 1 22:48 mem
-r--r--r--. 1 root root 0 9月 1 22:48 mountinfo
-r--r--r--. 1 root root 0 9月 1 22:48 mounts
-r--------. 1 root root 0 9月 1 22:48 mountstats
dr-xr-xr-x. 5 root root 0 9月 1 22:48 net
dr-x--x--x. 2 root root 0 9月 1 22:48 ns
-r--r--r--. 1 root root 0 9月 1 22:48 numa_maps
-rw-r--r--. 1 root root 0 9月 1 22:48 oom_adj
-r--r--r--. 1 root root 0 9月 1 22:48 oom_score
-rw-r--r--. 1 root root 0 9月 1 21:41 oom_score_adj
-r--r--r--. 1 root root 0 9月 1 22:48 pagemap
-r--r--r--. 1 root root 0 9月 1 22:48 personality
-rw-r--r--. 1 root root 0 9月 1 22:48 projid_map
lrwxrwxrwx. 1 root root 0 9月 1 22:48 root -> /
-rw-r--r--. 1 root root 0 9月 1 22:48 sched
-r--r--r--. 1 root root 0 9月 1 22:48 schedstat
-r--r--r--. 1 root root 0 9月 1 21:41 sessionid
-rw-r--r--. 1 root root 0 9月 1 22:48 setgroups
-r--r--r--. 1 root root 0 9月 1 22:48 smaps
-r--r--r--. 1 root root 0 9月 1 22:48 stack
-r--r--r--. 1 root root 0 9月 1 21:41 stat
-r--r--r--. 1 root root 0 9月 1 22:48 statm
-r--r--r--. 1 root root 0 9月 1 21:41 status
-r--r--r--. 1 root root 0 9月 1 22:48 syscall
dr-xr-xr-x. 4 root root 0 9月 1 22:48 task
-r--r--r--. 1 root root 0 9月 1 22:48 timers
-rw-r--r--. 1 root root 0 9月 1 22:48 uid_map
-r--r--r--. 1 root root 0 9月 1 22:34 wchan
[root@aminglinux-01 ~]#
```
- This shows where the process was started from (the exe link)
- There are many numeric directories under /proc; each number is the PID of a process
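An added example, not the notes' own procedure, that turns the /proc/<PID> inspection above into a reusable check: it reads exe, cwd and cmdline for a PID and flags the two things a defender looks for first in an unfamiliar process, a binary that has been deleted from disk and a binary running from a scratch directory. The PROCROOT parameter and the function name are hypothetical additions so the function can be exercised against a constructed fake /proc tree.

```shell
#!/bin/bash
# Added example, not the notes' own code: inspect /proc/<PID> for a process
# you do not recognise. PROCROOT is a hypothetical parameter (default /proc)
# so the function can be tested against a constructed fake tree.

# Usage: inspect_pid PID [PROCROOT]
# Prints one line: pid, exe target, cwd, cmdline and a verdict.
# Returns 2 when the PID directory does not exist.
inspect_pid() {
  local pid="$1" procroot="${2:-/proc}" dir exe cwd cmdline verdict="ok"
  dir="$procroot/$pid"
  if [ ! -d "$dir" ]; then
    echo "pid $pid: no such process under $procroot"
    return 2
  fi
  # exe and cwd are symlinks; a kernel thread has no exe target, hence the '?'.
  exe="$(readlink "$dir/exe" 2>/dev/null || echo '?')"
  cwd="$(readlink "$dir/cwd" 2>/dev/null || echo '?')"
  # cmdline is NUL-separated; rewrite it as one space-separated line.
  cmdline=""
  if [ -r "$dir/cmdline" ]; then
    cmdline="$(tr '\000' ' ' < "$dir/cmdline")"
    cmdline="${cmdline% }"
  fi
  case "$exe" in
    *"(deleted)"*)
      # The binary was removed after it started: the kernel keeps the mapping,
      # but there is nothing left on disk to examine or hash.
      verdict="suspicious:binary-deleted" ;;
    /tmp/*|/var/tmp/*|/dev/shm/*)
      # Daemons belong under /usr/sbin or /usr/bin, not in scratch directories.
      verdict="suspicious:runs-from-scratch-dir" ;;
  esac
  printf 'pid=%s exe=%s cwd=%s cmdline=%s verdict=%s\n' \
    "$pid" "$exe" "$cwd" "$cmdline" "$verdict"
}

# Demo on the running shell itself when a real /proc is available.
if [ -d "/proc/$$" ]; then
  inspect_pid "$$"
fi
```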
```
[root@aminglinux-01 ~]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.6 128092 6704 ? Ss 21:41 0:02 /usr/lib/systemd/systemd --switche
root 2 0.0 0.0 0 0 ? S 21:41 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 21:41 0:00 [ksoftirqd/0]
root 6 0.0 0.0 0 0 ? S 21:41 0:00 [kworker/u256:0]
root 7 0.0 0.0 0 0 ? S 21:41 0:00 [migration/0]
root 8 0.0 0.0 0 0 ? S 21:41 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? R 21:41 0:00 [rcu_sched]
root 10 0.0 0.0 0 0 ? S 21:41 0:00 [watchdog/0]
...
root 470 0.0 0.1 55416 1720 ? S<sl 21:42 0:00 /sbin/auditd -n
postfix 1330 0.0 0.3 89152 3988 ? S 21:42 0:00 qmgr -l -t unix -u
```
- USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
- user, process ID, CPU usage, memory usage, virtual memory, physical memory, which tty it is on, process state, start time, run time, command
- STAT is the process state; there are several states
- [ ] D: uninterruptible process. If it were interrupted, the program or its result would be affected, so it must keep running and cannot be interrupted. This state directly affects system load, yet such processes do not use much CPU
- [ ] R: run, a process that is running; run does not mean it is using the CPU at this exact instant, but that it has been using the CPU during some recent interval
- [ ] S: sleep. After a process has used the CPU and finished its computation, it may pause for a while and be woken later to use the CPU again
- [ ] T: stopped. When does a process stop? For example, while vmstat 1 is running, press Ctrl+Z to stop it; at that point it is no longer running
```
[root@aminglinux-01 ~]# vmstat 1
procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
r b swpd free buff cache si so bi bo in cs us sy id wa st
2 0 0 708824 876 171260 0 0 26 3 37 65 0 0 99 0 0
0 0 0 708824 876 171292 0 0 0 0 33 46 0 1 99 0 0
0 0 0 708824 876 171292 0 0 0 1 38 58 0 0 100 0 0
0 0 0 708840 876 171292 0 0 0 0 24 32 0 0 100 0 0
0 0 0 708840 876 171292 0 0 0 0 32 41 0 0 100 0 0
0 0 0 708840 876 171292 0 0 0 0 24 30 0 1 99 0 0
^Z
[1]+ 已停止 vmstat 1
[root@aminglinux-01 ~]# ps aux |grep vmstat
root 2253 0.0 0.1 148308 1356 pts/0 T 23:07 0:00 vmstat 1
root 2255 0.0 0.0 112664 976 pts/0 S+ 23:08 0:00 grep --color=auto vmstat
[root@aminglinux-01 ~]#
```
- It can be brought back with the fg command
```
[root@aminglinux-01 ~]# fg
vmstat 1
3 0 0 708428 876 171324 0 0 0 30 3459 5148 0 0 100 0 0
0 0 0 708428 876 171324 0 0 0 0 31 40 0 0 100 0 0
0 0 0 708428 876 171324 0 0 0 0 26 35 0 0 100 0 0
```
- Open another terminal and run ps aux |grep vmstat: the state is S or R
- Because this tool only samples at one moment, it occupies the CPU for a very short time; once it has run it sleeps, so although it is running it is mostly not in the run state. A command like this hardly consumes any CPU
```
[root@aminglinux-01 ~]# ps aux |grep vmstat
root 2253 0.0 0.1 148308 1356 pts/0 S+ 23:07 0:00 vmstat 1
root 2301 0.0 0.0 112664 972 pts/1 R+ 23:12 0:00 grep --color=auto vmstat
[root@aminglinux-01 ~]# ps aux |grep vmstat
root 2253 0.0 0.1 148308 1356 pts/0 S+ 23:07 0:00 vmstat 1
root 2303 0.0 0.0 112664 976 pts/1 S+ 23:12 0:00 grep --color=auto vmstat
[root@aminglinux-01 ~]# ps aux |grep vmstat
root 2253 0.0 0.1 148308 1356 pts/0 S+ 23:07 0:00 vmstat 1
root 2305 0.0 0.0 112664 976 pts/1 S+ 23:12 0:00 grep --color=auto vmstat
[root@aminglinux-01 ~]# ps aux |grep vmstat
root 2253 0.0 0.1 148308 1356 pts/0 S+ 23:07 0:00 vmstat 1
root 2307 0.0 0.0 112664 976 pts/1 S+ 23:12 0:00 grep --color=auto vmstat
[root@aminglinux-01 ~]#
```
- [ ] +: the plus sign means running in the foreground, for example on the current terminal pts/0 or pts/1
- [ ] Z: zombie process. The system rarely has zombies, but they do occur; a few have little impact, but if there are too many you need to find a way to kill them
- [ ] <: the less-than sign marks a high-priority process; the system gives them the CPU first
- [ ] N: low-priority process
- [ ] L: has memory pages locked in memory
- [ ] s: lowercase s marks a main (parent) process; the main process carries the s, the others are ordinary child processes
- [ ] l: lowercase l marks a multithreaded process. Threads belong to one larger process, and one process can contain many threads; this matters for memory use, since the threads of a process share the same memory region
# 10.9 Viewing network status
- The netstat command is used to view network status

- netstat shows the state of TCP/IP communication
- netstat -lnp: l stands for listen
```
[root@aminglinux-01 ~]# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 854/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1299/master
tcp6 0 0 :::22 :::* LISTEN 854/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1299/master
udp 0 0 127.0.0.1:323 0.0.0.0:* 503/chronyd
udp6 0 0 ::1:323 :::* 503/chronyd
raw6 0 0 :::58 :::* 7 544/NetworkManager
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 19141 1299/master public/pickup
unix 2 [ ACC ] STREAM LISTENING 19146 1299/master public/cleanup
unix 2 [ ACC ] STREAM LISTENING 19149 1299/master public/qmgr
unix 2 [ ACC ] STREAM LISTENING 19171 1299/master public/flush
unix 2 [ ACC ] STREAM LISTENING 19186 1299/master public/showq
unix 2 [ ACC ] STREAM LISTENING 14898 1/systemd /var/run/dbus/system_bus_socket
unix 2 [ ACC ] SEQPACKET LISTENING 12620 1/systemd /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 8351 1/systemd /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 12706 1/systemd /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 12717 1/systemd /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 19201 1299/master private/virtual
unix 2 [ ACC ] STREAM LISTENING 19204 1299/master private/lmtp
unix 2 [ ACC ] STREAM LISTENING 19207 1299/master private/anvil
unix 2 [ ACC ] STREAM LISTENING 19210 1299/master private/scache
unix 2 [ ACC ] STREAM LISTENING 12518 1/systemd /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 19153 1299/master private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 19156 1299/master private/rewrite
unix 2 [ ACC ] STREAM LISTENING 19159 1299/master private/bounce
unix 2 [ ACC ] STREAM LISTENING 19162 1299/master private/defer
unix 2 [ ACC ] STREAM LISTENING 19165 1299/master private/trace
unix 2 [ ACC ] STREAM LISTENING 19168 1299/master private/verify
unix 2 [ ACC ] STREAM LISTENING 19174 1299/master private/proxymap
unix 2 [ ACC ] STREAM LISTENING 19177 1299/master private/proxywrite
unix 2 [ ACC ] STREAM LISTENING 19180 1299/master private/smtp
unix 2 [ ACC ] STREAM LISTENING 19183 1299/master private/relay
unix 2 [ ACC ] STREAM LISTENING 19189 1299/master private/error
unix 2 [ ACC ] STREAM LISTENING 19192 1299/master private/retry
unix 2 [ ACC ] STREAM LISTENING 19195 1299/master private/discard
unix 2 [ ACC ] STREAM LISTENING 19198 1299/master private/local
[root@aminglinux-01 ~]#
```
- sshd is remote login; it listens on port 22
- master is the mail-sending service (port 25)
- sshd appears once as tcp (IPv4) and once as tcp6 (IPv6). Besides tcp there is also udp; look these concepts up if needed
- UNIX and Linux have a kind of file called a socket; two processes on the same server communicate with each other through socket files
- netstat can also show which socket files on the system are listening; the main things to watch are the listening ports above: tcp, tcp6, udp
- The netstat -an command
- This command shows the state of your TCP/IP connections
```
[root@aminglinux-01 ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 52 192.168.202.130:22 192.168.202.1:53020 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp 0 0 192.168.202.130:58932 193.228.143.22:123 ESTABLISHED
udp6 0 0 ::1:323 :::*
raw6 0 0 :::58 :::* 7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 19141 public/pickup
unix 2 [ ACC ] STREAM LISTENING 19146 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 19149 public/qmgr
unix 2 [ ACC ] STREAM LISTENING 19171 public/flush
unix 2 [ ACC ] STREAM LISTENING 19186 public/showq
unix 2 [ ACC ] STREAM LISTENING 14898 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] SEQPACKET LISTENING 12620 /run/udev/control
unix 2 [ ] DGRAM 12629 /run/systemd/shutdownd
unix 2 [ ] DGRAM 8331 /run/systemd/notify
unix 2 [ ] DGRAM 8333 /run/systemd/cgroups-agent
unix 2 [ ACC ] STREAM LISTENING 8351 /run/systemd/journal/stdout
unix 5 [ ] DGRAM 8354 /run/systemd/journal/socket
unix 2 [ ACC ] STREAM LISTENING 12706 /run/lvm/lvmpolld.socket
unix 12 [ ] DGRAM 8356 /dev/log
unix 2 [ ACC ] STREAM LISTENING 12717 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 19201 private/virtual
unix 2 [ ACC ] STREAM LISTENING 19204 private/lmtp
unix 2 [ ACC ] STREAM LISTENING 19207 private/anvil
unix 2 [ ACC ] STREAM LISTENING 19210 private/scache
unix 2 [ ACC ] STREAM LISTENING 12518 /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 19153 private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 19156 private/rewrite
unix 2 [ ACC ] STREAM LISTENING 19159 private/bounce
unix 2 [ ACC ] STREAM LISTENING 19162 private/defer
unix 2 [ ACC ] STREAM LISTENING 19165 private/trace
unix 2 [ ACC ] STREAM LISTENING 19168 private/verify
unix 2 [ ACC ] STREAM LISTENING 19174 private/proxymap
unix 2 [ ACC ] STREAM LISTENING 19177 private/proxywrite
unix 2 [ ACC ] STREAM LISTENING 19180 private/smtp
unix 2 [ ACC ] STREAM LISTENING 19183 private/relay
unix 2 [ ACC ] STREAM LISTENING 19189 private/error
unix 2 [ ACC ] STREAM LISTENING 19192 private/retry
unix 2 [ ACC ] STREAM LISTENING 19195 private/discard
unix 2 [ ACC ] STREAM LISTENING 19198 private/local
unix 3 [ ] STREAM CONNECTED 19170
unix 2 [ ] DGRAM 25100
unix 3 [ ] STREAM CONNECTED 15151 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 19173
unix 3 [ ] STREAM CONNECTED 19172
unix 3 [ ] STREAM CONNECTED 16046 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 19167
unix 2 [ ] DGRAM 16037
unix 3 [ ] STREAM CONNECTED 19166
unix 3 [ ] STREAM CONNECTED 19169
unix 3 [ ] STREAM CONNECTED 19163
unix 3 [ ] STREAM CONNECTED 15071 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 13322
unix 3 [ ] STREAM CONNECTED 19164
unix 3 [ ] STREAM CONNECTED 19143
unix 2 [ ] DGRAM 20479
unix 3 [ ] STREAM CONNECTED 15671 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 19158
unix 2 [ ] DGRAM 28482
unix 3 [ ] STREAM CONNECTED 19161
unix 3 [ ] STREAM CONNECTED 19160
unix 2 [ ] DGRAM 19096
unix 3 [ ] STREAM CONNECTED 15670
unix 3 [ ] STREAM CONNECTED 19155
unix 3 [ ] STREAM CONNECTED 19139
unix 3 [ ] STREAM CONNECTED 15150 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 19157
unix 3 [ ] STREAM CONNECTED 15070
unix 3 [ ] STREAM CONNECTED 19212
unix 3 [ ] STREAM CONNECTED 19154
unix 3 [ ] STREAM CONNECTED 15141
unix 3 [ ] STREAM CONNECTED 19209
unix 3 [ ] STREAM CONNECTED 19148
unix 3 [ ] STREAM CONNECTED 19208
unix 3 [ ] STREAM CONNECTED 19151
unix 3 [ ] STREAM CONNECTED 19211
unix 3 [ ] STREAM CONNECTED 13323 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 19150
unix 3 [ ] STREAM CONNECTED 19205
unix 3 [ ] STREAM CONNECTED 15072
unix 2 [ ] DGRAM 15482
unix 3 [ ] STREAM CONNECTED 19147
unix 3 [ ] STREAM CONNECTED 16045
unix 3 [ ] STREAM CONNECTED 19206
unix 3 [ ] DGRAM 13529
unix 2 [ ] DGRAM 14793
unix 2 [ ] DGRAM 15127
unix 3 [ ] STREAM CONNECTED 19203
unix 3 [ ] STREAM CONNECTED 15842 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 19202
unix 3 [ ] STREAM CONNECTED 14982
unix 3 [ ] STREAM CONNECTED 16201
unix 3 [ ] STREAM CONNECTED 19197
unix 3 [ ] STREAM CONNECTED 15841
unix 3 [ ] STREAM CONNECTED 19200
unix 3 [ ] DGRAM 13528
unix 3 [ ] STREAM CONNECTED 19199
unix 3 [ ] STREAM CONNECTED 19194
unix 3 [ ] STREAM CONNECTED 15116
unix 3 [ ] STREAM CONNECTED 19193
unix 3 [ ] STREAM CONNECTED 19140
unix 3 [ ] STREAM CONNECTED 19196
unix 3 [ ] STREAM CONNECTED 15149
unix 3 [ ] STREAM CONNECTED 14983 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 19190
unix 3 [ ] STREAM CONNECTED 18139
unix 3 [ ] STREAM CONNECTED 18756 /var/run/dbus/system_bus_socket
unix 2 [ ] DGRAM 15726
unix 3 [ ] STREAM CONNECTED 19144
unix 3 [ ] STREAM CONNECTED 15117 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 14801
unix 3 [ ] STREAM CONNECTED 19191
unix 3 [ ] STREAM CONNECTED 13479 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 19187
unix 2 [ ] DGRAM 13490
unix 2 [ ] DGRAM 16125
unix 3 [ ] STREAM CONNECTED 16202 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 19188
unix 3 [ ] STREAM CONNECTED 16005 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 13478
unix 2 [ ] DGRAM 13186
unix 3 [ ] STREAM CONNECTED 19182
unix 3 [ ] STREAM CONNECTED 16004
unix 3 [ ] STREAM CONNECTED 14800
unix 3 [ ] STREAM CONNECTED 19185
unix 3 [ ] STREAM CONNECTED 18755
unix 3 [ ] STREAM CONNECTED 19184
unix 2 [ ] DGRAM 15873
unix 3 [ ] STREAM CONNECTED 19179
unix 3 [ ] STREAM CONNECTED 19178
unix 3 [ ] STREAM CONNECTED 19181
unix 3 [ ] STREAM CONNECTED 19175
unix 3 [ ] STREAM CONNECTED 15946 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 15148
unix 3 [ ] STREAM CONNECTED 15945
unix 3 [ ] STREAM CONNECTED 19176
unix 3 [ ] STREAM CONNECTED 18140 /run/systemd/journal/stdout
[root@aminglinux-01 ~]#
```
- `netstat -ltnp` and `netstat -ltunp`: show only TCP and UDP, the two kinds of sockets you normally care about (`-l` listening, `-t` TCP, `-u` UDP, `-n` numeric addresses, `-p` owning process)
```
[root@aminglinux-01 ~]# netstat -ltnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 854/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1299/master
tcp6 0 0 :::22 :::* LISTEN 854/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1299/master
[root@aminglinux-01 ~]#
[root@aminglinux-01 ~]# netstat -ltunp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 854/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1299/master
tcp6 0 0 :::22 :::* LISTEN 854/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1299/master
udp 0 0 127.0.0.1:323 0.0.0.0:* 503/chronyd
udp6 0 0 ::1:323 :::*
```
- [x] This part touches on a piece of extended knowledge: the TCP/IP three-way handshake and four-way teardown.
- Look up the TCP/IP three-way handshake; it is a common interview question.
- The states listed above come from it: LISTEN, ESTABLISHED, TIME_WAIT.
- The most common state is TIME_WAIT: the client and server (two machines) have finished communicating but the connection has not been torn down yet; it sits in a waiting state, ready for the next time the two machines connect and transfer data.
- [ ] With `netstat -an` there is an awk one-liner that counts the connections in every state:
- `netstat -an | awk '/^tcp/ {++sta[$NF]} END {for(key in sta) print key,"\t",sta[key]}'`
```
[root@aminglinux-01 ~]# netstat -an | awk '/^tcp/ {++sta[$NF]} END {for(key in sta) print key,"\t",sta[key]}'
LISTEN 4
ESTABLISHED 1
[root@aminglinux-01 ~]#
```
- LISTEN: listening for connections
- ESTABLISHED: connection established and transferring data; normally this number stays under about 1000
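The one-liner above counts connections per TCP state; the following shell script (an added example, not from the original notes) wraps the same awk logic in reusable functions and adds a check against the roughly-1000 ESTABLISHED guideline, run here against a constructed `netstat -an` sample.

```shell
#!/bin/sh
# Added example (not from the original notes): the netstat | awk one-liner
# as reusable functions, plus a check against the ~1000 ESTABLISHED rule of
# thumb from the notes. Every function reads netstat -an output from stdin,
# so they also work on a saved copy of that output.

# Print "STATE count" for every TCP state (tcp and tcp6 lines), sorted.
count_tcp_states() {
    awk '/^tcp/ {++sta[$NF]} END {for (k in sta) print k, sta[k]}' | sort
}

# Print the count for one state, 0 when absent.  Usage: state_count LISTEN
state_count() {
    awk -v want="$1" '/^tcp/ && $NF == want {n++} END {print n + 0}'
}

# Exit 0 when ESTABLISHED is within the limit (default 1000), 1 when above.
check_established() {
    limit="${1:-1000}"
    n=$(state_count ESTABLISHED)
    [ "$n" -le "$limit" ]
}

# Constructed sample of netstat -an output (not a real capture). The udp
# line has no State column and must not be counted.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.202.130:22      192.168.202.1:63536     ESTABLISHED
tcp        0      0 192.168.202.130:80      192.168.202.50:40001    TIME_WAIT
tcp        0      0 192.168.202.130:80      192.168.202.50:40002    TIME_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 127.0.0.1:323           0.0.0.0:*'

printf '%s\n' "$SAMPLE" | count_tcp_states   # ESTABLISHED 1, LISTEN 3, TIME_WAIT 2
if printf '%s\n' "$SAMPLE" | check_established; then
    echo "ESTABLISHED within limit"
else
    echo "ESTABLISHED above limit"
fi
```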
- `ss -an` does much the same job as netstat, but it cannot show the process name; netstat can.
```
[root@aminglinux-01 ~]# ss -an
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
nl UNCONN 0 0 0:0 *
nl UNCONN 0 0 0:-595590624 *
nl UNCONN 0 0 0:-595590624 *
nl UNCONN 4352 0 4:2392 *
nl UNCONN 768 0 4:0 *
nl UNCONN 0 0 6:0 *
nl UNCONN 0 0 7:1 *
nl UNCONN 0 0 7:494 *
nl UNCONN 0 0 7:0 *
nl UNCONN 0 0 7:494 *
nl UNCONN 0 0 7:1 *
nl UNCONN 0 0 9:470 *
nl UNCONN 0 0 9:1 *
nl UNCONN 0 0 9:0 *
nl UNCONN 0 0 10:0 *
nl UNCONN 0 0 11:0 *
nl UNCONN 0 0 12:0 *
nl UNCONN 0 0 15:544 *
nl UNCONN 0 0 15:-4120 *
nl UNCONN 0 0 15:-4117 *
nl UNCONN 0 0 15:841 *
nl UNCONN 0 0 15:-4118 *
nl UNCONN 0 0 15:1 *
nl UNCONN 0 0 15:493 *
nl UNCONN 0 0 15:381 *
nl UNCONN 0 0 15:-4107 *
nl UNCONN 0 0 15:-4119
[root@aminglinux-01 ~]#
```
- To look only at LISTEN sockets (`-i` makes grep case-insensitive):
```
[root@aminglinux-01 ~]# ss -an |grep -i listen
u_str LISTEN 0 100 public/pickup 19141 * 0
u_str LISTEN 0 100 public/cleanup 19146 * 0
u_str LISTEN 0 100 public/qmgr 19149 * 0
u_str LISTEN 0 100 public/flush 19171 * 0
u_str LISTEN 0 100 public/showq 19186 * 0
u_str LISTEN 0 128 /var/run/dbus/system_bus_socket 14898 * 0
u_seq LISTEN 0 128 /run/udev/control 12620 * 0
u_str LISTEN 0 128 /run/systemd/journal/stdout 8351 * 0
u_str LISTEN 0 128 /run/lvm/lvmpolld.socket 12706 * 0
u_str LISTEN 0 128 /run/lvm/lvmetad.socket 12717 * 0
u_str LISTEN 0 100 private/virtual 19201 * 0
u_str LISTEN 0 100 private/lmtp 19204 * 0
u_str LISTEN 0 100 private/anvil 19207 * 0
u_str LISTEN 0 100 private/scache 19210 * 0
u_str LISTEN 0 128 /run/systemd/private 12518 * 0
u_str LISTEN 0 100 private/tlsmgr 19153 * 0
u_str LISTEN 0 100 private/rewrite 19156 * 0
u_str LISTEN 0 100 private/bounce 19159 * 0
u_str LISTEN 0 100 private/defer 19162 * 0
u_str LISTEN 0 100 private/trace 19165 * 0
u_str LISTEN 0 100 private/verify 19168 * 0
u_str LISTEN 0 100 private/proxymap 19174 * 0
u_str LISTEN 0 100 private/proxywrite 19177 * 0
u_str LISTEN 0 100 private/smtp 19180 * 0
u_str LISTEN 0 100 private/relay 19183 * 0
u_str LISTEN 0 100 private/error 19189 * 0
u_str LISTEN 0 100 private/retry 19192 * 0
u_str LISTEN 0 100 private/discard 19195 * 0
u_str LISTEN 0 100 private/local 19198 * 0
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 100 127.0.0.1:25 *:*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 100 ::1:25 :::*
[root@aminglinux-01 ~]#
```
- A drawback of `ss -an` is that it cannot show the process name; netstat can:
```
[root@aminglinux-01 ~]# netstat -ltnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 854/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1299/master
tcp6 0 0 :::22 :::* LISTEN 854/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1299/master
[root@aminglinux-01 ~]#
```
# 10.10 linux下抓包

- tcpdump is not installed by default; install it first:
```
[root@aminglinux-01 ~]# tcpdump
-bash: tcpdump: 未找到命令
[root@aminglinux-01 ~]# yum install -y tcpdump
已安装:
tcpdump.x86_64 14:4.5.1-3.el7
完毕!
[root@aminglinux-01 ~]#
```
- `tcpdump -nn -i ens33`
- `-i` takes the device name; to capture on another NIC, give that NIC's name instead. `-nn` makes the third and fourth columns show IP + port number rather than names.
```
[root@aminglinux-01 ~]# tcpdump -nn -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 65535 bytes
15:03:54.414164 IP 192.168.202.130.22 > 192.168.202.1.63536: Flags [P.], seq 3600190501:3600190713, ack 3051495717, win 295, length 212
15:03:54.422371 IP 192.168.202.1.63536 > 192.168.202.130.22: Flags [.], ack 212, win 251, length 0
15:03:54.424001 IP 192.168.202.130.22 > 192.168.202.1.63536: Flags [P.], seq 212:504, ack 1, win 295, length 292
15:03:54.426752 IP 192.168.202.130.22 > 192.168.202.1.63536: Flags [P.], seq 504:668, ack 1, win 295, length 164
```
- Without `-nn`, hostnames and service names are shown instead:
```
[root@aminglinux-01 ~]# tcpdump -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 65535 bytes
15:05:13.593345 IP aminglinux-01.ssh > 192.168.202.1.63536: Flags [P.], seq 3600281317:3600281529, ack 3051496641, win 295, length 212
15:05:13.594074 IP 192.168.202.1.63536 > aminglinux-01.ssh: Flags [.], ack 212, win 252, length 0
15:05:13.602563 IP aminglinux-01.49754 > pdns.dnspod.cn.domain: 16232+ PTR? 1.202.168.192.in-addr.arpa. (44)
15:05:13.672789 IP pdns.dnspod.cn.domain > aminglinux-01.49754: 16232 NXDomain* 0/1/0 (100)
```
- `tcpdump -nn -i ens33 -c 100`: `-c` sets how many packets to capture before stopping.
```
[root@aminglinux-01 ~]# tcpdump -nn -i ens33 -c 100
15:08:58.936998 IP 192.168.202.130.22 > 192.168.202.1.63536: Flags [P.], seq 14624:14900, ack 53, win 295, length 276
15:08:58.937470 IP 192.168.202.130.22 > 192.168.202.1.63536: Flags [P.], seq 14900:15080, ack 53, win 295, length 180
15:08:58.937715 IP 192.168.202.1.63536 > 192.168.202.130.22: Flags [.], ack 15080, win 253, length 0
100 packets captured
100 packets received by filter
0 packets dropped by kernel
[root@aminglinux-01 ~]#
```
- `tcpdump -nn -i ens33 port 22`: capture only packets on port 22.
- `tcpdump -nn -i ens33 not port 22`: capture everything except port 22.
- `tcpdump -nn -i ens33 port 22 and port 53 and host 192.168.202.130`: conditions are combined with `and`; this captures only packets on port 22 (and port 53) to or from host 192.168.202.130 (`host` takes an address, not address.port).
- `tcpdump -nn -i ens33 -c 100 -w /tmp/1.cap`: capture 100 packets (and then 10) and write them to the file /tmp/1.cap. At this point you must open a second terminal and run something there so that traffic is generated; for example run `vmstat 1` in the other terminal, and after a moment terminal 1 will have captured its 100 packets.
```
[root@aminglinux-01 ~]# tcpdump -nn -i ens33 -c 100 -w /tmp/1.cap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 65535 bytes
100 packets captured
100 packets received by filter
0 packets dropped by kernel
[root@aminglinux-01 ~]#
[root@aminglinux-01 ~]#
[root@aminglinux-01 ~]# tcpdump -nn -i ens33 -c 10 -w /tmp/1.cap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 65535 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@aminglinux-01 ~]#
```
- You can inspect the result with `file /tmp/1.cap`:
```
[root@aminglinux-01 ~]# file /tmp/1.cap
/tmp/1.cap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
[root@aminglinux-01 ~]#
```
- This file cannot simply be read with cat; it comes out as garbage, because it holds the raw packets captured from the NIC: the actual network traffic, which cannot be parsed or read directly. It contains a lot of information, including source IP, destination IP and the actual payload of the communication.
```
[root@aminglinux-01 ~]# cat /tmp/1.cap
2YˊPV
)U7E 9@@((-μP<p°E,! 1j
`6±μUtr¨2}r
4=|h,R¤xLf%cLKRz6VXY<<
)U7xE(VF@@δ((F]-Yzzz
Eê]§T±‘@§(s )U7xElVG@@((F]-
¥ˉ¨</n‘2踬.@UYzzPV
)U7El :@@m((uP<4 y[i§$¤}扑!G
Χu3OEBH!簥`]||ǐ8A#aANYX<<
)U7xE(VH@@β((F.PY+jj
)U7xE\VI@@((F.P
Xs@§?/gu"
aap{u
IY/jjPV
)U7E\ ;@@|((μP<$6NNyg
§TuUYaBjjPV
)U7E\ <@@{((9μP<$kAx2Pe2褫f¥gμPZ`5E:h^鼱{¨3P@EU#K§e~P$=5_@z2~KЧ E°¤NTμ0^a μ1¥~{(z£K°
Ψ¥\C_8sHZ1k0d‘4T¢|D9вq_°c|¤
n
′r1c<<
)U7xE(VJ@@((F/mPYooPV
)U7E =@@*((mμP<t`ZH9£tyBj3-%oa:W@ )OI[[!/?ˉ6s`
R§AK5[root@aminglinux-01 ~]# XshellXshellXshellXshellXshellXshellXshellXshell
```
- Use `tcpdump -r /tmp/1.cap` to read it back (`-r` = read):
```
[root@aminglinux-01 ~]# tcpdump -r /tmp/1.cap
reading from file /tmp/1.cap, link-type EN10MB (Ethernet)
15:25:53.161477 IP aminglinux-01.ssh > 192.168.202.1.63536: Flags [P.], seq 3600362797:3600362945, ack 3051505245, win 316, length 148
15:25:53.163859 IP 192.168.202.1.63536 > aminglinux-01.ssh: Flags [.], ack 148, win 253, length 0
15:25:55.954490 IP 192.168.202.1.63536 > aminglinux-01.ssh: Flags [P.], seq 1:69, ack 148, win 253, length 68
15:25:55.954808 IP aminglinux-01.ssh > 192.168.202.1.63536: Flags [P.], seq 148:216, ack 69, win 316, length 68
15:25:56.153617 IP 192.168.202.1.63536 > aminglinux-01.ssh: Flags [.], ack 216, win 253, length 0
15:25:56.404408 IP 192.168.202.1.63536 > aminglinux-01.ssh: Flags [P.], seq 69:121, ack 216, win 253, length 52
15:25:56.405262 IP aminglinux-01.ssh > 192.168.202.1.63536: Flags [P.], seq 216:268, ack 121, win 316, length 52
15:25:56.410209 IP aminglinux-01.ssh > 192.168.202.1.63536: Flags [P.], seq 268:576, ack 121, win 316, length 308
15:25:56.418745 IP 192.168.202.1.63536 > aminglinux-01.ssh: Flags [.], ack 576, win 252, length 0
15:25:57.421580 IP aminglinux-01.ssh > 192.168.202.1.63536: Flags [P.], seq 576:708, ack 121, win 316, length 132
[root@aminglinux-01 ~]#
```
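The text that `tcpdump -r` prints (with `-nn`, IP.port on both sides) can be post-processed with awk. The following script is an added example, not from the original notes, and runs on a constructed sample in the same format: it totals packets and bytes per flow and counts SYN versus SYN-ACK packets, the first two steps of the three-way handshake mentioned earlier.

```shell
#!/bin/sh
# Added example (not from the original notes): post-process tcpdump text
# output, e.g. "tcpdump -nn -r /tmp/1.cap", into per-flow counts and a
# handshake sanity check. Works on -nn (IP.port) and name-resolved lines.

# Per-flow summary from tcpdump lines on stdin: "src > dst packets bytes".
# Only TCP lines (those carrying "Flags [...]") are counted; "length" is $NF.
flow_summary() {
    awk '$2 == "IP" && $6 == "Flags" {
            dst = $5; sub(/:$/, "", dst)
            key = $3 " > " dst
            pkts[key]++; bytes[key] += $NF
        }
        END { for (k in pkts) print k, pkts[k], bytes[k] }' | sort
}

# Count bare SYNs ([S], first step of the three-way handshake) and SYN-ACKs
# ([S.]). $7 looks like "[S]," so strip the leading "[" and trailing "],".
# Many more SYNs than SYN-ACKs in a capture means connection attempts that
# the server never answered.
syn_stats() {
    awk '$2 == "IP" && $6 == "Flags" {
            f = substr($7, 2, length($7) - 3)
            if (f == "S") syn++; else if (f == "S.") synack++
        }
        END { printf "syn=%d synack=%d\n", syn + 0, synack + 0 }'
}

# Constructed sample in tcpdump -nn format (not a real capture): an SSH
# session, two new connection attempts to port 80 of which only one was
# answered, and a DNS line that has no TCP flags and must be ignored.
SAMPLE='15:03:54.414164 IP 192.168.202.130.22 > 192.168.202.1.63536: Flags [P.], seq 3600190501:3600190713, ack 3051495717, win 295, length 212
15:03:54.422371 IP 192.168.202.1.63536 > 192.168.202.130.22: Flags [.], ack 212, win 251, length 0
15:03:54.424001 IP 192.168.202.130.22 > 192.168.202.1.63536: Flags [P.], seq 212:504, ack 1, win 295, length 292
15:03:55.000001 IP 192.168.202.50.40001 > 192.168.202.130.80: Flags [S], seq 1000, win 29200, length 0
15:03:55.000002 IP 192.168.202.50.40002 > 192.168.202.130.80: Flags [S], seq 2000, win 29200, length 0
15:03:55.000003 IP 192.168.202.130.80 > 192.168.202.50.40001: Flags [S.], seq 5000, ack 1001, win 28960, length 0
15:05:13.602563 IP aminglinux-01.49754 > pdns.dnspod.cn.domain: 16232+ PTR? 1.202.168.192.in-addr.arpa. (44)'

printf '%s\n' "$SAMPLE" | flow_summary
printf '%s\n' "$SAMPLE" | syn_stats    # syn=2 synack=1
```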
- Another packet-capture tool worth sharing is tshark; it requires installing a package first: `yum install -y wireshark`
```
[root@aminglinux-01 ~]# yum install -y wireshark
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
* epel: mirror.premi.st
正在解决依赖关系
--> 正在检查事务
---> 软件包 wireshark.x86_64.0.1.10.14-10.el7 将被 安装
--> 正在处理依赖关系 libsmi.so.2()(64bit),它被软件包 wireshark-1.10.14-10.el7.x86_64 需要
已安装:
wireshark.x86_64 0:1.10.14-10.el7
作为依赖被安装:
c-ares.x86_64 0:1.10.0-3.el7 libsmi.x86_64 0:0.4.8-13.el7
完毕!
[root@aminglinux-01 ~]#
```
- Command: `tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"` (tshark itself warns that `-R` without `-2` is deprecated and suggests `-Y` for single-pass filtering)
```
[root@aminglinux-01 ~]# tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "request.uri"
tshark: -R without -2 is deprecated. For single-pass filtering use -Y.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'nflog'
^C0 packets captured
[root@aminglinux-01 ~]#
```
- Nothing is captured on our VM, because nothing is listening on port 80 and no web service is running, so this cannot be demonstrated here.
- Extended reading
- TCP three-way handshake and four-way teardown: http://www.doc88.com/p-9913773324388.html
- Some tshark usage examples: http://www.aminglinux.com/bbs/thread-995-1-1.html
- Using tshark to capture and analyse HTTP requests
- This tool is not installed by default. If your Linux is CentOS, install it with yum:
```
yum install -y wireshark
```
You can also download the source from the official site http://www.wireshark.org
For the build procedure, see http://www.qtasp.cn/wiresharkcharpt/buildingwireshark.html
Below is a brief introduction to using this capture tool.
1. The following usage shows the domain name and URI of HTTP requests:
```
tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"
```
2. The following captures MySQL queries:
```
tshark -n -i eth1 -R 'mysql.query' -T fields -e "ip.src" -e "mysql.query"
```
Another way:
```
tshark -i eth1 port 3307 -d tcp.port==3307,mysql -z "proto,colinfo,mysql.query,mysql.query"
```
3. The following captures only MySQL queries of the given types:
```
tshark -n -i eth1 -R 'mysql matches "SELECT|INSERT|DELETE|UPDATE"' -T fields -e "ip.src" -e "mysql.query"
```
4. HTTP statistics:
```
tshark -n -q -z http,stat, -z http,tree
```
This command only prints its results once you press Ctrl+C.
5. Adding timestamps to tshark output:
```
tshark -t ad
tshark -t a
```
Reference
https://ask.wireshark.org/questions/16964/analyzing-http-protocol-using-tshark
Original article: http://ch71smas.blog.51cto.com/13090095/1964751