1、iostat/iotop 磁盘使用
[root@server01 ~]
# iostat ##静态显示
Linux 3.10.0-514.el7.x86_64 (server01) 2017年07月11日 _x86_64_ (1 CPU)
avg-cpu: %user %nice %system %iowait %steal %idle
0.32 0.00 4.05 0.29 0.00 95.34
Device: tps kB_read/s kB_wrtn/s kB_read kB_wrtn
sda 1.62 53.20 3.89 234652 17158
sdb 0.03 0.21 0.00 920 0
scd0 0.00 0.01 0.00 44 0
[root@server01 ~]
# iotop ##动态显示
Total DISK READ : 0.00 B/s | Total DISK WRITE : 0.00 B/s
Actual DISK READ: 0.00 B/s | Actual DISK WRITE: 0.00 B/s
TID PRIO USER DISK READ DISK WRITE SWAPIN IO> COMMAND
1 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % systemd -~rialize 21
2 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kthreadd]
3 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksoftirqd/0]
......
2、free 内存使用
[root@server01 ~]
# free
total used free shared buff/cache available
Mem: 1008392 113948 614756 6868 279688 719948
Swap: 2097148 0 2097148
[root@server01 ~]
# free -m ##兆
total used free shared buff/cache available
Mem: 984 111 600 6 273 703
Swap: 2047 0 2047
[root@server01 ~]
# free -g
total used free shared buff/cache available
Mem: 0 0 0 0 0 0
Swap: 1 0 1
[root@server01 ~]
# free -h ##智能显示
total used free shared buff/cache available
Mem: 984M 111M 600M 6.7M 273M 703M
Swap: 2.0G 0B 2.0G
buffer:cpu传给内存(buffer),再写入磁盘。
cache:从磁盘读进内存(cache),再提交cpu。
total=used+free+buff/cache;
available包含free和buff/cache剩余部分。
3、ps 系统进程
[root@server01 ~]
# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.6 128092 6708 ? Ss 7月10 0:01 /usr/lib/syste
root 2 0.0 0.0 0 0 ? S 7月10 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 7月10 0:00 [ksoftirqd/0]
......
[root@server01 ~]
# ps -elf
F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD
4 S root 1 0 0 80 0 - 32023 ep_pol 7月10 ? 00:00:01 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
1 S root 2 0 0 80 0 - 0 kthrea 7月10 ? 00:00:00 [kthreadd]
1 S root 3 2 0 80 0 - 0 smpboo 7月10 ? 00:00:00 [ksoftirqd/0]
......
“ps aux”和“ps -elf”的作用是一致的,使用哪个取决于用户使用习惯。
▎STAT部分详解:
D 不能中断的进程 < 高优先级进程
R run状态的进程 N 低优先级进程
S sleep状态的进程 L 有内存分页被锁定在内存中的进程
T 暂停的进程 s 主进程
Z 僵尸进程 l 多线程进程
+ 前台进程
4、netstat 网络状态
[root@server01 ~]
# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 64 server01:ssh gateway:51102 ESTABLISHED
udp 0 0 server01:53475 marla.ludost.net:ntp ESTABLISHED
udp 0 0 server01:44876 61-216-153-107.HINE:ntp ESTABLISHED
udp 0 0 server01:40498 ntp1.ams1.nl.leasew:ntp ESTABLISHED
udp 0 0 server01:49814 ntp4.itcompliance.d:ntp ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 7564 /run/systemd/notify
......
[root@server01 ~]
# netstat -lnp ##能显示端口和连接状态
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1293/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1793/master
tcp6 0 0 :::22 :::* LISTEN 1293/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1793/master
udp 0 0 127.0.0.1:323 0.0.0.0:* 492/chronyd
udp6 0 0 ::1:323 :::* 492/chronyd
raw6 0 0 :::58 :::* 7 510/NetworkManager
Active UNIX domain sockets (only servers)
......
[root@server01 ~]
# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 64 192.168.137.100:22 192.168.137.1:51102 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
udp 0 0 192.168.137.100:53475 79.98.105.18:123 ESTABLISHED
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp 0 0 192.168.137.100:58381 61.216.153.107:123 ESTABLISHED
......
[root@server01 ~]
# netstat -lntp ##只显示TCP
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1293/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1793/master
tcp6 0 0 :::22 :::* LISTEN 1293/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1793/master
[root@server01 ~]
# netstat -lnup ##只显示UDP
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 127.0.0.1:323 0.0.0.0:* 492/chronyd
udp6 0 0 ::1:323 :::* 492/chronyd
[root@server01 ~]
# netstat -an |awk '/^tcp/{++sta[$NF]}END{for(key in sta)print key,"\t",sta[key]}' ##统计连接数
LISTEN 4
ESTABLISHED 1
[root@server01 ~]
# ss -an
......
u_str ESTAB 0 0 * 13719 * 13718
u_str ESTAB 0 0 * 17908 * 17907
u_str ESTAB 0 0 * 14545 * 14546
u_str ESTAB 0 0 * 13612 * 13720
udp UNCONN 0 0 :::58 :::*
udp ESTAB 0 0 192.168.137.100:56524 163.172.177.158:123
udp ESTAB 0 0 192.168.137.100:42723 79.98.105.18:123
udp UNCONN 0 0 127.0.0.1:323 *:*
udp ESTAB 0 0 192.168.137.100:58381 61.216.153.107:123
......
5、tcpdump 抓包
[root@server01 ~]
# tcpdump -nn -i ens33 ##指定抓包网卡
......
00:43:14.089076 IP 192.168.137.100.22 > 192.168.137.1.51102: Flags [P.], seq 1265808:1266096, ack 18561, win 260, length 288
00:43:14.089308 IP 192.168.137.1.51102 > 192.168.137.100.22: Flags [.], ack 1266096, win 251, length 0
00:43:14.089335 IP 192.168.137.100.22 > 192.168.137.1.51102: Flags [P.], seq 1266096:1266272, ack 18561, win 260, length 176
^C
8213 packets captured
8215 packets received by filter
0 packets dropped by kernel
其他用法:
tcpdump -nn port 80 ##指定抓包端口
tcpdump -nn not port 25 and host 192.168.137.1 ##“and”匹配多个过滤条件
tcpdump -nn -c 100 -w 1.cap ##抓100个包后写入文件
tcpdump -r /tmp/1.cap ##读取抓包文件
▎除了tcpdump外,wireshark(及其命令行工具tshark)也可以用于抓包:
[root@server01 ~]
# tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"
##显示访问http请求的域名以及uri
参数解读:
-e <field>
Add a field to the list of fields to display if -T fields is selected. This option can be used multiple times on the command line. At least one field must be provided if the -T fields option is selected. Column names may be used prefixed with "col."
Example: -e frame.number -e ip.addr -e udp -e col.info
Giving a protocol rather than a single field will print multiple items of data about the protocol as a single field. Fields are separated by tab characters by default. -E controls the format of the printed fields.
-R <Read filter>
Cause the specified filter (which uses the syntax of read/display filters, rather than that of capture filters) to be applied during the first pass of analysis. Packets not matching the filter are not considered for future passes. Only makes sense with multiple passes, see -2. For regular filtering on single-pass dissect see -Y instead.
Note that forward-looking fields such as 'response in frame #' cannot be used with this filter, since they will not have been calculated when this filter is applied.
其他用法:
①抓取mysql的查询:
tshark -n -i eth1 -R 'mysql.query' -T fields -e "ip.src" -e "mysql.query"
tshark -i eth1 port 3307 -d tcp.port==3307,mysql -z
"proto,colinfo,mysql.query,mysql.query"
②抓取指定类型的MySQL查询:
tshark -n -i eth1 -R 'mysql matches "SELECT|INSERT|DELETE|UPDATE"' -T fields -e "ip.src" -e "mysql.query"
③统计http的状态:
tshark -n -q -z http,stat, -z http,tree
④增加时间标签:
tshark -t ad
tshark -t a
本文转自Grodd51CTO博客,原文链接:http://blog.51cto.com/juispan/1946485,如需转载请自行联系原作者