Week 7, class 2: Linux
10.6 Monitoring I/O performance
10.7 The free command
10.8 The ps command
10.9 Viewing network status
10.10 Packet capture on Linux
10.6 Monitoring I/O performance
In everyday operations, disk I/O is a very important metric alongside CPU and memory. Sometimes CPU and memory clearly have headroom and yet the system load is high; if vmstat shows a large b column (processes blocked waiting) or wa column (CPU time spent waiting for I/O), the disk is the bottleneck. To look at disk state in more detail we use iostat, which is installed with the sysstat package, the same package that provides sar.
Usage of iostat:
[root@localhost ~]# iostat
Linux 3.10.0-693.el7.x86_64 (localhost.localdomain) 01/21/2018 _x86_64_ (2 CPU)
avg-cpu: %user %nice %system %iowait %steal %idle
0.06 0.00 0.22 0.07 0.00 99.65
Device: tps kB_read/s kB_wrtn/s kB_read kB_wrtn
scd0 0.00 0.04 0.00 1028 0
sda 0.77 16.62 2.34 443211 62322
sdb 0.00 0.08 0.00 2200 0
[root@localhost ~]#
You can also add an interval argument (1), much like vmstat:
[root@localhost ~]# iostat 1
Linux 3.10.0-693.el7.x86_64 (localhost.localdomain) 01/21/2018 _x86_64_ (2 CPU)
avg-cpu: %user %nice %system %iowait %steal %idle
0.06 0.00 0.22 0.07 0.00 99.65
Device: tps kB_read/s kB_wrtn/s kB_read kB_wrtn
scd0 0.00 0.04 0.00 1028 0
sda 0.77 16.60 2.33 443219 62324
sdb 0.00 0.08 0.00 2200 0
avg-cpu: %user %nice %system %iowait %steal %idle
0.00 0.00 0.00 0.00 0.00 100.00
Device: tps kB_read/s kB_wrtn/s kB_read kB_wrtn
scd0 0.00 0.00 0.00 0 0
sda 0.00 0.00 0.00 0 0
sdb 0.00 0.00 0.00 0 0
avg-cpu: %user %nice %system %iowait %steal %idle
0.00 0.00 0.50 0.00 0.00 99.50
Device: tps kB_read/s kB_wrtn/s kB_read kB_wrtn
scd0 0.00 0.00 0.00 0 0
sda 0.00 0.00 0.00 0 0
sdb 0.00 0.00 0.00 0 0
^C
[root@localhost ~]#
There is nothing remarkable to see here. sar -b shows the same kind of information, from the samples sysstat collects periodically:
[root@localhost ~]# sar -b
Linux 3.10.0-693.el7.x86_64 (localhost.localdomain) 01/21/2018 _x86_64_ (2 CPU)
10:50:02 AM tps rtps wtps bread/s bwrtn/s
11:00:01 AM 0.50 0.00 0.50 0.00 14.12
11:10:01 AM 0.08 0.00 0.08 0.00 1.04
11:20:01 AM 0.04 0.00 0.04 0.00 0.52
11:30:01 AM 0.12 0.00 0.12 0.00 1.68
11:40:01 AM 0.96 0.00 0.96 0.00 66.18
11:50:01 AM 0.04 0.00 0.04 0.00 0.49
Average: 0.29 0.00 0.29 0.00 14.01
[root@localhost ~]#
The command worth learning is iostat -x, which has one very important column:
[root@localhost ~]# iostat -x 1
Linux 3.10.0-693.el7.x86_64 (localhost.localdomain) 01/21/2018 _x86_64_ (2 CPU)
avg-cpu: %user %nice %system %iowait %steal %idle
0.06 0.00 0.22 0.07 0.00 99.65
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
scd0 0.00 0.00 0.00 0.00 0.04 0.00 114.22 0.00 5.11 5.11 0.00 4.22 0.00
sda 0.00 0.02 0.55 0.22 16.50 2.33 49.05 0.01 12.62 12.22 13.59 3.70 0.28
sdb 0.00 0.00 0.00 0.00 0.08 0.00 37.61 0.00 0.15 0.15 0.00 0.15 0.00
avg-cpu: %user %nice %system %iowait %steal %idle
0.00 0.00 0.50 0.00 0.00 99.50
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
scd0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
sda 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
sdb 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
avg-cpu: %user %nice %system %iowait %steal %idle
0.00 0.00 0.00 0.00 0.00 100.00
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
scd0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
sda 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
sdb 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
^C
[root@localhost ~]#
%util is a percentage: the share of elapsed time during which the device had I/O requests in flight, that is, the disk's own busy time. It is not time taken from the CPU. The CPU does spend part of its time computing for processes and part waiting for disk reads and writes, but that waiting is the %iowait figure in the avg-cpu block above; %util describes the disk itself. If %util stays high (say above 50%) the disk is very busy and is likely the bottleneck. If rkB/s and wkB/s are small yet %util is large, the disk may be slow or failing. Also read await (average milliseconds each request spends queued plus being serviced) and avgqu-sz (average queue length): a high await with a modest %util points at a slow device rather than an overloaded one. Two caveats: svctm is deprecated in newer sysstat releases and should not be relied on, and on SSDs, NVMe and RAID arrays, which service many requests in parallel, a %util near 100% does not by itself mean the device is saturated; throughput and await tell you more there. If the disk really cannot keep up, no amount of CPU will help; the only fix is faster storage.
If disk I/O is busy and you want to know which process is doing the reading and writing, use iotop. It is not installed by default; install it with yum install -y iotop.
iotop behaves much like top: it refreshes dynamically and ranks processes, and the column to watch is the per-process I/O percentage.
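The following is an added example, not part of the course notes, showing where %util and await actually come from: iostat reads /proc/diskstats twice and divides the deltas by the sampling interval. The two diskstats sample lines are constructed for the demonstration; the live_disk_metrics helper reads the real file and therefore needs Linux. The thresholds in disk_verdict are illustrative, not a standard.

```shell
#!/bin/sh
# Added example (not from the course): recompute iostat's %util and await
# from two samples of /proc/diskstats, which is exactly where iostat gets them.
# /proc/diskstats fields (1-indexed): 3 device, 4 reads completed,
# 7 ms spent reading, 8 writes completed, 11 ms spent writing,
# 13 ms the device spent doing I/O (io_ticks).
# %util = delta(field 13) / interval              -> device busy time, nothing to do with CPU
# await = (delta f7 + delta f11) / (delta f4 + delta f8)   -> ms per request

# disk_metrics BEFORE_LINE AFTER_LINE INTERVAL_MS  -> "dev util% await_ms"
disk_metrics() {
    printf '%s\n%s\n' "$1" "$2" | awk -v iv="$3" '
        NR == 1 { r0 = $4; rt0 = $7; w0 = $8; wt0 = $11; busy0 = $13 }
        NR == 2 {
            dr = $4 - r0;  drt = $7 - rt0
            dw = $8 - w0;  dwt = $11 - wt0
            dbusy = $13 - busy0
            util = 100 * dbusy / iv
            ios = dr + dw
            await = (ios > 0) ? (drt + dwt) / ios : 0
            printf "%s %.1f %.1f\n", $3, util, await
        }'
}

# disk_verdict BEFORE AFTER INTERVAL_MS UTIL_LIMIT AWAIT_LIMIT -> OK | BUSY | SLOW
# BUSY: the device is saturated (high util). SLOW: requests wait long even
# though the device is not busy, which points at a slow or failing disk.
disk_verdict() {
    set -- "$(disk_metrics "$1" "$2" "$3")" "$4" "$5"
    echo "$1" | awk -v ul="$2" -v al="$3" '{
        if ($2 >= ul) print "BUSY"; else if ($3 >= al) print "SLOW"; else print "OK" }'
}

# live_disk_metrics DEV [SECONDS]: sample the real /proc/diskstats twice (Linux only)
live_disk_metrics() {
    dev=$1; secs=${2:-1}
    b=$(grep -w "$dev" /proc/diskstats) || return 1
    sleep "$secs"
    a=$(grep -w "$dev" /proc/diskstats)
    disk_metrics "$b" "$a" $((secs * 1000))
}

# Constructed sample lines, one second apart (not real machine output):
# 100 reads costing 800 ms, 50 writes costing 600 ms, device busy for 600 ms.
SAMPLE_BEFORE='8 0 sda 1000 10 80000 5000 400 20 32000 3000 0 7000 8000'
SAMPLE_AFTER='8 0 sda 1100 12 88000 5800 450 22 36000 3600 2 7600 9000'

disk_metrics "$SAMPLE_BEFORE" "$SAMPLE_AFTER" 1000          # sda 60.0 9.3
disk_verdict "$SAMPLE_BEFORE" "$SAMPLE_AFTER" 1000 80 20    # OK
```

On a real host, live_disk_metrics sda 5 gives the same three numbers for a five-second window; compare them with what iostat -x 5 prints for that device.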
10.7 The free command
[root@localhost ~]# free
total used free shared buff/cache available
Mem: 1867048 390860 925636 9356 550552 1227604
Swap: 4194300 0 4194300
[root@localhost ~]#
The free command shows the system's total memory and how it is being used. The free output on CentOS 7 is a little more compact than on CentOS 6, but essentially the same.
There are three rows: the first is the header, the second is physical memory, the third is swap. The row we care about is the second one (Mem):
total: total physical memory
used: memory actually in use by processes
free: physical memory that is completely unused (not allocated to anything)
shared: shared memory (tmpfs and the like); usually not a concern
buff/cache: the amount of memory currently holding buffers and cache.
A quick distinction between buffer and cache: they sound similar, but the data flows in different directions, hence the different names.
Data going from disk to the CPU passes through memory, because disk and CPU differ enormously in speed and memory smooths the gap: disk (data) -> cache -> CPU.
Once the CPU has finished with data it must be written back to disk. Writing directly would take far too long, since the CPU is fast and the disk is slow and the CPU cannot wait, so the data is first placed in memory and then flushed to disk: CPU (processed data) -> buffer -> disk.
So, in this simplified picture: memory holding data the CPU has produced and is about to write to disk is buff; memory holding data read from disk so the CPU can work on it is cache. (Strictly speaking, in today's kernels "buffers" is the cache of raw block-device blocks, including filesystem metadata, and "cache" is the page cache of file contents; both serve reads and both hold dirty pages waiting to be written.)
available: how much memory the system can actually give to applications; it includes free. To make applications faster, Linux keeps a portion of memory (buff/cache) holding data on their behalf; that memory is not "really" in use, but it has been allocated. When another service needs more memory, the kernel can reclaim that cached memory and hand it over. So:
available = free + the reclaimable part of buff/cache (what is not pinned)
total = used + free + buff/cache
If swap is filling up, physical memory is insufficient; very often a process is leaking memory, which means the program has a bug that needs investigating.
[root@localhost ~]# free
total used free shared buff/cache available
Mem: 1867048 390860 925636 9356 550552 1227604
Swap: 4194300 0 4194300
[root@localhost ~]# free -m
total used free shared buff/cache available
Mem: 1823 377 908 9 537 1203
Swap: 4095 0 4095
[root@localhost ~]# free -h
total used free shared buff/cache available
Mem: 1.8G 377M 908M 9.1M 537M 1.2G
Swap: 4.0G 0B 4.0G
[root@localhost ~]# free -g
total used free shared buff/cache available
Mem: 1 0 0 0 0 1
Swap: 3 0 3
[root@localhost ~]#
Because buffers and cache matter so much, the system keeps a portion of memory set aside for them.
With free, the figure to watch is available.
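An added example (not from the course) that reproduces the free figures above from /proc/meminfo using exactly the relations just given, and adds the memory-pressure check the section describes in words. The two meminfo excerpts are constructed: the first is chosen so that it matches the free output shown above, the second models a host whose swap is filling up. The 10% and 50% thresholds are illustrative.

```shell
#!/bin/sh
# Added example (not from the course): derive the numbers free prints from
# /proc/meminfo using the relations above, and turn them into a pressure check.
#   buff/cache = Buffers + Cached + SReclaimable
#   used       = MemTotal - MemFree - buff/cache
#   available  = MemAvailable (the kernel's estimate of free + reclaimable cache)

# mem_summary < meminfo -> "total used free shared buff/cache available swap_used_pct" (kB)
mem_summary() {
    awk '
        { v[$1] = $2 }          # keys keep the colon: v["MemTotal:"]
        END {
            total = v["MemTotal:"]; free = v["MemFree:"]
            bc    = v["Buffers:"] + v["Cached:"] + v["SReclaimable:"]
            used  = total - free - bc
            swap_used = v["SwapTotal:"] - v["SwapFree:"]
            pct = (v["SwapTotal:"] > 0) ? 100 * swap_used / v["SwapTotal:"] : 0
            printf "%d %d %d %d %d %d %.0f\n",
                   total, used, free, v["Shmem:"], bc, v["MemAvailable:"], pct
        }'
}

# mem_pressure < meminfo -> OK, or LOW-MEM when available is under 10% of total
# or more than half of swap is in use (the "swap running out" case above).
mem_pressure() {
    mem_summary | awk '{
        if ($6 < $1 / 10 || $7 > 50) print "LOW-MEM"; else print "OK" }'
}

# Constructed /proc/meminfo excerpts (not captured from a machine). The first
# reproduces the free output shown above; the second is a host under pressure.
MEMINFO_IDLE='MemTotal:        1867048 kB
MemFree:          925636 kB
MemAvailable:    1227604 kB
Buffers:            2108 kB
Cached:           508000 kB
SwapTotal:       4194300 kB
SwapFree:        4194300 kB
Shmem:              9356 kB
SReclaimable:      40444 kB'

MEMINFO_BUSY='MemTotal:        1867048 kB
MemFree:           40000 kB
MemAvailable:      90000 kB
Buffers:            1000 kB
Cached:            60000 kB
SwapTotal:       4194300 kB
SwapFree:        2000000 kB
Shmem:              9356 kB
SReclaimable:       5000 kB'

printf '%s\n' "$MEMINFO_IDLE" | mem_summary    # 1867048 390860 925636 9356 550552 1227604 0
printf '%s\n' "$MEMINFO_IDLE" | mem_pressure   # OK
printf '%s\n' "$MEMINFO_BUSY" | mem_pressure   # LOW-MEM
```

On a live system run mem_summary < /proc/meminfo and compare with free; the first six numbers should match its Mem row.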
10.8 The ps command
• ps: view system processes
[root@localhost ~]# ps
PID TTY TIME CMD
17790 pts/0 00:00:00 bash
18148 pts/0 00:00:00 ps
[root@localhost ~]#
• Usage: ps aux, ps -elf
ps aux lists every process on the system:
[root@localhost ~]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 128564 7308 ? Ss Jan21 0:07 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
root 2 0.0 0.0 0 0 ? S Jan21 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S Jan21 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< Jan21 0:00 [kworker/0:0H]
root 7 0.0 0.0 0 0 ? S Jan21 0:00 [migration/0]
root 8 0.0 0.0 0 0 ? S Jan21 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? S Jan21 0:23 [rcu_sched]
root 10 0.0 0.0 0 0 ? S Jan21 0:01 [watchdog/0]
root 11 0.0 0.0 0 0 ? S Jan21 0:00 [watchdog/1]
root 12 0.0 0.0 0 0 ? S Jan21 0:00 [migration/1]
gdm 1855 0.0 0.4 451640 8576 ? Sl Jan21 0:00 /usr/libexec/ibus-x11 --kill-daemon
gdm 1864 0.0 0.2 424524 4812 ? Sl Jan21 0:00 /usr/libexec/xdg-permission-store
root 1868 0.0 0.3 406180 7288 ? Ssl Jan21 0:02 /usr/libexec/packagekitd
gdm 1871 0.1 1.1 1247580 21276 ? Sl Jan21 2:13 /usr/libexec/gnome-settings-daemon
root 1878 0.0 0.1 54456 2984 ? Ss Jan21 0:00 /usr/sbin/wpa_supplicant -u -f /var/log/wpa_supplicant.log -c /etc/wpa_supplicant/wpa
colord 1899 0.0 0.3 410996 6192 ? Ssl Jan21 0:00 /usr/libexec/colord
root 1906 0.1 0.2 252428 5552 ? Ssl Jan21 2:34 /usr/sbin/pcscd --foreground --auto-exit
gdm 1921 0.0 0.1 299748 3240 ? Sl Jan21 0:00 /usr/libexec/ibus-engine-simple
root 2117 0.0 0.2 123164 3836 ? Ss Jan21 0:00 login -- root
root 17701 0.0 0.1 116580 3268 tty2 Ss+ 13:41 0:00 -bash
root 21177 0.0 0.0 0 0 ? S 17:30 0:00 [kworker/u256:1]
root 21530 0.0 0.0 0 0 ? S 17:58 0:00 [kworker/1:2]
root 21573 0.0 0.0 0 0 ? R 18:00 0:00 [kworker/0:3]
root 21682 0.0 0.0 0 0 ? S 18:10 0:00 [kworker/u256:0]
postfix 21717 0.0 0.2 91732 4004 ? S 18:13 0:00 pickup -l -t unix -u
root 21890 0.0 0.0 0 0 ? S 18:26 0:00 [kworker/0:1]
root 21942 0.0 0.0 0 0 ? S 18:28 0:00 [kworker/1:1]
root 22000 0.0 0.0 0 0 ? S 18:31 0:00 [kworker/0:0]
root 22041 0.0 0.0 0 0 ? S 18:36 0:00 [kworker/0:2]
root 22058 0.8 0.2 147788 5228 ? Ds 18:39 0:00 sshd: root@pts/0
root 22066 0.1 0.1 116580 3268 pts/0 Ss 18:39 0:00 -bash
root 22084 0.0 0.3 341496 6480 ? Sl 18:39 0:00 /usr/sbin/abrt-dbus -t133
root 22126 0.0 0.0 107904 608 ? S 18:39 0:00 sleep 60
root 22127 0.0 0.0 151064 1804 pts/0 R+ 18:39 0:00 ps aux
[root@localhost ~]#
The most commonly used form is ps aux. Its columns, from the left:
Column 1 is the user the process runs as;
Column 2 is the PID, the process ID, which is what you pass when killing a process.
To kill the pickup process:
[root@localhost ~]# kill 21717
[root@localhost ~]# ps aux | grep pickup
postfix 22154 0.1 0.2 91732 4004 ? S 18:41 0:00 pickup -l -t unix -u
root 22156 0.0 0.0 112660 972 pts/0 S+ 18:41 0:00 grep --color=auto pickup
[root@localhost ~]#
Notice that pickup is back under a new PID (22154): it is a child of the Postfix master daemon, which respawns it, so killing a supervised process merely restarts it; to stop it you must stop the managing service. If you suspect a process such as colord, the next step is to see where it lives and where it was started from, which you can read from its /proc directory:
[root@localhost ~]# ll /proc/1899/
total 0
dr-xr-xr-x. 2 colord colord 0 Jan 22 18:47 attr
-rw-r--r--. 1 colord colord 0 Jan 22 18:47 autogroup
-r--------. 1 colord colord 0 Jan 22 18:47 auxv
-r--r--r--. 1 colord colord 0 Jan 19 07:14 cgroup
--w-------. 1 colord colord 0 Jan 22 18:47 clear_refs
-r--r--r--. 1 colord colord 0 Jan 19 07:14 cmdline
-rw-r--r--. 1 colord colord 0 Jan 19 07:14 comm
-rw-r--r--. 1 colord colord 0 Jan 22 18:47 coredump_filter
-r--r--r--. 1 colord colord 0 Jan 22 18:47 cpuset
lrwxrwxrwx. 1 colord colord 0 Jan 22 18:47 cwd -> /
-r--------. 1 colord colord 0 Jan 22 18:47 environ
lrwxrwxrwx. 1 colord colord 0 Jan 19 07:14 exe -> /usr/libexec/colord
dr-x------. 2 colord colord 0 Jan 19 07:14 fd
dr-x------. 2 colord colord 0 Jan 22 18:47 fdinfo
-rw-r--r--. 1 colord colord 0 Jan 22 18:47 gid_map
-r--------. 1 colord colord 0 Jan 22 18:47 io
dr-xr-xr-x. 5 colord colord 0 Jan 21 12:04 task
-r--r--r--. 1 colord colord 0 Jan 22 18:47 timers
-rw-r--r--. 1 colord colord 0 Jan 22 18:47 uid_map
-r--r--r--. 1 colord colord 0 Jan 22 08:00 wchan
[root@localhost ~]#
The PID of the colord process is a directory under /proc, and every process has one. The entries that matter for triage: exe is a symlink to the binary that was executed (if the file has since been deleted, the link target ends in "(deleted)", a classic sign of a payload that was dropped and then removed), cwd is the working directory it was started in, cmdline is the full command line with NUL separators, environ its environment, and fd the files and sockets it holds open. Here exe resolves to /usr/libexec/colord and cwd is /, which is what a legitimate daemon looks like.
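An added example (not from the course) of the triage you would do on a suspicious PID through /proc, generalised from the colord listing above. The fake process tree, the nc command line, the deleted-binary path and the socket inode in it are all constructed for the demonstration so that the functions can run anywhere; inspect_pid and open_files work the same on the real /proc, which is their default root.

```shell
#!/bin/sh
# Added example (not from the course): triage a process through its /proc
# directory the way you would for a suspicious PID. PROCROOT defaults to /proc;
# it is a parameter only so the functions can be exercised on a fake tree.

# inspect_pid PID [PROCROOT]  -> prints exe/cwd/cmdline; returns 2 if the
# binary was deleted after launch, 3 if cwd is a typical drop location, else 0
inspect_pid() {
    pid=$1; root=${2:-/proc}; d="$root/$pid"; rc=0
    [ -d "$d" ] || { echo "no such process: $pid" >&2; return 1; }
    exe=$(readlink "$d/exe" 2>/dev/null || echo '?')     # '?' for kernel threads / no permission
    cwd=$(readlink "$d/cwd" 2>/dev/null || echo '?')
    cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)        # argv is NUL-separated
    cmd=${cmd% }
    printf 'pid=%s\nexe=%s\ncwd=%s\ncmdline=%s\n' "$pid" "$exe" "$cwd" "$cmd"
    case "$exe" in
        *' (deleted)') echo 'WARNING: executable removed from disk after it started'; rc=2 ;;
    esac
    case "$cwd" in
        /tmp/*|/dev/shm/*|/var/tmp/*)
            echo "WARNING: running from $cwd"
            if [ "$rc" -eq 0 ]; then rc=3; fi ;;
    esac
    return $rc
}

# open_files PID [PROCROOT]: list the file descriptors, which often reveal
# the network socket or log file a process is really using
open_files() {
    d="${2:-/proc}/$1/fd"
    [ -d "$d" ] || return 1
    for f in "$d"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        printf '%s -> %s\n' "${f##*/}" "$(readlink "$f")"
    done
}

# Constructed fake /proc tree (not a real process): a listener whose binary
# was deleted and which works out of /tmp. Everything in it is invented.
make_fake_proc() {
    t=$(mktemp -d); mkdir -p "$t/4242/fd"
    printf '%s\0' nc -l -p 4444 > "$t/4242/cmdline"
    ln -s '/tmp/.x/payload (deleted)' "$t/4242/exe"
    ln -s /tmp/.x "$t/4242/cwd"
    ln -s 'socket:[31337]' "$t/4242/fd/3"
    echo "$t"
}

FAKE=$(make_fake_proc)
inspect_pid 4242 "$FAKE" || echo "verdict=$?"     # fields, two warnings, verdict=2
open_files 4242 "$FAKE"                           # 3 -> socket:[31337]
# the shell running this script, on the real /proc (skipped where there is none)
if [ -d "/proc/$$" ]; then inspect_pid "$$" || true; fi
```

The same procedure for a process you did not start: take the PID from ps aux, run inspect_pid on it, and if exe ends in "(deleted)" copy the still-open binary out of /proc/PID/exe before killing the process, otherwise you lose the sample.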
[root@localhost ~]# ps aux | grep sshd
root 1254 0.0 0.2 105996 4080 ? Ss Jan21 0:00 /usr/sbin/sshd -D
root 17782 0.0 0.2 147788 5232 ? Ss 07:27 0:00 sshd: root@pts/0
root 18224 0.0 0.0 112664 968 pts/0 S+ 07:56 0:00 grep --color=auto sshd
[root@localhost ~]#
This checks whether any sshd process is running.
ps -elf gives much the same result as ps aux; which one you use is a matter of habit:
[root@localhost ~]# ps -elf
F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD
4 S root 1 0 0 80 0 - 32141 ep_pol Jan21 ? 00:00:07 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
1 S root 2 0 0 80 0 - 0 kthrea Jan21 ? 00:00:00 [kthreadd]
1 S root 3 2 0 80 0 - 0 smpboo Jan21 ? 00:00:00 [ksoftirqd/0]
1 S root 5 2 0 60 -20 - 0 worker Jan21 ? 00:00:00 [kworker/0:0H]
1 S root 7 2 0 -40 - - 0 smpboo Jan21 ? 00:00:00 [migration/0]
1 S root 8 2 0 80 0 - 0 rcu_gp Jan21 ? 00:00:00 [rcu_bh]
1 S root 9 2 0 80 0 - 0 rcu_gp Jan21 ? 00:00:22 [rcu_sched]
5 S root 10 2 0 -40 - - 0 smpboo Jan21 ? 00:00:01 [watchdog/0]
5 S root 11 2 0 -40 - - 0 smpboo Jan21 ? 00:00:00 [watchdog/1]
1 S root 12 2 0 -40 - - 0 smpboo Jan21 ? 00:00:00 [migration/1]
1 S root 13 2 0 80 0 - 0 smpboo Jan21 ? 00:00:00 [ksoftirqd/1]
1 S root 15 2 0 60 -20 - 0 worker Jan21 ? 00:00:00 [kworker/1:0H]
5 S root 17 2 0 80 0 - 0 devtmp Jan21 ? 00:00:00 [kdevtmpfs]
1 S root 18 2 0 60 -20 - 0 rescue Jan21 ? 00:00:00 [netns]
1 S root 19 2 0 80 0 - 0 watchd Jan21 ? 00:00:00 [khungtaskd]
1 S root 20 2 0 60 -20 - 0 rescue Jan21 ? 00:00:00 [writeback]
1 S root 21 2 0 60 -20 - 0 rescue Jan21 ? 00:00:00 [kintegrityd]
4 S root 2117 1 0 80 0 - 30791 do_wai Jan21 ? 00:00:00 login -- root
1 S root 14969 2 0 80 0 - 0 worker 04:10 ? 00:00:33 [kworker/1:2]
1 S root 16901 2 0 80 0 - 0 worker 06:35 ? 00:00:00 [kworker/u256:0]
1 S root 16922 2 0 80 0 - 0 worker 06:36 ? 00:00:01 [kworker/0:0]
1 S root 17289 2 0 80 0 - 0 worker 07:05 ? 00:00:00 [kworker/u256:2]
4 S postfix 17637 1522 0 80 0 - 22933 ep_pol 07:24 ? 00:00:00 pickup -l -t unix -u
1 S root 17685 2 0 80 0 - 0 worker 07:25 ? 00:00:15 [kworker/1:1]
4 S root 17701 2117 0 80 0 - 29145 n_tty_ 07:25 tty2 00:00:00 -bash
4 D root 17782 1254 0 80 0 - 36947 flush_ 07:27 ? 00:00:00 sshd: root@pts/0
4 S root 17790 17782 0 80 0 - 29145 do_wai 07:27 pts/0 00:00:00 -bash
1 S root 18131 2 0 80 0 - 0 worker 07:51 ? 00:00:00 [kworker/0:1]
1 R root 18202 2 0 80 0 - 0 - 07:55 ? 00:00:00 [kworker/0:3]
1 S root 18277 2 0 80 0 - 0 worker 07:58 ? 00:00:00 [kworker/1:0]
0 S root 18299 902 0 80 0 - 26976 hrtime 07:59 ? 00:00:00 sleep 60
0 R root 18314 17790 0 80 0 - 37766 - 08:00 pts/0 00:00:00 ps -elf
[root@localhost ~]#
• The STAT column
Shows the state of the process. The states are:
• D: uninterruptible sleep
The process is waiting on something that must not be interrupted, usually disk I/O. It is rare in normal operation; many processes stuck in D point at storage trouble.
• R: running or runnable
Either on the CPU or waiting in the run queue for a time slice. It does not mean the process is on the CPU at this exact instant, only that it is using CPU during this period.
• S: interruptible sleep
The process is waiting for an event (input, a timer, a lock) and a signal can wake it. Most processes on a system are in this state.
• T: stopped
A process that has been stopped or suspended. If you run a command such as sleep 10 and press Ctrl-Z to suspend it, ps shows it as T:
[root@localhost ~]# sleep 10
^Z
[1]+ Stopped sleep 10
[root@localhost ~]# ps aux | grep sleep
root 22519 0.0 0.0 107904 608 ? S 19:06 0:00 sleep 60
root 22520 0.0 0.0 107904 608 pts/0 T 19:07 0:00 sleep 10
root 22522 0.0 0.0 112660 972 pts/0 S+ 19:07 0:00 grep --color=auto sleep
[root@localhost ~]#
• Z: zombie
A zombie has already exited, but its parent has not yet collected its exit status with wait(), so its process-table entry lingers. It cannot be killed because it is already dead; it holds almost no resources, and a few are harmless. Many zombies mean the parent is buggy; they disappear when the parent reaps them, or when the parent exits and init adopts and reaps them.
• <: high priority
Negative nice value. Whoever has the higher priority gets the CPU first.
• N: low priority
Positive nice value: not urgent, it can wait a little for the CPU.
• L: has pages locked into memory (mlock); used by real-time software and by programs that must keep secrets such as keys out of swap
• s: session leader
• l: multi-threaded process
Threads versus processes:
A process is made up of one or more threads. Processes do not share memory with each other; the threads of one process all use the same memory region. If a process has been given a block of memory, every thread in it, however many there are, shares that block.
A multi-threaded process simply means the process has several threads.
• +: in the foreground process group
ps is one of the most used commands at work, often combined with a pipe to check whether a particular process is running or how many instances there are:
[root@localhost ~]# ps aux | grep -c sshd
3
[root@localhost ~]# ps aux | grep sshd
root 1254 0.0 0.2 105996 4080 ? Ss Jan21 0:00 /usr/sbin/sshd -D
root 22058 0.0 0.2 147788 5228 ? Ss 18:39 0:00 sshd: root@pts/0
root 22639 0.0 0.0 112664 968 pts/0 S+ 19:19 0:00 grep --color=auto sshd
[root@localhost ~]#
The 3 above is not accurate; subtract 1, because while the pipeline runs grep itself is a process whose command line contains sshd (the grep --color=auto sshd line). pgrep -c sshd gives the count without this off-by-one, since it never matches itself.
10.9 Viewing network status with netstat
Linux is a server operating system, and a server runs many services. A service usually talks to clients, which means it needs a listening port, a port open to the outside. netstat shows the state of this TCP/IP communication. For example, installing nginx on the system provides a web service; installing MySQL provides a database service; each needs a listening port. What is a listening port? By default a machine listens on no port at all, so nothing can talk to it. To serve a website, so that others can reach it, the service must listen on a port: it opens that port, punching a small hole in the network card; a remote device connects to that hole, data flows through it into the card and into the server, and the two sides communicate.
Command for viewing ports:
[root@localhost ~]# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1633/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1254/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1256/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1522/master
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::22 :::* LISTEN 1254/sshd
tcp6 0 0 ::1:631 :::* LISTEN 1256/cupsd
tcp6 0 0 ::1:25 :::* LISTEN 1522/master
udp 0 0 0.0.0.0:34496 0.0.0.0:* 799/avahi-daemon: r
udp 0 0 192.168.122.1:53 0.0.0.0:* 1633/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 1633/dnsmasq
udp 0 0 0.0.0.0:5353 0.0.0.0:* 799/avahi-daemon: r
udp 0 0 127.0.0.1:323 0.0.0.0:* 810/chronyd
udp6 0 0 ::1:323 :::* 810/chronyd
raw6 0 0 :::58 :::* 7 910/NetworkManager
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 27011 1849/ibus-daemon @/tmp/dbus-IFTIxXwX
unix 2 [ ACC ] STREAM LISTENING 18186 779/abrtd /var/run/abrt/abrt.socket
unix 2 [ ACC ] STREAM LISTENING 26528 1266/gdm @/tmp/dbus-qCnJ8arG
unix 2 [ ACC ] STREAM LISTENING 18194 776/VGAuthService /var/run/vmware/guestServicePipe
unix 2 [ ACC ] STREAM LISTENING 25448 1752/dbus-daemon @/tmp/dbus-zSF9tbEANa
unix 2 [ ACC ] STREAM LISTENING 26657 1734/gnome-session- @/tmp/.ICE-unix/1734
unix 2 [ ACC ] STREAM LISTENING 26359 1680/X @/tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 27699 1791/pulseaudio /run/user/42/pulse/native
unix 2 [ ACC ] STREAM LISTENING 17303 1/systemd @ISCSID_UIP_ABSTRACT_NAMESPACE
unix 2 [ ACC ] STREAM LISTENING 24917 1522/master private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 24920 1522/master private/rewrite
unix 2 [ ACC ] STREAM LISTENING 24923 1522/master private/bounce
unix 2 [ ACC ] STREAM LISTENING 24926 1522/master private/defer
unix 2 [ ACC ] STREAM LISTENING 24929 1522/master private/trace
unix 2 [ ACC ] STREAM LISTENING 24932 1522/master private/verify
unix 2 [ ACC ] STREAM LISTENING 24938 1522/master private/proxymap
unix 2 [ ACC ] STREAM LISTENING 24941 1522/master private/proxywrite
unix 2 [ ACC ] STREAM LISTENING 24944 1522/master private/smtp
unix 2 [ ACC ] STREAM LISTENING 24947 1522/master private/relay
unix 2 [ ACC ] STREAM LISTENING 24953 1522/master private/error
unix 2 [ ACC ] STREAM LISTENING 24956 1522/master private/retry
unix 2 [ ACC ] STREAM LISTENING 24959 1522/master private/discard
unix 2 [ ACC ] STREAM LISTENING 24962 1522/master private/local
unix 2 [ ACC ] STREAM LISTENING 24965 1522/master private/virtual
unix 2 [ ACC ] STREAM LISTENING 24968 1522/master private/lmtp
unix 2 [ ACC ] STREAM LISTENING 24971 1522/master private/anvil
unix 2 [ ACC ] STREAM LISTENING 24974 1522/master private/scache
unix 2 [ ACC ] STREAM LISTENING 26658 1734/gnome-session- /tmp/.ICE-unix/1734
unix 2 [ ACC ] STREAM LISTENING 24906 1522/master public/pickup
unix 2 [ ACC ] STREAM LISTENING 24910 1522/master public/cleanup
unix 2 [ ACC ] STREAM LISTENING 24913 1522/master public/qmgr
unix 2 [ ACC ] STREAM LISTENING 24935 1522/master public/flush
unix 2 [ ACC ] STREAM LISTENING 24950 1522/master public/showq
unix 2 [ ACC ] STREAM LISTENING 26360 1680/X /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 19596 823/gssproxy /run/gssproxy.sock
unix 2 [ ACC ] STREAM LISTENING 17293 1/systemd /var/run/avahi-daemon/socket
unix 2 [ ACC ] STREAM LISTENING 17296 1/systemd /var/run/rpcbind.sock
unix 2 [ ACC ] STREAM LISTENING 17300 1/systemd /var/run/pcscd/pcscd.comm
unix 2 [ ACC ] STREAM LISTENING 17304 1/systemd /var/run/libvirt/virtlogd-sock
unix 2 [ ACC ] STREAM LISTENING 17307 1/systemd /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 17310 1/systemd /var/run/cups/cups.sock
unix 2 [ ACC ] STREAM LISTENING 17312 1/systemd /var/run/libvirt/virtlockd-sock
unix 2 [ ACC ] STREAM LISTENING 26525 1266/gdm @/tmp/dbus-Rb8g1qmG
unix 2 [ ACC ] STREAM LISTENING 18339 788/lsmd /var/run/lsm/ipc/simc
unix 2 [ ACC ] STREAM LISTENING 18341 788/lsmd /var/run/lsm/ipc/sim
unix 2 [ ACC ] STREAM LISTENING 18345 892/mcelog /var/run/mcelog-client
unix 2 [ ACC ] STREAM LISTENING 19595 823/gssproxy /var/lib/gssproxy/default.sock
unix 2 [ ACC ] STREAM LISTENING 24497 1263/libvirtd /var/run/libvirt/libvirt-sock
unix 2 [ ACC ] STREAM LISTENING 13238 1/systemd /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 24504 1263/libvirtd /var/run/libvirt/libvirt-sock-ro
unix 2 [ ACC ] STREAM LISTENING 24506 1263/libvirtd /var/run/libvirt/libvirt-admin-sock
unix 2 [ ACC ] STREAM LISTENING 10940 1/systemd /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 26527 1266/gdm @/tmp/dbus-jI2llL96
unix 2 [ ACC ] STREAM LISTENING 17314 1/systemd @ISCSIADM_ABSTRACT_NAMESPACE
unix 2 [ ACC ] SEQPACKET LISTENING 10957 1/systemd /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 10959 1/systemd /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 206 1/systemd /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 26524 1266/gdm @/tmp/dbus-GTxI0HA6
unix 2 [ ACC ] STREAM LISTENING 26583 1741/dbus-daemon @/tmp/dbus-xYLJnvHn8J
[root@localhost ~]#
netstat -lnp shows the ports and sockets the system is currently listening on.
l stands for listen: which ports, and which services, is your machine listening on?
The remote connection we set up earlier when configuring the IP address uses port 22.
sshd appears twice, once under tcp (IPv4) and once under tcp6 (IPv6). (Details of TCP and UDP are left for self-study; they are not the focus here.)
master is the Postfix master daemon on port 25, the mail port; here it is bound to 127.0.0.1 and ::1 only, so it is not reachable from other machines, unlike sshd on 0.0.0.0.
The socket files are used for inter-process communication between two processes on the same server.
netstat also lists which socket files are listening.
What you need to focus on is the first block: which ports are listening. When we get to services later we will always check in this way whether a service started properly: ps to look at the process, netstat to look at the listening port. This command will come up again and again. Two flags matter: -n prints numeric addresses and ports instead of resolving them to names (faster and unambiguous), and -p shows the PID and program that owns each socket (run it as root, otherwise other users' processes show as -).
Second usage:
netstat -an lists every connection on the system.
[root@localhost ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 52 192.168.231.128:22 192.168.231.1:52975 ESTABLISHED
tcp6 0 0 :::111 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:631 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
udp 0 0 0.0.0.0:34496 0.0.0.0:*
udp 0 0 192.168.122.1:53 0.0.0.0:*
udp 0 0 0.0.0.0:67 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp6 0 0 ::1:323 :::*
raw6 0 0 :::58 :::* 7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 27011 @/tmp/dbus-IFTIxXwX
unix 2 [ ACC ] STREAM LISTENING 18186 /var/run/abrt/abrt.socket
unix 2 [ ACC ] STREAM LISTENING 26528 @/tmp/dbus-qCnJ8arG
unix 2 [ ACC ] STREAM LISTENING 18194 /var/run/vmware/guestServicePipe
unix 2 [ ACC ] STREAM LISTENING 25448 @/tmp/dbus-zSF9tbEANa
unix 2 [ ACC ] STREAM LISTENING 26657 @/tmp/.ICE-unix/1734
This form shows the state of every TCP/IP socket, listening and established.
netstat -lntp shows only TCP listeners, leaving out the UNIX sockets:
[root@localhost ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1633/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1254/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1256/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1522/master
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::22 :::* LISTEN 1254/sshd
tcp6 0 0 ::1:631 :::* LISTEN 1256/cupsd
tcp6 0 0 ::1:25 :::* LISTEN 1522/master
[root@localhost ~]#
netstat -ltunp shows TCP and UDP listeners together (t for TCP, u for UDP). To see only UDP, drop the t: netstat -lunp.
[root@localhost ~]# netstat -ltunp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1633/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1254/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1256/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1522/master
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::22 :::* LISTEN 1254/sshd
tcp6 0 0 ::1:631 :::* LISTEN 1256/cupsd
tcp6 0 0 ::1:25 :::* LISTEN 1522/master
udp 0 0 0.0.0.0:34496 0.0.0.0:* 799/avahi-daemon: r
udp 0 0 192.168.122.1:53 0.0.0.0:* 1633/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 1633/dnsmasq
udp 0 0 0.0.0.0:5353 0.0.0.0:* 799/avahi-daemon: r
udp 0 0 127.0.0.1:323 0.0.0.0:* 810/chronyd
udp6 0 0 ::1:323 :::* 810/chronyd
[root@localhost ~]#
Extra reading: the TCP three-way handshake and four-way close; this is a frequent interview question.
When reading netstat, the value to watch is ESTABLISHED: if it is large, the system is busy. The number of concurrent connections is how many clients are connected at the same moment, and the ESTABLISHED count is the figure we quote for it. (The instructor's example from a production server, whose output is not reproduced here, showed 45 clients in ESTABLISHED and 3598 sockets in TIME_WAIT; TIME_WAIT sockets are merely waiting for the close to finish, while ESTABLISHED is real communication. Up to about a thousand ESTABLISHED connections is fine for a server; tens of thousands is rare.) The command below, which counts sockets per TCP state, is worth memorizing:
[root@localhost ~]# netstat -an | awk '/^tcp/ {++sta[$NF]} END {for(key in sta) print key,"\t",sta[key]}'
LISTEN 9
ESTABLISHED 1
[root@localhost ~]#
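An added example, not from the course, that takes the two questions of this section (which listening ports are exposed, from the netstat -lnp discussion above, and how many connections are established and from where, from the ESTABLISHED count just shown) and answers both with awk over netstat output, extending the one-liner above with a per-peer breakdown. The sample lines are constructed from the outputs on this page; the nc listener on port 4444 and the 10.0.0.x peers are invented so that the checks have something to report.

```shell
#!/bin/sh
# Added example (not from the course): two checks over netstat output.
# 1. exposed_listeners: TCP listeners reachable from outside the host that are
#    not on an allowlist of expected ports (netstat -lntp lines on stdin).
# 2. conn_summary: sockets per state plus ESTABLISHED connections per peer,
#    so a burst of connections can be traced to its source (netstat -an lines).

# exposed_listeners "22 80 443" < netstat-lntp-output -> "proto local_addr pid/prog"
exposed_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, p, ":"); port = p[n]            # last field is the port
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1") next    # loopback only: not exposed
            if (!(port in ok)) print $1, $4, $7
        }'
}

# conn_summary < netstat-an-output -> "state NAME n" and "peer IP n" lines, sorted
conn_summary() {
    awk '
        $1 ~ /^tcp/ && NF >= 6 {
            st[$6]++
            if ($6 == "ESTABLISHED") {
                n = split($5, q, ":"); port = q[n]
                peer[substr($5, 1, length($5) - length(port) - 1)]++
            }
        }
        END {
            for (s in st)   printf "state %s %d\n", s, st[s]
            for (h in peer) printf "peer %s %d\n", h, peer[h]
        }' | sort
}

# Constructed samples modelled on the output above; the nc listener on 4444
# and the 10.0.0.x peers are invented to give the checks something to flag.
LISTEN_SAMPLE='tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1633/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1254/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1256/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1522/master
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN 23107/nc
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::22 :::* LISTEN 1254/sshd
tcp6 0 0 ::1:631 :::* LISTEN 1256/cupsd'

CONN_SAMPLE='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 52 192.168.231.128:22 192.168.231.1:52975 ESTABLISHED
tcp 0 0 192.168.231.128:80 10.0.0.5:40001 ESTABLISHED
tcp 0 0 192.168.231.128:80 10.0.0.5:40002 ESTABLISHED
tcp 0 0 192.168.231.128:80 10.0.0.5:40003 ESTABLISHED
tcp 0 0 192.168.231.128:80 10.0.0.7:51000 TIME_WAIT
tcp 0 0 192.168.231.128:80 10.0.0.7:51001 TIME_WAIT
tcp6 0 0 :::22 :::* LISTEN'

printf '%s\n' "$LISTEN_SAMPLE" | exposed_listeners "22"   # 111, 53, 4444 flagged; sshd, cupsd, master not
printf '%s\n' "$CONN_SAMPLE" | conn_summary               # peer 10.0.0.5 3 ... state ESTABLISHED 4 ...
# Live:  netstat -lntp | exposed_listeners "22 80 443"     netstat -an | conn_summary
```

The listener check deliberately ignores loopback bindings such as cupsd and the Postfix master above: they are not reachable from the network, which is why binding a service to 127.0.0.1 is the first hardening step when it does not need to be public.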
The ss command is very similar to netstat; ss -an is the most used form and also shows TCP/IP state:
[root@localhost ~]# ss -an
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
nl UNCONN 0 0 0:1620 *
nl UNCONN 0 0 0:0 *
nl UNCONN 0 0 0:-1098906385 *
nl UNCONN 0 0 0:1868 *
nl UNCONN 0 0 0:-1153432690 *
nl UNCONN 0 0 0:469763311 *
nl UNCONN 0 0 0:799 *
There is a lot more below that; let's look at just the listening ones:
[root@localhost ~]# ss -an | grep -i listen
u_str LISTEN 0 10 @/tmp/dbus-IFTIxXwX 27011 * 0
u_str LISTEN 0 10 /var/run/abrt/abrt.socket 18186 * 0
u_str LISTEN 0 10 @/tmp/dbus-qCnJ8arG 26528 * 0
u_str LISTEN 0 32 /var/run/vmware/guestServicePipe 18194 * 0
u_str LISTEN 0 30 @/tmp/dbus-zSF9tbEANa 25448 * 0
u_str LISTEN 0 128 @/tmp/.ICE-unix/1734 26657 * 0
u_str LISTEN 0 128 @/tmp/.X11-unix/X0 26359 * 0
u_str LISTEN 0 5 /run/user/42/pulse/native 27699 * 0
u_str LISTEN 0 128 @ISCSID_UIP_ABSTRACT_NAMESPACE 17303 * 0
u_str LISTEN 0 100 private/tlsmgr 24917 * 0
u_str LISTEN 0 100 private/rewrite 24920 * 0
u_str LISTEN 0 100 private/bounce 24923 * 0
u_str LISTEN 0 100 private/defer 24926 * 0
u_str LISTEN 0 100 private/trace 24929 * 0
u_str LISTEN 0 100 private/verify 24932 * 0
u_str LISTEN 0 100 private/proxymap 24938 * 0
u_str LISTEN 0 100 private/proxywrite 24941 * 0
u_str LISTEN 0 100 private/smtp 24944 * 0
u_str LISTEN 0 100 private/relay 24947 * 0
u_str LISTEN 0 100 private/error 24953 * 0
u_str LISTEN 0 100 private/retry 24956 * 0
u_str LISTEN 0 100 private/discard 24959 * 0
u_str LISTEN 0 100 private/local 24962 * 0
u_str LISTEN 0 100 private/virtual 24965 * 0
u_str LISTEN 0 100 private/lmtp 24968 * 0
u_str LISTEN 0 100 private/anvil 24971 * 0
u_str LISTEN 0 100 private/scache 24974 * 0
u_str LISTEN 0 128 /tmp/.ICE-unix/1734 26658 * 0
u_str LISTEN 0 100 public/pickup 24906 * 0
u_str LISTEN 0 100 public/cleanup 24910 * 0
u_str LISTEN 0 100 public/qmgr 24913 * 0
u_str LISTEN 0 100 public/flush 24935 * 0
u_str LISTEN 0 100 public/showq 24950 * 0
u_str LISTEN 0 128 /tmp/.X11-unix/X0 26360 * 0
u_str LISTEN 0 10 /run/gssproxy.sock 19596 * 0
u_str LISTEN 0 128 /var/run/avahi-daemon/socket 17293 * 0
u_str LISTEN 0 128 /var/run/rpcbind.sock 17296 * 0
u_str LISTEN 0 128 /var/run/pcscd/pcscd.comm 17300 * 0
u_str LISTEN 0 128 /var/run/libvirt/virtlogd-sock 17304 * 0
u_str LISTEN 0 128 /var/run/dbus/system_bus_socket 17307 * 0
u_str LISTEN 0 128 /var/run/cups/cups.sock 17310 * 0
u_str LISTEN 0 128 /var/run/libvirt/virtlockd-sock 17312 * 0
u_str LISTEN 0 10 @/tmp/dbus-Rb8g1qmG 26525 * 0
u_str LISTEN 0 5 /var/run/lsm/ipc/simc 18339 * 0
u_str LISTEN 0 5 /var/run/lsm/ipc/sim 18341 * 0
u_str LISTEN 0 10 /var/run/mcelog-client 18345 * 0
u_str LISTEN 0 10 /var/lib/gssproxy/default.sock 19595 * 0
u_str LISTEN 0 128 /var/run/libvirt/libvirt-sock 24497 * 0
u_str LISTEN 0 128 /run/systemd/private 13238 * 0
u_str LISTEN 0 128 /var/run/libvirt/libvirt-sock-ro 24504 * 0
u_str LISTEN 0 20 /var/run/libvirt/libvirt-admin-sock 24506 * 0
u_str LISTEN 0 128 /run/lvm/lvmetad.socket 10940 * 0
u_str LISTEN 0 10 @/tmp/dbus-jI2llL96 26527 * 0
u_str LISTEN 0 128 @ISCSIADM_ABSTRACT_NAMESPACE 17314 * 0
u_seq LISTEN 0 128 /run/udev/control 10957 * 0
u_str LISTEN 0 128 /run/lvm/lvmpolld.socket 10959 * 0
u_str LISTEN 0 128 /run/systemd/journal/stdout 206 * 0
u_str LISTEN 0 10 @/tmp/dbus-GTxI0HA6 26524 * 0
u_str LISTEN 0 30 @/tmp/dbus-xYLJnvHn8J 26583 * 0
tcp LISTEN 0 128 *:111 *:*
tcp LISTEN 0 5 192.168.122.1:53 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 128 127.0.0.1:631 *:*
tcp LISTEN 0 100 127.0.0.1:25 *:*
tcp LISTEN 0 128 :::111 :::*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 128 ::1:631 :::*
tcp LISTEN 0 100 ::1:25 :::*
[root@localhost ~]#
Used this way ss does not show process names, whereas netstat does (ss shows them too when given -p, for example ss -lntp):
[root@localhost ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1633/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1254/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1256/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1522/master
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::22 :::* LISTEN 1254/sshd
tcp6 0 0 ::1:631 :::* LISTEN 1256/cupsd
tcp6 0 0 ::1:25 :::* LISTEN 1522/master
[root@localhost ~]#
10.10 Packet capture on Linux
If the machine is under attack, the traffic on the network card becomes abnormal: the inbound packet rate can exceed 10,000 per second. At that point you want to see which packets are coming in, and for that you use tcpdump. First find the interface name with ifconfig:
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.231.128 netmask 255.255.255.0 broadcast 192.168.231.255
inet6 fe80::77e9:3d29:fad9:b570 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:b7:62:f8 txqueuelen 1000 (Ethernet)
RX packets 74830 bytes 10154281 (9.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 76858 bytes 18781631 (17.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 108 bytes 9456 (9.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 108 bytes 9456 (9.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:c9:f0:09 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]#
[root@localhost ~]# tcpdump -nn -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:09:51.376591 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 534398562:534398758, ack 4065891896, win 260, length 196
20:09:51.376770 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 196, win 2052, length 0
20:09:51.376815 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 196:472, ack 1, win 260, length 276
20:09:51.377259 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 472:636, ack 1, win 260, length 164
20:09:51.377349 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 636, win 2050, length 0
20:09:51.377413 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 636:896, ack 1, win 260, length 260
20:09:51.377626 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 896:1060, ack 1, win 260, length 164
20:09:51.377709 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 1060, win 2048, length 0
20:09:51.377755 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 1060:1320, ack 1, win 260, length 260
20:09:51.377937 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 1320:1484, ack 1, win 260, length 164
20:09:51.378019 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 1484, win 2053, length 0
20:09:51.378073 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 1484:1744, ack 1, win 260, length 260
20:09:51.378262 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 1744:1908, ack 1, win 260, length 164
20:09:51.378344 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 1908, win 2051, length 0
20:09:51.378380 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 1908:2168, ack 1, win 260, length 260
20:09:51.378573 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 2168:2332, ack 1, win 260, length 164
20:09:51.378654 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 2332, win 2049, length 0
20:09:51.378699 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 2332:2592, ack 1, win 260, length 260
20:09:51.378889 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 2592:2756, ack 1, win 260, length 164
20:09:51.378970 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 2756, win 2048, length 0
20:09:51.379007 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 2756:3016, ack 1, win 260, length 260
20:09:51.379195 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 3016:3180, ack 1, win 260, length 164
20:09:51.379281 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 3180, win 2053, length 0
20:09:51.379324 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 3180:3440, ack 1, win 260, length 260
20:09:51.379510 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 3440:3604, ack 1, win 260, length 164
20:09:51.379624 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 3604, win 2051, length 0
After you press Enter, lines scroll past until you press Ctrl-C; the faster they scroll, the more packets the card is handling. In the output above we only need the two fields on either side of the >: which IP and port is talking to which IP and port. The rest is detail about each packet; it does not matter if you do not understand it yet.
The -i option takes the interface name; to capture on another card, give that card's name. -nn makes the source and destination show as "IP.port"; without it tcpdump resolves them to "hostname.servicename":
[root@localhost ~]# tcpdump -i ens33
21:11:24.210977 IP localhost.localdomain.ssh > 192.168.231.1.52975: Flags [P.], seq 3667324:3667504, ack 609, win 260, length 180
21:11:24.211061 IP localhost.localdomain.ssh > 192.168.231.1.52975: Flags [P.], seq 3667504:3667796, ack 609, win 260, length 292
21:11:24.211162 IP 192.168.231.1.52975 > localhost.localdomain.ssh: Flags [.], ack 3667796, win 2047, length 0
21:11:24.211186 IP localhost.localdomain.ssh > 192.168.231.1.52975: Flags [P.], seq 3667796:3667976, ack 609, win 260, length 180
21:11:24.211273 IP localhost.localdomain.ssh > 192.168.231.1.52975: Flags [P.], seq 3667976:3668268, ack 609, win 260, length 292
21:11:24.211363 IP 192.168.231.1.52975 > localhost.localdomain.ssh: Flags [.], ack 3668268, win 2053, length 0
21:11:24.211381 IP localhost.localdomain.ssh > 192.168.231.1.52975: Flags [P.], seq 3668268:3668448, ack 609, win 260, length 180
21:11:24.211454 IP localhost.localdomain.ssh > 192.168.231.1.52975: Flags [P.], seq 3668448:3668740, ack 609, win 260, length 292
21:11:24.211543 IP 192.168.231.1.52975 > localhost.localdomain.ssh: Flags [.], ack 3668740, win 2051, length 0
21:11:24.211561 IP localhost.localdomain.ssh > 192.168.231.1.52975: Flags [P.], seq 3668740:3668920, ack 609, win 260, length 180
21:11:24.211645 IP localhost.localdomain.ssh > 192.168.231.1.52975: Flags [P.], seq 3668920:3669212, ack 609, win 260, length 292
21:11:24.211764 IP 192.168.231.1.52975 > localhost.localdomain.ssh: Flags [.], ack 3669212, win 2049, length 0
21:11:24.211784 IP localhost.localdomain.ssh > 192.168.231.1.52975: Flags [P.], seq 3669212:3669392, ack 609, win 260, length 180
21:11:24.211919 IP localhost.localdomain.ssh > 192.168.231.1.52975: Flags [P.], seq 3669392:3669684, ack 609, win 260, length 292
21:11:24.212048 IP 192.168.231.1.52975 > localhost.localdomain.ssh: Flags [.], ack 3669684, win 2047, length 0
21:11:24.212095 IP localhost.localdomain.ssh > 192.168.231.1.52975: Flags [P.], seq 3669684:3669864, ack 609, win 260, length 180
21:11:24.212192 IP localhost.localdomain.ssh > 192.168.231.1.52975: Flags [P.], seq 3669864:3670156, ack 609, win 260, length 292
21:11:24.212317 IP 192.168.231.1.52975 > localhost.localdomain.ssh: Flags [.], ack 3670156, win 2053, length 0
The hostname does not tell us which machine it is, so -nn is clearer. Note also that most of what this capture shows is the SSH session tcpdump is running in: every line tcpdump prints is sent to your terminal over port 22, which produces more packets, which tcpdump prints in turn. That feedback loop is why the next examples either select port 22 deliberately or exclude it.
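Reading the two address fields and judging how fast the lines arrive can be done by a script instead of by eye. The following is an added example, not code from the course or from tcpdump: it parses the one-line-per-packet output of `tcpdump -nn` into bidirectional flows and reports packets and payload bytes per flow and per sender, which makes it obvious that the SSH session is the busiest flow and that nearly all of its bytes go from the server side (port 22) to the client. The sample lines are constructed for this example from the shape of the output above; the regular expression and the helper names are assumptions of this example, not anything tcpdump provides.

```python
"""Summarise `tcpdump -nn` text output per conversation.

Added example, not the course's own code: a parser for the one-line-per-packet
format tcpdump prints (as shown above) so the "which IP+port is talking to
which IP+port" fields can be counted instead of read by eye. SAMPLE is
constructed for this example from the shape of the output on this page.
"""
import re
import sys
from collections import Counter

# One -nn line: <time> IP <src>.<sport> > <dst>.<dport>: [Flags [..],] ... length N
# Flags and length are optional so UDP lines (e.g. "NBT UDP PACKET(138)") still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r"(?: Flags \[(?P<flags>[^\]]*)\],)?(?:.*? length (?P<length>\d+))?"
)

# Constructed sample in the shape of the page's output (not a real capture).
SAMPLE = """\
21:27:32.021849 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 38144, win 2049, length 0
21:27:32.021926 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 38144:38308, ack 53, win 260, length 164
21:27:32.022167 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 38308:38568, ack 53, win 260, length 260
21:27:32.022641 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 38568, win 2047, length 0
21:27:32.023597 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [P.], seq 53:105, ack 38992, win 2053, length 52
21:29:23.475070 IP 192.168.231.1.138 > 192.168.231.255.138: NBT UDP PACKET(138)
21:29:40.780479 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
"""


def parse_line(line):
    """Fields of one IP line, or None for lines that are not IP (ARP and so on)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": m.group("flags") or "",
        "length": int(m.group("length") or 0),   # TCP/UDP payload bytes in this packet
    }


def summarize(lines):
    """Group packets into bidirectional flows: ({flow_key: stats}, unparsed_line_count)."""
    flows, unparsed = {}, 0
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            unparsed += 1
            continue
        a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
        key = tuple(sorted((a, b)))          # same key whichever side sent the packet
        st = flows.setdefault(key, {"packets": 0, "bytes": 0, "bytes_from": Counter()})
        st["packets"] += 1
        st["bytes"] += pkt["length"]
        st["bytes_from"][a] += pkt["length"]  # per-direction volume: who is really sending
    return flows, unparsed


def noisiest(flows):
    """The flow with the most packets: the one making the screen scroll fastest."""
    return max(flows, key=lambda k: flows[k]["packets"]) if flows else None


if __name__ == "__main__":
    # Pipe live output in:  tcpdump -l -nn -i ens33 -c 1000 | python3 flows.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    flows, skipped = summarize(text.splitlines())
    for (a, b), st in sorted(flows.items(), key=lambda kv: -kv[1]["packets"]):
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  packets={st['packets']} bytes={st['bytes']}"
              f"  from {a[0]}:{a[1]}={st['bytes_from'][a]} from {b[0]}:{b[1]}={st['bytes_from'][b]}")
    print(f"non-IP lines skipped: {skipped}")
```

When piping live output into the script, give tcpdump -l so it line-buffers its stdout; without it the lines arrive in blocks. The per-sender byte counts are the useful part: a flow where almost every byte comes from the high-numbered, ephemeral port side is a client pushing data out, which is not what an interactive SSH session normally looks like.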
•tcpdump -nn -i ens33 port 22
Only port 22 (the filter matches either the source or the destination port):
[root@localhost ~]# tcpdump -nn -i ens33 port 22
21:27:32.021849 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 38144, win 2049, length 0
21:27:32.021926 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 38144:38308, ack 53, win 260, length 164
21:27:32.022167 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 38308:38568, ack 53, win 260, length 260
21:27:32.022641 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 38568, win 2047, length 0
21:27:32.022995 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 38568:38828, ack 53, win 260, length 260
21:27:32.023284 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 38828:38992, ack 53, win 260, length 164
21:27:32.023424 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 38992, win 2053, length 0
21:27:32.023500 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 38992:39252, ack 53, win 260, length 260
21:27:32.023597 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [P.], seq 53:105, ack 38992, win 2053, length 52
21:27:32.023622 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 39252:39416, ack 105, win 260, length 164
^C
279 packets captured
281 packets received by filter
0 packets dropped by kernel
You can also filter by exclusion. With the SSH session removed, all that is left on this VM network is a NetBIOS broadcast and ARP requests:
[root@localhost ~]# tcpdump -nn -i ens33 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:29:23.475070 IP 192.168.231.1.138 > 192.168.231.255.138: NBT UDP PACKET(138)
21:29:40.780479 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:29:41.845407 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:29:42.780027 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:29:43.778248 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:29:44.847882 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:29:45.777573 ARP, Request who-has 192.168.231.128 (00:0c:29:b7:62:f8) tell 192.168.231.1, length 46
21:29:45.777602 ARP, Reply 192.168.231.128 is-at 00:0c:29:b7:62:f8, length 28
21:29:45.777698 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:29:46.779040 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:29:47.849318 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:29:48.779097 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:29:49.778181 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:29:50.852261 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:29:51.778414 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:29:52.777131 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
^C
16 packets captured
17 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#
• tcpdump -nn not port 22 and host 192.168.0.100
[root@localhost ~]# tcpdump -nn -i ens33 not port 22 and host 192.168.231.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:31:40.778568 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:31:41.849239 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:31:42.778402 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:31:43.780803 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:31:44.852342 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:31:45.781098 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:31:46.781781 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
21:31:47.858820 ARP, Request who-has 192.168.231.2 tell 192.168.231.1, length 46
^C
8 packets captured
9 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#
• tcpdump -nn -c 100 -w 1.cap
You can also limit how many packets are captured, which matters in scripts: when a script runs tcpdump to save a capture to a file there is nobody to press Ctrl-C, so the capture has to stop by itself. -c N makes tcpdump exit after N packets.
Capture only 100 packets:
[root@localhost ~]# tcpdump -nn -i ens33 -c 100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:34:58.166502 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 539349586:539349782, ack 4065902096, win 260, length 196
21:34:58.166651 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 196, win 2051, length 0
21:34:58.166710 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 196:472, ack 1, win 260, length 276
21:34:58.166915 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 472:636, ack 1, win 260, length 164
21:34:58.167018 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 636, win 2050, length 0
21:34:58.167097 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 636:896, ack 1, win 260, length 260
21:34:58.167345 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 896:1060, ack 1, win 260, length 164
21:34:58.167532 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 1060, win 2048, length 0
21:34:58.167604 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 1060:1320, ack 1, win 260, length 260
21:34:58.167857 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 1320:1484, ack 1, win 260, length 164
21:34:58.167943 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 1484, win 2053, length 0
21:34:58.167990 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 1484:1744, ack 1, win 260, length 260
21:34:58.168178 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 1744:1908, ack 1, win 260, length 164
21:34:58.168261 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 1908, win 2051, length 0
21:34:58.168298 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 1908:2168, ack 1, win 260, length 260
21:34:58.168386 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 2168:2332, ack 1, win 260, length 164
21:34:58.168452 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 2332, win 2049, length 0
21:34:58.168545 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 2332:2592, ack 1, win 260, length 260
21:34:58.168744 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 2592:2756, ack 1, win 260, length 164
21:34:58.168828 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 2756, win 2048, length 0
21:34:58.168872 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 2756:3016, ack 1, win 260, length 260
21:34:58.169064 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 3016:3180, ack 1, win 260, length 164
21:34:58.169148 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 3180, win 2053, length 0
21:34:58.169218 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 3180:3440, ack 1, win 260, length 260
21:34:58.169404 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 3440:3604, ack 1, win 260, length 164
21:34:58.169489 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 3604, win 2051, length 0
21:34:58.169541 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 3604:3768, ack 1, win 260, length 164
21:34:58.169620 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 3768:4028, ack 1, win 260, length 260
21:34:58.169687 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 4028, win 2049, length 0
21:34:58.169719 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 4028:4288, ack 1, win 260, length 260
21:34:58.169839 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 4288:4452, ack 1, win 260, length 164
21:34:58.169911 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 4452, win 2048, length 0
21:34:58.169944 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 4452:4712, ack 1, win 260, length 260
21:34:58.170065 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 4712:4876, ack 1, win 260, length 164
21:34:58.170128 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 4876, win 2053, length 0
21:34:58.170174 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 4876:5040, ack 1, win 260, length 164
21:34:58.170351 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 5040:5300, ack 1, win 260, length 260
21:34:58.170454 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 5300, win 2051, length 0
21:34:58.170606 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 5300:5560, ack 1, win 260, length 260
21:34:58.170892 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 5560:5724, ack 1, win 260, length 164
21:34:58.170985 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 5724, win 2049, length 0
21:34:58.171004 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 5724:5888, ack 1, win 260, length 164
21:34:58.171083 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 5888:6148, ack 1, win 260, length 260
21:34:58.171162 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 6148, win 2048, length 0
21:34:58.171307 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 6148:6408, ack 1, win 260, length 260
21:34:58.171500 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 6408:6572, ack 1, win 260, length 164
21:34:58.171595 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 6572, win 2053, length 0
21:34:58.171719 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 6572:6832, ack 1, win 260, length 260
21:34:58.171891 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 6832:6996, ack 1, win 260, length 164
21:34:58.171970 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 6996, win 2051, length 0
21:34:58.172085 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 6996:7256, ack 1, win 260, length 260
21:34:58.172498 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 7256:7420, ack 1, win 260, length 164
21:34:58.172605 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 7420, win 2049, length 0
21:34:58.172729 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 7420:7680, ack 1, win 260, length 260
21:34:58.172888 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 7680:7844, ack 1, win 260, length 164
21:34:58.172962 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 7844, win 2048, length 0
21:34:58.173087 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 7844:8104, ack 1, win 260, length 260
21:34:58.173442 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 8104:8268, ack 1, win 260, length 164
21:34:58.173518 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 8268, win 2053, length 0
21:34:58.173634 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 8268:8528, ack 1, win 260, length 260
21:34:58.173803 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 8528:8692, ack 1, win 260, length 164
21:34:58.173877 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 8692, win 2051, length 0
21:34:58.173988 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 8692:8952, ack 1, win 260, length 260
21:34:58.174153 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 8952:9116, ack 1, win 260, length 164
21:34:58.174229 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 9116, win 2049, length 0
21:34:58.174339 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 9116:9376, ack 1, win 260, length 260
21:34:58.174502 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 9376:9540, ack 1, win 260, length 164
21:34:58.174580 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 9540, win 2048, length 0
21:34:58.174695 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 9540:9800, ack 1, win 260, length 260
21:34:58.174858 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 9800:9964, ack 1, win 260, length 164
21:34:58.174932 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 9964, win 2053, length 0
21:34:58.175045 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 9964:10224, ack 1, win 260, length 260
21:34:58.175226 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 10224:10388, ack 1, win 260, length 164
21:34:58.175300 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 10388, win 2051, length 0
21:34:58.175410 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 10388:10648, ack 1, win 260, length 260
21:34:58.175580 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 10648:10812, ack 1, win 260, length 164
21:34:58.175653 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 10812, win 2049, length 0
21:34:58.175766 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 10812:11072, ack 1, win 260, length 260
21:34:58.175931 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 11072:11236, ack 1, win 260, length 164
21:34:58.176005 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 11236, win 2048, length 0
21:34:58.176181 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 11236:11496, ack 1, win 260, length 260
21:34:58.176313 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 11496:11660, ack 1, win 260, length 164
21:34:58.176391 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 11660, win 2053, length 0
21:34:58.176500 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 11660:11920, ack 1, win 260, length 260
21:34:58.176676 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 11920:12084, ack 1, win 260, length 164
21:34:58.176758 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 12084, win 2051, length 0
21:34:58.177064 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 12084:12344, ack 1, win 260, length 260
21:34:58.177269 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 12344:12508, ack 1, win 260, length 164
21:34:58.177380 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 12508, win 2049, length 0
21:34:58.177521 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 12508:12768, ack 1, win 260, length 260
21:34:58.177628 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 12768:12932, ack 1, win 260, length 164
21:34:58.177713 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 12932, win 2048, length 0
21:34:58.177722 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 12932:13096, ack 1, win 260, length 164
21:34:58.177797 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 13096:13356, ack 1, win 260, length 260
21:34:58.177886 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 13356, win 2053, length 0
21:34:58.177893 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 13356:13520, ack 1, win 260, length 164
21:34:58.178057 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 13520:13780, ack 1, win 260, length 260
21:34:58.178219 IP 192.168.231.1.52975 > 192.168.231.128.22: Flags [.], ack 13780, win 2051, length 0
21:34:58.178310 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 13780:13944, ack 1, win 260, length 164
21:34:58.178659 IP 192.168.231.128.22 > 192.168.231.1.52975: Flags [P.], seq 13944:14204, ack 1, win 260, length 260
100 packets captured
101 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#
To save the packets to a file instead of printing them, add -w:
[root@localhost ~]# tcpdump -nn -i ens33 -c 100 -w /tmp/1.cap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
100 packets captured
100 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#
Have a look at the file. Naturally you cannot use cat for this:
[root@localhost ~]# file /tmp/1.cap
/tmp/1.cap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)
[root@localhost ~]#
Viewed with cat it is garbage, because the file holds the raw packets captured from the interface: the actual bytes that went over the wire, headers and payload included. Treat such a file as sensitive: whatever a cleartext protocol carried (HTTP requests, cookies, passwords) is in there, so restrict its permissions (chmod 600) and delete it when you are done. On CentOS 7 tcpdump drops privileges to the tcpdump user before it opens the output file, so choose a directory that user can write to, as /tmp was here.
To read the file back use tcpdump -r /tmp/1.cap. The same filter expressions work when reading, for example tcpdump -nn -r /tmp/1.cap not port 22.
Next, the tshark command. Before using it, install wireshark, the package that provides it:
• yum install -y wireshark
• tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"
This shows the HTTP requests seen on an interface: for each request the time, the client IP, the Host header, the method and the URI, in effect a web access log built from the wire instead of from the web server. On this machine it prints nothing: neither this server nor the VM has anything listening on port 80 and no web service is running, so there are no HTTP requests to see, but the command is worth remembering. Two things to note in the output below: tshark warns that -R without -2 is deprecated, so on this version use -Y http.request for a single-pass display filter; and because no -i was given, tshark picked the first interface, virbr0, not ens33, so add -i ens33 to watch the interface you mean. The warning about running as root is worth taking seriously as well: the dissectors parse untrusted data straight off the network, so do not run tshark as root for longer than you have to.
[root@localhost ~]# tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"
tshark: -R without -2 is deprecated. For single-pass filtering use -Y.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'virbr0'
^C0 packets captured
[root@localhost ~]#
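The capture file discussed above and the tshark field list can both be handled from a script. The following is an added example, not code from the course, from tcpdump or from Wireshark: it reads a libpcap file the way `file` and `tcpdump -r` do (the 24-byte global header, then a 16-byte header plus raw frame per record), prints a `tcpdump -nn` style line for each packet, and extracts the same fields as the tshark command above (ip.src, http.host, http.request.method, http.request.uri) from any HTTP request it finds. It goes beyond the page in decoding the Ethernet, IPv4 and TCP headers itself. The sample capture is built in build_sample_pcap() from constructed frames with zero checksums and zero MAC addresses; the addresses echo the ones above but the packets are not real, and all function names are assumptions of this example.

```python
"""Read a tcpdump .cap file and list the HTTP requests in it.

Added example, not the course's code, for two passages above: the capture file
`cat` cannot show, and the tshark field list (ip.src, http.host,
http.request.method, http.request.uri). A libpcap file is a 24-byte global
header (the magic, version 2.4, snaplen and link type that `file` printed)
followed by records of a 16-byte header plus the raw frame. The bytes in
build_sample_pcap() are constructed here, not real traffic; checksums are 0.
"""
import struct

PCAP_MAGIC = 0xa1b2c3d4     # value read with "<I" from a little-endian file
LINKTYPE_ETHERNET, ETH_IPV4, IPPROTO_TCP = 1, 0x0800, 6


def ip4(s):
    return bytes(int(x) for x in s.split("."))


def tcp_frame(src, sport, dst, dport, payload=b"", flags=0x18):
    """Ethernet + IPv4 + TCP (sample data: zero MACs, fixed seq/ack, zero checksums)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 260, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     IPPROTO_TCP, 0, ip4(src), ip4(dst))
    return bytes(12) + struct.pack("!H", ETH_IPV4) + ip + tcp


def build_sample_pcap():
    """Constructed capture: one SSH data packet and one HTTP GET."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    frames = [
        tcp_frame("192.168.231.128", 22, "192.168.231.1", 52975, bytes(164)),
        tcp_frame("192.168.231.1", 49152, "192.168.231.128", 80,
                  b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ]
    out = bytearray(hdr)
    for i, f in enumerate(frames):       # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1516540498, i * 100, len(f), len(f)) + f
    return bytes(out)


def read_pcap(data):
    """Validate the global header; return its fields and [(timestamp, frame), ...]."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    (magic,) = struct.unpack("<I", data[:4])
    end = {PCAP_MAGIC: "<", 0xd4c3b2a1: ">"}.get(magic)   # big-endian file: same fields, swapped
    if end is None:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    major, minor, _zone, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % off)   # file cut off mid-packet
        records.append((ts_sec + ts_usec / 1e6, frame))
        off += 16 + incl_len
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype, "records": records}


def decode(frame):
    """tcpdump -nn style summary plus the TCP payload (b'' when not IPv4/TCP)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return {"summary": "non-IPv4 frame", "src": None, "payload": b""}
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0f) * 4, ip[9]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    if proto != IPPROTO_TCP or len(ip) < ihl + 20:
        return {"summary": f"IP {src} > {dst} proto {proto}", "src": src, "payload": b""}
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4             # TCP data offset: where the payload begins
    return {"summary": f"IP {src}.{sport} > {dst}.{dport}", "src": src, "payload": tcp[doff:]}


def http_requests(data):
    """Rows of (ip.src, http.host, method, uri), like the tshark field list on this page."""
    rows = []
    for _ts, frame in read_pcap(data)["records"]:
        d = decode(frame)
        line, _, headers = d["payload"].partition(b"\r\n")
        parts = line.split(b" ")
        if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
            continue                       # payload does not start with an HTTP request line
        host = next((h[5:].strip() for h in headers.split(b"\r\n") if h.lower().startswith(b"host:")), b"")
        rows.append((d["src"], host.decode("ascii", "replace"),
                     parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace")))
    return rows


if __name__ == "__main__":
    cap = read_pcap(build_sample_pcap())
    print("version %d.%d, snaplen %d, linktype %d" % (*cap["version"], cap["snaplen"], cap["linktype"]))
    for ts, frame in cap["records"]:
        print(ts, decode(frame)["summary"])
    print(http_requests(build_sample_pcap()))
```

To run it on a real file, pass the bytes of the capture: read_pcap(open("/tmp/1.cap", "rb").read()). Only the classic format that `file` reported above (magic 0xa1b2c3d4, version 2.4) is accepted; a pcapng file, which Wireshark writes by default, has a different magic and is rejected rather than misread. The truncated-record check matters for files from a capture that was killed mid-write: the last record's length field promises more bytes than exist, and a reader that silently ignores that will also silently ignore worse corruption.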
Related link: 阿铭Linux