Linux performance optimization (7)-network traffic monitoring tool

One, iftop

1. Introduction to iftop

The iftop command monitors the real-time traffic of a network interface (a network segment can be specified), performs reverse DNS resolution of IP addresses, and displays port information.
Online installation (RPM-based systems): yum install iftop

2. Iftop command

iftop -h | [-nNpblP] [-u unit] [-i interface] [-f filter code] [-F net/mask] [-G net6/mask6]

-h: show help
-i: specify the network interface to monitor
-b: do not display the traffic bar graphs
-B: display traffic in bytes (the default is bits)
-n: do not resolve host names; display IP addresses directly
-N: do not resolve port numbers to service names; display port numbers directly
-F: display the inbound and outbound traffic of a specific IPv4 network segment (net/mask)
-m limit: set the upper limit of the bandwidth scale; K, M and G may be used as suffixes

Example:
iftop -b -n -N -F 192.168.0.0/24

Fields in the iftop display:
TX: sent traffic
RX: received traffic
TOTAL: total traffic
cum: cumulative total traffic since iftop started
peak: peak traffic
rates: the three columns give the average traffic of the last 2s, 10s and 40s respectively

3. Iftop interactive command

Press h to toggle the help display
Press n to toggle between showing the local IP address or the host name
Press s to toggle whether the local host's information is shown
Press d to toggle whether the remote host's information is shown
Press t to cycle the display format: 2 lines / 1 line / sent traffic only / received traffic only
Press N to toggle between showing port numbers or service names
Press S to toggle whether local port information is shown
Press D to toggle whether remote port information is shown
Press p to toggle whether port information is shown at all
Press P to pause/resume the display
Press b to toggle the average-traffic bar graphs
Press B to switch the averaging window of the bar graphs between 2, 10 and 40 seconds
Press T to toggle the display of each connection's cumulative total traffic
Press l to open the screen filter and enter the string to filter on
Press L to toggle the scale at the top of the screen; when the scale changes, the bar graphs change with it
Press j or k to scroll the connection list down or up
Press 1, 2 or 3 to sort by the corresponding traffic column on the right
Press < to sort by the local host name or IP on the left; press > to sort by the remote host name or IP
Press o to toggle freezing the display so that only the current connections are shown
Press f to edit the filter code
Press ! to run a shell command
Press q to quit

Two, netstat

1. Introduction to netstat

netstat displays statistics for the IP, TCP, UDP and ICMP protocols and is generally used to check the network connections on each port of the local machine.

2. netstat command

netstat [-vWeenNcCF] [<Af>] -r         
netstat {-V|--version|-h|--help}
netstat [-vWnNcaeol] [<Socket> ...]
netstat { [-vWeenNac] -I[<Iface>] | [-veenNac] -i | [-cnNe] -M | -s [-6tuw] } [delay]

-a, --all: display all sockets, including listening ones.
-A <family>, --<family>: display only sockets of the given address family (e.g. inet, inet6, unix).
-c, --continuous: list the network status continuously (refreshing every second).
-C, --cache: display routing cache information.
-e, --extend: display additional information (use twice for maximum detail).
-F, --fib: display the forwarding information base (FIB).
-g, --groups: display multicast group membership.
-h, --help: online help.
-i, --interfaces: display the table of network interfaces.
-l, --listening: display only listening sockets.
-M, --masquerade: display masqueraded (NAT) connections.
-n, --numeric: show numeric addresses instead of resolving host names via DNS.
-N, --netlink, --symbolic: display symbolic names for the hardware ports of network devices.
-o, --timers: display networking timers.
-p, --programs: display the PID and name of the program owning each socket.
-r, --route: display the routing table.
-s, --statistics: display summary statistics for each protocol.
-t, --tcp: display TCP sockets.
-u, --udp: display UDP sockets.
-v, --verbose: verbose output; also reports address families not supported by the kernel.
-V, --version: display version information.
-w, --raw: display RAW sockets.
-x, --unix: equivalent to "-A unix".
--ip, --inet: equivalent to "-A inet".

3. Common commands for netstat

netstat -a
List all sockets (listening and connected)
netstat -at
List all TCP sockets
netstat -au
List all UDP sockets
netstat -l
Show only listening sockets
netstat -lt
List only listening TCP ports
netstat -lu
List only listening UDP ports
netstat -lx
List only listening UNIX domain sockets
netstat -s
Display statistics for all protocols
netstat -st
Display TCP statistics
netstat -su
Display UDP statistics
netstat -pt
Show the PID and program name for each TCP socket (run as root to see sockets owned by other users)
netstat -r
Show the kernel routing table
netstat -ap | grep ssh
Find the ports used by a running program (here, ssh)
netstat -an | grep ':80'
Find what is listening or connected on a given port (here, 80)
netstat -ntu | grep :80 | awk '{print $5}' | cut -d: -f1 | awk '{++ip[$1]} END {for(i in ip) print ip[i],"\t",i}' | sort -nr
List the remote IP addresses connected to a service port (here, 80), with a connection count for each
netstat -nt | grep -e 127.0.0.1 -e 0.0.0.0 -e ::: -v | awk '/^tcp/ {++state[$NF]} END {for(i in state) print i,"\t",state[i]}'
Count the connections in each TCP state, excluding local and wildcard addresses
netstat -anpo | grep "php-cgi" | wc -l
Count the php-cgi processes; if the count is close to the configured maximum, there are not enough and the limit needs to be raised
netstat -nat | grep "192.168.1.15:22" |awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -20
Show the 20 remote IP addresses with the most connections to a given service port (here, 192.168.1.15:22)
netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn
Count the connections in each TCP state

TCP connection states as shown by netstat:
SYN_SENT: the client has sent a SYN to request a connection; its socket is in SYN_SENT.
SYN_RECV: the server has replied with an ACK for the client's SYN and sent its own SYN; its socket is in SYN_RECV.
ESTABLISHED: the connection is open and both sides can exchange data (or are already doing so).
FIN_WAIT1: the actively closing side's application has called close(); TCP sends a FIN to close the connection and enters FIN_WAIT1.
CLOSE_WAIT: the passively closing side has received the FIN, sent an ACK in response and entered CLOSE_WAIT.
FIN_WAIT2: the actively closing side has received the ACK for its FIN and entered FIN_WAIT2.
LAST_ACK: after some time the application on the passively closing side calls close(); TCP sends a FIN and waits in LAST_ACK for the peer's ACK.
TIME_WAIT: the actively closing side has received the peer's FIN, sent an ACK and entered TIME_WAIT.
CLOSING: waiting for the remote TCP to acknowledge the connection termination (occurs when both sides close simultaneously).
CLOSED: the passively closing side has received the final ACK and entered CLOSED; the connection is finished.
UNKNOWN: unknown socket state.
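The one-liners above each answer a single question. The script below is an added example (not part of the original post) that wraps the same awk logic into reusable functions and adds the check a practitioner usually wants on top: a warning when the number of half-open SYN_RECV sockets or stuck CLOSE_WAIT sockets passes a threshold. The netstat output and the thresholds are constructed for the example; the addresses are not real hosts.

```shell
#!/bin/sh
# Added example (not from the original post): summarise TCP connection states
# from `netstat -nat` output and flag two conditions a defender cares about:
# many half-open SYN_RECV sockets (backlog pressure) and a pile of CLOSE_WAIT
# sockets (an application that never calls close()).

# Constructed sample of `netstat -nat` output; the addresses are made up.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.15:22         192.168.1.20:51234      ESTABLISHED
tcp        0      0 192.168.1.15:22         192.168.1.21:40012      ESTABLISHED
tcp        0      0 192.168.1.15:80         10.0.0.5:33001          SYN_RECV
tcp        0      0 192.168.1.15:80         10.0.0.6:33002          SYN_RECV
tcp        0      0 192.168.1.15:80         10.0.0.7:33003          SYN_RECV
tcp        0      0 192.168.1.15:80         192.168.1.20:51300      CLOSE_WAIT
tcp        0      0 192.168.1.15:80         192.168.1.20:51301      CLOSE_WAIT
tcp        0      0 192.168.1.15:80         192.168.1.22:51302      TIME_WAIT
tcp6       0      0 :::80                   :::*                    LISTEN'

# state_counts: print "STATE count" lines, largest count first.
# Reads netstat output on stdin; column 6 is the State column of tcp lines.
state_counts() {
    awk '/^tcp/ {++s[$6]} END {for (k in s) print k, s[k]}' | sort -k2,2nr -k1,1
}

# count_state STATE: number of sockets in STATE (0 if none).
count_state() {
    awk -v st="$1" '/^tcp/ && $6 == st {n++} END {print n+0}'
}

# top_remote_ips PORT: remote IPv4 addresses with the most connections to local PORT,
# listening sockets excluded (same idea as the uniq -c | sort -nr one-liner above).
top_remote_ips() {
    awk -v port="$1" '/^tcp/ && $6 != "LISTEN" && $4 ~ (":" port "$") {split($5, a, ":"); print a[1]}' \
        | sort | uniq -c | sort -rn
}

# check_thresholds SYN_MAX CLOSE_WAIT_MAX: print one line per condition exceeded;
# exit status 1 if any threshold is exceeded, 0 otherwise. Thresholds are site-specific.
check_thresholds() {
    input=$(cat)
    syn=$(printf '%s\n' "$input" | count_state SYN_RECV)
    cw=$(printf '%s\n' "$input" | count_state CLOSE_WAIT)
    rc=0
    if [ "$syn" -gt "$1" ]; then
        echo "WARN: $syn SYN_RECV sockets (> $1): possible SYN backlog pressure"; rc=1
    fi
    if [ "$cw" -gt "$2" ]; then
        echo "WARN: $cw CLOSE_WAIT sockets (> $2): an application is not closing its sockets"; rc=1
    fi
    return $rc
}

# Usage on a live host: netstat -nat | check_thresholds 100 50
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | state_counts
    printf '%s\n' "$SAMPLE_NETSTAT" | top_remote_ips 80
    printf '%s\n' "$SAMPLE_NETSTAT" | check_thresholds 2 1 || echo "thresholds exceeded"
fi
```

The field numbers are tied to net-tools netstat. On systems where only ss is installed, `ss -tan` prints the State column first, so the awk field references would have to be adjusted before reusing these functions.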

Three, tcpdump

1. Introduction to tcpdump

tcpdump is a command line tool used to capture and analyze traffic data packets passing through the system. It is usually used as a network fault analysis tool and a security tool.

2. tcpdump command

tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ] [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ] [ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ] [ -Q|-P in|out|inout ] [ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ] [ --immediate-mode ] [ -T type ] [ --version ] [ -V file ] [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] [ expression ]

-a: convert network and broadcast addresses into names.
-c count: stop after capturing count packets.
-e: print the link-level (e.g. Ethernet) header on each line.
-f: print foreign IPv4 addresses numerically rather than symbolically.
-F file: read the filter expression from the given file.
-i interface: capture packets on the given network interface.
-l: line-buffer standard output (useful when piping the output to another program).
-n: do not convert host addresses into names.
-N: do not print the domain name qualification of host names.
-O: do not run the packet-matching code optimizer.
-q: quick (quiet) output; print less protocol information per line.
-r file: read packets from the given file (saved with -w) instead of a network interface.
-s snaplen: set the number of bytes captured from each packet.
-S: print absolute rather than relative TCP sequence numbers.
-t: do not print a timestamp on each line.
-tt: print an unformatted timestamp on each line.
-T type: force packets selected by the expression to be interpreted as the given type.
-v: verbose output.
-vv: even more verbose output.
-x: print each packet's data in hexadecimal.
-w file: write the raw packets to the given file instead of printing them.

Reading packets back from a saved capture file:
tcpdump -enfN -r test.cap
tcpdump -r test.cap

3. Common commands for tcpdump

tcpdump -i wlp3s0 tcp port 80
Capture TCP packets on port 80 on the wlp3s0 interface.
tcpdump -i wlp3s0 dst host 192.168.0.104
Capture packets on the wlp3s0 interface whose destination host is 192.168.0.104.
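Live capture needs root and a real interface, but the text that `tcpdump -nn -r test.cap` prints from a saved file can be post-processed offline. The script below is an added example, not part of the original post, showing how a defender would summarise such output with awk: which destination ports received traffic, and which source addresses sent bare SYNs (connection attempts with no completed handshake, the signature of a scan or of a service that is dropping connections). The tcpdump lines are constructed sample output in the format `tcpdump -nn` uses for IPv4; the addresses are not real hosts.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the text output of
# `tcpdump -nn` from a saved capture so that targeted destination ports and
# sources of unanswered SYNs stand out. The lines below are constructed sample
# output, not a real capture.

SAMPLE_TCPDUMP='10:21:05.100001 IP 192.168.0.104.51234 > 93.184.216.34.80: Flags [S], seq 1000, win 64240, length 0
10:21:05.100500 IP 93.184.216.34.80 > 192.168.0.104.51234: Flags [S.], seq 2000, ack 1001, win 65160, length 0
10:21:05.100700 IP 192.168.0.104.51234 > 93.184.216.34.80: Flags [.], ack 1, win 502, length 0
10:21:05.101000 IP 192.168.0.104.51234 > 93.184.216.34.80: Flags [P.], seq 1:78, ack 1, win 502, length 77
10:21:06.000000 IP 192.168.0.104.51235 > 192.168.0.1.22: Flags [S], seq 3000, win 64240, length 0
10:21:06.000300 IP 192.168.0.104.51236 > 192.168.0.1.443: Flags [S], seq 4000, win 64240, length 0
10:21:07.000000 IP 192.168.0.104.40000 > 192.168.0.1.53: 1234+ A? example.com. (29)'

# In `tcpdump -nn` output an IPv4 line looks like
#   <time> IP <src-ip>.<src-port> > <dst-ip>.<dst-port>: ...
# so $3 is the source endpoint and $5 the destination endpoint (with a trailing colon).

# dst_port_counts: print "port count" lines, most-hit destination port first.
dst_port_counts() {
    awk '$2 == "IP" {
            d = $5; sub(/:$/, "", d)            # strip the trailing colon
            n = split(d, p, "."); ++c[p[n]]     # last dotted component is the port
         }
         END { for (k in c) print k, c[k] }' | sort -k2,2nr -k1,1n
}

# packets_to_port PORT: number of packets sent to destination PORT (0 if none).
packets_to_port() {
    dst_port_counts | awk -v port="$1" '$1 == port {print $2; found = 1} END {if (!found) print 0}'
}

# syn_only_by_source: count packets per source IP whose TCP flags are exactly [S]
# (SYN without ACK). A source with many of these and few established flows is
# probing, or its connections are being dropped.
syn_only_by_source() {
    awk '$2 == "IP" && $7 == "[S]," {
            n = split($3, p, "."); ip = p[1] "." p[2] "." p[3] "." p[4]; ++c[ip]
         }
         END { for (k in c) print k, c[k] }' | sort -k2,2nr
}

# syn_only_from IP: bare SYN count for one source address (0 if none).
syn_only_from() {
    syn_only_by_source | awk -v ip="$1" '$1 == ip {print $2; found = 1} END {if (!found) print 0}'
}

# Usage on a real capture: tcpdump -nn -r test.cap | dst_port_counts
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_TCPDUMP" | dst_port_counts
    printf '%s\n' "$SAMPLE_TCPDUMP" | syn_only_by_source
fi
```

The functions only look at lines whose second field is `IP`; IPv6 lines (`IP6`) use bracketed addresses and would need their own parsing. The `-nn` flag matters: without it tcpdump resolves hosts and ports to names and the dotted-field assumptions no longer hold.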


Origin blog.51cto.com/9291927/2594136