Monitor I/O performance
iostat -x: disk usage
iostat is part of the sysstat package, the same package that provides sar, so installing sysstat installs it.
[root@linux-128 ~]# yum install -y sysstat
[root@linux-128 ~]# iostat
Linux 3.10.0-514.el7.x86_64 (linux-128) 2017年11月28日 _x86_64_ (4 CPU)
avg-cpu: %user %nice %system %iowait %steal %idle
1.19 0.00 1.98 0.33 0.00 96.50
Device: tps kB_read/s kB_wrtn/s kB_read kB_wrtn
sdb 1.65 10.21 0.00 1840 0
sda 31.35 1110.33 414.35 200192 74707
scd0 0.06 0.24 0.00 44 0
dm-0 0.33 2.53 0.00 456 0
Like sar, iostat takes an interval argument: iostat 1 prints a fresh report every second. The kB_read/s and kB_wrtn/s columns give each device's read and write throughput (sda below). The first report covers the time since boot; each following one covers only the last interval.
[root@linux-128 ~]# iostat 1
Linux 3.10.0-514.el7.x86_64 (linux-128) 2017年11月28日 _x86_64_ (4 CPU)
avg-cpu: %user %nice %system %iowait %steal %idle
0.57 0.00 0.98 0.16 0.00 98.29
Device: tps kB_read/s kB_wrtn/s kB_read kB_wrtn
sdb 0.80 4.94 0.00 1840 0
sda 15.23 537.50 200.94 200192 74839
scd0 0.03 0.12 0.00 44 0
dm-0 0.16 1.22 0.00 456 0
avg-cpu: %user %nice %system %iowait %steal %idle
0.00 0.00 0.00 0.00 0.00 100.00
Device: tps kB_read/s kB_wrtn/s kB_read kB_wrtn
sdb 0.00 0.00 0.00 0 0
sda 0.00 0.00 0.00 0 0
scd0 0.00 0.00 0.00 0 0
dm-0 0.00 0.00 0.00 0 0
avg-cpu: %user %nice %system %iowait %steal %idle
0.00 0.00 0.00 0.00 0.00 100.00
Device: tps kB_read/s kB_wrtn/s kB_read kB_wrtn
sdb 0.00 0.00 0.00 0 0
sda 0.00 0.00 0.00 0 0
scd0 0.00 0.00 0.00 0 0
dm-0 0.00 0.00 0.00 0 0
^C
Disk throughput can also be read from sar -b.
- iostat -x 1: the column to watch is %util, the percentage of the interval during which the device had I/O requests outstanding. It is not the same as CPU I/O wait; that is the %iowait figure in the avg-cpu line, the share of CPU time spent idle while waiting for disk I/O to finish. If %util is high, say 50-60% or more, the disk is busy. If it is high while rkB/s and wkB/s are also high, the disk is simply under load. If it is high while the read and write columns are small, the device is occupied most of the time yet completing very little work, which points to a slow or failing disk rather than to load. A slow disk limits the whole system no matter how fast the CPU is, so with iostat -x always check %util first, then await (average time per request, in ms). One caveat: %util only indicates saturation for devices that serve requests one at a time; SSDs and RAID arrays service requests in parallel and can show 100% %util while still having capacity.
[root@linux-128 ~]# iostat -x 1
Linux 3.10.0-514.el7.x86_64 (linux-128) 2017年11月28日 _x86_64_ (4 CPU)
avg-cpu: %user %nice %system %iowait %steal %idle
0.25 0.00 0.44 0.08 0.00 99.23
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
sdb 0.00 0.00 0.33 0.00 2.03 0.00 12.35 0.00 0.06 0.06 0.00 0.05 0.00
sda 0.01 0.29 5.22 1.21 226.67 83.51 96.48 0.05 7.59 2.14 31.06 0.95 0.61
scd0 0.00 0.00 0.01 0.00 0.05 0.00 8.00 0.00 1.27 1.27 0.00 1.27 0.00
dm-0 0.00 0.00 0.07 0.00 0.50 0.00 15.20 0.00 0.02 0.02 0.00 0.02 0.00
avg-cpu: %user %nice %system %iowait %steal %idle
0.00 0.00 0.00 0.00 0.00 100.00
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
sdb 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
sda 0.00 0.00 0.00 1.98 0.00 1.49 1.50 0.00 0.50 0.00 0.50 0.50 0.10
scd0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
avg-cpu: %user %nice %system %iowait %steal %idle
0.00 0.00 0.00 0.00 0.00 100.00
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
sdb 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
sda 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
scd0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
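As an added example (not part of the original notes), here is a small shell function that applies the %util rule above to iostat -x output. The report it reads is constructed: the sdb, sda and dm-0 rows copy the values shown above, and an extra sdc row is made up to show the "busy but moving almost no data" pattern. The function name busy_devices and the 100 kB/s throughput cutoff are choices made for this example, not anything from iostat itself.

```shell
#!/bin/sh
# Added example (not from the original notes): apply the "%util" rule to
# "iostat -x" output and flag busy devices, separating "busy under load" from
# "busy while moving almost nothing", the slow-or-failing-disk pattern.

# Constructed sample of one iostat -x report. The sdb, sda and dm-0 rows copy
# the values shown in the notes; sdc is made up to show a saturated device.
IOSTAT_SAMPLE='Linux 3.10.0-514.el7.x86_64 (linux-128) 2017-11-28 _x86_64_ (4 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.25    0.00    0.44    0.08    0.00   99.23

Device:         rrqm/s   wrqm/s     r/s     w/s    rkB/s    wkB/s avgrq-sz avgqu-sz   await r_await w_await  svctm  %util
sdb               0.00     0.00    0.33    0.00     2.03     0.00    12.35     0.00    0.06    0.06    0.00   0.05   0.00
sda               0.01     0.29    5.22    1.21   226.67    83.51    96.48     0.05    7.59    2.14   31.06   0.95   0.61
sdc               0.00     0.00    0.50    0.20     4.00     1.60    18.00     3.20  640.00  610.00  700.00  98.00  97.50
dm-0              0.00     0.00    0.07    0.00     0.50     0.00    15.20     0.00    0.02    0.02    0.00   0.02   0.00'

# busy_devices "<iostat -x report>" <util-threshold-percent>
# Prints "device %util rkB/s wkB/s verdict" for each device whose %util is at
# or above the threshold. Columns are found by header name, not position, so
# the function keeps working if sysstat prints a different column set.
busy_devices() {
  printf '%s\n' "$1" | awk -v thr="$2" '
    /^Device:/ {
      for (i = 1; i <= NF; i++) col[$i] = i   # remember each column index
      in_table = 1; next
    }
    /^$/ || /^avg-cpu:/ { in_table = 0; next }
    in_table && col["%util"] && $(col["%util"]) + 0 >= thr + 0 {
      util = $(col["%util"]); rk = $(col["rkB/s"]); wk = $(col["wkB/s"])
      # Under 100 kB/s in total while the device is busy means it is occupied
      # but completing very little work: suspect a slow or failing disk.
      verdict = (rk + wk < 100) ? "high-util-low-throughput" : "high-util-under-load"
      printf "%s %s %s %s %s\n", $1, util, rk, wk, verdict
    }'
}

busy_devices "$IOSTAT_SAMPLE" 50
```

On a live host, feed it one report with busy_devices "$(iostat -x 1 2 | awk 'NR>1' )" 50 style wrapping, or simply pipe a saved iostat -x report in; the point is that the verdict depends on throughput as well as %util, which is the distinction the note above draws.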
iotop: per-process disk usage
If iostat shows the disk is busy, iotop tells you which process is doing the reading and writing. iotop -o shows only the processes actually performing I/O, which is usually what you want.
[root@linux-128 ~]# yum install -y iotop
[root@linux-128 ~]# iotop
Total DISK READ : 0.00 B/s | Total DISK WRITE : 0.00 B/s
Actual DISK READ: 0.00 B/s | Actual DISK WRITE: 0.00 B/s
TID PRIO USER DISK READ DISK WRITE SWAPIN IO> COMMAND
1 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % systemd --switched-r~tem --deserialize 21
2 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kthreadd]
3 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksoftirqd/0]
5 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/0:0H]
7 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [migration/0]
8 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [rcu_bh]
9 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [rcu_sched]
10 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [watchdog/0]
11 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [watchdog/1]
12 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [migration/1]
13 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksoftirqd/1]
16 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [watchdog/2]
17 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [migration/2]
18 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksoftirqd/2]
531 be/3 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % auditd -n
20 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/2:0H]
21 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [watchdog/3]
22 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [migration/3]
23 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksoftirqd/3]
25 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/3:0H]
27 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [khelper]
28 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kdevtmpfs]
29 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [netns]
30 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [khungtaskd]
free command
- free: view memory usage
- free -m / -g / -h: show the figures in MiB, GiB or human-readable units
- The difference between buffer and cache is explained below
- Formula: total = used + free + buff/cache
- available = free + the part of buff/cache that can be reclaimed
free without options: values in KiB
[root@linux-128 ~]# free
total used free shared buff/cache available
Mem: 1875748 115996 1453008 8748 306744 1583468
Swap: 4194300 0 4194300
free -m: values in MiB
[root@linux-128 ~]# free -m
total used free shared buff/cache available
Mem: 1831 113 1418 8 299 1546
Swap: 4095 0 4095
free -h: human-readable units, with K, M or G chosen per value
[root@linux-128 ~]# free -h
total used free shared buff/cache available
Mem: 1.8G 113M 1.4G 8.5M 299M 1.5G
Swap: 4.0G 0B 4.0G
- total: the whole memory size; total = used + free + buff/cache
- used: memory in use by processes and the kernel
- free: memory that is completely unused (the free column on the Mem line)
- available: memory that can actually be given to new processes without swapping; available = free + the part of buff/cache the kernel can reclaim
- cache: the disk is much slower than the CPU. To narrow the gap, data read from disk is kept in memory (the page cache); the next time it is needed it is served from RAM, which is far faster than going back to the disk. The memory used for this is reported as cache.
- buffer: the other direction. Data the CPU has produced and that must be written to disk is first written into memory and then flushed to disk gradually in the background; the memory holding it is the buffer.
- In short: the buffer temporarily holds data waiting to be written to disk; the cache temporarily holds data read from disk. (Strictly, modern kernels report block-device and filesystem-metadata caching as buff and file-content caching as cache, and both can hold data in either direction, but the read-side/write-side picture is the useful simplification.)
- The kernel reserves memory for buffers and cache in advance, but that memory is not lost: when processes need it, clean cached pages are dropped and the space is reclaimed. That is why most of buff/cache counts towards available.
The memory genuinely still usable is therefore free + reclaimable buff/cache, which is exactly what the available column reports; do not judge memory pressure by free alone.
If the free column drops to 0, all memory has been allocated, but that does not mean it is exhausted: much of it is likely cache that can be reclaimed.
Only when free, buffer and cache have all been consumed, that is, when available is close to zero, is physical memory really exhausted; the system then swaps heavily and programs slow to a crawl.
ps: view all processes on the system
- top -bn1 also lists every process (batch mode, a single iteration, so the output can be piped or saved)
[root@linux-128 ~]# top -bn1
top - 10:46:12 up 24 min, 1 user, load average: 0.00, 0.02, 0.05
Tasks: 108 total, 2 running, 106 sleeping, 0 stopped, 0 zombie
%Cpu(s): 0.2 us, 0.3 sy, 0.0 ni, 99.4 id, 0.1 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 1875748 total, 1452588 free, 116272 used, 306888 buff/cache
KiB Swap: 4194300 total, 4194300 free, 0 used. 1583128 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2264 root 20 0 157584 2040 1492 R 5.9 0.1 0:00.03 top
1 root 20 0 125300 3760 2400 S 0.0 0.2 0:01.82 systemd
2 root 20 0 0 0 0 S 0.0 0.0 0:00.01 kthreadd
3 root 20 0 0 0 0 S 0.0 0.0 0:00.19 ksoftirqd/0
5 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/0:0H
7 root rt 0 0 0 0 S 0.0 0.0 0:00.03 migration/0
8 root 20 0 0 0 0 S 0.0 0.0 0:00.00 rcu_bh
9 root 20 0 0 0 0 R 0.0 0.0 0:01.59 rcu_sched
10 root rt 0 0 0 0 S 0.0 0.0 0:00.03 watchdog/0
11 root rt 0 0 0 0 S 0.0 0.0 0:00.13 watchdog/1
12 root rt 0 0 0 0 S 0.0 0.0 0:00.06 migration/1
13 root 20 0 0 0 0 S 0.0 0.0 0:00.18 ksoftirqd/1
16 root rt 0 0 0 0 S 0.0 0.0 0:00.01 watchdog/2
17 root rt 0 0 0 0 S 0.0 0.0 0:00.02 migration/2
...
- ps aux: the usual way to list every process
[root@linux-128 ~]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.1 0.2 125300 3760 ? Ss 10:21 0:01 /usr/lib/systemd/systemd --switched-
root 2 0.0 0.0 0 0 ? S 10:21 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 10:21 0:00 [ksoftirqd/0]
...
root 2142 0.0 0.0 0 0 ? S< 10:22 0:00 [kworker/3:1H]
root 2143 0.0 0.1 116016 2664 pts/0 Ss 10:22 0:00 -bash
root 2217 0.0 0.0 0 0 ? S< 10:24 0:00 [kworker/1:2H]
root 2232 0.0 0.0 0 0 ? S< 10:34 0:00 [kworker/3:2H]
root 2246 0.0 0.0 0 0 ? S 10:37 0:00 [kworker/0:0]
root 2263 0.0 0.0 0 0 ? S 10:42 0:00 [kworker/0:2]
root 2285 0.0 0.0 151068 1820 pts/0 R+ 10:47 0:00 ps aux
- ps -elf shows much the same information in System V format.
ps aux columns:
- USER: the user the process runs as
- PID: process ID. The kernel identifies and manages every process by its PID, and each running PID has a directory of the same name under /proc. The PID is what you pass to kill: kill PID asks the process to exit; if it does not, kill -9 PID sends SIGKILL, which cannot be caught or ignored.
- If a process is misbehaving and you want to see where it lives and what it has open, look in its /proc directory: ls /proc/PID/
- %CPU: percentage of CPU time used
- %MEM: percentage of physical memory used
- VSZ: virtual memory size
- RSS: resident set size, the physical memory actually in use
- TTY: the terminal the process was started from; pts/0 is the current pseudo-terminal, ? means no terminal
- STAT: process state flags:
  S: interruptible sleep (waiting for an event)
  s: session leader, the main process of a session
  <: high priority, gets the CPU ahead of others
  N: low priority
  +: in the foreground process group
  Ss or S<s: a sleeping session leader, the latter with high priority
  R: running or runnable (on the run queue, using or waiting for a CPU)
  L: has pages locked into memory
  l: multi-threaded
  Z: zombie, exited but not yet reaped by its parent
  X: dead (should never be seen)
  T: stopped, for example by Ctrl+Z
  D: uninterruptible sleep, usually waiting on I/O; cannot be killed until the wait ends; normally rare, and many D processes point at a stuck disk or NFS mount
- START: when the process started
- TIME: cumulative CPU time consumed
- COMMAND: the command line
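An added example (not part of the original notes) of using the /proc/PID directory mentioned above to inspect a process during an investigation: the executable it is running (the kernel appends "(deleted)" to the exe link when the binary has been removed from disk while the process keeps running, a classic sign of a dropped-and-unlinked malware binary), its working directory, command line, parent and state. Linux only; the function name proc_inspect is a choice for this example, and the block runs it against the shell's own PID ($$) by default.

```shell
#!/bin/sh
# Added example (not from the original notes): inspect a running process through
# its /proc/<pid> directory. Linux only; you need permission to read the target
# process's /proc entry (your own processes, or root for everything).

# proc_inspect <pid>
# Prints one "key value" line per field; returns 1 if the PID does not exist.
proc_inspect() {
  pid=$1
  [ -d "/proc/$pid" ] || return 1
  # /proc/<pid>/exe is a symlink to the running binary. The kernel appends
  # " (deleted)" to the target when the file was unlinked after the process
  # started, which is how a deleted-but-still-running binary shows up.
  exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "unreadable")
  cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo "unreadable")
  # cmdline is NUL-separated; turn the separators into spaces for display.
  cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || true)
  ppid=$(awk '$1 == "PPid:" { print $2 }' "/proc/$pid/status" 2>/dev/null || true)
  state=$(awk '$1 == "State:" { print $2 }' "/proc/$pid/status" 2>/dev/null || true)
  printf 'pid %s\nppid %s\nstate %s\nexe %s\ncwd %s\ncmdline %s\n' \
    "$pid" "$ppid" "$state" "$exe" "$cwd" "$cmd"
  case $exe in
    *"(deleted)"*) printf 'warning executable deleted from disk\n' ;;
  esac
  return 0
}

# Inspect the current shell as a demonstration; pass any PID from ps aux.
proc_inspect "$$"
```

ls -l /proc/PID/fd lists the open files and sockets of the same process, which is the natural next step when the executable or working directory looks wrong.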
[root@linux-128 ~]# ps aux |grep -c kworker
21
[root@linux-128 ~]# ps aux |grep kworker
root 5 0.0 0.0 0 0 ? S< 10:21 0:00 [kworker/0:0H]
root 20 0.0 0.0 0 0 ? S< 10:21 0:00 [kworker/2:0H]
root 36 0.0 0.0 0 0 ? S 10:22 0:00 [kworker/2:1]
root 37 0.0 0.0 0 0 ? S 10:22 0:01 [kworker/3:1]
root 55 0.0 0.0 0 0 ? S 10:22 0:00 [kworker/u128:1]
root 57 0.1 0.0 0 0 ? S 10:22 0:02 [kworker/0:1]
root 61 0.0 0.0 0 0 ? S 10:22 0:00 [kworker/1:1]
root 256 0.0 0.0 0 0 ? S 10:22 0:00 [kworker/u128:2]
root 290 0.0 0.0 0 0 ? S 10:22 0:00 [kworker/1:2]
root 294 0.0 0.0 0 0 ? S 10:22 0:00 [kworker/2:3]
root 295 0.0 0.0 0 0 ? S 10:22 0:00 [kworker/3:2]
root 452 0.0 0.0 0 0 ? S< 10:22 0:00 [kworker/0:1H]
root 736 0.0 0.0 0 0 ? S< 10:22 0:00 [kworker/1:1H]
root 2075 0.0 0.0 0 0 ? S< 10:22 0:00 [kworker/2:1H]
root 2142 0.0 0.0 0 0 ? S< 10:22 0:00 [kworker/3:1H]
root 2217 0.0 0.0 0 0 ? S< 10:24 0:00 [kworker/1:2H]
root 2232 0.0 0.0 0 0 ? S< 10:34 0:00 [kworker/3:2H]
root 2263 0.0 0.0 0 0 ? S 10:42 0:00 [kworker/0:2]
root 2286 0.0 0.0 0 0 ? S< 10:48 0:00 [kworker/3:0H]
root 2307 0.0 0.0 0 0 ? S 10:52 0:00 [kworker/0:0]
Monitor network status
- netstat: view network status
- netstat -lnp: listening ports, with the PID and program that owns each
- netstat -an: all connections and sockets on the system
- netstat -lntp: TCP listeners only; UDP and Unix domain sockets are not shown
- A handy trick that works with both netstat -an and its modern replacement ss -an (count TCP connections by state):
netstat -an | awk '/^tcp/ {++sta[$NF]} END {for(key in sta) print key,"\t",sta[key] }'
The netstat command shows network connections, all open ports on the system, the routing table and similar information.
- netstat -lnp: which ports are being listened on, and by which process
[root@linux-128 ~]# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 947/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1216/master
tcp6 0 0 :::22 :::* LISTEN 947/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1216/master
udp 0 0 127.0.0.1:323 0.0.0.0:* 553/chronyd
udp6 0 0 ::1:323 :::* 553/chronyd
raw6 0 0 :::58 :::* 7 587/NetworkManager
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 18635 1216/master public/cleanup
unix 2 [ ACC ] STREAM LISTENING 18638 1216/master public/qmgr
unix 2 [ ACC ] STREAM LISTENING 18661 1216/master public/flush
unix 2 [ ACC ] STREAM LISTENING 18676 1216/master public/showq
unix 2 [ ACC ] STREAM LISTENING 10897 1/systemd /run/systemd/private
unix 2 [ ACC ] SEQPACKET LISTENING 10926 1/systemd /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 9134 1/systemd /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 18642 1216/master private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 18700 1216/master private/scache
unix 2 [ ACC ] STREAM LISTENING 10949 1/systemd /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 10952 1/systemd /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 18631 1216/master public/pickup
unix 2 [ ACC ] STREAM LISTENING 18652 1216/master private/defer
unix 2 [ ACC ] STREAM LISTENING 13291 1/systemd /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 18655 1216/master private/trace
unix 2 [ ACC ] STREAM LISTENING 18658 1216/master private/verify
unix 2 [ ACC ] STREAM LISTENING 18664 1216/master private/proxymap
unix 2 [ ACC ] STREAM LISTENING 18667 1216/master private/proxywrite
unix 2 [ ACC ] STREAM LISTENING 18670 1216/master private/smtp
unix 2 [ ACC ] STREAM LISTENING 18673 1216/master private/relay
unix 2 [ ACC ] STREAM LISTENING 18679 1216/master private/error
unix 2 [ ACC ] STREAM LISTENING 18682 1216/master private/retry
unix 2 [ ACC ] STREAM LISTENING 18685 1216/master private/discard
unix 2 [ ACC ] STREAM LISTENING 18688 1216/master private/local
unix 2 [ ACC ] STREAM LISTENING 18691 1216/master private/virtual
unix 2 [ ACC ] STREAM LISTENING 18694 1216/master private/lmtp
unix 2 [ ACC ] STREAM LISTENING 18645 1216/master private/rewrite
unix 2 [ ACC ] STREAM LISTENING 18649 1216/master private/bounce
unix 2 [ ACC ] STREAM LISTENING 18697 1216/master private/anvil
After listing the listening ports, the next question is which clients the server is talking to and what state each conversation is in: is data being transferred, has the connection only just been set up, or has the exchange finished with the socket waiting to close? Use netstat -an for this.
netstat -an
- Shows the state of every connection between the server and its clients
- The number of established connections is a rough measure of the load and concurrency the server is handling
- netstat -an | grep 122.122.69.86:80 | grep -ic estab: -i ignores case and -c counts the matching lines. On the server in these notes this gave 884, meaning 884 connections were established at that moment.
netstat -lntp
netstat -lntp: listening TCP ports with the owning process
[root@linux-128 ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 947/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1216/master
tcp6 0 0 :::22 :::* LISTEN 947/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1216/master
netstat -an: every TCP and UDP socket with its IP addresses and connection state
[root@linux-128 ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 52 192.168.88.128:22 192.168.88.1:54651 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp6 0 0 ::1:323 :::*
raw6 0 0 :::58 :::* 7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 18635 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 18638 public/qmgr
unix 2 [ ACC ] STREAM LISTENING 18661 public/flush
unix 2 [ ACC ] STREAM LISTENING 18676 public/showq
unix 2 [ ACC ] STREAM LISTENING 10897 /run/systemd/private
unix 2 [ ] DGRAM 9115 /run/systemd/notify
unix 2 [ ] DGRAM 9117 /run/systemd/cgroups-agent
unix 2 [ ACC ] SEQPACKET LISTENING 10926 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 9134 /run/systemd/journal/stdout
unix 5 [ ] DGRAM 9137 /run/systemd/journal/socket
unix 13 [ ] DGRAM 9139 /dev/log
unix 2 [ ] DGRAM 10934 /run/systemd/shutdownd
unix 2 [ ACC ] STREAM LISTENING 18642 private/tlsmgr
...
The Path column lists Unix domain sockets (.sock files): a Unix-specific file type that processes on the same host use to talk to each other.
State column:
TIME_WAIT: the transfer is finished and the side that closed first keeps the socket for a while to absorb late segments
ESTABLISHED: the connection is up and data is being exchanged
FIN_WAIT2: one side has closed and is waiting for the other side's FIN; for the details see [TCP/IP three-way handshake]
netstat -an | grep 112.112.69.86:80: the connections to port 80 and their states
netstat -an | grep 112.112.69.86:80 | grep -ic estab: the number of connections in ESTABLISHED state, that is, actively communicating. As a rough rule of thumb, a front-end serving static pages can hold roughly 20,000 to 30,000, while back-end php or mysql servers sit around 2,000 to 3,000.
- Count TCP connections by state:
[root@linux-128 ~]# netstat -an | awk '/^tcp/ {++sta[$NF]} END {for(key in sta) print key,"\t",sta[key]}'
LISTEN 4
ESTABLISHED 1
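Added example, not from the original notes: two shell functions over a constructed netstat -an listing (the remote addresses in it are documentation ranges, not real hosts). tcp_state_counts does what the awk one-liner above does but only counts lines that actually have a state column, so UDP lines are not counted under their last field; top_remote_established goes a step further and counts ESTABLISHED connections to one local port per remote IP, which is the next question after a high count: whether the load is spread across many clients or comes from a few addresses. Both function names and the sample are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise "netstat -an" output
# by TCP state and find the remote addresses holding the most ESTABLISHED
# connections to one local port. Works unchanged on "ss -an" style output
# only if the columns line up the same way, so it is written for netstat.

# Constructed sample; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0     52 192.168.88.128:22       192.168.88.1:54651      ESTABLISHED
tcp        0      0 192.168.88.128:80       203.0.113.10:40001      ESTABLISHED
tcp        0      0 192.168.88.128:80       203.0.113.10:40002      ESTABLISHED
tcp        0      0 192.168.88.128:80       203.0.113.10:40003      ESTABLISHED
tcp        0      0 192.168.88.128:80       198.51.100.7:51000      ESTABLISHED
tcp        0      0 192.168.88.128:80       198.51.100.7:51001      TIME_WAIT
tcp        0      0 192.168.88.128:80       203.0.113.10:40004      SYN_RECV
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 127.0.0.1:323           0.0.0.0:*'

# tcp_state_counts "<netstat -an text>"
# One "STATE count" line per TCP state, sorted by state name. UDP lines have
# no state column and are skipped instead of being counted under $NF.
tcp_state_counts() {
  printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && NF >= 6 { n[$6]++ }
    END { for (s in n) print s, n[s] }' | sort
}

# top_remote_established "<netstat -an text>" <local-port> [limit]
# Counts ESTABLISHED connections to <local-port> per remote IP (remote port
# stripped) and prints "count ip", busiest first. One address holding most of
# the connections is the pattern to look for when a flood is suspected.
top_remote_established() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
      # Local address looks like 192.168.88.128:80 or :::80; the port is the
      # text after the last colon.
      n = split($4, l, ":")
      if (l[n] != port) next
      m = split($5, r, ":")
      ip = substr($5, 1, length($5) - length(r[m]) - 1)
      c[ip]++
    }
    END { for (ip in c) print c[ip], ip }' | sort -rn | head -n "${3:-10}"
}

tcp_state_counts "$NETSTAT_SAMPLE"
top_remote_established "$NETSTAT_SAMPLE" 80 5
```

On a live host replace the sample with "$(netstat -an)"; a large SYN_RECV count from tcp_state_counts alongside one dominant address from top_remote_established is the usual shape of a SYN flood or a single misbehaving client.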
tcpdump tool
Install it if it is missing: yum install -y tcpdump
[root@linux-128 ~]# yum install -y tcpdump
[root@linux-128 ~]# tcpdump -i ens33
Without -n, tcpdump resolves names: hosts are printed by host name and well-known ports by service name.
tcpdump -n -i ens33
The first n prints IP addresses as numbers instead of resolving host names.
tcpdump -nn -i ens33
The second n also prints port numbers instead of service names. Use -nn in practice: it avoids slow DNS lookups during the capture, and those lookups are themselves traffic an observer could see.
tcpdump options and filter keywords:
- -i: the interface to capture on
- host: filter by IP address
- port: filter by port
- -c: stop after this many packets
- -w: write the raw packets to a file (readable later with tcpdump -r or Wireshark). Without -w, tcpdump does not show the packet contents; it prints a decoded one-line summary of each packet.
- length: in the summary lines, the TCP payload length of the packet in bytes
- tcpdump -nn -i ens33 port 22
- tcpdump -nn -i ens33 port 22 -c 6
[root@linux-128 ~]# tcpdump -nn -i ens33 port 22 -c 6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
11:16:43.472559 IP 192.168.88.128.22 > 192.168.88.1.54651: Flags [P.], seq 3677319136:3677319348, ack 3881493294, win 468, length 212
11:16:43.473078 IP 192.168.88.1.54651 > 192.168.88.128.22: Flags [.], ack 212, win 16425, length 0
11:16:43.473799 IP 192.168.88.128.22 > 192.168.88.1.54651: Flags [P.], seq 212:504, ack 1, win 468, length 292
11:16:43.474308 IP 192.168.88.128.22 > 192.168.88.1.54651: Flags [P.], seq 504:668, ack 1, win 468, length 164
11:16:43.474661 IP 192.168.88.1.54651 > 192.168.88.128.22: Flags [.], ack 668, win 16311, length 0
11:16:43.474922 IP 192.168.88.128.22 > 192.168.88.1.54651: Flags [P.], seq 668:832, ack 1, win 468, length 164
6 packets captured
6 packets received by filter
0 packets dropped by kernel
- tcpdump -nn -i ens33 port 22 -c 6 -w /tmp/1.cap: write the captured packets to /tmp/1.cap as a real packet capture (pcap) instead of printing them. Without -w only the decoded summary lines reach the screen, not the packets themselves.
[root@linux-128 ~]# tcpdump -nn -i ens33 port 22 -c 6 -w /tmp/1.cap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C3 packets captured
4 packets received by filter
0 packets dropped by kernel
- tcpdump -r /tmp/1.cap: read the packets back from the capture file and print the decoded summary. Note that -nn was left off here, so the local address appears as the host name linux-128 and port 22 as ssh; add -nn to keep the output numeric.
[root@linux-128 ~]# tcpdump -r /tmp/1.cap
reading from file /tmp/1.cap, link-type EN10MB (Ethernet)
11:18:02.971264 IP linux-128.ssh > 192.168.88.1.54651: Flags [P.], seq 3677321812:3677321960, ack 3881494042, win 468, length 148
11:18:02.971994 IP 192.168.88.1.54651 > linux-128.ssh: Flags [.], ack 148, win 16139, length 0
11:18:10.905692 IP 192.168.88.1.54651 > linux-128.ssh: Flags [P.], seq 1:53, ack 148, win 16139, length 52
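Added example (not from the original notes): a shell function that reads the one-line summaries tcpdump -nn prints, live or replayed with tcpdump -nn -r file, and reports sources that sent bare SYNs ([S], not the [S.] SYN-ACK reply) to many distinct ports, a simple port-scan heuristic. The sample lines are constructed: the first two copy the format of the capture above, the rest are made up with a documentation-range source address. The function name syn_scan_sources and the port threshold are choices for this example, and it assumes tcpdump's default summary format with -nn and without -v.

```shell
#!/bin/sh
# Added example (not from the original notes): parse "tcpdump -nn" summary
# lines and report sources sending bare SYNs to many distinct destination
# ports. Feed it "tcpdump -nn -r capture.cap" output or a saved live capture.

# Constructed sample. The first two lines mirror the format in the notes; the
# rest are invented (203.0.113.9 is a documentation address).
TCPDUMP_SAMPLE='11:16:43.472559 IP 192.168.88.128.22 > 192.168.88.1.54651: Flags [P.], seq 3677319136:3677319348, ack 3881493294, win 468, length 212
11:16:43.473078 IP 192.168.88.1.54651 > 192.168.88.128.22: Flags [.], ack 212, win 16425, length 0
11:16:50.100001 IP 203.0.113.9.41000 > 192.168.88.128.21: Flags [S], seq 1000, win 1024, length 0
11:16:50.100002 IP 203.0.113.9.41001 > 192.168.88.128.23: Flags [S], seq 1001, win 1024, length 0
11:16:50.100003 IP 203.0.113.9.41002 > 192.168.88.128.25: Flags [S], seq 1002, win 1024, length 0
11:16:50.100004 IP 203.0.113.9.41003 > 192.168.88.128.80: Flags [S], seq 1003, win 1024, length 0
11:16:50.100005 IP 203.0.113.9.41004 > 192.168.88.128.443: Flags [S], seq 1004, win 1024, length 0
11:16:51.000001 IP 192.168.88.1.54700 > 192.168.88.128.22: Flags [S], seq 2000, win 65535, length 0
11:16:51.000002 IP 192.168.88.128.22 > 192.168.88.1.54700: Flags [S.], seq 3000, ack 2001, win 28960, length 0'

# syn_scan_sources "<tcpdump -nn text>" <min-distinct-ports>
# Prints "src_ip distinct_dst_ports" for each source whose bare SYNs reached
# at least <min-distinct-ports> different destination ports. IPv6 lines
# ("IP6") and anything captured with -v (different layout) are ignored.
syn_scan_sources() {
  printf '%s\n' "$1" | awk -v min="$2" '
    $2 == "IP" && $7 == "[S]," {
      # With -nn, $3 is "src_ip.src_port" and $5 is "dst_ip.dst_port:"; the
      # port is whatever follows the last dot.
      src = $3; sub(/\.[0-9]+$/, "", src)
      dst = $5; sub(/:$/, "", dst)
      dport = dst; sub(/^.*\./, "", dport)
      key = src SUBSEP dport
      if (!(key in seen)) { seen[key] = 1; ports[src]++ }
    }
    END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' | sort
}

syn_scan_sources "$TCPDUMP_SAMPLE" 3
```

A host that merely opens one connection (192.168.88.1 above, one SYN to port 22) stays under the threshold; a source that probes many ports in quick succession stands out. For a capture filter that keeps only the packets this needs, use tcpdump -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' when capturing.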
wireshark tool
If it is not installed: yum install -y wireshark. On CentOS 7 this package provides the command-line tshark; the graphical Wireshark is in wireshark-gnome.
[root@linux-128 ~]# yum install -y wireshark
- Usage: tshark is the one command worth remembering here:
tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"
-n disables name resolution, -t a prints absolute timestamps, -R http.request keeps only HTTP requests (newer tshark releases use -Y for a single-pass display filter, and -R then requires two-pass mode, -2), and -T fields with the -e options prints just the selected fields: time, source IP, Host header, method and URI. Without -i it captures on the first interface, so it needs the same privileges as tcpdump.