Linux server traffic monitoring and analysis
Preface
In daily work, a server's bandwidth usage sometimes rises sharply and then falls back, and the cause has to be analyzed afterwards. When no monitoring system has saved the traffic data, this post-hoc analysis is often stuck: there is no data, so the cause cannot be located. This article describes how to acquire and save real-time traffic data so that the cause can be analyzed later.
1. Process-level traffic monitoring
The nethogs tool is generally used to collect this data. It can be installed with yum; the installation steps are not covered here. The following describes how to use the tool and how to format and save its output.
Run nethogs -h to see the usage help. Among the options, -b selects bughunt mode and is used together with -t.
Running nethogs with no options displays the data dynamically in real time. To write this real-time data to a text file, run for example nethogs > nethogs.log, or nohup nethogs > nethogs.log & to run it in the background. However, a file saved this way can only be viewed with cat nethogs.log; opening it in vim shows garbled characters, because the terminal control sequences of the interactive display end up in the file.
This method cannot capture and save all the data and does not achieve the goal, so tracking mode has to be used instead:
nohup nethogs -d 5 -t > networks_program.info &
Here -d 5 sets the refresh interval of the displayed data to 5 seconds and -t selects tracking (text) mode, so the saved per-process traffic data can be viewed with vim. However, the data saved this way is still not easy to read, because the records do not show the time at which the traffic was captured. The situation is as shown below:
Therefore the output needs to be formatted, which is done with a small script. The processed output looks like this:
In this way the saved data clearly shows the processes that use a large amount of traffic, together with the time at which each record was collected.
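The formatting script the article refers to is not reproduced, so the following is an added example (not the author's script) that does the same job for nethogs -t output: it stamps each refresh block with the time it was read, emits one line per process, and sums up the heaviest processes. It assumes that tracemode prints a "Refreshing:" marker followed by tab-separated "program/pid/uid sent recv" lines in KB/s; the sample data is constructed.

```python
import sys
from collections import namedtuple
from datetime import datetime
from typing import Callable, Iterable, Iterator

# Constructed sample of `nethogs -t` output (not a real capture): two refresh cycles,
# one line per process in the form "<program>/<pid>/<uid>\t<sent KB/s>\t<recv KB/s>".
SAMPLE = (
    "Waiting for first packet to arrive (see sourceforge.net bug 1019381)\n"
    "Refreshing:\n"
    "unknown TCP/0/0\t0\t0\n"
    "/usr/sbin/sshd/24456/0\t0.390625\t0.0859375\n"
    "/usr/bin/rsync/31002/1000\t812.5\t4.25\n"
    "Refreshing:\n"
    "/usr/bin/rsync/31002/1000\t790.0\t3.75\n"
)

# stamp: wall-clock time at which the refresh block was read; rates as nethogs prints them
Sample = namedtuple("Sample", "stamp program pid uid sent_kbps recv_kbps")

def parse_nethogs(lines: Iterable[str],
                  clock: Callable[[], str] = lambda: datetime.now().strftime("%Y-%m-%d %H:%M:%S"),
                  ) -> Iterator[Sample]:
    """Yield one Sample per process line. The stamp is taken when 'Refreshing:' arrives,
    so it is the capture time: feed this the live stream, not a file collected over hours."""
    stamp = None
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("Refreshing:"):
            stamp = clock()
            continue
        if stamp is None or not line:
            continue  # nethogs startup messages before the first refresh, blank lines
        try:
            ident, sent, recv = line.split("\t")
            program, pid, uid = ident.rsplit("/", 2)  # the program path may itself contain '/'
            yield Sample(stamp, program, int(pid), int(uid), float(sent), float(recv))
        except ValueError:
            continue  # not a process record

def top_talkers(samples: Iterable[Sample], n: int = 3):
    """Total sent+received KB/s per (program, pid) across all samples, largest first."""
    totals = {}
    for s in samples:
        totals[(s.program, s.pid)] = totals.get((s.program, s.pid), 0.0) + s.sent_kbps + s.recv_kbps
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":  # nohup nethogs -d 5 -t | python3 nethogs_format.py >> networks_program.info &
    for s in parse_nethogs(sys.stdin):
        print("\t".join(str(v) for v in s), flush=True)
```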
2. Inter-IP access traffic monitoring
Section 1 obtained per-process traffic data with nethogs, but that is far from enough for real analysis, so another tool, iftop, is needed for a detailed look at the traffic between IP addresses.
If iftop is run directly and its output redirected to a file, the collected real-time data is not written to the file as it appears on screen, and what is saved can only be viewed with cat; vim again shows garbled characters. The relevant parameters therefore have to be set so that the output is in text format. The command is:
nohup iftop -nNP -i eth0 -t -L 10 > networks_ip.info &
where -t selects text output, -L (the number of lines to print) is used together with -t, -n and -N disable hostname and port-name resolution, and -P shows the port numbers.
⚠️ Please note that iftop collects a large amount of data, so keep an eye on storage space. In my own use, running it on a server for 10 hours collected 60G of traffic data.
Similarly, to analyze the data afterwards, the collected data needs to be preprocessed by adding the date and time in front of each row, so that IP traffic can be located by time. The following preprocessing can be used:
awk '{ print strftime("%Y-%m-%d %H:%M:%S ", systime()) $0 }' tmp_networks_ip.info >>networks_ip.info
Note that strftime() and systime() are gawk extensions, and that they stamp each row with the time awk processes it, not the time iftop printed it, so this step should be run on short batches (or on the live output) rather than on a file accumulated over many hours.
Summary
The two tools above collect, save and analyze network traffic from different angles, per process and per IP pair; used together they give a much better picture of abnormal network traffic behavior.