5.1 - 5.4 监控Linux系统状态1-4
查看系统负载:
w/uptime 最后面三个数字表示1分钟,5分钟,15分钟平均有多少个进程占用CPU
占用CPU的进程可以是Running,也可以是Waiting
某一时刻1颗CPU只能有一个进程在使用其资源
top命令:
top 回车就可以进入到top界面
每3秒刷新一次
默认按cpu百分比排序,可以按M键按照内存使用率大小排序
按数字1,可以显示所有CPU使用率详情
top -bn1 静态显示所有进程的情况,也是按cpu百分比排序
静态显示进程信息,方便在shell脚本中使用top命令
free命令:
free查看内存和swap使用情况,关注最后一列的available,这个数字是真正剩余的物理内存大小
free -k -m -g -h
手动增加swap
dd if=/dev/zero of=/bigfile bs=1M count=1000
mkswap /bigfile
chmod 600 /bigfile
swapon /bigfile
监控磁盘:
iostat --> yum install -y sysstat
iostat -dx 1
iostat -dx 1 5
iotop --> yum install -y iotop
iotop 回车 动态显示,按IO使用率大小排序
综合工具,断定瓶颈点:
vmstat 1
vmstat 1 10
关注:r、b、si、so、bi、bo、id、wa
监控网卡流量:
sar -n DEV 1 10
yum install -y epel-release
yum install nload
nload 回车后查看网卡流量,动态显示
ethtool ens33
mii-tool ens33
查看进程:
ps aux 、 ps -elf 、 ps -eLf (查看线程)
STAT
S Sleep
R Running
s 父进程
N 低优先级
< 高优先级
+ 前台进程
l 多线程进程
Z 僵尸进程
ls -l /proc/pid/ #查看一个进程的一些详细信息
查看网络连接状况:
netstat -lnp 、netstat -lntp 、 netstat -lntup
netstat -an
ss -an
抓包工具:
tcpdump (安装:yum install -y tcpdump)
tcpdump -nn -i ens33 port 80
tcpdump -nn -i ens33 -c 100 -w 1.cap
tcpdump -i ens33 -nn not port 22 and not port 80 and not host 192.168.222.1
tcpdump -nn -r 1.cap
wireshark (安装:yum install -y wireshark)
tshark -i ens33 -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"
补充:
查看cpu核数
cat /proc/cpuinfo
lscpu
buffer和cached
buffer : 这部分内存是从CPU产生即将写入到磁盘里去的那部分数据;
cached 这部分数据是先从磁盘里读出来,然 后临时存到内存里的那部分数据,
小常识:
bit 比特(带宽单位)
Byte 字节 (速度传输单位)
8bit = 1Byte 2MB/s 2*8=16Mbit 100Mbit 12.8MB/s
代码正在补充
w/uptime命令
[root@test01 ~]# w
11:57:24 up 5 min, 1 user, load average: 0.01, 0.06, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 192.168.28.1 11:52 4.00s 0.06s 0.01s w
时间,有几个用户在登录 ,负载值 平均一分钟,平均5分钟,平均15分钟(平均时间内有多少个活动的进程,排队等待的进程也算是活动的进程)running and waiting
[root@test01 ~]# uptime
12:14:16 up 22 min, 1 user, load average: 0.00, 0.01, 0.05
top命令(可以动态查看系统状态,比较综合)(默认按cpu的使用率从高到低排序)
也可以显示系统的负载值,任务数量,有几个running 有几个sleeping等
[root@test01 ~]# top
top - 12:16:36 up 24 min, 1 user, load average: 0.00, 0.01, 0.05
Tasks: 99 total, 1 running, 98 sleeping, 0 stopped, 0 zombie
%Cpu(s): 0.3 us, 0.3 sy, 0.0 ni, 99.3 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 999936 total, 564892 free, 213240 used, 221804 buff/cache
KiB Swap: 3907580 total, 3907580 free, 0 used. 606240 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
619 root 20 0 229368 6192 4836 S 0.7 0.6 0:02.26 vmtoolsd
3 root 20 0 0 0 0 S 0.3 0.0 0:00.09 ksoftirqd/0
2437 root 20 0 0 0 0 S 0.3 0.0 0:00.03 kworker/0:0
2440 root 20 0 157636 2172 1552 R 0.3 0.2 0:00.15 top
1 root 20 0 128152 6728 3972 S 0.0 0.7 0:01.37 systemd
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
6 root 20 0 0 0 0 S 0.0 0.0 0:00.01 kworker/u256:0
7 root rt 0 0 0 0 S 0.0 0.0 0:00.00 migration/0
8 root 20 0 0 0 0 S 0.0 0.0 0:00.00 rcu_bh
9 root 20 0 0 0 0 S 0.0 0.0 0:00.43 rcu_sched
10 root rt 0 0 0 0 S 0.0 0.0 0:00.03 watchdog/0
12 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 khelper
13 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdevtmpfs
14 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 netns
15 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khungtaskd
16 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 writeback
17 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kintegrityd
18 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 bioset
19 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kblockd
20 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 md
26 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kswapd0
27 root 25 5 0 0 0 S 0.0 0.0 0:00.00 ksmd
以上都是动态的(每隔3秒刷新一次)
分析解释
系统负载值等
top - 12:16:36 up 24 min, 1 user, load average: 0.00, 0.01, 0.05
任务数量,有几个running 有几个sleeping等
Tasks: 99 total, 1 running, 98 sleeping, 0 stopped, 0 zombie
cpu使用率,us表示用户级别的进程,sy表示系统级别的进程。99.3 id空闲百分比,其他几个常年都是0不用太关注
%Cpu(s): 0.3 us, 0.3 sy, 0.0 ni, 99.3 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
内存使用率 avaail Mem是系统里面真正可使用的内存大小
KiB Mem : 999936 total, 564892 free, 213240 used, 221804 buff/cache
KiB Swap: 3907580 total, 3907580 free, 0 used. 606240 avail Mem
需要关注的以下内容,RES %CPU %MEM
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
619 root 20 0 229368 6192 4836 S 0.7 0.6 0:02.26 vmtoolsd
3 root 20 0 0 0 0 S 0.3 0.0 0:00.09 ksoftirqd/0
2437 root 20 0 0 0 0 S 0.3 0.0 0:00.03 kworker/0:0
2440 root 20 0 157636 2172 1552 R 0.3 0.2 0:00.15 top
1 root 20 0 128152 6728 3972 S 0.0 0.7 0:01.37 systemd
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
6 root 20 0 0 0 0 S 0.0 0.0 0:00.01 kworker/u256:0
7 root rt 0 0 0 0 S 0.0 0.0 0:00.00 migration/0
8 root 20 0 0 0 0 S 0.0 0.0 0:00.00 rcu_bh
9 root 20 0 0 0 0 S 0.0 0.0 0:00.43 rcu_sched
10 root rt 0 0 0 0 S 0.0 0.0 0:00.03 watchdog/0
12 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 khelper
13 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdevtmpfs
14 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 netns
15 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khungtaskd
16 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 writeback
17 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kintegrityd
18 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 bioset
19 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kblockd
20 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 md
26 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kswapd0
27 root 25 5 0 0 0 S 0.0 0.0 0:00.00 ksmd
按内存的大小排序,按大写M,按数字1显示所有CPU的使用率
[root@test01 mail]# top -bn1 静态显示(但不会按cpu或者MEM排序)
top - 12:44:12 up 52 min, 1 user, load average: 0.00, 0.01, 0.05
Tasks: 99 total, 1 running, 98 sleeping, 0 stopped, 0 zombie
%Cpu(s): 0.3 us, 0.5 sy, 0.0 ni, 99.2 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 999936 total, 545660 free, 217036 used, 237240 buff/cache
KiB Swap: 3907580 total, 3907580 free, 0 used. 597716 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1 root 20 0 128152 6728 3972 S 0.0 0.7 0:01.39 systemd
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0.0 0.0 0:00.19 ksoftirqd/0
6 root 20 0 0 0 0 S 0.0 0.0 0:00.01 kworker/u256:0
7 root rt 0 0 0 0 S 0.0 0.0 0:00.00 migration/0
8 root 20 0 0 0 0 S 0.0 0.0 0:00.00 rcu_bh
9 root 20 0 0 0 0 S 0.0 0.0 0:00.48 rcu_sched
10 root rt 0 0 0 0 S 0.0 0.0 0:00.04 watchdog/0
12 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 khelper
13 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdevtmpfs
14 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 netns
15 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khungtaskd
16 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 writeback
17 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kintegrityd
18 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 bioset
19 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kblockd
20 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 md
26 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kswapd0
27 root 25 5 0 0 0 S 0.0 0.0 0:00.00 ksmd
28 root 39 19 0 0 0 S 0.0 0.0 0:00.15 khugepaged
29 root 20 0 0 0 0 S 0.0 0.0 0:00.00 fsnotify_mark
30 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 crypto
38 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kthrotld
40 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kmpath_rdacd
41 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kpsmoused
43 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 ipv6_addrconf
62 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 deferwq
94 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kauditd
269 root 20 0 0 0 0 S 0.0 0.0 0:04.54 kworker/0:3
275 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 ata_sff
276 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 mpt_poll_0
277 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 mpt/0
285 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_0
286 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 scsi_tmf_0
287 root 20 0 0 0 0 S 0.0 0.0 0:00.01 scsi_eh_1
288 root 20 0 0 0 0 S 0.0 0.0 0:00.15 kworker/u256:2
290 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 scsi_tmf_1
292 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_2
294 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 scsi_tmf_2
296 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 ttm_swap
367 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kdmflush
368 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 bioset
378 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kdmflush
379 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 bioset
393 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 xfsalloc
394 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 xfs_mru_cache
395 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 xfs-buf/dm-0
396 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 xfs-data/dm-0
397 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 xfs-conv/dm-0
398 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 xfs-cil/dm-0
399 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 xfs-reclaim/dm-
400 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 xfs-log/dm-0
401 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 xfs-eofblocks/d
402 root 20 0 0 0 0 S 0.0 0.0 0:00.55 xfsaild/dm-0
468 root 20 0 34936 2800 2492 S 0.0 0.3 0:00.16 systemd-journal
492 root 20 0 46244 4584 2792 S 0.0 0.5 0:00.13 systemd-udevd
507 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 nfit
520 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 xfs-buf/sda1
521 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 xfs-data/sda1
522 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 xfs-conv/sda1
523 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 xfs-cil/sda1
524 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 xfs-reclaim/sda
525 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 xfs-log/sda1
527 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 xfs-eofblocks/s
528 root 20 0 0 0 0 S 0.0 0.0 0:00.00 xfsaild/sda1
588 root 16 -4 62012 2216 1636 S 0.0 0.2 0:00.01 auditd
608 polkitd 20 0 528324 12700 4780 S 0.0 1.3 0:00.08 polkitd
612 dbus 20 0 98316 1896 1432 S 0.0 0.2 0:00.64 dbus-daemon
614 chrony 20 0 115944 1852 1480 S 0.0 0.2 0:00.11 chronyd
619 root 20 0 229368 6200 4836 S 0.0 0.6 0:05.17 vmtoolsd
620 root 20 0 24252 1700 1404 S 0.0 0.2 0:00.07 systemd-logind
629 root 20 0 126284 1680 1056 S 0.0 0.2 0:00.22 crond
637 root 20 0 110096 856 728 S 0.0 0.1 0:00.08 agetty
643 root 20 0 327904 26968 6624 S 0.0 2.7 0:00.55 firewalld
648 root 20 0 438076 8188 6304 S 0.0 0.8 0:00.43 NetworkManager
992 root 20 0 553620 16516 5868 S 0.0 1.7 0:01.46 tuned
993 root 20 0 222168 4044 3284 S 0.0 0.4 0:00.35 rsyslogd
1080 root 20 0 83016 1300 428 S 0.0 0.1 0:00.00 sshd
1087 root 20 0 115440 1748 1408 S 0.0 0.2 0:00.08 mysqld_safe
1157 root 20 0 230780 6324 1212 S 0.0 0.6 0:00.78 php-fpm
1162 php-fpm 20 0 230772 6328 1212 S 0.0 0.6 0:00.10 php-fpm
1163 php-fpm 20 0 230772 6332 1212 S 0.0 0.6 0:00.00 php-fpm
1164 php-fpm 20 0 230772 6332 1212 S 0.0 0.6 0:00.00 php-fpm
1165 php-fpm 20 0 230772 6332 1212 S 0.0 0.6 0:00.23 php-fpm
1313 mysql 20 0 1254952 90144 10736 S 0.0 9.0 0:02.87 mysqld
1684 root 20 0 89544 2192 1152 S 0.0 0.2 0:00.07 master
1727 postfix 20 0 89648 4044 3036 S 0.0 0.4 0:00.03 pickup
1728 postfix 20 0 89716 4064 3056 S 0.0 0.4 0:00.02 qmgr
2353 root 20 0 143516 5304 4016 S 0.0 0.5 0:00.95 sshd
2356 root 20 0 115780 2276 1780 S 0.0 0.2 0:00.14 bash
2398 root 20 0 46588 1348 164 S 0.0 0.1 0:00.00 nginx
2399 nginx 20 0 47008 2144 532 S 0.0 0.2 0:00.00 nginx
2417 root 20 0 125384 1124 884 S 0.0 0.1 0:00.02 anacron
2719 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/0:0H
2721 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/0:1H
2722 root 20 0 0 0 0 S 0.0 0.0 0:00.03 kworker/0:1
2723 root 20 0 0 0 0 S 0.0 0.0 0:00.01 kworker/0:0
2732 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/0:2H
2733 root 20 0 157632 2064 1520 R 0.0 0.2 0:00.00 top
查看CPU的核数,看processor
[root@test01 mail]# cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 142
model name : Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz
stepping : 10
microcode : 0x96
cpu MHz : 1799.357
cache size : 6144 KB
physical id : 0
siblings : 1
core id : 0
cpu cores : 1
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 22
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts nopl xtopology tsc_reliable nonstop_tsc aperfmperf eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ida arat epb pln pts dtherm hwp hwp_noitfy hwp_act_window hwp_epp fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid rdseed adx smap xsaveopt
bogomips : 3600.00
clflush size : 64
cache_alignment : 64
address sizes : 42 bits physical, 48 bits virtual
power management:
查看CPU的信息,用这个看也很全面
[root@test01 mail]# lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 1
On-line CPU(s) list: 0
Thread(s) per core: 1
Core(s) per socket: 1
座: 1
NUMA 节点: 1
厂商 ID: GenuineIntel
CPU 系列: 6
型号: 142
型号名称: Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz
步进: 10
CPU MHz: 1799.357
BogoMIPS: 3600.00
超管理器厂商: VMware
虚拟化类型: 完全
L1d 缓存: 32K
L1i 缓存: 32K
L2 缓存: 256K
L3 缓存: 6144K
NUMA 节点0 CPU: 0
free命令
查看内存和swap使用情况
关注available,真正可使用的物理内存大小,以kb为单位。 不用太关注Swap,Swap的解释,当内存不够用的时候它会进行交换,着重看used列
[root@test01 mail]# free
total used free shared buff/cache available
Mem: 999936 216812 545616 6844 237508 597808
Swap: 3907580 0 39075
[root@test01 mail]# free -m 以M的单位显示
total used free shared buff/cache available
Mem: 976 211 532 6 231 583
Swap: 3815 0 3815
[root@test01 mail]# free -h 自行计算显示
total used free shared buff/cache available
Mem: 976M 211M 532M 6.7M 231M 583M
Swap: 3.7G 0B 3.7G
[root@test01 mail]# free -g 以G为单位显示(因为没有这么大所以显示不出来)
total used free shared buff/cache available
Mem: 0 0 0 0 0 0
Swap: 3 0 3
[root@test01 mail]# free -b 以b的单位显示
total used free shared buff/cache available
Mem: 1023934464 221790208 559091712 6979584 243052544 612491264
Swap: 4001361920 0 4001361920
[root@test01 mail]# free -k (其实-k就等于free)
total used free shared buff/cache available
Mem: 999936 216592 545988 6816 237356 598136
Swap: 3907580 0 3907580
total:总量 used:使用量 free:剩余量
buffer:这部分内存是从CPU即将写入到磁盘里去的那部分数据,缓冲数据内存
cached:这部分数据是先从磁盘里读出来,然后临时存到内存里的那部分数据
增加swap空间
[root@test01 mail]# dd if=/dev/zero of=/bigfile bs=1M count=1000
记录了1000+0 的读入
记录了1000+0 的写出
1048576000字节(1.0 GB)已复制,10.0679 秒,104 MB/秒
[root@test01 mail]# pwd
/var/spool/mail
[root@test01 mail]# ls
ftpuser mysql php-fpm root test1 user1
[root@test01 mail]# du -sh /bigfile
1000M /bigfile
[root@test01 mail]# mkswap /bigfile
正在设置交换空间版本 1,大小 = 1023996 KiB
无标签,UUID=6603a4fd-592e-4e29-b50a-9646f4abdd17
[root@test01 mail]# chmod 600 /bigfile
[root@test01 mail]# swapon /bigfile
[root@test01 mail]# free
total used free shared buff/cache available
Mem: 999936 212132 73684 6816 714120 595168
[root@test01 mail]# free -h
total used free shared buff/cache available
Mem: 976M 207M 71M 6.7M 697M 581M
Swap: 4.7G 0B 4.7G
Swap: 4931576 0 4931576
iostat命令
关注最后一列 百分比%util,如果这一列的数值%99或者%100了,说明磁盘非常的忙
[root@test01 mail]# iostat -dx 1 (1就是1秒钟显示一次。后面还可以加数字)
Linux 3.10.0-514.el7.x86_64 (test01) 2019年03月19日 _x86_64_ (1 CPU)
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
sda 0.00 0.04 1.29 0.56 40.28 129.80 183.46 0.04 20.42 0.98 65.20 0.97 0.18
scd0 0.00 0.00 0.00 0.00 0.01 0.00 8.00 0.00 0.36 0.36 0.00 0.36 0.00
dm-0 0.00 0.00 1.12 0.48 37.19 129.54 208.94 0.04 23.82 1.01 77.45 1.09 0.17
dm-1 0.00 0.00 0.02 0.00 0.13 0.00 17.11 0.00 0.12 0.12 0.00 0.11 0.00
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
sda 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
scd0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
sda 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
scd0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
[root@test01 mail]# iostat -dx 1 2
Linux 3.10.0-514.el7.x86_64 (test01) 2019年03月19日 _x86_64_ (1 CPU)
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
sda 0.00 0.04 1.23 0.54 38.45 123.91 183.11 0.04 20.39 0.98 64.80 0.97 0.17
scd0 0.00 0.00 0.00 0.00 0.01 0.00 8.00 0.00 0.36 0.36 0.00 0.36 0.00
dm-0 0.00 0.00 1.07 0.46 35.50 123.67 208.44 0.04 23.77 1.01 76.84 1.10 0.17
dm-1 0.00 0.00 0.01 0.00 0.12 0.00 17.11 0.00 0.12 0.12 0.00 0.11 0.00
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util
sda 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
scd0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
dm-1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
[root@test01 mail]# iotop (把所有的进程使用磁盘的百分比以及读写速度列出来(就是IO使用率排序))
Total DISK READ : 0.00 B/s | Total DISK WRITE : 0.00 B/s
Actual DISK READ: 0.00 B/s | Actual DISK WRITE: 0.00 B/s
TID PRIO USER DISK READ DISK WRITE SWAPIN IO> COMMAND
269 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.33 % [kworker/0:3]
1 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % systemd --switched-ro~ystem --deserialize 21
2 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kthreadd]
3 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksoftirqd/0]
7 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [migration/0]
520 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [xfs-buf/sda1]
9 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [rcu_sched]
10 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [watchdog/0]
523 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [xfs-cil/sda1]
12 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [khelper]
13 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kdevtmpfs]
14 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [netns]
15 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [khungtaskd]
16 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [writeback]
17 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kintegrityd]
18 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [bioset]
19 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kblockd]
20 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [md]
26 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kswapd0]
27 be/5 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksmd]
28 be/7 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [khugepaged]
29 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [fsnotify_mark]
30 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [crypto]
38 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kthrotld]
1063 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % rsyslogd -n [in:imjournal]
40 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kmpath_rdacd]
vmstat 命令
[root@test01 mail]# vmstat 1 10
进程相关 内存相关 swap相关 IO相关 系统相关 CPU相关
procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
r b swpd free buff cache si so bi bo in cs us sy id wa st
2 0 0 141280 76 643728 0 0 37 119 45 92 0 0 99 0 0
0 0 0 141264 76 643728 0 0 0 0 54 116 0 0 100 0 0
0 0 0 141264 76 643728 0 0 0 0 50 112 0 0 100 0 0
0 0 0 141264 76 643728 0 0 0 0 55 118 0 0 100 0 0
0 0 0 141264 76 643728 0 0 0 0 46 102 0 0 100 0 0
0 0 0 141264 76 643728 0 0 0 0 55 116 0 0 100 0 0
0 0 0 141264 76 643728 0 0 0 0 57 115 0 1 99 0 0
0 0 0 141264 76 643728 0 0 0 0 58 120 0 0 100 0 0
0 0 0 141264 76 643728 0 0 0 0 50 108 0 0 100 0 0
0 0 0 141264 76 643728 0 0 0 0 55 114 0 0 100 0 0
进程相关:r表示正在活跃的进程(包含running和waiting的进程,其中的2表示平均值)。b表示block,是被阻塞的进程(如磁盘非常忙,肯定会被阻塞)
内存相关:内存不足的话swpd变成非0
swap相关:si表示读swap,so表示写swap,从swap进入到内存里(这一列参照内存来说)
io相关:bi表示磁盘的读,bo表示磁盘的写
cpu相关:cpu看id看空闲量,如果空闲很少说明,cpu使用率高,有瓶颈,100-id=等于使用率。wa表示等待cpu的百分比
监控网卡流量
sar命令(Linux系统的瑞士军刀)
[root@test01 ~]# sar -n DEV 1 10
Linux 3.10.0-514.el7.x86_64 (test01) 2019年03月19日 _x86_64_ (1 CPU)
15时01分24秒 IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s
15时01分25秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
15时01分25秒 ens33 1.01 0.00 0.06 0.00 0.00 0.00 0.00
15时01分25秒 IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s
15时01分26秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
15时01分26秒 ens33 2.00 1.00 0.12 0.40 0.00 0.00 0.00
15时01分26秒 IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s
15时01分27秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
15时01分27秒 ens33 2.02 1.01 0.12 0.40 0.00 0.00 0.00
15时01分27秒 IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s
15时01分28秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
15时01分28秒 ens33 2.00 1.00 0.12 0.40 0.00 0.00 0.00
15时01分28秒 IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s
15时01分29秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
15时01分29秒 ens33 2.02 1.01 0.12 0.40 0.00 0.00 0.00
^C
15时01分29秒 IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s
15时01分30秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
15时01分30秒 ens33 4.65 4.65 0.38 1.21 0.00 0.00 0.00
平均时间: IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s
平均时间: lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
平均时间: ens33 2.04 1.11 0.13 0.39 0.00 0.00 0.00
着重关注:rxpck/s表示接收到的包的数量,txpck/s表示传送出去包的数量,rxkB/s表示网卡的流量也表示传输速度
100Mb 带宽 Mbit比特 MByte字节 8bit=1Byte 2MB/s 2*8=16Mbit 100Mbit带宽理论上的下载速度12.8MB/s
sar如果不跟数字
[root@test01 ~]# sar -n DEV
Linux 3.10.0-514.el7.x86_64 (test01) 2019年03月19日 _x86_64_ (1 CPU)
14时00分02秒 IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s
14时10分01秒 lo 0.01 0.01 0.00 0.00 0.00 0.00 0.00
14时10分01秒 ens33 0.49 0.23 0.03 0.03 0.00 0.00 0.00
14时20分02秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
14时20分02秒 ens33 1.13 0.87 0.16 0.13 0.00 0.00 0.00
14时30分01秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
14时30分01秒 ens33 0.42 0.18 0.03 0.02 0.00 0.00 0.00
14时40分01秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
14时40分01秒 ens33 0.29 0.05 0.02 0.00 0.00 0.00 0.00
14时50分01秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
14时50分01秒 ens33 0.37 0.04 0.02 0.00 0.00 0.00 0.00
15时00分01秒 lo 0.03 0.03 0.00 0.00 0.00 0.00 0.00
15时00分01秒 ens33 0.32 0.13 0.02 0.01 0.00 0.00 0.00
15时10分01秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
15时10分01秒 ens33 0.46 0.17 0.03 0.02 0.00 0.00 0.00
平均时间: IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s
平均时间: lo 0.01 0.01 0.00 0.00 0.00 0.00 0.00
平均时间: ens33 0.50 0.24 0.05 0.03 0.00 0.00 0.00
如果不跟数字实际它看的就是这个文件,不能直接cat,只能用sar去查
[root@test01 ~]# ls /var/log/sa/sa19 今天是19号。
/var/log/sa/sa19
[root@test01 ~]# sar -n DEV -f /var/log/sa/sa19 只查看19号的网卡流量,如果不加-n DEV就是看19号的cpu
Linux 3.10.0-514.el7.x86_64 (test01) 2019年03月19日 _x86_64_ (1 CPU)
14时00分02秒 IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s
14时10分01秒 lo 0.01 0.01 0.00 0.00 0.00 0.00 0.00
14时10分01秒 ens33 0.49 0.23 0.03 0.03 0.00 0.00 0.00
14时20分02秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
14时20分02秒 ens33 1.13 0.87 0.16 0.13 0.00 0.00 0.00
14时30分01秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
14时30分01秒 ens33 0.42 0.18 0.03 0.02 0.00 0.00 0.00
14时40分01秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
14时40分01秒 ens33 0.29 0.05 0.02 0.00 0.00 0.00 0.00
14时50分01秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
14时50分01秒 ens33 0.37 0.04 0.02 0.00 0.00 0.00 0.00
15时00分01秒 lo 0.03 0.03 0.00 0.00 0.00 0.00 0.00
15时00分01秒 ens33 0.32 0.13 0.02 0.01 0.00 0.00 0.00
15时10分01秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
15时10分01秒 ens33 0.46 0.17 0.03 0.02 0.00 0.00 0.00
平均时间: IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s
平均时间: lo 0.01 0.01 0.00 0.00 0.00 0.00 0.00
平均时间: ens33 0.50 0.24 0.05 0.03 0.00 0.00 0.00
这个文件的记录的多少或者多长是根据系统在线的时间来定的,每隔十分钟记录一次
[root@test01 ~]# sar 直接看sar看的是cpu
Linux 3.10.0-514.el7.x86_64 (test01) 2019年03月19日 _x86_64_ (1 CPU)
14时00分02秒 CPU %user %nice %system %iowait %steal %idle
14时10分01秒 all 0.07 0.00 0.20 0.01 0.00 99.72
14时20分02秒 all 2.18 0.00 0.69 0.01 0.00 97.12
14时30分01秒 all 0.23 0.00 0.17 0.01 0.00 99.59
14时40分01秒 all 0.04 0.00 0.12 0.01 0.00 99.83
14时50分01秒 all 0.04 0.00 0.12 0.00 0.00 99.83
15时00分01秒 all 0.12 0.00 0.23 0.01 0.00 99.65
15时10分01秒 all 0.05 0.00 0.16 0.01 0.00 99.78
15时20分01秒 all 0.05 0.00 0.15 0.01 0.00 99.79
平均时间: all 0.35 0.00 0.23 0.01 0.00 99.42
[root@test01 ~]# sar -b 看的是磁盘的io,
Linux 3.10.0-514.el7.x86_64 (test01) 2019年03月19日 _x86_64_ (1 CPU)
14时00分02秒 tps rtps wtps bread/s bwrtn/s
14时10分01秒 0.36 0.17 0.19 11.84 3.00
14时20分02秒 0.54 0.11 0.43 23.09 10.56
14时30分01秒 0.03 0.00 0.02 0.11 0.29
14时40分01秒 0.06 0.00 0.06 0.00 0.75
14时50分01秒 0.04 0.00 0.04 0.00 0.53
15时00分01秒 0.15 0.00 0.15 0.00 2.02
15时10分01秒 0.10 0.00 0.10 0.00 1.34
15时20分01秒 0.12 0.06 0.07 9.24 0.81
平均时间: 0.17 0.04 0.13 5.53 2.41
[root@test01 ~]# sar -q 看的是系统负载,历史系统负载
Linux 3.10.0-514.el7.x86_64 (test01) 2019年03月19日 _x86_64_ (1 CPU)
14时00分02秒 runq-sz plist-sz ldavg-1 ldavg-5 ldavg-15 blocked
14时10分01秒 1 144 0.06 0.03 0.05 0
14时20分02秒 1 145 0.06 0.09 0.07 0
14时30分01秒 1 143 0.00 0.01 0.05 0
14时40分01秒 1 144 0.00 0.01 0.05 0
14时50分01秒 1 143 0.00 0.01 0.05 0
15时00分01秒 1 143 0.00 0.01 0.05 0
15时10分01秒 1 143 0.00 0.01 0.05 0
15时20分01秒 1 144 0.00 0.01 0.05 0
平均时间: 1 144 0.01 0.02 0.05 0
nload命令(动态显示网卡流量)
[root@test01 ~]# nload 按方向键切换网卡
Device ens33 [192.168.28.107] (1/2):
=========================================================================================================
Incoming:
Curr: 944.00 Bit/s
Avg: 1.30 kBit/s
Min: 936.00 Bit/s
Max: 2.73 kBit/s
Ttl: 933.24 kByte
Outgoing:
Curr: 8.27 kBit/s
Avg: 8.28 kBit/s
Min: 6.04 kBit/s
Max: 8.74 kBit/s
Ttl: 2.82 MByte
ethtool命令(查看网卡详细信息)少关注最后一行,查看是否连接状态
[root@test01 ~]# ethtool ens33
Settings for ens33:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: off (auto)
Supports Wake-on: d
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes
mii-tool 也可以查看网卡是否连接状态
[root@test01 ~]# mii-tool ens33
ens33: negotiated 1000baseT-FD flow-control, link ok
ps命令
如果什么都不加,只查询当前终端已运行的一些进程(没什么意义)
[root@test01 ~]# ps
PID TTY TIME CMD
2356 pts/0 00:00:00 bash
3296 pts/0 00:00:00 ps
[root@test01 ~]# ps aux 可以查看所有用户,包括前台,后台,系统级别,用户级别,所有的进程
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.6 128152 6740 ? Ss 11:52 0:01 /usr/lib/systemd/systemd --switched-roo
root 2 0.0 0.0 0 0 ? S 11:52 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 11:52 0:00 [ksoftirqd/0]
root 7 0.0 0.0 0 0 ? S 11:52 0:00 [migration/0]
root 8 0.0 0.0 0 0 ? S 11:52 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? R 11:52 0:00 [rcu_sched]
root 10 0.0 0.0 0 0 ? S 11:52 0:00 [watchdog/0]
root 12 0.0 0.0 0 0 ? S< 11:52 0:00 [khelper]
root 13 0.0 0.0 0 0 ? S 11:52 0:00 [kdevtmpfs]
root 14 0.0 0.0 0 0 ? S< 11:52 0:00 [netns]
root 15 0.0 0.0 0 0 ? S 11:52 0:00 [khungtaskd]
root 16 0.0 0.0 0 0 ? S< 11:52 0:00 [writeback]
root 17 0.0 0.0 0 0 ? S< 11:52 0:00 [kintegrityd]
root 18 0.0 0.0 0 0 ? S< 11:52 0:00 [bioset]
root 19 0.0 0.0 0 0 ? S< 11:52 0:00 [kblockd]
root 20 0.0 0.0 0 0 ? S< 11:52 0:00 [md]
root 26 0.0 0.0 0 0 ? S 11:52 0:00 [kswapd0]
root 27 0.0 0.0 0 0 ? SN 11:52 0:00 [ksmd]
root 28 0.0 0.0 0 0 ? SN 11:52 0:00 [khugepaged]
root 29 0.0 0.0 0 0 ? S 11:52 0:00 [fsnotify_mark]
root 30 0.0 0.0 0 0 ? S< 11:52 0:00 [crypto]
root 38 0.0 0.0 0 0 ? S< 11:52 0:00 [kthrotld]
root 40 0.0 0.0 0 0 ? S< 11:52 0:00 [kmpath_rdacd]
root 41 0.0 0.0 0 0 ? S< 11:52 0:00 [kpsmoused]
root 43 0.0 0.0 0 0 ? S< 11:52 0:00 [ipv6_addrconf]
root 62 0.0 0.0 0 0 ? S< 11:52 0:00 [deferwq]
root 94 0.0 0.0 0 0 ? S 11:52 0:00 [kauditd]
root 275 0.0 0.0 0 0 ? S< 11:52 0:00 [ata_sff]
root 276 0.0 0.0 0 0 ? S< 11:52 0:00 [mpt_poll_0]
root 277 0.0 0.0 0 0 ? S< 11:52 0:00 [mpt/0]
root 285 0.0 0.0 0 0 ? S 11:52 0:00 [scsi_eh_0]
root 286 0.0 0.0 0 0 ? S< 11:52 0:00 [scsi_tmf_0]
root 287 0.0 0.0 0 0 ? S 11:52 0:00 [scsi_eh_1]
root 288 0.0 0.0 0 0 ? S 11:52 0:03 [kworker/u256:2]
root 290 0.0 0.0 0 0 ? S< 11:52 0:00 [scsi_tmf_1]
root 292 0.0 0.0 0 0 ? S 11:52 0:00 [scsi_eh_2]
root 294 0.0 0.0 0 0 ? S< 11:52 0:00 [scsi_tmf_2]
root 296 0.0 0.0 0 0 ? S< 11:52 0:00 [ttm_swap]
root 367 0.0 0.0 0 0 ? S< 11:52 0:00 [kdmflush]
root 368 0.0 0.0 0 0 ? S< 11:52 0:00 [bioset]
root 378 0.0 0.0 0 0 ? S< 11:52 0:00 [kdmflush]
root 379 0.0 0.0 0 0 ? S< 11:52 0:00 [bioset]
root 393 0.0 0.0 0 0 ? S< 11:52 0:00 [xfsalloc]
root 394 0.0 0.0 0 0 ? S< 11:52 0:00 [xfs_mru_cache]
root 395 0.0 0.0 0 0 ? S< 11:52 0:00 [xfs-buf/dm-0]
root 396 0.0 0.0 0 0 ? S< 11:52 0:00 [xfs-data/dm-0]
root 397 0.0 0.0 0 0 ? S< 11:52 0:00 [xfs-conv/dm-0]
root 398 0.0 0.0 0 0 ? S< 11:52 0:00 [xfs-cil/dm-0]
root 399 0.0 0.0 0 0 ? S< 11:52 0:00 [xfs-reclaim/dm-]
root 400 0.0 0.0 0 0 ? S< 11:52 0:00 [xfs-log/dm-0]
root 401 0.0 0.0 0 0 ? S< 11:52 0:00 [xfs-eofblocks/d]
root 402 0.0 0.0 0 0 ? S 11:52 0:01 [xfsaild/dm-0]
root 468 0.0 0.3 34936 3108 ? Ss 11:52 0:00 /usr/lib/systemd/systemd-journald
root 492 0.0 0.4 46244 4584 ? Ss 11:52 0:00 /usr/lib/systemd/systemd-udevd
root 507 0.0 0.0 0 0 ? S< 11:52 0:00 [nfit]
root 520 0.0 0.0 0 0 ? S< 11:52 0:00 [xfs-buf/sda1]
root 521 0.0 0.0 0 0 ? S< 11:52 0:00 [xfs-data/sda1]
root 522 0.0 0.0 0 0 ? S< 11:52 0:00 [xfs-conv/sda1]
root 523 0.0 0.0 0 0 ? S< 11:52 0:00 [xfs-cil/sda1]
root 524 0.0 0.0 0 0 ? S< 11:52 0:00 [xfs-reclaim/sda]
root 525 0.0 0.0 0 0 ? S< 11:52 0:00 [xfs-log/sda1]
root 527 0.0 0.0 0 0 ? S< 11:52 0:00 [xfs-eofblocks/s]
root 528 0.0 0.0 0 0 ? S 11:52 0:00 [xfsaild/sda1]
root 588 0.0 0.2 62012 2216 ? S<sl 11:52 0:00 /sbin/auditd -n
polkitd 608 0.0 1.2 528324 12700 ? Ssl 11:52 0:00 /usr/lib/polkit-1/polkitd --no-debug
dbus 612 0.0 0.1 98316 1896 ? Ssl 11:52 0:00 /bin/dbus-daemon --system --address=sys
chrony 614 0.0 0.1 115944 1896 ? S 11:52 0:00 /usr/sbin/chronyd
root 619 0.1 0.6 229368 6236 ? Ss 11:52 0:23 /usr/bin/vmtoolsd
root 620 0.0 0.1 24252 1700 ? Ss 11:52 0:00 /usr/lib/systemd/systemd-logind
root 629 0.0 0.1 126316 1720 ? Ss 11:52 0:00 /usr/sbin/crond -n
root 637 0.0 0.0 110096 852 tty1 Ss+ 11:52 0:00 /sbin/agetty --noclear tty1 linux
root 643 0.0 2.6 327904 26672 ? Ssl 11:52 0:01 /usr/bin/python -Es /usr/sbin/firewalld
root 648 0.0 0.8 438076 8224 ? Ssl 11:52 0:00 /usr/sbin/NetworkManager --no-daemon
root 992 0.0 1.6 553620 16516 ? Ssl 11:52 0:03 /usr/bin/python -Es /usr/sbin/tuned -l
root 993 0.0 0.4 222168 4244 ? Ssl 11:52 0:00 /usr/sbin/rsyslogd -n
root 1080 0.0 0.1 83016 1300 ? Ss 11:52 0:00 /usr/sbin/sshd
root 1087 0.0 0.1 115440 1748 ? S 11:52 0:00 /bin/sh /usr/local/mysql/bin/mysqld_saf
root 1157 0.0 0.6 230780 6000 ? Ss 11:52 0:03 php-fpm: master process (/usr/local/php
php-fpm 1162 0.0 0.6 230772 6004 ? S 11:52 0:00 php-fpm: pool bbs
php-fpm 1163 0.0 0.6 230772 6008 ? S 11:52 0:00 php-fpm: pool bbs
php-fpm 1164 0.0 0.6 230772 6008 ? S 11:52 0:00 php-fpm: pool blog
php-fpm 1165 0.0 0.6 230772 6008 ? S 11:52 0:00 php-fpm: pool blog
mysql 1313 0.0 9.0 1254952 90124 ? Sl 11:52 0:08 /usr/local/mysql/bin/mysqld --basedir=/
root 1684 0.0 0.2 89544 2192 ? Ss 11:52 0:00 /usr/libexec/postfix/master -w
postfix 1728 0.0 0.4 89716 4064 ? S 11:52 0:00 qmgr -l -t unix -u
root 2353 0.0 0.5 143648 5304 ? Ss 11:52 0:01 sshd: root@pts/0
root 2356 0.0 0.2 115780 2284 pts/0 Ss 11:52 0:00 -bash
root 2398 0.0 0.1 46588 1348 ? Ss 11:54 0:00 nginx: master process /usr/sbin/nginx -
nginx 2399 0.0 0.2 47008 2144 ? S 11:54 0:00 nginx: worker process
root 2842 0.0 0.0 0 0 ? S 13:35 0:00 [kworker/u256:1]
root 3134 0.1 0.0 0 0 ? R 14:57 0:03 [kworker/0:1]
postfix 3229 0.0 0.4 89648 4044 ? S 15:11 0:00 pickup -l -t unix -u
root 3247 0.0 0.0 0 0 ? S< 15:21 0:00 [kworker/0:2H]
root 3283 0.0 0.0 0 0 ? S< 15:31 0:00 [kworker/0:0H]
root 3284 0.0 0.0 0 0 ? S 15:32 0:00 [kworker/0:0]
root 3287 0.0 0.0 0 0 ? S< 15:37 0:00 [kworker/0:1H]
root 3289 0.0 0.0 0 0 ? S 15:37 0:00 [kworker/0:2]
root 3297 0.0 0.1 151116 1852 pts/0 R+ 15:41 0:00 ps aux
USER第一列 表示使用进程的用户
PID 第二列 表示进程ID,pid。每个进程都有自己的一个id
%CPU第三列 cpu百分比
%MEM第四列 内存百分比
VSZ 第五列 虚拟内存大小
RSS 第六列 物理内存大小
TTY 第七列 所在的TTY,TTY如果是?号,一般是指在后台,不属于任何一个tty,登录的终端shell就是一个tty
STAT第八列 (这一列重要)进程的状态,
S Sleep(休眠状态,最普遍的状态)
R Running(在运行的状态)
s 父进程
N 低优先级
< 高优先级
+ 前台进程
l 多线程进程(用ps -eLf 可以看到多线程的进程,比如查找一下MySQL)
Z 僵尸进程
START第九列 启动时间
TIME第十列 空闲时间
COMMAND第十一类 对应的指令、命令
ps aux需要关注进程的使用%cpu的百分比,%MEM的百分比,RSS使用物理内存的大小,STAT进程的状态,COMMAND进程的指令及命令
[root@test01 ~]# ls -l /proc/2399(此命令加id号可以查看到该进程相关的文件,用ps aux查看一个进程的时候显示的很简单,用/proc/id就可以查看详细的指令)
查看网络连接状况(查看监听端口)
netstat命令
[root@test01 ~]# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2420/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1096/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1738/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2420/nginx: master
tcp6 0 0 :::3306 :::* LISTEN 1209/mysqld
tcp6 0 0 :::22 :::* LISTEN 1096/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1738/master
udp 0 0 127.0.0.1:323 0.0.0.0:* 623/chronyd
udp6 0 0 ::1:323 :::* 623/chronyd
raw6 0 0 :::58 :::* 7 664/NetworkManager
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 18749 1314/php-fpm: maste /tmp/bbs.socket
unix 2 [ ACC ] STREAM LISTENING 18751 1314/php-fpm: maste /tmp/blog.socket
unix 2 [ ACC ] STREAM LISTENING 19300 1738/master public/flush
unix 2 [ ACC ] STREAM LISTENING 19318 1738/master public/showq
unix 2 [ ACC ] STREAM LISTENING 19285 1738/master private/rewrite
unix 2 [ ACC ] STREAM LISTENING 19288 1738/master private/bounce
unix 2 [ ACC ] STREAM LISTENING 19291 1738/master private/defer
unix 2 [ ACC ] STREAM LISTENING 19294 1738/master private/trace
unix 2 [ ACC ] STREAM LISTENING 19308 1738/master private/proxywrite
unix 2 [ ACC ] STREAM LISTENING 19312 1738/master private/smtp
unix 2 [ ACC ] STREAM LISTENING 19315 1738/master private/relay
unix 2 [ ACC ] STREAM LISTENING 19469 1209/mysqld /tmp/mysql.sock
unix 2 [ ACC ] SEQPACKET LISTENING 12870 1/systemd /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 19282 1738/master private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 14679 1/systemd /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 19328 1738/master private/discard
unix 2 [ ACC ] STREAM LISTENING 19331 1738/master private/local
unix 2 [ ACC ] STREAM LISTENING 19334 1738/master private/virtual
unix 2 [ ACC ] STREAM LISTENING 19337 1738/master private/lmtp
unix 2 [ ACC ] STREAM LISTENING 19340 1738/master private/anvil
unix 2 [ ACC ] STREAM LISTENING 19343 1738/master private/scache
unix 2 [ ACC ] STREAM LISTENING 19278 1738/master public/qmgr
unix 2 [ ACC ] STREAM LISTENING 19321 1738/master private/error
unix 2 [ ACC ] STREAM LISTENING 19325 1738/master private/retry
unix 2 [ ACC ] STREAM LISTENING 19297 1738/master private/verify
unix 2 [ ACC ] STREAM LISTENING 19271 1738/master public/pickup
unix 2 [ ACC ] STREAM LISTENING 19275 1738/master public/cleanup
unix 2 [ ACC ] STREAM LISTENING 8398 1/systemd /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 19303 1738/master private/proxymap
unix 2 [ ACC ] STREAM LISTENING 12788 1/systemd /run/systemd/private
只查看tcp的监听端口
[root@test01 ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2420/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1096/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1738/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2420/nginx: master
tcp6 0 0 :::3306 :::* LISTEN 1209/mysqld
tcp6 0 0 :::22 :::* LISTEN 1096/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1738/master
只查看udp的监听端口
[root@test01 ~]# netstat -lnup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 127.0.0.1:323 0.0.0.0:* 623/chronyd
udp6 0 0 ::1:323 :::* 623/chronyd
只查看tcp和udp的监听端口
[root@test01 ~]# netstat -lnutp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2420/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1096/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1738/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2420/nginx: master
tcp6 0 0 :::3306 :::* LISTEN 1209/mysqld
tcp6 0 0 :::22 :::* LISTEN 1096/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1738/master
udp 0 0 127.0.0.1:323 0.0.0.0:* 623/chronyd
udp6 0 0 ::1:323 :::* 623/chronyd
查看所有的网络连接,包括监听的包括已经连接的
[root@test01 ~]# ss -an 结果也类似netstat -an (但显示比较快)
[root@test01 ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 52 192.168.28.107:22 192.168.28.1:53969 ESTABLISHED
tcp6 0 0 :::3306 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp6 0 0 ::1:323 :::*
raw6 0 0 :::58 :::* 7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 18749 /tmp/bbs.socket
unix 2 [ ACC ] STREAM LISTENING 18751 /tmp/blog.socket
unix 2 [ ACC ] STREAM LISTENING 19300 public/flush
unix 2 [ ACC ] STREAM LISTENING 19318 public/showq
unix 2 [ ACC ] STREAM LISTENING 19285 private/rewrite
unix 2 [ ACC ] STREAM LISTENING 19288 private/bounce
unix 2 [ ACC ] STREAM LISTENING 19291 private/defer
unix 2 [ ACC ] STREAM LISTENING 19294 private/trace
unix 2 [ ACC ] STREAM LISTENING 19308 private/proxywrite
unix 2 [ ACC ] STREAM LISTENING 19312 private/smtp
unix 2 [ ACC ] STREAM LISTENING 19315 private/relay
unix 2 [ ACC ] STREAM LISTENING 19469 /tmp/mysql.sock
unix 2 [ ] DGRAM 12838 /run/systemd/shutdownd
unix 2 [ ACC ] SEQPACKET LISTENING 12870 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 19282 private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 14679 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 19328 private/discard
unix 2 [ ACC ] STREAM LISTENING 19331 private/local
unix 2 [ ACC ] STREAM LISTENING 19334 private/virtual
unix 2 [ ACC ] STREAM LISTENING 19337 private/lmtp
unix 2 [ ACC ] STREAM LISTENING 19340 private/anvil
unix 2 [ ACC ] STREAM LISTENING 19343 private/scache
unix 2 [ ACC ] STREAM LISTENING 19278 public/qmgr
unix 2 [ ACC ] STREAM LISTENING 19321 private/error
unix 2 [ ACC ] STREAM LISTENING 19325 private/retry
unix 2 [ ] DGRAM 8385 /run/systemd/notify
unix 2 [ ACC ] STREAM LISTENING 19297 private/verify
unix 2 [ ] DGRAM 8387 /run/systemd/cgroups-agent
unix 2 [ ACC ] STREAM LISTENING 19271 public/pickup
unix 2 [ ACC ] STREAM LISTENING 19275 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 8398 /run/systemd/journal/stdout
unix 5 [ ] DGRAM 8401 /run/systemd/journal/socket
unix 13 [ ] DGRAM 8403 /dev/log
unix 2 [ ACC ] STREAM LISTENING 19303 private/proxymap
unix 2 [ ACC ] STREAM LISTENING 12788 /run/systemd/private
unix 2 [ ] DGRAM 14581
unix 3 [ ] STREAM CONNECTED 19320
unix 3 [ ] STREAM CONNECTED 19324
unix 3 [ ] STREAM CONNECTED 19270
unix 3 [ ] STREAM CONNECTED 19317
unix 3 [ ] STREAM CONNECTED 19323
unix 2 [ ] DGRAM 19363
unix 3 [ ] STREAM CONNECTED 14589
unix 2 [ ] DGRAM 19381
unix 3 [ ] STREAM CONNECTED 19280
unix 3 [ ] STREAM CONNECTED 19327
unix 3 [ ] STREAM CONNECTED 19326
unix 3 [ ] STREAM CONNECTED 14588
unix 3 [ ] STREAM CONNECTED 19332
unix 3 [ ] STREAM CONNECTED 15966
unix 3 [ ] STREAM CONNECTED 14914
unix 3 [ ] STREAM CONNECTED 19330
unix 3 [ ] STREAM CONNECTED 19284
unix 3 [ ] STREAM CONNECTED 19329
unix 3 [ ] STREAM CONNECTED 15743
unix 3 [ ] STREAM CONNECTED 19336
unix 3 [ ] STREAM CONNECTED 19335
unix 3 [ ] STREAM CONNECTED 15827 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 19279
unix 3 [ ] STREAM CONNECTED 15967 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 19333
unix 3 [ ] STREAM CONNECTED 14915
unix 3 [ ] STREAM CONNECTED 19339
unix 3 [ ] STREAM CONNECTED 15826
unix 3 [ ] STREAM CONNECTED 19338
unix 2 [ ] DGRAM 15818
unix 2 [ ] DGRAM 20632
unix 3 [ ] STREAM CONNECTED 19344
unix 3 [ ] STREAM CONNECTED 15097 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 19316
unix 3 [ ] STREAM CONNECTED 15096
unix 3 [ ] STREAM CONNECTED 19342
unix 3 [ ] STREAM CONNECTED 19269
unix 3 [ ] STREAM CONNECTED 15744 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 19341
unix 3 [ ] STREAM CONNECTED 19345
unix 3 [ ] STREAM CONNECTED 19287
unix 3 [ ] STREAM CONNECTED 18747
unix 2 [ ] DGRAM 15627
unix 3 [ ] STREAM CONNECTED 19286
unix 3 [ ] STREAM CONNECTED 14718
unix 3 [ ] DGRAM 13634
unix 3 [ ] STREAM CONNECTED 15206 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 15418
unix 3 [ ] STREAM CONNECTED 19290
unix 3 [ ] STREAM CONNECTED 18176 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 13555 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 19276
unix 3 [ ] STREAM CONNECTED 15801 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 19289
unix 3 [ ] STREAM CONNECTED 15800
unix 3 [ ] STREAM CONNECTED 17947
unix 2 [ ] DGRAM 13606
unix 3 [ ] STREAM CONNECTED 19295
unix 3 [ ] STREAM CONNECTED 15357 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 14916 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 15205
unix 2 [ ] DGRAM 23092
unix 3 [ ] STREAM CONNECTED 19293
unix 3 [ ] STREAM CONNECTED 19277
unix 3 [ ] STREAM CONNECTED 15419 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 19292
unix 3 [ ] STREAM CONNECTED 19298
unix 2 [ ] DGRAM 15466
unix 3 [ ] STREAM CONNECTED 21990
unix 3 [ ] STREAM CONNECTED 19273
unix 3 [ ] STREAM CONNECTED 14890 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 19296
unix 3 [ ] STREAM CONNECTED 19301
unix 3 [ ] STREAM CONNECTED 15199
unix 3 [ ] STREAM CONNECTED 19299
unix 3 [ ] STREAM CONNECTED 15200 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 19307
unix 3 [ ] STREAM CONNECTED 18830 /var/run/dbus/system_bus_socket
unix 2 [ ] DGRAM 13175
unix 3 [ ] STREAM CONNECTED 21989
unix 3 [ ] STREAM CONNECTED 19306
unix 3 [ ] STREAM CONNECTED 14889
unix 3 [ ] STREAM CONNECTED 18829
unix 3 [ ] STREAM CONNECTED 15356
unix 3 [ ] STREAM CONNECTED 19302
unix 3 [ ] STREAM CONNECTED 13554
unix 3 [ ] STREAM CONNECTED 19319
unix 3 [ ] STREAM CONNECTED 19310
unix 2 [ ] DGRAM 15207
unix 2 [ ] DGRAM 15894
unix 3 [ ] STREAM CONNECTED 19283
unix 3 [ ] STREAM CONNECTED 19314
unix 2 [ ] DGRAM 19241
unix 3 [ ] STREAM CONNECTED 18748
unix 3 [ ] STREAM CONNECTED 19313
unix 2 [ ] DGRAM 15242
unix 3 [ ] STREAM CONNECTED 19272
unix 3 [ ] STREAM CONNECTED 19311
unix 3 [ ] DGRAM 13635
[root@test01 ~]#
抓包工具
-nn以数字的形式显示,-i指定网卡,端口80
[root@test01 ~]# tcpdump -nn -i ens33 port 80
[root@test01 ~]# tcpdump -nn -i ens33 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
13:46:00.303769 IP 192.168.28.1.55389 > 192.168.28.107.80: Flags [S], seq 3172524667, win 65518, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:46:00.303913 IP 192.168.28.107.80 > 192.168.28.1.55389: Flags [S.], seq 1911447629, ack 3172524668, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:46:00.304232 IP 192.168.28.1.55390 > 192.168.28.107.80: Flags [S], seq 327370390, win 65518, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:46:00.304268 IP 192.168.28.107.80 > 192.168.28.1.55390: Flags [S.], seq 3180073244, ack 327370391, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:46:00.304793 IP 192.168.28.1.55389 > 192.168.28.107.80: Flags [.], ack 1, win 261, length 0
13:46:00.304840 IP 192.168.28.1.55390 > 192.168.28.107.80: Flags [.], ack 1, win 2091, length 0
13:46:00.305621 IP 192.168.28.1.55390 > 192.168.28.107.80: Flags [P.], seq 1:455, ack 1, win 2091, length 454: HTTP: GET / HTTP/1.1
13:46:00.305652 IP 192.168.28.107.80 > 192.168.28.1.55390: Flags [.], ack 455, win 237, length 0
13:46:01.106174 IP 192.168.28.107.80 > 192.168.28.1.55390: Flags [P.], seq 1:8321, ack 455, win 237, length 8320: HTTP: HTTP/1.1 200 OK
13:46:01.108296 IP 192.168.28.1.55390 > 192.168.28.107.80: Flags [.], ack 8321, win 2091, length 0
13:46:01.112753 IP 192.168.28.107.80 > 192.168.28.1.55390: Flags [P.], seq 8321:10991, ack 455, win 237, length 2670: HTTP
13:46:01.112891 IP 192.168.28.107.80 > 192.168.28.1.55390: Flags [P.], seq 10991:10996, ack 455, win 237, length 5: HTTP
13:46:01.114010 IP 192.168.28.1.55390 > 192.168.28.107.80: Flags [.], ack 10996, win 2091, length 0
13:46:03.090434 IP 192.168.28.1.55390 > 192.168.28.107.80: Flags [P.], seq 455:909, ack 10996, win 2091, length 454: HTTP: GET / HTTP/1.1
13:46:03.090482 IP 192.168.28.107.80 > 192.168.28.1.55390: Flags [.], ack 909, win 245, length 0
13:46:03.366217 IP 192.168.28.107.80 > 192.168.28.1.55390: Flags [P.], seq 10996:19316, ack 909, win 245, length 8320: HTTP: HTTP/1.1 200 OK
13:46:03.368354 IP 192.168.28.1.55390 > 192.168.28.107.80: Flags [.], ack 19316, win 2091, length 0
13:46:03.372894 IP 192.168.28.107.80 > 192.168.28.1.55390: Flags [P.], seq 19316:21986, ack 909, win 245, length 2670: HTTP
13:46:03.373064 IP 192.168.28.107.80 > 192.168.28.1.55390: Flags [P.], seq 21986:21991, ack 909, win 245, length 5: HTTP
只抓80端口的10个包
[root@test01 ~]# tcpdump -nn -i ens33 port 80 -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
13:50:46.804758 IP 192.168.28.1.55537 > 192.168.28.107.80: Flags [S], seq 2594676514, win 65518, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:50:46.805399 IP 192.168.28.107.80 > 192.168.28.1.55537: Flags [S.], seq 2539877308, ack 2594676515, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:50:46.806617 IP 192.168.28.1.55538 > 192.168.28.107.80: Flags [S], seq 200053957, win 65518, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:50:46.806765 IP 192.168.28.107.80 > 192.168.28.1.55538: Flags [S.], seq 1478352046, ack 200053958, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:50:46.807685 IP 192.168.28.1.55537 > 192.168.28.107.80: Flags [.], ack 1, win 261, length 0
13:50:46.807801 IP 192.168.28.1.55538 > 192.168.28.107.80: Flags [.], ack 1, win 261, length 0
13:50:46.809629 IP 192.168.28.1.55537 > 192.168.28.107.80: Flags [P.], seq 1:455, ack 1, win 261, length 454: HTTP: GET / HTTP/1.1
13:50:46.809726 IP 192.168.28.107.80 > 192.168.28.1.55537: Flags [.], ack 455, win 237, length 0
13:50:47.799242 IP 192.168.28.107.80 > 192.168.28.1.55537: Flags [P.], seq 1:8321, ack 455, win 237, length 8320: HTTP: HTTP/1.1 200 OK
13:50:47.800146 IP 192.168.28.1.55537 > 192.168.28.107.80: Flags [.], ack 2921, win 261, length 0
10 packets captured
12 packets received by filter
0 packets dropped by kernel
抓包指定存放路径或者叫写入到指定文件(如果不指定路径,仅仅是在屏幕上显示,显示的只是包的流向)
[root@test01 ~]# tcpdump -nn -i ens33 -c 10 -w /tmp/1.cap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@test01 ~]# ls -l /tmp/1.cap
-rw-r--r--. 1 tcpdump tcpdump 1392 3月 20 13:53 /tmp/1.cap
[root@test01 ~]# ls -lh /tmp/1.cap
-rw-r--r--. 1 tcpdump tcpdump 1.4K 3月 20 13:53 /tmp/1.cap
读取抓取到的包
[root@test01 ~]# tcpdump -r /tmp/1.cap (也可以加上 -nn)
reading from file /tmp/1.cap, link-type EN10MB (Ethernet)
13:53:24.200925 IP www.aaa.com.ssh > 192.168.28.1.53969: Flags [P.], seq 1882283593:1882283741, ack 2106030109, win 317, length 148
13:53:24.201429 IP 192.168.28.1.53969 > www.aaa.com.ssh: Flags [.], ack 148, win 2086, length 0
13:53:29.996538 IP 192.168.28.1.55610 > www.aaa.com.http: Flags [S], seq 3112038806, win 65518, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:53:29.996651 IP www.aaa.com.http > 192.168.28.1.55610: Flags [S.], seq 704245333, ack 3112038807, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:53:29.997411 IP 192.168.28.1.55611 > www.aaa.com.http: Flags [S], seq 2246959224, win 65518, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:53:29.997677 IP www.aaa.com.http > 192.168.28.1.55611: Flags [S.], seq 2637615863, ack 2246959225, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:53:29.997767 IP 192.168.28.1.55610 > www.aaa.com.http: Flags [.], ack 1, win 261, length 0
13:53:29.998017 IP 192.168.28.1.55610 > www.aaa.com.http: Flags [P.], seq 1:455, ack 1, win 261, length 454: HTTP: GET / HTTP/1.1
13:53:29.998092 IP www.aaa.com.http > 192.168.28.1.55610: Flags [.], ack 455, win 237, length 0
13:53:30.013054 IP 192.168.28.1.55611 > www.aaa.com.http: Flags [.], ack 1, win 261, length 0
反向指定,不要22端口
[root@test01 ~]# tcpdump -nn -i ens33 not port 22 -c 10 -w /tmp/1.cap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
还可以这样写
[root@test01 ~]# tcpdump -nn -i ens33 not port 22 and not port 80 -c 10 -w /tmp/2.cap
还可以写成限定IP
[root@test01 ~]# tcpdump -nn -i ens33 not port 22 and not port 80 and not host 192.168.28.1 -c 10 -w /tmp/2.cap
抓到的包可以放到windows下用wireshark工具分析,在Linux下也有这样的用具,叫tshark,要先安装wireshark包
[root@test01 ~]#yum install -y wireshark
用法和tcpdump特别像
[root@test01 ~]# tshark -nn -i ens33
Running as user "root" and group "root". This could be dangerous.
Capturing on 'ens33'
1 0.000000000 192.168.28.1 -> 192.168.28.107 TCP 60 53969 > 22 [ACK] Seq=1 Ack=1 Win=2089 Len=0
2 0.069678344 00:50:56:c0:00:08 -> ff:ff:ff:ff:ff:ff ARP 60 Who has 192.168.28.2? Tell 192.168.28.1
3 0.576803815 192.168.28.107 -> 192.168.28.1 SSH 314 Encrypted response packet len=260
4 0.618519032 192.168.28.1 -> 192.168.28.107 TCP 60 53969 > 22 [ACK] Seq=1 Ack=261 Win=2088 Len=0
5 1.067259122 00:50:56:c0:00:08 -> ff:ff:ff:ff:ff:ff ARP 60 Who has 192.168.28.2? Tell 192.168.28.1
6 1.318880114 192.168.28.107 -> 192.168.28.1 SSH 410 Encrypted response packet len=356
7 1.360251169 192.168.28.1 -> 192.168.28.107 TCP 60 53969 > 22 [ACK] Seq=1 Ack=617 Win=2086 Len=0
8 1.863810229 192.168.28.107 -> 192.168.28.1 SSH 298 Encrypted response packet len=244
9 1.906595125 192.168.28.1 -> 192.168.28.107 TCP 60 53969 > 22 [ACK] Seq=1 Ack=861 Win=2085 Len=0
10 2.411396943 192.168.28.107 -> 192.168.28.1 SSH 298 Encrypted response packet len=244
tshark的正确用法,出来的结果跟访问日志类似(命令很长)有来源ip,有域名,有对应的方法,有url
[root@test01 ~]# tshark -i ens33 -n -t a -R http.request -T fields -e "frame.time" -e "http.host" -e "http.request.method" -e "http.request.uri"
tshark: -R without -2 is deprecated. For single-pass filtering use -Y.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'ens33'
"Mar 20, 2019 14:16:54.122553219 CST" blog.champin.top GET /
"Mar 20, 2019 14:16:58.915388171 CST" blog.champin.top GET /
"Mar 20, 2019 14:17:01.573371949 CST" www.champin.top GET /?p=1
"Mar 20, 2019 14:17:01.576945362 CST" blog.champin.top GET /?p=1
"Mar 20, 2019 14:17:01.819057126 CST" www.champin.top GET /wp-includes/js/comment-reply.min.js?ver=5.0.3
"Mar 20, 2019 14:17:01.828312956 CST" blog.champin.top GET /wp-includes/js/comment-reply.min.js?ver=5.0.3
"Mar 20, 2019 14:17:08.260327793 CST" blog.champin.top GET /?p=1
"Mar 20, 2019 14:17:09.978334198 CST" www.champin.top GET /?author=1
"Mar 20, 2019 14:17:09.981046716 CST" blog.champin.top GET /?author=1
"Mar 20, 2019 14:17:20.217063100 CST" blog.champin.top GET /?p=1
