A network-analysis shell script for Linux (real-time interface traffic, per-port and per-IP bandwidth, connection-state statistics)

Source: Internet
Author: User
Tags eval centos nginx server server port

This post presents a network-analysis shell script that was split out of the ezhttp installer and is worth describing on its own. Note that it has to run as root (tcpdump needs raw-socket access) and that it will install tcpdump with apt-get or yum if the tool is missing, so read the listing before running it on a production host.

Screenshot of the script in action:

The script provides the following features:

1. Real-time monitoring of the traffic on any network interface.
2. Average throughput over a 10-second window.
3. Average throughput per port over those 10 seconds, broken down by server-side and by client-side port. This shows which ports carry most of the traffic — on a web server normally port 80. When some other port suddenly carries a large share, that port may be under attack, so this table is a quick check of whether the per-port traffic looks normal.
4. The ten IPs that used the most bandwidth during the 10 seconds, which helps to spot a single address that is hogging the link.
5. Connection-state counts. A large number of SYN-RECV sockets points to a half-open (SYN flood) attack. A large ESTABLISHED count that is not matched by requests in the access log — or a tcpdump showing many IPs that complete the handshake but never send data — suggests a full-connection attack; on Nginx, `listen 80 deferred;` (TCP_DEFER_ACCEPT) keeps such idle connections from being handed to a worker until data actually arrives.
6. Connection-state counts per port, which shows which port is being hit while an attack is under way.
7. The ten IPs with the most ESTABLISHED connections (the text targets port 80, but the listed code counts every local port), so that an address opening far too many connections can be identified and then blocked, for example with iptables.
8. The ten IPs with the most SYN-RECV connections, which helps to identify the sources during a half-open attack — keep in mind that SYN floods usually spoof their source addresses, in which case this list is not actionable.

Tools the script relies on:

1. tcpdump: a short capture from which traffic per IP and per port is counted.
2. ss: gathers the connection states; in practice ss proved faster than netstat.
3. /proc/net/dev: the byte counters of the chosen interface, used for the throughput figures.
Script download address: https://www.centos.bz/wp-content/uploads/2014/06/network-analysis.sh — as with any script that will run as root, read the downloaded file before executing it.
The complete script is posted below:

The code is as follows:

#!/bin/bash

#write by Zhumaohai (ADMIN#CENTOS.BZ)

# display_menu: interactive single-choice menu
Display_menu () {
Local soft=$1
Local prompt= "which ${soft} for you ' D select:"
Eval local arr= (\${${soft}_arr[@]})
While True
Todo
Echo-e "#################### ${soft} setting ####################\n\n"
For ((i=1;i<=${#arr [@]};i++)); Do echo-e "$i) ${arr[$i-1]}"; Done
Echo
Read-p "${prompt}" $soft
Eval local select=\$ $soft
If ["$select" = ""] | | ["${arr[$soft-1]}" = = "];then
prompt= "Input Errors,please input a number:"
Else
Eval $soft =${arr[$soft-1]}
Eval echo "Your selection: \$ $soft"
Break
Fi
Done
}

# bit_to_human_readable: bits -> "b" / "Kb" / "Mb" string
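bit_to_human_readable() {
    # Render a bit count as "<n>b", "<n.n>Kb" or "<n.n>Mb".
    #   $1 - number of bits (integer or decimal); a non-numeric or empty
    #        argument is treated as 0 instead of breaking the arithmetic
    # Prints the result on stdout. The unit steps up when the integer part
    # exceeds 922 rather than 1024, so a value just under a full unit shows
    # as e.g. "0.9Kb" instead of "950b".
    local value=$1
    if [[ ! $value =~ ^-?[0-9]+(\.[0-9]+)?$ ]]; then
        value=0
    fi
    # LC_ALL=C pins the decimal separator to "." regardless of the caller's
    # locale, so the printed figure is always parseable.
    LC_ALL=C awk -v v="$value" 'BEGIN {
        if (int(v) <= 922) {
            printf "%s%s\n", v, "b"
            exit
        }
        # each step rounds to one decimal first and the next step divides
        # the rounded figure, so the displayed numbers stay self-consistent
        v = sprintf("%0.1f", v / 1024)
        unit = "Kb"
        if (int(v) > 922) {
            v = sprintf("%0.1f", v / 1024)
            unit = "Mb"
        }
        printf "%s%s\n", v, unit
    }'
}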

# check_package_manager: detect the distribution's package manager
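check_package_manager() {
    # Report whether $1 ("apt" or "yum") is the package manager of this host.
    #   $1 - manager name to test
    # Returns 0 when it matches the detected distribution family, 1 otherwise
    # (including an empty argument and an unidentified distribution; the
    # latter is reported on stderr so stdout stays clean for callers).
    local manager=$1
    local detected=""
    local src

    # Sources are tried in order of reliability; /etc/os-release is the
    # modern one, /etc/issue and /proc/version keep older hosts working.
    # Unreadable files are skipped instead of producing cat errors.
    for src in /etc/os-release /etc/issue /proc/version; do
        [[ -r $src ]] || continue
        if grep -q -E -i "ubuntu|debian" -- "$src"; then
            detected="apt"
            break
        elif grep -q -E -i "centos|red hat|redhat|rhel|fedora" -- "$src"; then
            detected="yum"
            break
        fi
    done
    if [[ -z $detected ]]; then
        echo "unknown package manager" >&2
    fi

    [[ -n $manager && $manager == "$detected" ]]
}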


# realTimeTraffic: live rx/tx rate of one interface
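realTimeTraffic() {
    # Show the live receive/transmit rate of one interface, refreshed every
    # 2 seconds, next to the peak seen since start. Loops until interrupted.
    # Interfaces are listed from /proc/net/dev (all but "lo"); with several,
    # display_menu lets the user pick one and leaves the choice in $nic.
    # Returns 1 when no usable interface is found or its counters vanish.
    local eth=""
    local -a nic_arr=()
    local name

    # /proc/net/dev already provides the counters, so use it for discovery as
    # well instead of relying on ifconfig (absent on many current systems).
    # "lo" is compared exactly; the old `grep -v lo` dropped any name
    # containing those two letters.
    while read -r name; do
        [[ $name == "lo" ]] || nic_arr+=("$name")
    done < <(awk -F: 'NR > 2 { gsub(/ /, "", $1); print $1 }' /proc/net/dev)

    if (( ${#nic_arr[@]} == 0 )); then
        echo "sorry,I can not detect any network device,please report this issue to author." >&2
        return 1
    elif (( ${#nic_arr[@]} == 1 )); then
        eth=${nic_arr[0]}
    else
        display_menu nic || return 1
        eth=$nic
    fi

    # Exact match on the interface column: a substring regex would also hit
    # "veth0abc" when asked for "eth0". Fields 1 and 9 after the colon are
    # the receive and transmit byte counters; splitting on the colon first
    # keeps that true for names of 6+ characters, which the kernel prints
    # without leading padding (the old fixed $3/$11 then read packet counts).
    local counters='{ n = $1; gsub(/ /, "", n); if (n == eth) { split($2, f, " "); print f[1], f[9] } }'
    local rx_before tx_before rx_after tx_after
    local eth_in=0 eth_out=0 eth_in_peak=0 eth_out_peak=0
    local first_pass=true

    while true; do
        # cursor to the top-left corner; clear the screen and print the
        # header only once, later passes just overwrite the two value rows
        printf '\033[0;0H'
        if [[ $first_pass == true ]]; then
            printf '\033[2J'
            echo "$eth--------now--------------peak-----------"
            first_pass=false
        fi
        read -r rx_before tx_before < <(awk -v eth="$eth" -F: "$counters" /proc/net/dev)
        sleep 2
        read -r rx_after tx_after < <(awk -v eth="$eth" -F: "$counters" /proc/net/dev)
        if [[ -z $tx_before || -z $tx_after ]]; then
            echo "could not read counters for $eth from /proc/net/dev" >&2
            return 1
        fi
        # bytes over 2 s -> bits per second; a counter reset would give a
        # negative delta, which is shown as 0 instead of a bogus rate
        eth_in=$(( (rx_after - rx_before) * 8 / 2 ))
        eth_out=$(( (tx_after - tx_before) * 8 / 2 ))
        (( eth_in < 0 )) && eth_in=0
        (( eth_out < 0 )) && eth_out=0
        (( eth_in > eth_in_peak )) && eth_in_peak=$eth_in
        (( eth_out > eth_out_peak )) && eth_out_peak=$eth_out
        # row 2, column 1; erase each line before rewriting it
        printf '\033[2;1H'
        printf '\033[K'
        printf '%-20s%-20s\n' "Receive:  $(bit_to_human_readable "$eth_in")" "$(bit_to_human_readable "$eth_in_peak")"
        printf '\033[K'
        printf '%-20s%-20s\n' "Transmit: $(bit_to_human_readable "$eth_out")" "$(bit_to_human_readable "$eth_out_peak")"
    done
}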

# trafficAndConnectionOverview: 10-second traffic and connection snapshot
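_na_two_columns() {
    # Print two small tables side by side, the left one padded to 50 columns.
    #   $1 - left title   $2 - left rows (newline separated)
    #   $3 - right title  $4 - right rows
    # Rows are paired by index, so a table with fewer than ten rows no longer
    # corrupts the layout the way the fixed "cursor up 11 lines" escape did.
    local -a left right
    mapfile -t left <<<"$2"
    mapfile -t right <<<"$4"
    local rows=${#left[@]} i
    (( ${#right[@]} > rows )) && rows=${#right[@]}
    printf '\033[32m%-50s%s\033[0m\n' "$1" "$3"
    for (( i = 0; i < rows; i++ )); do
        printf '%-50s%s\n' "${left[i]}" "${right[i]}"
    done
}

_na_traffic_rank() {
    # Top-10 bandwidth consumers from a 10 s capture.
    #   $1 - file with one "src sport dst dport bytes" record per packet
    #   $2 - space separated IPv4 addresses of this host (decide direction)
    #   $3 - grouping key:
    #          sport  traffic per local (server) port
    #          cport  traffic per remote (client) port
    #          sip    traffic per remote IP, seen from the server side
    #          cip    traffic per remote IP, seen from the client side
    # Prints "<label> <rate>/s" lines, highest rate first.
    local file=$1 ips=$2 mode=$3
    local label bits
    awk -v ips="$ips" -v mode="$mode" '
        BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) local[a[i]] = 1 }
        {
            # a packet addressed to one of our IPs is inbound: $1/$2 is the
            # client and $3/$4 our server socket; otherwise the roles swap
            if ($3 in local) {
                if (mode == "sport")      key = "clients > " $3 ":" $4
                else if (mode == "cport") key = $1 ":" $2 " > server"
                else if (mode == "sip")   key = $1 " > " $3 ":" $4
                else                      key = $1 ":" $2 " > " $3
            } else {
                if (mode == "sport")      key = $1 ":" $2 " > clients"
                else if (mode == "cport") key = "server > " $3 ":" $4
                else if (mode == "sip")   key = $1 ":" $2 " > " $3
                else                      key = $1 " > " $3 ":" $4
            }
            sum[key] += $5 * 8 / 10   # bytes over 10 s -> bits per second
        }
        END { for (k in sum) printf "%s\t%d\n", k, sum[k] }' "$file" \
        | sort -t $'\t' -k 2,2 -nr | head -n 10 \
        | while IFS=$'\t' read -r label bits; do
            echo "$label $(bit_to_human_readable "$bits")/s"
        done
}

trafficAndConnectionOverview() {
    # Ten-second snapshot of one interface: average throughput, bandwidth
    # ranking per port and per peer IP (from a tcpdump capture) and
    # connection-state statistics (from ss). Needs root for tcpdump; when
    # tcpdump is missing it is installed with apt-get or yum.
    # Interface selection works as in realTimeTraffic (display_menu sets
    # $nic). Sets an EXIT trap for its scratch directory while running.
    # Returns 1 on any setup failure.
    local eth=""
    local -a nic_arr=() local_ips=()
    local name

    if ! command -v tcpdump >/dev/null 2>&1; then
        echo "tcpdump not found,going to install it."
        if check_package_manager apt; then
            apt-get -y install tcpdump
        elif check_package_manager yum; then
            yum -y install tcpdump
        fi
        # do not continue into a capture that cannot run
        if ! command -v tcpdump >/dev/null 2>&1; then
            echo "tcpdump is still not available, giving up." >&2
            return 1
        fi
    fi
    if ! command -v ss >/dev/null 2>&1; then
        echo "ss (iproute2) not found, giving up." >&2
        return 1
    fi

    # interface discovery from /proc/net/dev, exact "lo" exclusion
    while read -r name; do
        [[ $name == "lo" ]] || nic_arr+=("$name")
    done < <(awk -F: 'NR > 2 { gsub(/ /, "", $1); print $1 }' /proc/net/dev)
    if (( ${#nic_arr[@]} == 0 )); then
        echo "sorry,I can not detect any network device,please report this issue to author." >&2
        return 1
    elif (( ${#nic_arr[@]} == 1 )); then
        eth=${nic_arr[0]}
    else
        display_menu nic || return 1
        eth=$nic
    fi

    # The interface's own IPv4 addresses tell client from server traffic.
    # iproute2 first; the ifconfig fallback copes with both the old
    # "inet addr:A.B.C.D" and the new "inet A.B.C.D" layouts.
    if command -v ip >/dev/null 2>&1; then
        while read -r name; do local_ips+=("$name"); done < <(
            ip -4 -o addr show dev "$eth" 2>/dev/null | awk '{ split($4, a, "/"); print a[1] }')
    else
        while read -r name; do local_ips+=("$name"); done < <(
            ifconfig "$eth" 2>/dev/null | grep -E -o 'inet (addr:)?[0-9.]+' | sed -e 's/^inet //' -e 's/^addr://')
    fi
    if (( ${#local_ips[@]} == 0 )); then
        echo "no IPv4 address on $eth, can not tell client from server traffic." >&2
        return 1
    fi

    # Private scratch directory. Fixed names under /tmp written as root could
    # be pre-created or symlinked by any local user.
    local tmpdir
    tmpdir=$(mktemp -d) || return 1
    trap "rm -rf -- '$tmpdir'" EXIT

    echo "please wait for 10s to generate network data..."
    echo
    # byte counters, exact interface match (see realTimeTraffic)
    local counters='{ n = $1; gsub(/ /, "", n); if (n == eth) { split($2, f, " "); print f[1], f[9] } }'
    local rx_before tx_before rx_after tx_after cap_pid
    read -r rx_before tx_before < <(awk -v eth="$eth" -F: "$counters" /proc/net/dev)
    # IPv4 only: that is all the parser below understands
    tcpdump -v -i "$eth" -tnn ip >"$tmpdir/raw" 2>&1 &
    cap_pid=$!
    sleep 10
    # stop our own capture only; the old ps|grep|kill hit every tcpdump on the host
    kill "$cap_pid" 2>/dev/null
    wait "$cap_pid" 2>/dev/null
    read -r rx_after tx_after < <(awk -v eth="$eth" -F: "$counters" /proc/net/dev)
    clear
    if [[ -z $tx_before || -z $tx_after ]]; then
        echo "could not read counters for $eth from /proc/net/dev" >&2
        rm -rf -- "$tmpdir"
        trap - EXIT
        return 1
    fi
    local eth_in=$(( (rx_after - rx_before) * 8 / 10 ))
    local eth_out=$(( (tx_after - tx_before) * 8 / 10 ))
    printf '\033[32m%s\033[0m\n' "network device $eth average traffic in 10s: "
    echo "$eth Receive: $(bit_to_human_readable "$eth_in")/s"
    echo "$eth Transmit: $(bit_to_human_readable "$eth_out")/s"
    echo
    if ! grep -q '^IP ' "$tmpdir/raw"; then
        # typically "permission denied" when not root: say so instead of
        # printing empty tables
        echo "no IPv4 packets captured; tcpdump reported:" >&2
        head -n 3 "$tmpdir/raw" >&2
    fi

    # Normalise both tcpdump layouts into "src sport dst dport bytes".
    # tcpdump 4.x prints the IP header on a line ending in ")" and the
    # addresses on the next line; 3.x puts both on one line with
    # "length: N)" in the middle. Packets without ports (ICMP, ...) get "-".
    awk '
        BEGIN { S["ip"] = ""; D["ip"] = "" }
        function addr(s, out,    n, b) {
            n = split(s, b, ".")
            if (s ~ /[^0-9.]/ || (n != 4 && n != 5)) return 0
            out["ip"] = b[1] "." b[2] "." b[3] "." b[4]
            out["port"] = (n == 5) ? b[5] : "-"
            return 1
        }
        function emit(line, len,    a) {
            if (split(line, a, " ") < 3) return
            sub(/:$/, "", a[3])
            if (addr(a[1], S) && addr(a[3], D))
                print S["ip"], S["port"], D["ip"], D["port"], len + 0
        }
        /^IP / {
            if ($0 ~ /\)$/) {
                len = $NF; sub(/\)/, "", len)
                if ((getline line) > 0) emit(line, len)
            } else if (match($0, /: [0-9]+\)/)) {
                emit(substr($0, RSTART + RLENGTH), substr($0, RSTART + 2, RLENGTH - 3))
            }
        }' "$tmpdir/raw" >"$tmpdir/packets"

    local ips="${local_ips[*]}"
    _na_two_columns \
        "average traffic in 10s base on server port: " "$(_na_traffic_rank "$tmpdir/packets" "$ips" sport)" \
        "average traffic in 10s base on client port: " "$(_na_traffic_rank "$tmpdir/packets" "$ips" cport)"
    echo
    _na_two_columns \
        "top IP average traffic in 10s base on server: " "$(_na_traffic_rank "$tmpdir/packets" "$ips" sip)" \
        "top IP average traffic in 10s base on client: " "$(_na_traffic_rank "$tmpdir/packets" "$ips" cip)"
    echo

    # Sockets on this interface's addresses, listeners excluded. The ss
    # header is dropped before filtering; the old "NR>1" ran after grep had
    # already removed the header and so silently dropped one connection.
    # Dots are bracketed so the addresses match literally, and "]?" accepts
    # the "[::ffff:A.B.C.D]:port" form of IPv4-mapped sockets.
    local re
    re=$(IFS='|'; printf '%s' "${local_ips[*]//./[.]}")
    ss -an | awk -v re="(^|:)(${re})]?:[0-9]+$" \
        'NR > 1 && $0 !~ /LISTEN|UNCONN/ && ($(NF-1) ~ re || $NF ~ re)' >"$tmpdir/ss"

    # columns from the end: state is NF-4, local socket NF-1, peer socket NF
    printf '\033[32m%s\033[0m\n' "connection state count: "
    awk '{ c[$(NF-4)]++ } END { for (s in c) print s, c[s] }' "$tmpdir/ss" | sort -k 2 -nr
    echo
    _na_two_columns \
        "connection state count by port base on server: " \
        "$(awk '{ c[$(NF-4) " " $(NF-1)]++ } END { for (k in c) print k, c[k] }' "$tmpdir/ss" | sort -k 3 -nr | head -n 10)" \
        "connection state count by port base on client: " \
        "$(awk '{ c[$(NF-4) " " $NF]++ } END { for (k in c) print k, c[k] }' "$tmpdir/ss" | sort -k 3 -nr | head -n 10)"
    echo

    # Peer IPs (port stripped) with the most sockets in a given state. No
    # port filter is applied: every local port kept above is counted.
    local state
    for state in ESTAB SYN-RECV; do
        printf '\033[32m%s\033[0m\n' "top IP ${state} state count at port: "
        awk -v st="$state" '$(NF-4) == st { ip = $NF; sub(/:[0-9]+$/, "", ip); c[ip]++ }
            END { for (k in c) print k, c[k] }' "$tmpdir/ss" | sort -k 2 -nr | head -n 10
        echo
    done

    rm -rf -- "$tmpdir"
    trap - EXIT
}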

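main() {
    # Top-level menu: ask until a valid item is chosen, then run it once.
    # A closed stdin (EOF) ends the script instead of re-printing the error
    # forever; the variable is not called "select" because that is a shell
    # reserved word.
    local choice
    while true; do
        printf '1) real time traffic.\n2) traffic and connection overview.\n\n'
        read -r -p "please input your select(ie 1): " choice || exit 1
        case $choice in
            1) realTimeTraffic; break ;;
            2) trafficAndConnectionOverview; break ;;
            *) echo "input error,please input a number." ;;
        esac
    done
}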

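# Start the menu only when executed directly, so the functions can also be
# sourced from another script without entering the interactive loop.
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    main "$@"
fi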
