linux-Network Monitoring Command-netstat advanced

Source: Internet
Author: User

2. Detailed network connection states
There are 12 possible states. The first 11 follow from the three-way handshake that establishes a TCP connection and the four-way exchange that tears it down.
1), LISTEN: The server first opens a socket and listens on it; the socket is in the LISTEN state. /* The socket is listening for incoming connections. Waiting for a connection request from any remote TCP port */

2), SYN_SENT: The client application calls connect() to perform an active open. The client TCP sends a SYN to request a connection and the socket enters SYN_SENT. /* The socket is actively attempting to establish a connection. Waiting for a matching connection request after having sent a connection request */

3), SYN_RECV: The server sends an ACK confirming the client's SYN together with a SYN of its own, and enters SYN_RECV. /* A connection request has been received from the network. Waiting for confirmation of the connection request after having both received and sent one */

4), ESTABLISHED: An open connection; both sides can send and receive data. /* The socket has an established connection. Data can be delivered to the user */

5), FIN_WAIT1: The application on the actively closing side calls close(); its TCP sends a FIN to request that the connection be closed and enters FIN_WAIT1. /* The socket is closed, and the connection is shutting down. Waiting for a connection termination request from the remote TCP, or for acknowledgement of the termination request previously sent */

6), CLOSE_WAIT: When the passively closing side's TCP receives the FIN, it sends an ACK in response (the received FIN is also passed to the upper-layer application as end-of-file) and enters CLOSE_WAIT. /* The remote end has shut down, waiting for the socket to close. Waiting for a connection termination request from the local user */

7), FIN_WAIT2: The actively closing side receives the ACK and enters FIN_WAIT2. /* Connection is closed, and the socket is waiting for a shutdown from the remote end. Waiting for a connection termination request from the remote TCP */

8), LAST_ACK: Some time later, the application on the passively closing side that received end-of-file calls close(). Its TCP then also sends a FIN and waits for the peer's ACK; the socket is in LAST_ACK. /* The remote end has shut down, and the socket is closed. Waiting for acknowledgement of the connection termination request previously sent to the remote TCP */

9), TIME_WAIT: After the actively closing side receives the FIN, its TCP sends an ACK and enters TIME_WAIT. /* The socket is waiting after close to handle packets still in the network. Waiting long enough to be sure the remote TCP received the acknowledgement of its connection termination request */

10), CLOSING: Relatively rare. /* Both sockets are shut down but we still don't have all of our data sent. Waiting for the remote TCP's acknowledgement of the connection termination request */

11), CLOSED: After the passively closing side receives the ACK, it enters CLOSED and the connection is over. /* The socket is not being used. No connection state */

12), UNKNOWN: The socket state is unknown. /* The state of the socket is unknown. */

SYN: (Synchronize Sequence Numbers) This flag is only valid during the three-way handshake that establishes a TCP connection. It signals a new TCP connection request.
ACK: (Acknowledgement) The acknowledgement flag for a TCP request; it indicates that the peer has successfully received all the data sent so far.
FIN: (Finish) Used to end a TCP conversation. The corresponding port, however, remains open and ready to receive subsequent data.

PS: On Windows there is a handy little tool, TCPView: a Windows program that shows detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and the state of TCP connections. See http://technet.microsoft.com/en-us/sysinternals/bb897437. If you want to analyze packets in detail, choose a more powerful tool such as a sniffer or Wireshark.

Resources:

Http://linux.sheup.com/linux/4/31225.html

Http://hi.baidu.com/mqbest_come_on/blog/item/18526dcef73d791a00e928e5.html

http://www.daxigua.com/archives/1355


System Connection Status Chapter:

1. View TCP connection states
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn

netstat -n | awk '/^tcp/{++s[$NF]}; END {for (a in s) print a, s[a]}' or
netstat -n | awk '/^tcp/{++state[$NF]}; END {for (key in state) print key, "\t", state[key]}'
netstat -n | awk '/^tcp/{++arr[$NF]}; END {for (k in arr) print k, "\t", arr[k]}'

netstat -n | awk '/^tcp/{print $NF}' | sort | uniq -c | sort -rn

netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c

2. Find the 20 IPs with the most requests (commonly used to find the source of an attack):
netstat -anlp | grep 80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20

netstat -ant | awk '/:80/{split($5,ip,":"); ++a[ip[1]]} END{for (i in a) print a[i],i}' | sort -rn | head -n20

3. Sniff port-80 traffic with tcpdump to see which source IP is the most frequent
tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20

4. Find the IPs with the most TIME_WAIT connections
netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n20

5. Find the IPs with the most SYN connections
netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more

6. Find the process listening on a port
netstat -ntlp | grep 80 | awk '{print $7}' | cut -d/ -f1
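The one-liners in items 1, 2, 4 and 5 above each rebuild the same netstat parsing by hand. The following is an added example, not from the original page or from linuxtone.org: a small POSIX sh toolkit that wraps those pipelines in functions reading `netstat -ant` style output from stdin, so they can be run against a constructed sample (shown inline, not a real capture) or piped from a live `netstat -ant`. The function names, the sample addresses and the SYN_RECV threshold are my own choices.

```shell
#!/bin/sh
# Added example: netstat-style state and per-peer summaries (not the page's own code).

# Constructed sample of `netstat -ant` output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      TIME_WAIT
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40003       SYN_RECV
tcp        0      0 10.0.0.5:22             192.0.2.44:55555        ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN'

# Item 1: number of connections in each TCP state, most common first.
tcp_state_counts() {
  awk '/^tcp/ { ++n[$NF] } END { for (s in n) print n[s], s }' | sort -rn
}

# Items 2 and 4: remote IPs with the most connections to a local port.
# LISTEN rows are skipped: their "foreign address" is a wildcard, not a peer.
# (IPv4-mapped IPv6 peers such as ::ffff:a.b.c.d would need a smarter split.)
top_remote_ips_on_port() {
  port="$1"
  limit="${2:-20}"
  awk -v p="$port" '
    /^tcp/ && $NF != "LISTEN" && $4 ~ (":" p "$") {
      split($5, a, ":")          # drop the remote port, keep the address
      ++c[a[1]]
    }
    END { for (ip in c) print c[ip], ip }' | sort -rn | head -n "$limit"
}

# Item 5: remote IPs holding at least <threshold> half-open (SYN_RECV)
# connections. Many half-open connections from a few sources is the usual
# SYN-flood symptom; a threshold of 1 simply lists every source.
half_open_sources() {
  threshold="${1:-1}"
  awk -v t="$threshold" '
    /^tcp/ && $NF == "SYN_RECV" { split($5, a, ":"); ++c[a[1]] }
    END { for (ip in c) if (c[ip] >= t) print c[ip], ip }' | sort -rn
}

# Stand-alone demo on the constructed sample; on a live host replace the
# printf with `netstat -ant`.
printf '%s\n' "$SAMPLE_NETSTAT" | tcp_state_counts
printf '%s\n' "$SAMPLE_NETSTAT" | top_remote_ips_on_port 80 5
printf '%s\n' "$SAMPLE_NETSTAT" | half_open_sources 2
```

On the sample, `tcp_state_counts` reports SYN_RECV as the most common state and `half_open_sources 2` names the single peer responsible, which is the pattern worth alerting on; the same functions work unchanged on `ss -ant` output, whose columns line up with netstat's.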

Website Log Analysis 1 (Apache):

1. Get the top 10 IP addresses by number of requests
cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -10
cat access.log | awk '{counts[$(11)]+=1}; END {for (url in counts) print counts[url], url}'

2. Most visited files or pages, top 20
cat access.log | awk '{print $11}' | sort | uniq -c | sort -nr | head -20

3. List the largest EXE file transfers (commonly used when analyzing a download site)
cat access.log | awk '($7~/\.exe/){print $10 " " $1 " " $4 " " $7}' | sort -nr | head -20

4. List EXE files with output larger than 200000 bytes (approx. 200 KB) and how many times each file occurs
cat access.log | awk '($10 > 200000 && $7~/\.exe/){print $7}' | sort -n | uniq -c | sort -nr | head -100

5. If the last column of the log records the page transfer time, list the pages that took the longest to deliver to the client
cat access.log | awk '($7~/\.php/){print $NF " " $1 " " $4 " " $7}' | sort -nr | head -100

6. List the most time-consuming pages (more than 60 seconds) and how many times each page occurs
cat access.log | awk '($NF > 60 && $7~/\.php/){print $7}' | sort -n | uniq -c | sort -nr | head -100

7. List files whose transfer took longer than 30 seconds
cat access.log | awk '($NF > 30){print $7}' | sort -n | uniq -c | sort -nr | head -20

8. Total website traffic (GB)
cat access.log | awk '{sum+=$10} END {print sum/1024/1024/1024}'

9. List the 404 responses
awk '($9 ~ /404/)' access.log | awk '{print $9,$7}' | sort

10. HTTP status statistics
cat access.log | awk '{counts[$(9)]+=1}; END {for (code in counts) print code, counts[code]}'
cat access.log | awk '{print $9}' | sort | uniq -c | sort -rn
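The Apache one-liners above all depend on the same column positions, which is where they silently go wrong when the LogFormat differs. Below is an added example, not from the original page or from linuxtone.org, that wraps items 1, 6, 7, 8, 9 and 10 in POSIX sh functions reading log lines from stdin. It assumes the combined log format with the request time in seconds appended as the last field, so that $1 is the client IP, $7 the URL, $9 the status, $10 the bytes sent and $NF the seconds, matching the columns the page's own commands use. The sample lines, function names and the 404 threshold are constructed for the example.

```shell
#!/bin/sh
# Added example: Apache access.log summaries (not the page's own code).
# Assumed format: combined log + request time in seconds as the last field.

# Constructed sample lines (not a real log).
SAMPLE_ACCESS='198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.812
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /download/setup.exe HTTP/1.1" 200 3145728 "-" "Mozilla/5.0" 45.100
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /admin.php HTTP/1.1" 404 512 "-" "curl/7.88" 0.004
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /backup.zip HTTP/1.1" 404 512 "-" "curl/7.88" 0.003
203.0.113.9 - - [10/Oct/2023:13:56:03 +0000] "GET /old/config.php HTTP/1.1" 404 512 "-" "curl/7.88" 0.003
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "GET /report.php HTTP/1.1" 200 20480 "-" "Mozilla/5.0" 75.300
192.0.2.44 - - [10/Oct/2023:13:58:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" 0.120'

# Item 1: top client IPs by request count.
apache_top_ips() {
  limit="${1:-10}"
  awk '{ ++c[$1] } END { for (ip in c) print c[ip], ip }' | sort -rn | head -n "$limit"
}

# Item 10: requests per HTTP status code.
apache_status_counts() {
  awk '{ ++c[$9] } END { for (s in c) print c[s], s }' | sort -rn
}

# Items 6 and 7: requests slower than <seconds>, slowest first
# (seconds, client, URL on each line).
apache_slow_requests() {
  awk -v t="$1" '$NF > t { print $NF, $1, $7 }' | sort -rn
}

# Item 8: total bytes served; divide by 1024^3 for GB as the page does.
apache_total_bytes() {
  awk '{ sum += $10 } END { print sum + 0 }'
}

# Item 9 turned into a detection: clients with at least <threshold> 404s,
# the usual footprint of a scanner probing for files that do not exist.
apache_404_scanners() {
  threshold="${1:-10}"
  awk -v t="$threshold" '$9 == 404 { ++c[$1] } END { for (ip in c) if (c[ip] >= t) print c[ip], ip }' | sort -rn
}

# Stand-alone demo; on a real server replace the printf with `cat access.log`.
printf '%s\n' "$SAMPLE_ACCESS" | apache_top_ips 3
printf '%s\n' "$SAMPLE_ACCESS" | apache_status_counts
printf '%s\n' "$SAMPLE_ACCESS" | apache_slow_requests 30
printf '%s\n' "$SAMPLE_ACCESS" | apache_total_bytes
printf '%s\n' "$SAMPLE_ACCESS" | apache_404_scanners 3
```

Because the user-agent string in real logs usually contains spaces, `$11`, `$12` and any other column after the quoted fields cannot be trusted; only `$NF` (the appended time) and the columns before the referer are stable, which is why the functions above use exactly those.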

11. Spider analysis
See which spiders are crawling the content.
/usr/sbin/tcpdump -i eth0 -l -s 0 -w - dst port 80 | strings | grep -i user-agent | grep -i -E 'bot|crawler|slurp|spider'

Website Log Analysis 2 (Squid):

2. Traffic statistics by domain
zcat squid_access.log.tar.gz | awk '{print $10,$7}' | awk 'BEGIN{FS="[/]"}{trfc[$4]+=$1}END{for (domain in trfc) {printf "%s\t%d\n", domain, trfc[domain]}}'

A more efficient Perl version can be downloaded from: http://docs.linuxtone.org/soft/tools/tr.pl
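The Squid one-liner above splits the whole line on "/" and relies on the domain landing in $4, which breaks for URLs without a scheme (CONNECT requests) and for hosts with a port. As an added example, not from the original page or from linuxtone.org, here is a POSIX sh function that extracts the host explicitly. It assumes Squid's native log format, where the bytes are in $5 and the URL in $7 (the page's own command reads bytes from $10, which belongs to a different LogFormat); the sample lines are constructed.

```shell
#!/bin/sh
# Added example: bytes per destination domain from a Squid access log
# (not the page's own code). Assumed native format:
# time elapsed client code/status bytes method URL user hierarchy/peer type

# Constructed sample lines (not a real log).
SAMPLE_SQUID='1697000000.123    120 10.0.0.21 TCP_MISS/200 15360 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1697000001.456     80 10.0.0.21 TCP_HIT/200 204800 GET http://cdn.example.net/lib.js - NONE/- application/javascript
1697000002.789    300 10.0.0.22 TCP_MISS/200 51200 GET http://www.example.com/img/logo.png - DIRECT/93.184.216.34 image/png
1697000003.012     10 10.0.0.23 TCP_MISS/403 1024 CONNECT updates.example.org:443 - HIER_NONE/- -'

# Sum $5 (bytes) per host taken from $7 (URL); output "domain<TAB>bytes",
# largest first. Handles scheme-less CONNECT targets and host:port forms.
squid_bytes_by_domain() {
  awk '{
    url = $7
    sub(/^[a-z]+:\/\//, "", url)                     # strip "http://", "ftp://", ...
    n = index(url, "/"); if (n) url = substr(url, 1, n - 1)   # drop the path
    n = index(url, ":"); if (n) url = substr(url, 1, n - 1)   # drop :port
    t[url] += $5
  }
  END { for (d in t) printf "%s\t%d\n", d, t[d] }' | sort -k2,2nr
}

# Stand-alone demo; on a proxy use `zcat access.log.gz | squid_bytes_by_domain`.
printf '%s\n' "$SAMPLE_SQUID" | squid_bytes_by_domain
```

Sorting by bytes rather than by request count is what makes this useful for spotting a single destination that suddenly dominates outbound volume, which is the same view the page's per-domain statistic aims at.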

Database Chapter
1. View the SQL statements executed against the database (captured from port 3306, the MySQL port)
/usr/sbin/tcpdump -i eth0 -s 0 -l -w - dst port 3306 | strings | egrep -i 'select|update|delete|insert|set|commit|rollback|create|drop|alter|call'

System Debug Analysis Chapter

1. Trace the system calls of a running process
strace -p PID

2. Attach gdb to the specified PID
gdb -p PID

For more details see linuxtone.org
