Netstat command and log analysis command

The netstat command and log analysis command are used as the computer administrator. we all need to know about the netstat command. it is a tool used to check the network connection status. This tool is also available in windows by default. The Netstat command details how to use the netstat command to close the TIME_WAIT connection... the netstat command and log analysis command are used as the computer administrator. we all need to know about the netstat command. it is a tool used to check the network connection status. This tool is also available in windows by default. The Netstat command details how to use the netstat command to disable the TIME_WAIT connection, how to count the access volume of the web server, and how to view the nginx access traffic? Next let's take a look at its main usage and details! (Netstat-na command). This article mainly describes the netstat tool in Linux, and then describes the various network connection statuses in detail. Netstat-nat | awk '{print $6}' | sort | uniq-c | sort-nr1.netstat occupied ), if you are a root user, I like to use netstat-pnl | grep 443 (the process PID that occupies port 443 of the local machine can also be displayed ). Netstat function description: displays the network status. Syntax: netstat [-acCeFghilMnNoprstuvVwx] [- <网络类型> ] [-- Ip] Note: the netstat command can be used to show you the network conditions of the entire Linux system. Parameter:-a or-all shows the sockets in all connections. - <网络类型> Or- <网络类型> Lists the related addresses of a network connection. -C or-continuous continuously lists the network status. -C or-cache displays the cache information of the vro configuration. -E or-extend displays other network-related information. -F or-fib displays FIB. -G or-groups displays a list of members of the multi-broadcast function Group. -H or-help online help. -I or-interfaces displays the network interface information form. -L or-listening displays the Socket of the monitored server. -M or-masquerade displays disguised network connections. -N or-numeric directly uses the IP address instead of the domain name server. -N or-netlink or-symbolic indicates the symbolic connection name of the network hardware peripheral device. -O or-timers displays the timer. -P or-programs shows the program identification code and program name using Socket. -R or-route displays the Routing Table. -S or-statistice displays a statistical table of network work information. -T or-tcp shows the connection status of the TCP transmission protocol. -U or-udp shows the connection status of UDP transmission protocol. -V or-verbose displays the command execution process. -V or-version displays version information. -W or-raw shows the RAW transmission protocol connection status. -X or-unix: this parameter has the same effect as the specified "-A unix" parameter. -Ip or-inet: the effect of this parameter is the same as that of the specified "-A inet" parameter. 2. a total of 12 possible network connection statuses are described in detail. the first 11 are described based on the three-way handshake established by the TCP connection and the four-way handshake process of the TCP connection. 1) LISTEN: first, the server needs to open a socket for listening. The status is LISTEN. /* The socket is listening for incoming connections. listen for connection requests from remote TCP ports */2), SYN_SENT: the client calls connect through the application to perform active open. therefore, the client tcp sends a SYN request to establish a connection. then the status is set to SYN_SENT. /* The socket is actively attempting to establish a connection. after sending the connection request, wait for the matching connection request */3). SYN_RECV: the server should issue an ACK to confirm the SYN of the client and send a SYN to the client. then the status is set to SYN_RECV/* A connection request has been received ed from the netw Ork. after receiving and sending a connection request, wait for confirmation of the connection request */4), ESTABLISHED: represents an open connection, and both parties can or already interact with the data. /* The socket has an established connection. indicates an opened connection. data can be transmitted to the user */5). FIN_WAIT1: the application of active close calls close, so TCP sends a FIN request to actively close the connection, and then enters the FIN_WAIT1 status. /* The socket is closed, and the connection is shutting down. wait for the remote TCP connection interruption request, or the confirmation of the previous connection interruption request */6), CLOSE_WAIT: After the passive close (passive close) end TCP receives the FIN, issue ACK to respond to the FIN request (its receipt is also passed to the upper-layer application as a file terminator) and enter CLOSE_WAIT. /* The remote end has shut down, waiting for the socket to clos E. WAIT for the connection interruption request sent from the local user */7), FIN_WAIT2: after the active end receives the ACK, it enters the FIN-WAIT-2. /* Connection is closed, and the socket is waiting for a shutdown from the remote end. from remote TCP waiting for connection interruption requests */8), LAST_ACK: After the end is passively closed for a period of time, the application receiving the file terminator will call CLOSE to CLOSE the connection. As a result, TCP also sends a FIN, waiting for the ACK of the other party. the LAST-ACK. /* The remote end has shut down, and the socket is closed. waiting for acknowledgement. WAIT for confirmation of the original connection interruption request sent to remote TCP */9) and TIME_WAIT: After receiving the FIN from the active closing end, TCP sends the ACK packet and enters the TIME-WAIT status. /* The socket is waiting after close to handle packets still in the network. wait for enough time to confirm that the remote TCP receives the connection interruption request */10), CLOSING: relatively rare. /* Both sockets are shut down but we still don't have all our data sent. wait for the remote TCP to confirm the connection interruption */11), CLOSED: After the passive closing end receives the ACK packet, it enters the closed status. Connection ended./* The socket is not being used. no connection status */12), UNKNOWN: UNKNOWN Socket status. /* The state of the socket is unknown. */SYN: (synchronous Sequence number, Synchronize Sequence Numbers) this flag is valid only when three handshakes are used to establish a TCP connection. Indicates a new TCP connection request. ACK: (confirmation Number, Acknowledgement Number) indicates the confirmation of TCP requests. it also prompts that the peer system has successfully received all data. FIN: (end sign, FINish) is used to end a TCP session. However, the corresponding port is still open and is ready to receive subsequent data. PS: There is a good tool in windows. TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. see http://technet.microsoft.com/en-us/sysinternals/bb897437 Of course, if you want to analyze data packets in detail, you can use more powerful tools such as sniffer and Wireshark. References: http://linux.sheup.com/linux/4/31225.html http://hi.baidu.com/mqbest_come_on/blog/item/18526dcef73d791a00e928e5.html http://www.daxigua.com/archives/1355 System connection status: 1. view TCP connection status netstat-nat | awk '{print $6}' | sort | uniq-c | sort-rn netstat-n | awk '/^ tcp/{++ S [$ NF]}; END {for (a in S) print a, S [a]} 'or netstat-n | awk'/^ tcp/{++ state [$ NF]}; END {for (key in state) print key, "\ t ", state [key]} 'netstat-n | awk'/^ tcp/{++ arr [$ NF]}; END {for (k in arr) print k, "\ t ", arr [k]} 'netstat-n | awk'/^ tcp/{print $ NF} '| sort | uniq-c | sort-rn netstat-ant | awk' {print $ NF} '| Grep-V' [a-z]' | sort | uniq-c 2. for more than 20 requests, see netstat-anlp | grep 80 | grep tcp | awk '{print $5}' | awk-F: '{print $1}' | sort | uniq-c | sort-nr | head-n20 netstat-ant | awk '/: 80/{split ($5, ip, ":"); ++ A [ip [1]} END {for (I in A) print A [I], i} '| sort-rn | head-n20 3. use tcpdump to sniff access to port 80 to see who has the highest tcpdump-I eth0-tnn dst port 80-c 1000 | awk-F ". '{print $1 ″. "$2 ″. "$3 ″. "$4} '| sort | uniq-c | sort-nr | Head-20 4. find more time_wait connections to netstat-n | grep TIME_WAIT | awk '{print $5}' | sort | uniq-c | sort-rn | head-n20 5. find more SYN connections. netstat-an | grep SYN | awk '{print $5}' | awk-F: '{print $1}' | sort | uniq-c | sort-nr | more 6. process netstat-ntlp | grep 80 | awk '{print $7}' | cut-d/-f1 website log analysis article 1 (Apache): 1. obtain the first 10 IP addresses of cat access. log | awk '{print $1}' | sort | uniq-c | sort-nr | head-10cat access. log | awk '{coun Ts [$ (11)] + = 1}; END {for (url in counts) print counts [url], url} '2. the most frequently accessed file or page, with the first 20 cat access. log | awk '{print $11}' | sort | uniq-c | sort-nr | head-20 3. list the largest number of exe files transmitted (commonly used when analyzing download sites) cat access. log | awk '($7 ~ /\. Exe/) {print $10 "$1" $4 "$7} '| sort-nr | head-20 4. lists the exe files with an output greater than 200000 bytes (about KB) and the number of occurrences of the corresponding files cat access. log | awk '($10> 200000 & $7 ~ /\. Exe/) {print $7} '| sort-n | uniq-c | sort-nr | head-100 5. if the last column of the log records the page file transfer time, the most time-consuming page cat access is listed on the client. log | awk '($7 ~ /\. Php/) {print $ NF "$1" $4 "$7} '| sort-nr | head-100 6. list the most time-consuming pages (more than 60 seconds) and the corresponding page occurrence times cat access. log | awk '($ NF> 60 & $7 ~ /\. Php/) {print $7} '| sort-n | uniq-c | sort-nr | head-100 7. lists the cat access files that have been transferred for more than 30 seconds. log | awk '($ NF> 30) {print $7}' | sort-n | uniq-c | sort-nr | head-20 8. count website traffic (G) cat access. log | awk '{sum + = $10} END {print sum/1024/1024/1024}' 9. count 404 of connected awk' ($9 ~ /404/) 'Access. log | awk '{print $9, $7}' | sort 10. count http status. cat access. log | awk '{counts [$ (9)] + = 1}; END {for (code in counts) print code, counts [code]} 'cat access. log | awk '{print $9}' | sort | uniq-c | sort-rn 10. spider analysis shows which spider is capturing the content. /Usr/sbin/tcpdump-I eth0-l-s 0-w-dst port 80 | strings | grep-I user-agent | grep-I-E 'bot | crawler | slurp | spider's website Daily Analysis 2 (Squid) 2. traffic statistics by domain zcat squid_access.log.tar.gz | awk '{print $10, $7} '| awk' BEGIN {FS = "[/]"} {trfc [$4] + = $1} END {for (domain in trfc) {printf "% s \ t % d \ n", domain, trfc [domain]} 'the more efficient perl version can be downloaded here: http://docs.linuxtone.org/soft/tools/tr.pl Database article 1. view the SQL/usr/sbin/tcpdump-I eth0-s 0-l-w-dst port 3306 | strings | egrep-I 'select | UPDATE | DELETE | INSERT | SET | COMMIT | ROLLBACK | CREATE | DROP | ALTER | CALL 'system Debug analysis 1. debug the strace-p pid command. tracks the PIDgdb-p pid of a specified process