Linux Daily Management Tips (2): free, ps, netstat commands and packet capture tools

Source: Internet
Author: User
Tags: domain name server

I. The free command

The free command displays the amount of used and unused memory in the current system, and also shows the buffers used by the kernel.
Usage:

free [options]

Options:

-b: display memory usage in bytes;
-k: display memory usage in kilobytes;
-m: display memory usage in megabytes;
-o: do not display the buffer adjustment line;
-s <interval in seconds>: observe memory usage continuously, refreshing at the given interval;
-t: display a line with the totals of the memory columns;
-V: display version information.

Example:

Total: total memory;
Used: memory already in use;
Free: idle memory;
Shared: shared memory (this column is now largely obsolete);
Buff/cache: memory allocated to buffers and cache in total;
Available: memory the system can actually use; available consists of free memory plus the reclaimable part of buff/cache.
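The distinction between "free" and "available" matters when you script a memory check, so here is an added example (not from the original post) that parses `free -b` output. The `free -b` text is a constructed sample, and the function names are my own.

```sh
#!/bin/sh
# Constructed sample of `free -b` output (not from a real host); the header
# line is followed by the Mem: and Swap: rows with byte values.
SAMPLE_FREE='              total        used        free      shared  buff/cache   available
Mem:     8201474048  2147483648   536870912   104857600  5517119488  5636095488
Swap:    2147483648           0  2147483648'

# Percentage of RAM that is really available for new workloads. This reads
# the "available" column ($7), so the reclaimable part of buff/cache counts.
mem_available_pct() {
    printf '%s\n' "$1" | awk '$1 == "Mem:" { printf "%d\n", ($7 * 100) / $2 }'
}

# The naive figure: the "free" column ($4) alone, which ignores buff/cache
# and therefore makes a healthy box look almost out of memory.
mem_free_pct() {
    printf '%s\n' "$1" | awk '$1 == "Mem:" { printf "%d\n", ($4 * 100) / $2 }'
}

# Returns 0 when at least THRESHOLD percent of RAM is available, 1 otherwise;
# meant to wrap `free -b` in a cron job or a monitoring probe:
#   check_memory "$(free -b)" 20 || echo "low memory"
check_memory() {
    pct=$(mem_available_pct "$1")
    [ "$pct" -ge "$2" ]
}
```

On the sample, mem_free_pct reports 6 percent while mem_available_pct reports 68 percent; the second number is the one to alert on.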

II. The ps command

The ps command reports the process status of the current system, and you can interrupt and remove unneeded programs with the kill command at any time. ps is the most basic and powerful process-viewing command: it tells you which processes are running, whether a process has completed or died, which processes are consuming too many resources, and so on, and most of this information can be obtained by running a single command.
Usage:

# ps [options]

Options (Reference):

http://man.linuxde.net/ps
Because ps supports a very large number of system types, it has an enormous number of options.

Example:

Some people prefer ps -elf; the information it displays is basically the same. ps has many more uses that are not introduced here, because this command alone is enough for most work; if you need other usage, consult man or search online. The meanings of several fields are given below.
PID: the ID of the process. This ID is very useful, because the Linux kernel identifies and manages each process by its PID. For example, to terminate a process, run kill <pid>; sometimes that does not kill it and you need to add the -9 option, kill -9 <pid>. That is somewhat brutal and in serious cases loses data, so try not to use it.
STAT: the status of the process. Process states are divided into the following kinds (you do not need to memorise them, but you should understand them):

D: an uninterruptible process (usually waiting on IO)
R: a running process
S: a sleeping process (interruptible sleep); most processes in the system are in this state
T: a process that has stopped or is paused; for example, if we run a command such as sleep 10 and press ctrl-z to pause it, ps will show its status as T
W: paging; no longer used since kernel 2.6.xx
X: a dead process (this should never be seen)
Z: a zombie process; it cannot be killed, it is a defunct process that holds a small amount of system resources, and a few of them are harmless, but if there are too many there is a problem. Generally they do not appear.
<: a high-priority process
N: a low-priority process
L: a process with pages locked into memory
s: a session leader (main process)
l: a multithreaded process
+: a process running in the foreground
In daily work, ps is often combined with a pipe to other commands:
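As an added example (not from the original post), the STAT letters above can be checked from a pipeline instead of by eye. The `ps -eo pid,stat,comm` text is a constructed sample, and the function names are my own.

```sh
#!/bin/sh
# Constructed sample of `ps -eo pid,stat,comm` output (not from a real host).
# The first STAT letter is the primary state; the rest are the modifiers
# listed above (s = session leader, l = multithreaded, < = high priority, ...).
SAMPLE_PS='  PID STAT COMMAND
    1 Ss   systemd
  845 Ssl  rsyslogd
  912 S<   auditd
 1201 R+   dd
 1340 D    kworker/u8:2
 2011 Z    defunct-child
 2220 T    sleep
 2300 Sl   java'

# Print "PID COMMAND" for every process whose primary state letter is in the
# set given as the first argument, e.g. "ZD" for zombies and processes stuck
# in uninterruptible (IO) sleep.
ps_with_state() {
    printf '%s\n' "$2" | awk -v want="$1" \
        'NR > 1 && index(want, substr($2, 1, 1)) { print $1, $3 }'
}

# Tally processes per primary state letter, printed as "STATE COUNT" and
# sorted by state, in the same way the page later counts netstat states.
ps_state_summary() {
    printf '%s\n' "$1" | awk \
        'NR > 1 { n[substr($2, 1, 1)]++ } END { for (k in n) print k, n[k] }' | sort
}

# Simple health check: exit status 0 when there are no zombies, 1 otherwise.
#   no_zombies "$(ps -eo pid,stat,comm)" || echo "zombies present"
no_zombies() {
    [ -z "$(ps_with_state Z "$1")" ]
}
```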

III. The netstat command

The netstat command prints the status of the network subsystem in Linux, letting you learn about the network conditions of the entire Linux system.
Usage:

# netstat [parameters]

Parameters:

-a or --all: display all sockets, including those in the listening state;
-A <address family> or --<address family>: list the addresses of the given address family;
-c or --continuous: list the network status continuously;
-C or --cache: display the routing cache information;
-e or --extend: display additional information about the network;
-F or --fib: display the forwarding information base (FIB);
-g or --groups: display the multicast group membership list;
-h or --help: online help;
-i or --interfaces: display the network interface table;
-l or --listening: display only the server sockets that are listening;
-M or --masquerade: display masqueraded network connections;
-n or --numeric: show IP addresses directly instead of resolving them through a domain name server;
-N or --netlink or --symbolic: display the symbolic names of network hardware peripherals;
-o or --timers: display timers;
-p or --programs: display the process ID and program name of the process using each socket;
-r or --route: display the routing table;
-s or --statistics: display network statistics;
-t or --tcp: display the connection status of the TCP transport protocol;
-u or --udp: display the connection status of the UDP transport protocol;
-v or --verbose: display the command's execution process verbosely;
-V or --version: display version information;
-w or --raw: display the connection status of raw sockets;
-x or --unix: the same as specifying "-A unix";
--ip or --inet: the same as specifying "-A inet".
Reference: http://man.linuxde.net/netstat

Example:

The netstat command prints network connection status, the ports opened by the system, the routing table, and similar information. The two most common invocations are netstat -lnp (print the listening ports on the current system) and netstat -an (print the network connection status); both are very useful, so be sure to remember them.

The rightmost column is the network connection state; once you understand the TCP three-way handshake it is easy to interpret.
If the server you administer provides a web service (port 80), you can use netstat -an | grep 80 to see which IPs are currently connected to the web service.
Addition: ss -an does something similar to netstat -an.

# netstat -an | awk '/^tcp/ {++sta[$NF]} END {for(key in sta) print key,"\t",sta[key]}'   # count the TCP connections in each state
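The state tally above and the "which IPs are connected to port 80" check are combined here in an added example (not from the original post) that works on saved `netstat -an` text. The netstat output is a constructed sample, and the function names are my own.

```sh
#!/bin/sh
# Constructed sample of `netstat -an` output (not captured from a real host).
# Columns: Proto Recv-Q Send-Q Local Address Foreign Address State.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.10:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51240      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51251      TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.7:40002      SYN_RECV
tcp        0      0 10.0.0.5:22             192.0.2.44:55000        ESTABLISHED
tcp        0      0 10.0.0.5:8080           192.0.2.80:6000         ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Count TCP connections per state: the same awk tally the page shows, run
# over the sample text instead of live netstat output, and sorted by state.
tcp_state_counts() {
    printf '%s\n' "$1" | awk '/^tcp/ {++sta[$NF]} END {for (key in sta) print key, sta[key]}' | sort
}

# Remote IPs holding connections to one local port, with a count per IP,
# busiest first. Matching the port against the local address column ($4)
# avoids the false hits of `grep 80`, which also matches port 8080 and the
# "80" inside addresses such as 192.0.2.80; LISTEN rows are skipped.
clients_on_port() {
    printf '%s\n' "$2" | awk -v port="$1" '
        /^tcp/ && $4 ~ (":" port "$") && $6 != "LISTEN" {
            ip = $5; sub(/:[0-9]+$/, "", ip); ++n[ip]
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}
```

Run it live with `clients_on_port 80 "$(netstat -an)"`; a single IP with far more half-open (SYN_RECV) connections than the rest is the usual sign of the flood the next section talks about.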

IV. Packet capture tools

1. The tcpdump packet capture tool

Sometimes you want to see what packets are passing through a network card, especially when you initially suspect that your server is under a traffic attack. In that case, use a packet capture tool to grab the packets, and you can find out which IP is attacking you.

# tcpdump -nn -c 10 -i ens33            # capture 10 packets on the ens33 interface, showing IPs and ports instead of host names and service names


If the tcpdump command is not present, install it with yum install -y tcpdump. In the example above, the third and fourth columns show which ip+port is connected to which ip+port, and the information after them describes the packet; usually only the third and fourth columns are of interest. The -i option is followed by the device name: to capture packets on the ens33 network card, pass -i ens33. The -nn option makes the third and fourth columns show ip+port numbers; without -nn, host names and service names are shown instead.
The -c option specifies the number of packets to capture.
Reference: http://man.linuxde.net/tcpdump
Some common tcpdump examples:

# tcpdump -nn -i ens33 port 22                     # capture only packets on port 22
# tcpdump host 192.168.x.x                         # capture packets for the given IP
# tcpdump -nn -i ens33 tcp and not port 22         # capture TCP packets, but not those on port 22
# tcpdump -nn -i ens33 port 22 or port 53          # capture only packets on port 22 or port 53
# tcpdump -nn -i ens33 -c 10 -w /tmp/test.cap      # save 10 captured packets to /tmp/test.cap
# tcpdump -r /tmp/test.cap                         # read a saved capture file

2. The Wireshark tool

Reference: http://www.360doc.com/content/15/0516/18/14900341_471040655.shtml
Example:


This is similar to looking at the web access log; if the server has no access log configured, it can be used as a stopgap to view the current web requests.
For more usage, refer to: https://www.cnblogs.com/liun1994/p/6142505.html
