I. Linux system connection status
1. Check the state of TCP connections (several equivalent ways of counting connections per state):
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn
netstat -n | awk '/^tcp/ {++s[$NF]}; END {for (a in s) print a, s[a]}'
netstat -n | awk '/^tcp/ {++state[$NF]}; END {for (key in state) print key, "\t", state[key]}'
netstat -n | awk '/^tcp/ {++arr[$NF]}; END {for (k in arr) print k, "\t", arr[k]}'
netstat -n | awk '/^tcp/ {print $NF}' | sort | uniq -c | sort -rn
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
2. Find the IPs making the most requests, top 20 (often used to find the source of an attack):
netstat -anlp | grep 80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20
netstat -ant | awk '/:80/ {split($5, ip, ":"); ++a[ip[1]]} END {for (i in a) print a[i], i}' | sort -rn | head -n20
3. Use tcpdump to sniff access to port 80 and see which source address is the most frequent:
tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20
4. Find the addresses with the most TIME_WAIT connections:
netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n20
5. Find the addresses with the most SYN connections:
netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more
6. List the process that owns a port (PID from the last column of netstat):
netstat -ntlp | grep 80 | awk '{print $7}' | cut -d/ -f1
II. Website log analysis
1. Apache log: get the top ten client IP addresses by number of requests
cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -10
cat access.log | awk '{counts[$11]+=1}; END {for (url in counts) print counts[url], url}'
2. The most visited files or pages, top 20
cat access.log | awk '{print $11}' | sort | uniq -c | sort -nr | head -20
3. List the exe files with the largest transfers (commonly used when analysing a download site)
cat access.log | awk '($7 ~ /\.exe/) {print $10 " " $1 " " $4 " " $7}' | sort -nr | head -20
4. List exe files with output greater than 200000 bytes (about 200 KB) and the number of times each file occurs
cat access.log | awk '($10 > 200000 && $7 ~ /\.exe/) {print $7}' | sort -n | uniq -c | sort -nr | head -100
5. If the last column of the log records the page transfer time, list the pages that take the longest to deliver to the client
cat access.log | awk '($7 ~ /\.php/) {print $NF " " $1 " " $4 " " $7}' | sort -nr | head -100
6. List the most time-consuming pages (more than 60 seconds) and the number of times each page occurs
cat access.log | awk '($NF > 60 && $7 ~ /\.php/) {print $7}' | sort -n | uniq -c | sort -nr | head -100
7. List files whose transfer took more than a second
cat access.log | awk '($NF > 1) {print $7}' | sort -n | uniq -c | sort -nr | head -20
8. Total website traffic (GB), summing the bytes column
cat access.log | awk '{sum+=$10} END {print sum/1024/1024/1024}'
9. Count 404 requests
awk '($9 ~ /404/)' access.log | awk '{print $9, $7}' | sort
10. Count HTTP status codes
cat access.log | awk '{counts[$9]+=1}; END {for (code in counts) print code, counts[code]}'
cat access.log | awk '{print $9}' | sort | uniq -c | sort -rn
11. Spider analysis: see which crawlers are fetching content
/usr/sbin/tcpdump -i eth0 -l -s 0 -w - dst port 80 | strings | grep -i user-agent | grep -i -E 'bot|crawler|slurp|spider'
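As an added example (not from the original post), the Apache-log one-liners of section II wrapped as small shell functions and run against a constructed log sample. It assumes the Apache combined log format ($1 client IP, $7 request path, $9 status, $10 bytes) with a trailing transfer-time column, which the post's $NF items assume:

```shell
#!/bin/sh
# Constructed sample (not from any real server): Apache combined log lines
# plus a trailing transfer-time column in seconds. awk fields: $1 client IP,
# $4 "[timestamp", $7 request path, $9 status, $10 response bytes, $NF the
# last field (here the transfer time).
SAMPLE_LOG='10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 2
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /setup.exe HTTP/1.1" 200 300000 "-" "Mozilla/5.0" 45
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /missing.php HTTP/1.1" 404 512 "-" "curl/8.0" 1
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /report.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0" 75
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /tool.exe HTTP/1.1" 200 150000 "-" "Googlebot/2.1" 10'

# Every function reads log lines on stdin, like the one-liners in section II.

# Item 1: the single busiest client IP.
top_ip() {
    awk '{print $1}' | sort | uniq -c | sort -rn | head -1 | awk '{print $2}'
}

# Item 10: requests per HTTP status, printed as "status count", sorted.
status_counts() {
    awk '{counts[$9]++} END {for (c in counts) print c, counts[c]}' | sort
}

# Item 8: total response bytes, in whole KB (the post divides by 1024 three
# times for GB; this sample is far too small for that to be readable).
total_kb() {
    awk '{sum += $10} END {printf "%d\n", sum / 1024}'
}

# Item 4: .exe downloads larger than $1 bytes, printed as "count path".
big_exe() {
    awk -v min="$1" '$10 > min && $7 ~ /\.exe$/ {print $7}' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Items 6 and 7: paths whose transfer time ($NF) exceeds $1 seconds.
slow_pages() {
    awk -v max="$1" '$NF > max {print $7}' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Stand-alone run: print the status table for the sample.
printf '%s\n' "$SAMPLE_LOG" | status_counts
```

Replace `printf '%s\n' "$SAMPLE_LOG"` with `cat access.log` to run the same functions over a real log with the same column layout.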
III. Database
1. View the SQL statements the database is executing (sniffed from port 3306 traffic)
/usr/sbin/tcpdump -i eth0 -s 0 -l -w - dst port 3306 | strings | egrep -i 'select|update|delete|insert|set|commit|rollback|create|drop|alter|call'
IV. System debug analysis
1. Debug command (trace the system calls of a running process by PID)
strace -p PID
2. Attach the debugger to the specified process by PID
gdb -p PID
This article is from the "rendering unchanged Yesterday" blog; reprinting is declined.
Linux Three Musketeers, the boss (awk): daily summary