Network Analysis shell script (real-time traffic + connection statistics)


This article introduces a network analysis shell script. It was split out of EZHTTP, and I think it deserves an introduction of its own.

Script output (the original post shows screenshots of the two modes here):
This script provides the following functions:

  • 1. Monitor the traffic of any network interface in real time.
  • 2. Average traffic over a 10-second window.
  • 3. Average traffic per port over the 10-second window, computed separately by server-side port and by client-side port, so you can see which ports carry most of the traffic. On a web server almost all of it should be on port 80; a large volume on some other port suggests that port is being attacked, so this helps decide whether the per-port traffic is normal.
  • 4. The top 10 IP addresses by bandwidth within the 10 seconds, to spot addresses that are maliciously consuming bandwidth.
  • 5. Connection state statistics, showing which states dominate. Many connections in SYN-RECV point to a half-open (SYN flood) attack. If ESTAB is very large but the access logs show far fewer requests, or tcpdump shows many addresses that establish connections and never send data, it may be a full-connection attack; with nginx you can add "listen 80 deferred" to the configuration (TCP_DEFER_ACCEPT on Linux) so that a worker is only handed a connection once data has arrived on it, which mitigates that case.
  • 6. Connection states per port, to find which port is under attack.
  • 7. The top 10 IP addresses with the most ESTAB connections on port 80, to find addresses holding too many connections so they can be blocked.
  • 8. The top 10 IP addresses with the most SYN-RECV connections on port 80, to find the malicious addresses during a half-open attack.
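As an added example (not part of the original script) of the connection-state checks behind items 5 to 8, the shell functions below parse "ss -an" output using the same NF-relative field positions the script relies on, so they work whether or not ss prints a leading Netid column. The ss output at the bottom is constructed for the demonstration, and the peer-count function applies the port filter that items 7 and 8 describe.

```shell
#!/bin/sh
# Added example, not part of the original script: the connection-state checks
# from "ss -an" output.  Fields are taken relative to NF, as the script does,
# so the functions work with and without the leading Netid column that newer
# ss versions print.  The ss output at the bottom is constructed.

# conn_state_count   (reads ss -an text on stdin) -> "STATE COUNT", largest first
# LISTEN and UNCONN sockets are not connections and are skipped.
conn_state_count() {
    awk 'NR == 1 || NF < 5 { next }                      # column header / blank lines
         $(NF-4) == "LISTEN" || $(NF-4) == "UNCONN" { next }
         { n[$(NF-4)]++ }
         END { for (s in n) print s, n[s] }' | sort -k2,2nr
}

# peers_in_state STATE PORT   (reads ss -an text on stdin)
# -> "PEER_IP COUNT" for connections in STATE whose local port is PORT, largest
# first.  This is the "top 10 ip SYN-RECV/ESTAB at port 80" check with the
# port filter actually applied.
peers_in_state() {
    awk -v want="$1" -v port="$2" '
        NR == 1 || NF < 5 { next }
        $(NF-4) != want { next }
        {
            lport = $(NF-1); sub(/.*:/, "", lport)       # local "addr:port" -> port
            if (lport != port) next
            peer = $NF; sub(/:[^:]*$/, "", peer)         # drop the peer port only
            n[peer]++
        }
        END { for (p in n) print p, n[p] }' | sort -k2,2nr
}

# Constructed "ss -an" output (newer format with a Netid column).
SS_OUT='Netid State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
tcp   LISTEN     0      128    *:80                            *:*
tcp   SYN-RECV   0      0      192.0.2.10:80                   198.51.100.20:40001
tcp   SYN-RECV   0      0      192.0.2.10:80                   198.51.100.20:40002
tcp   SYN-RECV   0      0      192.0.2.10:80                   198.51.100.20:40003
tcp   SYN-RECV   0      0      192.0.2.10:80                   198.51.100.21:40004
tcp   ESTAB      0      0      192.0.2.10:80                   198.51.100.7:51234
tcp   ESTAB      0      0      192.0.2.10:80                   198.51.100.7:51235
tcp   ESTAB      0      0      192.0.2.10:22                   198.51.100.9:40000
tcp   TIME-WAIT  0      0      192.0.2.10:80                   198.51.100.8:33000
udp   UNCONN     0      0      *:123                           *:*'

# Stand-alone demo.
echo "--- connection states"
printf '%s\n' "$SS_OUT" | conn_state_count
echo "--- SYN-RECV peers on port 80"
printf '%s\n' "$SS_OUT" | peers_in_state SYN-RECV 80
```

On a live host feed the functions with "ss -an" instead of the here-string. Two caveats when reading the numbers: once a listener's backlog overflows and SYN cookies take over, the kernel keeps no state for new half-open connections, so they no longer appear as SYN-RECV and the count understates the flood; and nginx's "deferred" listen option only keeps handshaked-but-idle connections out of the worker's accept queue, it does not stop the kernel from completing the handshakes.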

Network analysis tools used:

  • 1. tcpdump: used to count traffic per IP address and per port.
  • 2. ss: used to collect connection states; in practice it is much faster than netstat.
  • 3. /proc/net/dev: used to read the byte counters of the chosen NIC.
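An added example, not the original script's code, of the /proc/net/dev part: reading the byte counters of one interface and turning two snapshots into bit/s. The script's awk selects the interface with a substring match ("$0 ~ eth") and fixed field numbers, which is fine for eth0-style names but mismatches when one name is a prefix of another (eth1 versus eth10) or when a name is longer than six characters, because the kernel only left-pads shorter names. The version below matches the name exactly and splits on the colon instead. The snapshot text is constructed; the file layout is the kernel's.

```shell
#!/bin/sh
# Added example, not part of the original script: read the byte counters of
# one interface from /proc/net/dev text and turn two snapshots into bit/s.
# Snapshot contents below are constructed; the file format is the kernel's.

# iface_counters IFACE   (reads /proc/net/dev text on stdin)
# prints "RX_BYTES TX_BYTES", or nothing if the interface is absent.
# The name is matched exactly and the line is split on ':', so eth1 does not
# match eth10 and names longer than six characters (which the kernel does
# not left-pad) land in the same fields as short ones.
iface_counters() {
    awk -v want="$1" '
        index($0, ":") > 0 {
            line = $0
            sub(/^[ \t]+/, "", line)        # kernel pads short names with spaces
            split(line, parts, ":")         # parts[1]=name, parts[2]=16 counters
            if (parts[1] != want) next
            split(parts[2], c, " ")         # " " = awk default whitespace split
            # receive:  bytes packets errs drop fifo frame compressed multicast
            # transmit: bytes packets errs drop fifo colls carrier compressed
            print c[1], c[9]
            exit
        }'
}

# rate_bps "RX TX" "RX TX" SECONDS   -> "RX_BPS TX_BPS" (integers)
# A negative delta means the counters wrapped or the interface was reset;
# it is reported as 0 instead of a huge bogus rate.
rate_bps() {
    awk -v before="$1" -v after="$2" -v secs="$3" 'BEGIN {
        split(before, b, " "); split(after, a, " ")
        rx = a[1] - b[1]; tx = a[2] - b[2]
        if (rx < 0) rx = 0
        if (tx < 0) tx = 0
        printf "%d %d\n", rx * 8 / secs, tx * 8 / secs
    }'
}

# Two constructed /proc/net/dev snapshots, nominally two seconds apart.
SNAP1='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 1000000    2000    0    0    0     0          0         0   500000    1500    0    0    0     0       0          0
enp0s31f6:    4000      40    0    0    0     0          0         0     8000      80    0    0    0     0       0          0'
SNAP2='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 2000000    3000    0    0    0     0          0         0   750000    1800    0    0    0     0       0          0
enp0s31f6:    4000      40    0    0    0     0          0         0     8000      80    0    0    0     0       0          0'

# Stand-alone demo: average rate on eth0 between the two snapshots.
before=$(printf '%s\n' "$SNAP1" | iface_counters eth0)
after=$(printf '%s\n' "$SNAP2" | iface_counters eth0)
echo "eth0 rx/tx bit/s: $(rate_bps "$before" "$after" 2)"
```

On a live host replace the here-strings with "cat /proc/net/dev" taken before and after a sleep; the functions themselves do not change.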

Script: https://www.centos.bz/wp-content/uploads/2014/06/network-analysis.sh
The following is a complete script:

#!/bin/bash
#write by zhumaohai(admin#centos.bz)
#author blog: www.centos.bz

#display a menu (single choice): the caller provides an array named <soft>_arr
#and gets the selected entry back in the variable <soft>
display_menu(){
    local soft=$1
    local prompt="which ${soft} you'd select: "
    eval local arr=(\${${soft}_arr[@]})
    while true
    do
        echo -e "#####################${soft} setting#####################\n"
        for ((i=1;i<=${#arr[@]};i++)); do echo -e "$i) ${arr[$i-1]}"; done
        echo
        read -p "${prompt}" $soft
        eval local select=\$$soft
        if [ "$select" = "" ] || [ "${arr[$soft-1]}" = "" ]; then
            prompt="input errors, please input a number: "
        else
            eval $soft=${arr[$soft-1]}
            eval echo "your selection: \$$soft"
            break
        fi
    done
}

#convert a bandwidth value in bits to a human readable unit
bit_to_human_readable(){
    #input: value in bits
    local trafficValue=$1

    if [[ ${trafficValue%.*} -gt 922 ]]; then
        #convert to Kb
        trafficValue=`awk -v value=$trafficValue 'BEGIN{printf "%0.1f",value/1024}'`
        if [[ ${trafficValue%.*} -gt 922 ]]; then
            #convert to Mb
            trafficValue=`awk -v value=$trafficValue 'BEGIN{printf "%0.1f",value/1024}'`
            echo "${trafficValue}Mb"
        else
            echo "${trafficValue}Kb"
        fi
    else
        echo "${trafficValue}b"
    fi
}

#detect the package manager; returns 0 if it is the one named in $1
check_package_manager(){
    local manager=$1
    local systemPackage=''
    if cat /etc/issue | grep -q -E -i "ubuntu|debian"; then
        systemPackage='apt'
    elif cat /etc/issue | grep -q -E -i "centos|red hat|redhat"; then
        systemPackage='yum'
    elif cat /proc/version | grep -q -E -i "ubuntu|debian"; then
        systemPackage='apt'
    elif cat /proc/version | grep -q -E -i "centos|red hat|redhat"; then
        systemPackage='yum'
    else
        echo "unknown"
    fi

    if [ "$manager" = "$systemPackage" ]; then
        return 0
    else
        return 1
    fi
}

#real-time traffic
realTimeTraffic(){
    local eth=""
    local nic_arr=(`ifconfig | grep -E -o "^[a-z0-9]+" | grep -v "lo" | uniq`)
    local nicLen=${#nic_arr[@]}
    if [[ $nicLen -eq 0 ]]; then
        echo "sorry, I can not detect any network device, please report this issue to author."
        exit 1
    elif [[ $nicLen -eq 1 ]]; then
        eth=$nic_arr
    else
        display_menu nic
        eth=$nic
    fi

    local clear=true
    local eth_in_peak=0
    local eth_out_peak=0
    local eth_in=0
    local eth_out=0

    while true; do
        #move the cursor to 0:0
        printf "\033[0;0H"
        #clear the screen and print the Now/Peak header
        [[ $clear == true ]] && printf "\033[2J" && echo "$eth--------Now--------Peak-----------"
        #/proc/net/dev: field 3 is received bytes, field 11 is transmitted bytes
        #(note: "$0 ~ eth" is a substring match, so eth1 also matches eth10)
        traffic_be=(`awk -v eth=$eth -F'[: ]+' '{if ($0 ~ eth){print $3,$11}}' /proc/net/dev`)
        sleep 2
        traffic_af=(`awk -v eth=$eth -F'[: ]+' '{if ($0 ~ eth){print $3,$11}}' /proc/net/dev`)
        #compute the rate in bit/s over the 2 second interval
        eth_in=$(( (${traffic_af[0]}-${traffic_be[0]})*8/2 ))
        eth_out=$(( (${traffic_af[1]}-${traffic_be[1]})*8/2 ))
        #track the peaks
        [[ $eth_in -gt $eth_in_peak ]] && eth_in_peak=$eth_in
        [[ $eth_out -gt $eth_out_peak ]] && eth_out_peak=$eth_out
        #move the cursor to line 2
        printf "\033[2;1H"
        #clear the current line
        printf "\033[K"
        printf "%-20s %-20s\n" "Receive:  $(bit_to_human_readable $eth_in)" "$(bit_to_human_readable $eth_in_peak)"
        #clear the current line
        printf "\033[K"
        printf "%-20s %-20s\n" "Transmit: $(bit_to_human_readable $eth_out)" "$(bit_to_human_readable $eth_out_peak)"
        [[ $clear == true ]] && clear=false
    done
}

#traffic and connection overview
trafficAndConnectionOverview(){
    if ! which tcpdump > /dev/null; then
        echo "tcpdump not found, going to install it."
        if check_package_manager apt; then
            apt-get -y install tcpdump
        elif check_package_manager yum; then
            yum -y install tcpdump
        fi
    fi

    local eth=""
    local nic_arr=(`ifconfig | grep -E -o "^[a-z0-9]+" | grep -v "lo" | uniq`)
    local nicLen=${#nic_arr[@]}
    if [[ $nicLen -eq 0 ]]; then
        echo "sorry, I can not detect any network device, please report this issue to author."
        exit 1
    elif [[ $nicLen -eq 1 ]]; then
        eth=$nic_arr
    else
        display_menu nic
        eth=$nic
    fi

    echo "please wait for 10s to generate network data..."
    echo
    #current counters
    local traffic_be=(`awk -v eth=$eth -F'[: ]+' '{if ($0 ~ eth){print $3,$11}}' /proc/net/dev`)
    #capture for 10 seconds with tcpdump (fixed file names under /tmp: use mktemp
    #instead on a host with untrusted local users)
    tcpdump -v -i $eth -tnn > /tmp/tcpdump_temp 2>&1 &
    local tcpdump_pid=$!
    sleep 10
    clear
    #stop our own tcpdump only, not every tcpdump running on the box
    kill $tcpdump_pid

    #counters after 10s
    local traffic_af=(`awk -v eth=$eth -F'[: ]+' '{if ($0 ~ eth){print $3,$11}}' /proc/net/dev`)
    #print the 10s average rate
    local eth_in=$(( (${traffic_af[0]}-${traffic_be[0]})*8/10 ))
    local eth_out=$(( (${traffic_af[1]}-${traffic_be[1]})*8/10 ))
    echo -e "\033[32mnetwork device $eth average traffic in 10s: \033[0m"
    echo "$eth Receive: $(bit_to_human_readable $eth_in)/s"
    echo "$eth Transmit: $(bit_to_human_readable $eth_out)/s"
    echo

    #regex "(ip1|ip2)\.[0-9]+:" that matches a local address when it is the
    #destination of a tcpdump line; relies on the net-tools "inet addr:" ifconfig
    #format, and the doubled backslash survives awk -v escape processing as a
    #literal dot
    local regTcpdump=$(ifconfig | grep -A 1 $eth | awk -F'[: ]+' '$0~/inet addr:/{printf $4"|"}' | sed -e 's/|$//' -e 's/^/(/' -e 's/$/)\\\\\.[0-9]+:/')

    #old and new tcpdump versions format the output differently
    if awk '/^IP/{print;exit}' /tmp/tcpdump_temp | grep -q ")$"; then
        #new format: IP header line, then the address line on the next line; keep both
        awk '/^IP/{print;getline;print}' /tmp/tcpdump_temp > /tmp/tcpdump_temp2
    else
        #old format: everything on one line; split it after "length: N)"
        awk '/^IP/{print}' /tmp/tcpdump_temp > /tmp/tcpdump_temp2
        sed -i -r 's#(.*: [0-9]+\))(.*)#\1\n\2#' /tmp/tcpdump_temp2
    fi

    #append the IP total length of each packet to its address line
    awk '{len=$NF;sub(/\)/,"",len);getline;print $0,len}' /tmp/tcpdump_temp2 > /tmp/tcpdump

    #average traffic per port in 10s (fields 2-6: source ip and port, 8-12:
    #destination ip and port, last field: packet length)
    echo -e "\033[32maverage traffic in 10s base on server port: \033[0m"
    awk -F'[.: ]+' -v regTcpdump="$regTcpdump" '{if ($0 ~ regTcpdump){line="clients > "$8"."$9"."$10"."$11":"$12}else{line=$2"."$3"."$4"."$5":"$6" > clients"};sum[line]+=$NF*8/10}END{for(line in sum){printf "%s %d\n",line,sum[line]}}' /tmp/tcpdump | \
    sort -k 4 -nr | head -n 10 | while read a b c d; do
        echo "$a $b $c $(bit_to_human_readable $d)/s"
    done
    #move the cursor up 11 lines and right 50 columns to print the client table
    #beside the server table
    echo -ne "\033[11A"
    echo -ne "\033[50C"
    echo -e "\033[32maverage traffic in 10s base on client port: \033[0m"
    awk -F'[.: ]+' -v regTcpdump="$regTcpdump" '{if ($0 ~ regTcpdump){line=$2"."$3"."$4"."$5":"$6" > server"}else{line="server > "$8"."$9"."$10"."$11":"$12};sum[line]+=$NF*8/10}END{for(line in sum){printf "%s %d\n",line,sum[line]}}' /tmp/tcpdump | \
    sort -k 4 -nr | head -n 10 | while read a b c d; do
        echo -ne "\033[50C"
        echo "$a $b $c $(bit_to_human_readable $d)/s"
    done
    echo

    #top 10 ip addresses by bandwidth in 10s
    echo -e "\033[32mtop 10 ip average traffic in 10s base on server: \033[0m"
    awk -F'[.: ]+' -v regTcpdump="$regTcpdump" '{if ($0 ~ regTcpdump){line=$2"."$3"."$4"."$5" > "$8"."$9"."$10"."$11":"$12}else{line=$2"."$3"."$4"."$5":"$6" > "$8"."$9"."$10"."$11};sum[line]+=$NF*8/10}END{for(line in sum){printf "%s %d\n",line,sum[line]}}' /tmp/tcpdump | \
    sort -k 4 -nr | head -n 10 | while read a b c d; do
        echo "$a $b $c $(bit_to_human_readable $d)/s"
    done
    echo -ne "\033[11A"
    echo -ne "\033[50C"
    echo -e "\033[32mtop 10 ip average traffic in 10s base on client: \033[0m"
    awk -F'[.: ]+' -v regTcpdump="$regTcpdump" '{if ($0 ~ regTcpdump){line=$2"."$3"."$4"."$5":"$6" > "$8"."$9"."$10"."$11}else{line=$2"."$3"."$4"."$5" > "$8"."$9"."$10"."$11":"$12};sum[line]+=$NF*8/10}END{for(line in sum){printf "%s %d\n",line,sum[line]}}' /tmp/tcpdump | \
    sort -k 4 -nr | head -n 10 | while read a b c d; do
        echo -ne "\033[50C"
        echo "$a $b $c $(bit_to_human_readable $d)/s"
    done
    echo

    #connection state statistics: keep only sockets on this interface's addresses,
    #without listeners and unconnected UDP sockets
    local regSS=$(ifconfig | grep -A 1 $eth | awk -F'[: ]+' '$0~/inet addr:/{printf $4"|"}' | sed -e 's/|$//')
    ss -an | grep -v -E "LISTEN|UNCONN" | grep -E "$regSS" > /tmp/ss
    echo -e "\033[32mconnection state count: \033[0m"
    #the state is the 5th field from the end, so this works with and without the Netid column
    awk 'NR>1{sum[$(NF-4)]+=1}END{for(state in sum){print state,sum[state]}}' /tmp/ss | sort -k 2 -nr
    echo

    #connection states per port (NF-1 is the local address:port, NF the peer's)
    echo -e "\033[32mconnection state count by port base on server: \033[0m"
    awk 'NR>1{sum[$(NF-4),$(NF-1)]+=1}END{for(key in sum){split(key,subkey,SUBSEP);print subkey[1],subkey[2],sum[subkey[1],subkey[2]]}}' /tmp/ss | sort -k 3 -nr | head -n 10
    echo -ne "\033[11A"
    echo -ne "\033[50C"
    echo -e "\033[32mconnection state count by port base on client: \033[0m"
    awk 'NR>1{sum[$(NF-4),$(NF)]+=1}END{for(key in sum){split(key,subkey,SUBSEP);print subkey[1],subkey[2],sum[subkey[1],subkey[2]]}}' /tmp/ss | sort -k 3 -nr | head -n 10 | awk '{print "\033[50C"$0}'
    echo

    #top 10 ip addresses with the most ESTAB connections on port 80
    #(note: no port filter is applied here; every ESTAB line in /tmp/ss is
    #counted, keyed on the peer address, which is field NF-2 after splitting on
    #':' and spaces because ss ends each line with a trailing space)
    echo -e "\033[32mtop 10 ip ESTAB state count at port 80: \033[0m"
    cat /tmp/ss | grep ESTAB | awk -F'[: ]+' '{sum[$(NF-2)]+=1}END{for(ip in sum){print ip,sum[ip]}}' | sort -k 2 -nr | head -n 10
    echo

    #top 10 ip addresses with the most SYN-RECV connections on port 80 (same
    #caveat: the state is filtered, the port is not)
    echo -e "\033[32mtop 10 ip SYN-RECV state count at port 80: \033[0m"
    cat /tmp/ss | grep -E "$regSS" | grep SYN-RECV | awk -F'[: ]+' '{sum[$(NF-2)]+=1}END{for(ip in sum){print ip,sum[ip]}}' | sort -k 2 -nr | head -n 10
}

main(){
    while true; do
        echo -e "1) real time traffic.\n2) traffic and connection overview.\n"
        read -p "please input your select(ie 1): " select
        case $select in
            1) realTimeTraffic; break;;
            2) trafficAndConnectionOverview; break;;
            *) echo "input error, please input a number.";;
        esac
    done
}

main
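The tcpdump post-processing in trafficAndConnectionOverview (the awk '/^IP/...' steps and the -F'[.: ]+' field arithmetic) is the densest part of the script, so here is an added example, not the author's code, that does the same reduction in clearer steps: each packet becomes one record (direction, local address and port, peer address and port, IP total length), after which the per-port and per-peer tables that items 3 and 4 describe are a one-line awk each. It handles the two-line format of tcpdump 4.x (IP header line, then the indented address line) as well as the older single-line format, and skips IPv6 (IP6 lines). The local addresses are passed in as a list instead of being derived from ifconfig, and the capture text is constructed.

```shell
#!/bin/sh
# Added example, not the original script's code: reduce "tcpdump -v -tnn"
# output to one record per IPv4 packet and aggregate it.  The capture text
# at the bottom is constructed; the line formats are tcpdump's.

# packet_records "LOCAL_IP [LOCAL_IP ...]"   (reads tcpdump -v -tnn text on stdin)
# prints "DIR LOCAL_IP LOCAL_PORT PEER_IP PEER_PORT BYTES" per packet, where
# DIR is "in" if the local address is the destination and "out" if it is the
# source; packets with neither side local are dropped.  BYTES is the total
# length from the IP header, the same figure the script sums.
packet_records() {
    awk -v locals="$1" '
    # "a.b.c.d.port" -> "a.b.c.d port"; "-" as port for ICMP and similar
    function ip_port(s,    o, n) {
        n = split(s, o, ".")
        return o[1] "." o[2] "." o[3] "." o[4] " " (n >= 5 ? o[n] : "-")
    }
    BEGIN { n = split(locals, t, " "); for (i = 1; i <= n; i++) islocal[t[i]] = 1 }
    /^IP / {
        # header line: "... proto TCP (6), length 1500)" (tcpdump 4.x)
        #           or "... proto: TCP (6), length: 1500) 1.2.3.4.80 > ..." (older)
        if (!match($0, /length:? [0-9]+\)/)) next
        len = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", len)
        rest = substr($0, RSTART + RLENGTH)
        # new tcpdump puts the addresses on the next, indented line
        if (rest !~ / > /) { if ((getline rest) <= 0) next }
        split(rest, f, " "); sub(/:$/, "", f[3])    # f[1]=src f[2]=">" f[3]=dst:
        split(ip_port(f[1]), s, " "); split(ip_port(f[3]), d, " ")
        if (d[1] in islocal)      print "in",  d[1], d[2], s[1], s[2], len
        else if (s[1] in islocal) print "out", s[1], s[2], d[1], d[2], len
    }'
}

# by_server_port   (reads packet records) -> "DIR LOCAL_IP:PORT BYTES", largest first
by_server_port() {
    awk '{ sum[$1 " " $2 ":" $3] += $6 } END { for (k in sum) print k, sum[k] }' | sort -k3,3nr
}

# by_peer   (reads packet records) -> "PEER_IP BYTES", largest first
by_peer() {
    awk '{ sum[$4] += $6 } END { for (k in sum) print k, sum[k] }' | sort -k2,2nr
}

# bps BYTES SECONDS -> average bit/s over the capture window
bps() {
    echo $(( $1 * 8 / $2 ))
}

# Constructed capture: 192.0.2.10 is the local host; the last two packets use
# the older one-line format, and the final one has no local side at all.
CAPTURE='IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 1500)
    192.0.2.10.80 > 198.51.100.7.51234: Flags [.], seq 1:1449, ack 1, win 229, length 1448
IP (tos 0x0, ttl 51, id 2, offset 0, flags [DF], proto TCP (6), length 52)
    198.51.100.7.51234 > 192.0.2.10.80: Flags [.], ack 1449, win 1000, length 0
IP (tos 0x0, ttl 51, id 3, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.9.40000 > 192.0.2.10.22: Flags [S], seq 0, win 65535, length 0
IP (tos 0x0, ttl 64, id 4, offset 0, flags [DF], proto TCP (6), length 500)
    192.0.2.10.22 > 198.51.100.9.40000: Flags [P.], seq 1:449, ack 1, win 229, length 448
IP (tos 0x0, ttl 51, id 5, offset 0, flags [DF], proto: TCP (6), length: 100) 198.51.100.7.51234 > 192.0.2.10.80: P 1:61(60) ack 1449 win 1000
IP (tos 0x0, ttl 64, id 6, offset 0, flags [DF], proto: TCP (6), length: 40) 10.9.8.7.1234 > 10.9.8.6.80: . ack 1 win 5840'

# Stand-alone demo over a nominal 10 s window.
records=$(printf '%s\n' "$CAPTURE" | packet_records "192.0.2.10")
echo "--- bytes by server port (direction local:port bytes)"
printf '%s\n' "$records" | by_server_port
echo "--- bytes by peer"
printf '%s\n' "$records" | by_peer
```

On a live host run "tcpdump -v -i eth0 -tnn -w -" is not what you want here (that writes pcap); keep the text mode the script uses, pipe the saved file into packet_records with the interface's addresses, and divide each total by the capture length with bps to get the per-second figures the script prints.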

If anything in the script is unclear, leave a comment.

For more information, see https://www.centos.bz/2014/06/shell-script-for-network-analysis/.
