Organize common Linux network commands

Source: Internet
Author: User
Tags: domain name server
Common Linux network commands help us monitor network conditions on a host. This page collects the ones used most often: tcpdump for capturing packets and netstat for inspecting sockets.

1. The tcpdump command

tcpdump captures the headers (and, with a large enough snapshot length, the payload) of packets passing through a network interface so they can be analysed. It can filter by link layer, protocol, host, network or port, and supports the logical operators and, or and not to discard packets you are not interested in. Capturing requires root or the CAP_NET_RAW capability. Option letters are case-sensitive: -c and -C, -d and -D, -e and -E, -f and -F, -t and -T are different options.

1) All parameters and their meanings:
-A  print each packet (minus its link-level header) in ASCII.
-c count  exit after receiving count packets.
-C file_size  before writing a raw packet to the save file, check whether the file is larger than file_size; if so, close it and open a new one. file_size is in millions of bytes (1,000,000 bytes, not 1,048,576).
-d  dump the compiled packet-matching code in a human-readable form and stop. This is a convenient way to check that a filter expression parses before starting a capture.
-dd  dump the packet-matching code as a C program fragment.
-ddd  dump the packet-matching code as decimal numbers.
-D  print the list of interfaces on the system on which tcpdump can capture packets.
-e  print the link-level (data link layer) header on each output line.
-E spi@ipaddr algo:secret  decrypt IPsec ESP packets addressed to ipaddr that carry the security parameter index spi, using algorithm algo and key secret.
-f  print "foreign" IPv4 addresses numerically rather than symbolically.
-F file  read the filter expression from file; any expression given on the command line is ignored.
-i interface  listen on the given interface; useful when the host has several NICs. "-i any" captures on all interfaces, including lo.
-l  make standard output line-buffered, so the output can be watched while it is piped to another program or redirected to a file.
-L  list the known data link types for the interface and exit.
-m module  load SMI MIB module definitions from file module; can be given several times to load several modules.
-M secret  use secret as the shared secret for validating the digests in TCP segments that carry the TCP-MD5 option (see RFC 2385).
-B buffer_size  set the operating system capture buffer size, in KiB; raising it reduces "packets dropped by kernel" on busy links.
-n  do not convert addresses (host addresses, port numbers) to names.
-nn  do not convert protocol and port numbers to names either, so no name resolution is done at all.
-N  do not print the domain part of host names; for example, 'nic.ddn.mil' is printed as 'nic'.
-O  do not run the packet-matching code optimizer.
-p  do not put the interface into promiscuous mode.
-q  quick (quiet) output: print less protocol information.
-r file  read packets from file (normally created with -w) instead of from an interface.
-S  print absolute rather than relative TCP sequence numbers.
-s snaplen  capture snaplen bytes from each packet instead of the default. The default was 68 bytes in old versions and is 65535 or 262144 bytes in current ones; the "capture size" line that tcpdump prints at start-up reports the value in use. Too small a snaplen truncates packets.
-T type  force packets matched by the expression to be interpreted as the given type; common types include rpc (remote procedure call) and snmp (Simple Network Management Protocol).
-t  do not print a timestamp on each output line.
-tt  print an unformatted timestamp (seconds since the epoch) on each line.
-ttt  print the time delta between the current line and the previous one.
-tttt  print a timestamp in the default format preceded by the date on each line.
-u  print undecoded NFS handles.
-v  slightly more verbose output; for example, the TTL, identification and total length fields of IP packets are printed.
-vv  even more verbose output.
-w file  write the raw packets to file instead of parsing and printing them; useful for saving a capture for later analysis with -r or with Wireshark.
-x  print each packet (minus its link-level header) in hex; -X prints it in hex and ASCII side by side.

2) The tcpdump filter expression

The expression is not a regular expression but a BPF (Berkeley Packet Filter) expression, documented in pcap-filter(7); tcpdump uses it as the condition for selecting packets. A packet is printed only if it satisfies the expression; with no expression, every packet on the interface is captured. Expressions are built from three kinds of keywords.

The first kind is the type keywords: host, net and port. For example, host 210.27.48.2 means that 210.27.48.2 is a host, net 202.0.0.0 means that 202.0.0.0 is a network address, and port 23 means port number 23. If no type is given, host is assumed.

The second kind is the direction keywords: src, dst, src or dst, and src and dst. For example, src 210.27.48.2 matches packets whose IP source address is 210.27.48.2, and dst net 202.0.0.0 matches packets whose destination network is 202.0.0.0. If no direction is given, src or dst is assumed.

The third kind is the protocol keywords: ether, fddi, ip, ip6, arp, rarp, tcp, udp, icmp and others. If no protocol is given, packets of all protocols are matched.

Besides these three kinds, other important keywords are gateway, broadcast, less and greater. Primitives are combined with three logical operators: not (also written '!'), and (also '&&') and or (also '||'). and and or have equal precedence and associate left to right, so a mixed expression such as "a and b or c and d" is parsed as "((a and b) or c) and d"; use parentheses to get the grouping you mean, and quote or escape them so the shell does not interpret them.
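Once a filter has narrowed the capture, the remaining lines still need triage. The following is an added example, not part of the original page: a POSIX shell script that reads the one-line-per-packet text that "tcpdump -nn" prints (the format shown in the example output further down this page) and counts, per source address, how many distinct destination ports received a bare SYN, which is the usual signature of a port scan. The sample lines, addresses, ports and the threshold are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): triage "tcpdump -nn" text output
# to find a source that probes many ports with bare SYNs (a SYN scan).

# sample_lines: constructed capture text in tcpdump's TCP line format;
# timestamps, addresses and ports are made up for this example.
sample_lines() {
    cat <<'EOF'
13:17:19.728118 IP 10.25.1.41.58755 > 192.168.195.146.8012: Flags [.], ack 4530972, win 255, length 0
13:17:19.786680 IP 10.25.1.41.58757 > 192.168.195.146.8012: Flags [S], seq 2652586086, win 8192, options [mss 1367,nop,wscale 8,nop,nop,sackOK], length 0
13:17:20.101000 IP 10.25.1.99.40001 > 192.168.195.146.22: Flags [S], seq 1, win 1024, length 0
13:17:20.102000 IP 10.25.1.99.40002 > 192.168.195.146.80: Flags [S], seq 1, win 1024, length 0
13:17:20.103000 IP 10.25.1.99.40003 > 192.168.195.146.443: Flags [S], seq 1, win 1024, length 0
13:17:20.104000 IP 10.25.1.99.40004 > 192.168.195.146.3306: Flags [S], seq 1, win 1024, length 0
13:17:20.104500 IP 192.168.195.146.22 > 10.25.1.99.40001: Flags [S.], seq 7, ack 2, win 29200, length 0
13:17:20.244773 IP 10.25.1.41.58757 > 192.168.195.146.8012: Flags [P.], seq 0:394, ack 1, win 259, length 394
EOF
}

# syn_sources: read tcpdump lines on stdin and print "<src ip> <n>" for every
# source that sent a pure SYN (Flags [S], not the SYN-ACK [S.]), where n is the
# number of distinct destination ports it hit; highest count first.
syn_sources() {
    awk '
        $2 == "IP" && $7 == "[S]," {
            src = $3; sub(/\.[0-9]+$/, "", src)      # drop ".<srcport>"
            dst = $5; sub(/:$/, "", dst)             # drop trailing ":"
            port = dst; sub(/^.*\./, "", port)       # keep "<dstport>"
            if (!((src, port) in seen)) { seen[src, port] = 1; ports[src]++ }
        }
        END { for (s in ports) print s, ports[s] }' | sort -k2,2nr
}

# scan_suspects N: sources that targeted at least N distinct ports (default 3).
scan_suspects() {
    syn_sources | awk -v t="${1:-3}" '$2 >= t { print $1 }'
}

# Typical use against a live box (filter keeps only bare SYNs):
#   tcpdump -nn -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' > syn.log
#   syn_sources < syn.log; scan_suspects 10 < syn.log
sample_lines | syn_sources
sample_lines | scan_suspects 3
```

The threshold is deliberately a parameter: a legitimate client opens a handful of connections to a couple of ports, whereas a scanner touches many ports from one address in a short window, so the number of distinct ports per source separates the two better than the raw SYN count does.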
3) Example: monitor TCP packets destined for port 8012:

[root@bogon ~]# tcpdump -nn -n dst port 8012 and tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:17:19.728118 IP 10.25.1.41.58755 > 192.168.195.146.8012: Flags [.], ack 4530972, win 255, length 0
13:17:??.086680 IP 10.25.1.41.58757 > 192.168.195.146.8012: Flags [S], seq 2652586086, win 8192, options [mss 1367,nop,wscale 8,nop,nop,sackOK], length 0
13:17:??.095037 IP 10.25.1.41.58755 > 192.168.195.146.8012: Flags [F.], seq 0, ack 1, win 255, length 0
13:17:??.122483 IP 10.25.1.41.58757 > 192.168.195.146.8012: Flags [.], ack 56813455, win 259, length 0
13:17:??.123865 IP 10.25.1.41.58757 > 192.168.195.146.8012: Flags [P.], seq 0:394, ack 1, win 259, length 394
13:17:20.244773 IP 10.25.1.41.58757 > 192.168.195.146.8012: Flags [P.], seq 394:679, ack 727, win 256, length 285
13:17:20.284014 IP 10.25.1.41.58757 > 192.168.195.146.8012: Flags [.], ack 850, win 255, length 0
^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel

(The seconds field of several timestamps did not survive in the source and is shown as ??.) Each line gives the timestamp, the source and destination as address.port, the TCP flags (S = SYN, F = FIN, P = PSH, . = ACK), the relative sequence and acknowledgement numbers, the window and the payload length. The last three lines are the capture statistics; a non-zero "dropped by kernel" count means the capture is incomplete.

Other common option combinations are listed below. The examples capture on eth0; without "-i eth0", tcpdump picks the lowest-numbered configured interface that is up, excluding loopback, and "-i any" captures on every interface including lo. First install the tcpdump package:
yum install -y tcpdump

1. Capture packets to or from host 172.16.1.122:
# tcpdump -i eth0 -vnn host 172.16.1.122
2. Capture packets to or from the 172.16.1.0/24 network:
# tcpdump -i eth0 -vnn net 172.16.1.0/24
3. Capture packets with port 22 as source or destination port:
# tcpdump -i eth0 -vnn port 22
4. Capture UDP packets:
# tcpdump -i eth0 -vnn udp
5. Capture ICMP packets:
# tcpdump -i eth0 -vnn icmp
6. Capture ARP packets:
# tcpdump -i eth0 -vnn arp
7. Capture IP packets:
# tcpdump -i eth0 -vnn ip
8. Capture packets whose source IP address is 172.16.1.122:
# tcpdump -i eth0 -vnn src host 172.16.1.122
9. Capture packets whose destination IP address is 172.16.1.122:
# tcpdump -i eth0 -vnn dst host 172.16.1.122
10. Capture packets whose source port is 22:
# tcpdump -i eth0 -vnn src port 22
11. Capture packets whose source IP address is 172.16.1.253 and whose destination port is 22:
# tcpdump -i eth0 -vnn src host 172.16.1.253 and dst port 22
12. Capture packets whose source IP address is 172.16.1.122 or that involve port 22:
# tcpdump -i eth0 -vnn src host 172.16.1.122 or port 22
13. Capture packets whose source IP address is 172.16.1.122 and whose port is not 22:
# tcpdump -i eth0 -vnn src host 172.16.1.122 and not port 22
14. Capture packets whose source IP address is 172.16.1.2 and destination port is 22, or whose source IP address is 172.16.1.65 and destination port is 80 (the parentheses are escaped so the shell passes them through):
# tcpdump -i eth0 -vnn \( src host 172.16.1.2 and dst port 22 \) or \( src host 172.16.1.65 and dst port 80 \)
15. The same kind of filter for 172.16.1.59/port 22 and 172.16.1.68/port 80, with the whole expression quoted instead of escaped:
# tcpdump -i eth0 -vnn '(src host 172.16.1.59 and dst port 22) or (src host 172.16.1.68 and dst port 80)'
Quoting only protects the expression from the shell; the parentheses are still required, because and and or have equal precedence in the filter language and an unparenthesised "a and b or c and d" is parsed as "((a and b) or c) and d", which is not what is meant here.
16. Save the captured packets to the file /tmp/fil1 and exit after 100 packets:
# tcpdump -i eth0 -vnn -w /tmp/fil1 -c 100
17. Read the TCP packets back from /tmp/fil1 (-r reads the file, so no interface is needed):
# tcpdump -vnn -r /tmp/fil1 tcp
18. Read the packets involving 172.16.1.58 back from /tmp/fil1:
# tcpdump -vnn -r /tmp/fil1 host 172.16.1.58

2. The netstat command

netstat belongs to the net-tools package. It is no longer installed by default on many current distributions, where ss from iproute2 accepts the same common switches (for example ss -anltpu) and prints equivalent information.

1) All parameters are as follows:
-a, --all  show all sockets, both listening and non-listening (for example ESTABLISHED and LISTEN).
-A <family>, --<family>  restrict the output to the given address family (inet, inet6, unix, ...).
-c, --continuous  print the selected table again every second.
-C, --cache  display routing cache information.
-e, --extend  display additional information about each entry.
-F, --fib  display the forwarding information base (the default for -r).
-g, --groups  display multicast group memberships.
-h, --help  online help.
-i, --interfaces  display the network interface table.
-l, --listening  show only listening sockets.
-M, --masquerade  display masqueraded connections.
-n, --numeric  show numeric addresses and ports instead of resolving names.
-N, --symbolic  resolve hardware names.
-o, --timers  include networking timers.
-p, --programs  show the PID and name of the program owning each socket (root is needed to see sockets owned by other users).
-r, --route  display the routing table.
-s, --statistics  display summary statistics for each protocol.
-t, --tcp  show TCP sockets.
-u, --udp  show UDP sockets.
-v, --verbose  be verbose.
-V, --version  display version information.
-w, --raw  show RAW sockets.
-x, --unix  same as -A unix.
--ip, --inet  same as -A inet.

2) Run: netstat -anltpu
Output:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      3226/hpiod
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      3411/mysqld
tcp        0      0 0.0.0.0:1002            0.0.0.0:*               LISTEN      2940/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2883/portmap
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      3259/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3453/sendmail: acce
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN      3231/python
tcp        0      0 202.102.240.93:3306     122.207.210.12:1750     ESTABLISHED 3411/mysqld
tcp        0      0 202.102.240.93:3306     122.207.210.12:1748     ESTABLISHED 3411/mysqld
tcp        0      0 202.102.240.93:3306     202.102.240.93:59141    ESTABLISHED 3411/mysqld
tcp        0      0 202.102.240.93:59141    202.102.240.93:3306     ESTABLISHED 7059/httpd

A local address of 0.0.0.0:port (or :::port for IPv6) means the service accepts connections on every interface; 127.0.0.1:port means it is reachable only from the host itself. In the output above, mysqld on 0.0.0.0:3306 is reachable from the Internet and has two established connections from 122.207.210.12, which is worth checking against the intended exposure of the service. Other common combinations include -nltp, which shows only TCP sockets in the LISTEN state.

3) The watch command, or the -c parameter of netstat, helps monitor the network status of a process in real time:
watch -n 1 -d 'netstat -anpo | grep php-fpm'
Output:
tcp        0      0 192.168.195.145:48467   192.168.198.52:6379     ESTABLISHED 27908/php-fpm    off (0.00/0/0)
tcp        0      0 192.168.195.145:39178   192.168.195.145:3306    ESTABLISHED 27908/php-fpm    keepalive (7197.09/0/0)
unix  2      [ ACC ]     STREAM     LISTENING     2449287  27901/php-fpm       /dev/shm/php-fcgi.sock
unix  3      [ ]         STREAM     CONNECTED     2450180  27908/php-fpm       /dev/shm/php-fcgi.sock
unix  3      [ ]         STREAM     CONNECTED     2449286  27901/php-fpm
unix  3      [ ]         STREAM     CONNECTED     2449285  27901/php-fpm

The last column comes from -o: it names the active timer (off, keepalive, on for retransmission, timewait) followed by the time left on it, the number of retransmissions and the number of keepalive probes sent. The grep pattern is in single quotes inside the double-quoted watch command in the original form of this command; putting the whole pipeline in single quotes, as above, avoids the nested double quotes that would otherwise end the string early.
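The exposure check described above (wildcard-bound listeners versus loopback-only ones) is easy to automate. The following is an added example, not part of the original page: a POSIX shell script that feeds "netstat -anltpu" output through awk and reports every socket bound to 0.0.0.0 or ::, plus the remote peers of a given program. The sample output, PIDs and program names are constructed for this example from the column layout netstat prints; note that UDP sockets have no LISTEN state, so an unconnected UDP socket (foreign address *:*) is treated as a listener.

```shell
#!/bin/sh
# Added example (not from the original page): audit "netstat -anltpu" output
# for services reachable on every interface.

# sample_netstat: constructed output in netstat's column layout; PIDs and
# program names are made up for this example.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      3226/hpiod
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      3411/mysqld
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3453/sendmail: accepting connections
tcp6       0      0 :::22                   :::*                    LISTEN      1510/sshd
tcp        0      0 202.102.240.93:3306     122.207.210.12:1750     ESTABLISHED 3411/mysqld
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2883/portmap
udp        0      0 127.0.0.1:323           0.0.0.0:*                           901/chronyd
EOF
}

# exposed_listeners: read netstat output on stdin and print
# "<proto> <local address> <pid/program>" for every socket bound to the
# wildcard address (0.0.0.0 or ::). TCP listeners carry the LISTEN state;
# UDP has no state column, so an unconnected UDP socket (foreign *:*) counts.
exposed_listeners() {
    awk '
        # rest(i): fields i..NF joined, since a program name may contain spaces
        function rest(i,   s) { s = $i; for (i++; i <= NF; i++) s = s " " $i; return s }
        function report(bind, prog,   addr) {
            addr = bind; sub(/:[^:]*$/, "", addr)          # strip ":port"
            if (addr == "0.0.0.0" || addr == "::") print $1, bind, prog
        }
        $1 ~ /^tcp/ && $6 == "LISTEN" { report($4, rest(7)) }
        $1 ~ /^udp/ && $5 ~ /:\*$/    { report($4, rest(6)) }'
}

# peers_of NAME: remote endpoints of ESTABLISHED connections owned by NAME.
peers_of() {
    awk -v name="$1" '$6 == "ESTABLISHED" && index($7, "/" name) { print $5 }'
}

# On a live host: netstat -anltpu | exposed_listeners
sample_netstat | exposed_listeners
sample_netstat | peers_of mysqld
```

Run as root so that the PID/Program name column is filled in for every socket; without it, sockets of other users show "-" and the program name cannot be attributed. The same functions work on "ss -anltpu" output once the differing header and column order are accounted for, which is left out here.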