The first part:
1. View TCP connection status
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn
netstat -n | awk '/^tcp/{++S[$NF]}; END {for (a in S) print a, S[a]}'
netstat -n | awk '/^tcp/{++state[$NF]}; END {for (key in state) print key, "\t", state[key]}'
netstat -n | awk '/^tcp/{++arr[$NF]}; END {for (k in arr) print k, "\t", arr[k]}'
netstat -n | awk '/^tcp/{print $NF}' | sort | uniq -c | sort -rn
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
netstat -ant | awk '/ip:80/{split($5,ip,":"); ++S[ip[1]]} END {for (a in S) print S[a], a}' | sort -n
netstat -ant | awk '/:80/{split($5,ip,":"); ++S[ip[1]]} END {for (a in S) print S[a], a}' | sort -rn | head -n 10
awk 'BEGIN{printf("http_code\tcount_num\n")} {count[$10]++} END {for (a in count) printf a "\t\t" count[a] "\n"}'
2. Find the top 20 IPs by request count (commonly used to locate the source of an attack):
'{print $}' '{print $}' | sort | uniq -c | sort -nr | head -
'/:80/{split($5,ip,":"); ++A[ip[1]]} END {for (i in A) print A[i], i}' | sort -rn | head -n20
3. Sniff port 80 with tcpdump to see which address sends the most traffic
| awk -F"." '{print $"."$"."$"."$4}' | sort | uniq -c | sort -nr | head -
4. Find the addresses with the most TIME_WAIT connections
'{print $}' | sort | uniq -c | sort -rn | head -n20
5. Find the addresses with the most SYN connections
'{print $}' '{print $}' | sort | uniq -c | sort -nr | more
6. List the process behind a port
'{print $7}' | cut -d/ -f1
The second part, website log analysis (Apache):
1. Get the top 10 IP addresses by access count
'{print $}' | sort | uniq -c | sort -nr | head -
cat access.log | awk '{counts[$(11)]+=1}; END {for (url in counts) print counts[url], url}'
2. Most visited files or pages (top 20), and the count of all distinct accessing IPs
'{print $11}' | sort | uniq -c | sort -nr | head
'{print $}' access.log | sort -n -r | uniq -c | wc -l
3. List the largest exe files transferred (useful when analysing a download site)
'($7~/\.exe/){print $ " " $ " " $4 " " $7}' | sort -nr | head -
4. List exe files with output greater than 200000 bytes (about 200 KB) and how many times each occurs
'($ > 200000 && $7~/\.exe/){print $7}' | sort -n | uniq -c | sort -nr | head -
5. If the last column of the log records the page transfer time, list the pages that took longest to deliver to the client
'($7~/\.php/){print $NF " " $ " " $4 " " $7}' | sort -nr | head -
6. List the most time-consuming pages (over 60 seconds) and how many times each occurs
'($NF > && $7~/\.php/){print $7}' | sort -n | uniq -c | sort -nr | head -
7. List files whose transfer time exceeds 30 seconds
'($NF > ){print $7}' | sort -n | uniq -c | sort -nr | head -
8. Total website traffic (GB)
'{sum+=$10} END {print sum/1024/1024/1024}'
9. Count the 404 responses
'($9 ~/404/)' '{print $9,$7}' | sort
10. HTTP status code statistics
'{counts[$(9)]+=1}; END {for (code in counts) print code, counts[code]}'
'{print $9}' | sort | uniq -c | sort -rn
11. Concurrency per second:
'{if ($9~/200|30|404/) count[$4]++} END {for (a in count) print a, count[a]}' 2 -nr | head -n10
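Several of the part-two queries (items 1, 8, 9, 10 and 11) carried out in Python over a constructed Apache combined-format sample, as an added example that is not part of the original post. The log lines and addresses are constructed; awk_field mirrors awk's whitespace splitting to show why a request line containing a space shifts $7 and $9, which the regex parser below avoids.

```python
import re
from collections import Counter

# Apache combined log format; trailing referer/user-agent are not needed here.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin.php HTTP/1.1" 404 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /download/setup.exe HTTP/1.1" 200 3145728 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /a b/c.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
"""

def awk_field(line, n):
    """What awk's $n sees: pure whitespace splitting, so a space inside the
    request line pushes the status code out of $9."""
    return line.split()[n - 1]

def parse(log_text):
    """Yield one record per parsable line, keeping the request line intact."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped rather than miscounted
        d = m.groupdict()
        d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
        parts = d["req"].split(" ")
        # method is first, protocol last; everything between is the path
        d["path"] = " ".join(parts[1:-1]) if len(parts) >= 3 else d["req"]
        yield d

def top_ips(records, n=20):            # part two, item 1
    return Counter(r["ip"] for r in records).most_common(n)

def traffic_gb(records):               # item 8
    return sum(r["bytes"] for r in records) / 1024 ** 3

def not_found(records):                # item 9
    return sorted((r["status"], r["path"]) for r in records if r["status"] == "404")

def status_counts(records):            # item 10
    return dict(Counter(r["status"] for r in records))

def requests_per_second(records, n=10):  # item 11, same status filter as the awk
    hits = (r["ts"] for r in records if re.search(r"200|30|404", r["status"]))
    return Counter(hits).most_common(n)
```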