2025-01-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
System connection status section:
1. View TCP connection status
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn
netstat -n | awk '/^tcp/ {++S[$NF]}; END {for (a in S) print a, S[a]}'
or
netstat -n | awk '/^tcp/ {++state[$NF]}; END {for (key in state) print key, "\t", state[key]}'
netstat -n | awk '/^tcp/ {++arr[$NF]}; END {for (k in arr) print k, "\t", arr[k]}'
netstat -n | awk '/^tcp/ {print $NF}' | sort | uniq -c | sort -rn
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
2. Find the top 20 IPs by number of requests (often used to find the source of an attack):
netstat -anlp | grep 80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20
netstat -ant | awk '/:80/ {split($5, ip, ":"); ++A[ip[1]]} END {for (i in A) print A[i], i}' | sort -rn | head -n20
3. Use tcpdump to sniff traffic to port 80 and see which source is the most active
tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20
4. Find the IPs with the most TIME_WAIT connections
netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n20
5. Find the IPs with the most SYN connections
netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more
6. List the process by port
netstat -ntlp | grep 80 | awk '{print $7}' | cut -d/ -f1
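An added example, not from the original article: in items 2 and 5, `grep 80` also matches port 8080 or any address containing "80", and `awk -F: '{print $1}'` cuts IPv6 and IPv4-mapped addresses at the first colon. The sketch below matches the local port exactly and strips only the port from the remote address; the function names are hypothetical, the sample output is constructed, and the Linux `netstat -ant` column layout is assumed.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (documentation-range addresses).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51002       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40000      TIME_WAIT
tcp        0      0 192.0.2.10:8080         198.51.100.80:40001     ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:40002 ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::99:40003      SYN_RECV
EOF
}

# conn_summary PORT (hypothetical helper): read `netstat -ant` on stdin and
# print "count ip state" for connections whose local port is exactly PORT.
conn_summary() {
  awk -v port="$1" '
    /^tcp/ && $6 != "LISTEN" {
      lport = $4; remote = $5
      sub(/.*:/, "", lport)          # keep only the text after the last colon
      if (lport != port) next        # exact match, so 8080 is not counted as 80
      sub(/:[^:]*$/, "", remote)     # drop the port, keep the full address
      sub(/^::ffff:/, "", remote)    # fold IPv4-mapped IPv6 into plain IPv4
      n[remote " " $6]++
    }
    END { for (k in n) print n[k], k }' | LC_ALL=C sort -k1,1nr -k2,2 -k3,3
}

# top_sources PORT (hypothetical helper): total connections per remote IP,
# busiest first, limited to 20 lines like the one-liners above.
top_sources() {
  conn_summary "$1" |
    awk '{t[$2] += $1} END {for (ip in t) print t[ip], ip}' |
    LC_ALL=C sort -k1,1nr -k2,2 | head -n 20
}

# On a live host: netstat -ant | top_sources 80
sample_netstat | top_sources 80
```

`conn_summary 80` keeps the state column, so a source holding mostly SYN_RECV entries stands out from one with ordinary ESTABLISHED traffic.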
Website Log Analysis Section 1 (Apache):
1. Get the top 10 IP addresses by number of requests
cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -10
cat access.log | awk '{counts[$(11)]+=1}; END {for (url in counts) print counts[url], url}'
2. The most visited files or pages, top 20
cat access.log | awk '{print $11}' | sort | uniq -c | sort -nr | head -20
3. List the largest exe files transferred (commonly used when analyzing download sites)
cat access.log | awk '($7~/\.exe/){print $10 " " $1 " " $4 " " $7}' | sort -nr | head -20
4. List the exe files whose output is larger than 200000 bytes (about 200 KB) and the number of occurrences of each file
cat access.log | awk '($10 > 200000 && $7~/\.exe/){print $7}' | sort -n | uniq -c | sort -nr | head -100
5. If the last column of the log records the page transfer time, list the pages that take the longest to deliver to the client
cat access.log | awk '($7~/\.php/){print $NF " " $1 " " $4 " " $7}' | sort -nr | head -100
6. List the most time-consuming pages (more than 60 seconds) and the number of occurrences of each page
cat access.log | awk '($NF > 60 && $7~/\.php/){print $7}' | sort -n | uniq -c | sort -nr | head -100
7. List files whose transfer took more than 30 seconds
cat access.log | awk '($NF > 30){print $7}' | sort -n | uniq -c | sort -nr | head -20
8. Total website traffic (GB)
cat access.log | awk '{sum+=$10} END {print sum/1024/1024/1024}'
9. List the 404 requests
awk '($9 ~/404/)' access.log | awk '{print $9,$7}' | sort
10. Count HTTP status codes
cat access.log | awk '{counts[$(9)]+=1}; END {for (code in counts) print code, counts[code]}'
cat access.log | awk '{print $9}' | sort | uniq -c | sort -rn
11. Spider analysis
See which spiders are crawling content.
/usr/sbin/tcpdump -i eth0 -l -s 0 -w - dst port 80 | strings | grep -i user-agent | grep -i -E 'bot|crawler|slurp|spider'
Website Log Analysis Section 2 (Squid):
2. Traffic statistics by domain
zcat squid_access.log.tar.gz | awk '{print $10,$7}' | awk 'BEGIN {FS="[ /]"} {trfc[$4]+=$1} END {for (domain in trfc) print domain, trfc[domain]}'