2025-01-21 Update From: SLTechnology News&Howtos (Shulou.com)
This article introduces the common system analysis tools under Linux. They are very practical, so they are shared here as a reference.
1. CPU
For CPU, we mainly introduce top, strace, perf and vmstat.
1.1 top
The top command shows the overall operation of the system dynamically and in real time. It is a practical tool that combines information from several sources to monitor system performance and running state.
The commonly used options of top and their meanings are as follows:
(1) -c: displays the complete command
(2) -d: screen refresh interval
(3) -i: set the interval
(4) -u: specify a user name
(5) -p: specify the process
(6) -n: the number of times the loop is displayed.
The effect of top execution is as follows:
The first five lines are statistics for the system as a whole. The first line is task queue information, the second and third lines are process and CPU information, and the last two lines are memory information. Here are some of the more important parameters.
Load average: 0.60, 0.94, 1.04. Load average represents the average length of the system's task queue over the past 1 minute, 5 minutes and 15 minutes. A higher value indicates that the system CPU is busier.
Cpu(s): 5.0%us (percentage of cpu occupied by user space), 3.9%sy (percentage of cpu occupied by kernel space), 0.0%ni (percentage of cpu occupied by processes in user space whose priority has been changed), 90.9%id (percentage of idle cpu), 0.2%wa (percentage of cpu waiting for input and output).
Mem: 817280k buffers (the amount of memory used as kernel cache).
Swap: disk swap capacity.
1.2 strace
Strace can trace the system calls generated by a process, including parameters, return values, and execution time.
The common options for strace and their corresponding meanings are as follows:
(1) -c: counts the time, number of calls and errors of each system call
(2) -f: traces the child processes created by fork calls
(3) -t: adds time information before each line of the output
(4) -tt: adds time information (microseconds) before each line of the output
(5) -T: shows the time spent in each call
(6) -e trace=set: traces only the specified system calls. For example, -e trace=open,close,read,write means that only these four system calls are traced. The default is set=all
(7) -e trace=file: traces only system calls related to file operations
(8) -e trace=process: traces only system calls related to process control
(9) -e trace=network: traces all system calls related to the network
(10) -e trace=signal: traces all system calls related to system signals
(11) -e trace=ipc: traces all system calls related to process communication
(12) -o filename: writes the output of strace to the file filename
(13) -p pid: traces the specified process pid
For example, if you execute strace cat /dev/null, you will get the following output:
Each line is a system call. To the left of the equal sign is the function name of the system call and its parameters, and on the right is the return value of the call. If you know what you're looking for, you can have strace trace only some types of system calls. For example, if you need to look at the execve system calls made by the programs executed in the loadconfigure script, you only need to enter one shell command: strace -f -o loadconfigure-strace.txt -e execve ./loadconfigure
For example, if we know that the process number of ActLogicSvr is 16789, we can execute strace -p 16789 -c to count the system calls of ActLogicSvr over a period of time. The results are as follows:
This clearly tells you which system functions are called, how many times they are called, how much time is consumed, and so on, which is very useful for us to analyze a program.
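The execve trace described above can be summarized with a few lines of awk. This is an added example, not part of the original article; it assumes the log format written by strace -f -o FILE -e execve (one PID-prefixed line per call), and the sample log, PIDs and paths are constructed.

```bash
#!/bin/sh
# Added example: summarize a log written by "strace -f -o FILE -e execve CMD".

# Constructed sample log; PIDs, paths and arguments are made up.
sample_strace_log() {
cat <<'EOF'
21001 execve("./loadconfigure", ["./loadconfigure"], 0x7ffc1a2b3c40 /* 24 vars */) = 0
21002 execve("/usr/local/bin/grep", ["grep", "-q", "port", "app.conf"], 0x55d0c8a0 /* 24 vars */) = -1 ENOENT (No such file or directory)
21002 execve("/usr/bin/grep", ["grep", "-q", "port", "app.conf"], 0x55d0c8a0 /* 24 vars */) = 0
21003 execve("/bin/sed", ["sed", "-i", "s/a/b/", "app.conf"], 0x55d0c8a0 /* 24 vars */) = 0
21004 execve("/usr/bin/grep", ["grep", "-q", "host", "app.conf"], 0x55d0c8a0 /* 24 vars */) = 0
21004 +++ exited with 0 +++
EOF
}

# Print "count path" for every program that was really started (execve
# returned 0), most frequent first. Reads named files or stdin.
executed_programs() {
  awk '
    /execve\("/ && / = 0$/ {
      path = $0
      sub(/^[^"]*"/, "", path)   # drop everything up to the opening quote
      sub(/".*$/, "", path)      # drop everything after the closing quote
      count[path]++
    }
    END { for (p in count) print count[p], p }
  ' "$@" | LC_ALL=C sort -k1,1nr -k2,2
}

# Print "pid path errno" for execve attempts that failed, for example the
# ENOENT misses produced while PATH is searched.
failed_execs() {
  awk '
    /execve\("/ && / = -1 / {
      path = $0
      sub(/^[^"]*"/, "", path)
      sub(/".*$/, "", path)
      n = split($0, part, / = -1 /)   # text after the return value
      split(part[n], err, " ")        # first word is the errno name
      print $1, path, err[1]
    }
  ' "$@"
}

sample_strace_log | executed_programs
sample_strace_log | failed_execs
```

Separating failed attempts from successful ones matters when auditing a script: only the lines that returned 0 are programs that actually ran.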
1.3 Perf
perf is a performance tuning tool for Linux. Common commands of the perf tool include top, record, report and so on.
The perf top command shows the overall state of running programs. It is mainly used to observe the current state of the entire system; for example, from its output you can see the most time-consuming kernel function or user process on the system. The effect of perf stat is as follows:
The perf record command records information about specified events while a program runs, and the perf report command generates an analysis report from the event information recorded by the previous record command. We usually use the command perf record -g -p pid to store, in perf.data, the proportion of CPU time taken by each instruction of the process while the command runs (-g records the call relationships between functions). Then use perf report --call-graph --stdio to show the recorded statistics.
When perf record has the -g option, the running effect of perf report:
When perf record does not have the -g option, the running effect of perf report:
1.4 vmstat
vmstat is a very comprehensive performance analysis tool, which can observe the process status of the system, memory usage, virtual memory usage, disk IO, interrupts, context switches, CPU usage and so on.
The output of vmstat is as follows:
Procs:
- r: the number of processes in the run queue, which can also be used to judge whether more CPU is needed (long-term greater than 1).
- b: the number of processes that are blocked because of IO.
Memory:
- swpd: the amount of virtual memory in use
- free: the amount of free physical memory
- buff: the amount of memory used as buffers
- cache: the amount of memory used as cache
Swap:
- si: the amount of memory read from the swap area into memory per second (transferred from disk to memory)
- so: the amount of memory written to the swap area per second (transferred from memory to disk)
Io:
- bi: total amount of data read from block devices (disk reads) (KB/s)
- bo: total amount of data written to block devices (disk writes) (KB/s)
System:
- in: number of interrupts per second
- cs: number of context switches per second
Cpu:
- us: percentage of CPU time consumed by user processes
- sy: percentage of CPU time consumed by kernel processes
- wa: percentage of CPU time spent waiting for IO
- id: percentage of time the CPU is idle
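The fields above can be checked automatically. This is an added example, not part of the original article; the function name vmstat_flags, the default 20% wa threshold and the sample numbers are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: flag vmstat samples that show CPU, swap or IO pressure.

# Constructed sample of "vmstat 1" output; all numbers are made up.
sample_vmstat() {
cat <<'EOF'
procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 1  0      0 812340  81728 903212    0    0     5    12  110  240  5  4 91  0  0
 2  0      0 811900  81728 903300    0    0     0    40  130  260  8  5 87  0  0
 6  2  20480  10240   4096 120000  120  340  2200  1800  900 4100 35 20 10 35  0
 9  0  20480  15000   4096 121000    0    0    10    20  950 5200 80 18  2  0  0
EOF
}

# vmstat_flags NCPU [WA_MAX]
# Prints "sample-number: flags" for each data row that trips a check:
#   runqueue  r is larger than NCPU (more runnable processes than CPUs)
#   swapping  si + so is non-zero (pages moving between memory and swap)
#   iowait    wa is at least WA_MAX percent (default 20, an assumed threshold)
# Columns are located by name from the header row, so extra columns are fine.
# Note that the first row vmstat prints is an average since boot.
vmstat_flags() {
  awk -v ncpu="${1:-1}" -v wa_max="${2:-20}" '
    $1 == "r" && $2 == "b" {            # header row: remember column positions
      for (i = 1; i <= NF; i++) col[$i] = i
      next
    }
    !("r" in col) || $1 !~ /^[0-9]+$/ { next }   # banner or other non-data line
    {
      sample++
      flags = ""
      if ($col["r"] > ncpu)            flags = flags " runqueue"
      if ($col["si"] + $col["so"] > 0) flags = flags " swapping"
      if ($col["wa"] >= wa_max)        flags = flags " iowait"
      if (flags != "") print sample ":" flags
    }
  '
}

sample_vmstat | vmstat_flags 4
```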
2. Network
2.1 netstat command
The netstat command is used to print the status information of the network system in Linux, so that you can know the network situation of the whole Linux system.
The common options for netstat are as follows:
(1) -a (all): shows all options
(2) -t (tcp): shows only tcp related options
(3) -u (udp): shows only udp related options
(4) -l (listen): lists only the services in the Listen (monitoring) state
(5) -p (program): shows the name of the program that established the connection
(6) -r (route): displays routing information, the routing table
(7) -e (extend): displays extended information
(8) -c: executes the netstat command at regular intervals.
Here we briefly review the TCP three-way handshake and the four waves (connection close), in order to explain the tcp states shown by netstat below.
The process of the TCP three-way handshake is as follows:
(1) The active connector sends a SYN packet to the passive connector.
(2) After receiving the SYN packet, the passive connector sends a SYN packet with ACK to the active connector.
(3) The active connector sends a packet with the ACK flag to the passive connector, and the handshake is completed.
The four waves of TCP are as follows:
(1) The active closing end sends a FIN packet to the passive closing end.
(2) After receiving the FIN packet, the passive closing end sends an ACK packet to the active closing end.
(3) After the passive closing end has sent the ACK packet, it sends a FIN packet to the active closing end.
(4) After receiving the FIN packet, the active closing end sends an ACK packet. When the passive closing end receives the ACK, the four waves are complete and the connection is closed.
Let's explain the states that netstat shows for tcp connections.
(1) LISTEN: listening state, waiting for a connection request from a remote machine.
(2) SYN_SENT: during the TCP three-way handshake, after the active connector sends the SYN packet, it enters the SYN_SENT state and waits for the other party's ACK packet.
(3) SYN_RECV: during the TCP three-way handshake, the passive connector enters the SYN_RECV state after receiving the SYN packet.
(4) ESTABLISHED: after completing the TCP three-way handshake, the active connector enters the ESTABLISHED state. At this point, the TCP connection is established and you can communicate.
(5) FIN_WAIT_1: during the four waves of TCP, the active closing end sends the FIN packet and enters the FIN_WAIT_1 state.
(6) FIN_WAIT_2: during the four waves of TCP, the active closing end receives the ACK packet and enters the FIN_WAIT_2 state.
(7) TIME_WAIT: during the four waves of TCP, the active closing end sends the ACK packet, enters the TIME_WAIT state, and waits for at most 2MSL so that the passive closing end can receive the ACK packet.
(8) CLOSING: during the four waves of TCP, after the active closing end sends the FIN packet, it does not receive the corresponding ACK packet but receives the other party's FIN packet, and enters the CLOSING state.
(9) CLOSE_WAIT: during the four waves of TCP, the passive closing end receives the FIN packet and enters the CLOSE_WAIT state.
(10) LAST_ACK: during the four waves of TCP, the passive closing end sends the FIN packet, enters the LAST_ACK state, and waits for the other party's ACK packet.
netstat -te, which shows all tcp connections, has the following effect:
Common uses of netstat:
(1) netstat -p | grep 19626: get all ports opened by the process with process number 19626
(2) netstat -tpl: view the current tcp listening ports, showing the name of the listening program.
(3) netstat -c 2: execute netstat every two seconds and output continuously
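The states listed above are easier to read as a tally per service port. This is an added example, not part of the original article; it assumes the column layout of netstat -tan, the function names are hypothetical, and the sample connections are constructed around the 10.136.12.1:10014 service mentioned on this page.

```bash
#!/bin/sh
# Added example: count TCP connection states from "netstat -tan" output.

# Constructed sample; 10.136.12.1:10014 is the service used on this page,
# the peer addresses (192.0.2.0/24 documentation range) are made up.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:10014           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.136.12.1:10014       192.0.2.10:51544        ESTABLISHED
tcp        0      0 10.136.12.1:10014       192.0.2.11:40022        CLOSE_WAIT
tcp        1      0 10.136.12.1:10014       192.0.2.12:40310        CLOSE_WAIT
tcp        0      0 10.136.12.1:10014       192.0.2.13:38811        CLOSE_WAIT
tcp        0      0 10.136.12.1:10014       192.0.2.14:50100        SYN_RECV
tcp        0      0 10.136.12.1:10014       192.0.2.15:50230        TIME_WAIT
tcp        0      0 10.136.12.1:22          192.0.2.20:60022        ESTABLISHED
tcp6       0      0 :::10014                :::*                    LISTEN
EOF
}

# tcp_state_counts [PORT]
# Prints "STATE count" for TCP sockets, optionally only those whose local
# port is PORT. The port is the text after the last ":" so IPv6 works too.
tcp_state_counts() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && NF >= 6 {
      n = split($4, a, ":")
      if (port != "" && a[n] != port) next
      count[$6]++
    }
    END { for (s in count) print s, count[s] }
  ' | LC_ALL=C sort
}

# state_count STATE [PORT]: one number, 0 when the state does not occur.
state_count() {
  tcp_state_counts "$2" | awk -v s="$1" '$1 == s { n = $2 } END { print n + 0 }'
}

sample_netstat | tcp_state_counts 10014
```

A CLOSE_WAIT count that keeps growing means the local program has received the peer's FIN but has not closed its own socket, while many SYN_RECV entries mean handshakes are not being completed.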
2.2 lsof
The lsof command is used to view the files opened by a process, the processes that have a file open, and the ports (TCP, UDP) opened by a process. In the Linux environment, everything exists in the form of files, through which you can access not only regular data but also network connections and hardware. When TCP or UDP is used, the system assigns a file descriptor to the application in the background. Regardless of the nature of the file, the file descriptor provides a common interface for the interaction between the application and the underlying operating system.
Examples of lsof usage are as follows:
The meaning of the output items is as follows:
COMMAND: the name of the process
PID: process identifier
USER: process owner
FD: file descriptor, by which the application identifies the file. Such as cwd, txt, etc.
TYPE: file type, such as DIR, REG, etc.
DEVICE: specifies the name of the disk
SIZE: the size of the file
NODE: Inode (identification of files on disk)
NAME: the exact name of the open file
Common uses of lsof:
(1) lsof abc.txt: view all processes that have the file abc.txt open.
(2) lsof -p pid: displays all files opened by the process.
2.3 tcpdump
Tcpdump can completely intercept the packets transmitted in the network for analysis. It supports filtering against network layer, protocol, host, network or port, and provides and, or, not and other logic statements to help you get rid of useless information.
Common parameters of tcpdump:
(1) -nn: shows IP addresses and port numbers directly instead of hostnames and service names.
(2) -i: followed by the network interface you want to listen on, such as eth0, lo, ppp0 and so on.
(3) -w: if you want to store the captured packet data, use this parameter, followed by the file name.
(4) -c: the number of packets to capture. Without this parameter, tcpdump will continue to listen until the user enters [ctrl]-c.
(5) -A: the contents of the packet are displayed in ASCII; usually used to capture the web page data of WWW.
(6) -e: displays the MAC packet data of the data link layer (OSI layer 2).
(7) -q: lists only short packet information, so the content of each line is relatively concise.
(8) -X: lists the packet contents in hexadecimal (hex) and ASCII, which is useful for inspecting packet contents.
(9) -r: reads the packet data from the following file. That file is an existing file produced with -w.
Common uses of tcpdump:
(1) tcpdump -i eth2 host *. * *: grab all network data that passes through eth2 and whose destination or source address is * *. * *.
(2) tcpdump -i eth2 dst host *. * *: grab all network data that passes through eth2 and whose destination address is * *. * *.
(3) tcpdump -i eth2 src host *. * *: grab all network data that passes through eth2 and whose source address is * *. * *.
(4) tcpdump -i eth2 port 36000: grab all network data that passes through eth2 and whose destination port or source port is 36000.
(5) tcpdump -i eth2 src port 36000: grab all network data that passes through eth2 and whose source port is 36000.
(6) tcpdump -i eth2 dst port 36000: grab all network data that passes through eth2 and whose destination port is 36000.
(7) tcpdump -i eth2 'src host *. * * && src port 36000': capture all network data passing through eth2 with the destination address of 10.136.12.1 and the destination port of 36000.
(8) On the 10.136.12.1 machine, we know through top that the process id of ActLogicSvr is 16789. Then, via netstat -ap | grep 16789, we find that the port on which ActLogicSvr listens is 10014. As shown in the following figure:
Then we grab all the packets passing through port 10014 via tcpdump -i eth2 'port 10014' -xxx. We send a request to ActLogicSvr by simulating an interface test. The captured packets are as follows:
From the captured packets, we can clearly see the whole process: the three-way handshake that establishes the tcp connection, the data transmission, and the four waves that close the tcp connection (the first three packets are the three-way handshake, the last four packets are the four waves, and the packets in the middle are the network packets generated by data transmission).
3. Memory
3.1 valgrind
Valgrind is a debugging tool that is widely used for Linux programs. It is especially good at finding memory management problems and can check for memory leaks while the program is running. When we use valgrind, we mainly use its memory leak detection function, that is, the memcheck tool. It checks all read / write operations to memory and intercepts all malloc/new/free/delete calls. So the memcheck tool can detect the following problems:
(1) use of uninitialized memory
(2) read / write of memory that has been freed
(3) read / write of memory out of bounds
(4) read / write of inappropriate memory stack space
(5) memory leak
(6) mismatched use of malloc/new/new[] and free/delete/delete[]
(7) overlapping of src and dst
The optional parameters of valgrind and their corresponding meanings are as follows:
(1) --version: displays the version of the valgrind kernel; each tool has its own version.
(2) -q --quiet: runs quietly, printing only error messages.
(3) -v --verbose: more detailed information, increases the error statistics.
(4) --trace-children=no|yes: tracks child threads
(5) --track-fds=no|yes: tracks open file descriptors
(6) --time-stamp=no|yes: adds timestamps to LOG information
(7) --log-fd=: outputs LOG to the file descriptor
(8) --log-file=: writes the output information to the file filename.PID, where PID is the ID of the running program.
(9) --log-file-exactly=: outputs LOG information to file
(10) --log-file-qualifier=: takes the value of an environment variable as the file name of the output information.
(11) --log-socket=ipaddr:port: outputs LOG to the socket ipaddr:port
LOG information output:
(1) --xml=yes: outputs the information in xml format; only available for memcheck
(2) --num-callers=: show callers in stack traces [12]
(3) --error-limit=no|yes: if there are too many errors, stop displaying new errors? [yes]
(4) --error-exitcode=: returns the error code if it finds an error [0=disable]
(5) --db-attach=no|yes: when an error occurs, valgrind automatically starts the debugger gdb. [no]
(6) --db-command=: the command line option to launch the debugger [gdb -nw %f %p]
Options for the Memcheck tool:
(1) --leak-check=no|summary|full: whether to provide detailed information for leaks? [summary]
(2) --leak-resolution=low|med|high: how much bt merging in leak check [low]
(3) --show-reachable=no|yes: show reachable blocks in leak check? [no]
Example: valgrind --leak-check=full --trace-children=yes /usr/local/app/taf/tafnode/data/TenFortune.WeChatProxySvr/bin/WeChatProxySvr --config=/usr/local/app/taf/tafnode/data/TenFortune.WeChatProxySvr/conf/TenFortune.WeChatProxySvr.config.conf
Result of execution:
4. Disk
4.1 iotop
The iotop command is a top-like tool used to monitor disk I/O usage. iotop has a UI similar to top, including PID, user, I/O, process and other related information. Most of the IO statistics tools under Linux, such as iostat and nmon, can only count reads and writes per device. If you want to know how each process uses IO, that is troublesome with those tools, and the iotop command can be used to view it.
iotop command options:
-o: only processes with io operations are displayed
-n NUM: displays NUM times, mainly for non-interactive mode.
-d SEC: displays every SEC second.
-p PID: pid of the monitored process.
-u USER: the process user being monitored.
The execution effect of iotop:
Thank you for reading! This is the end of this article on "what are the common system analysis tools under Linux?". I hope the above content is of some help to you. If you think the article is good, you can share it for more people to see!