
What are the network commands in Linux

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Many newcomers are not clear about which network commands Linux offers. To help with that, the editor explains them in detail below; anyone who needs this can read on and hopefully learn something.

View the connection of the current system

How do you see how many connections the current system has? Use netstat together with awk. The following one-liner counts the TCP connections in each state:

# netstat -antp | awk '{a[$6]++} END {for (x in a) print x, a[x]}'
LISTEN 41
CLOSE_WAIT 24
ESTABLISHED 150
Foreign 1
TIME_WAIT 92

But if you run this on a server with tens of thousands of connections, you may wait a long time. So there is a second-generation tool for connection statistics: netstat => ss (not to be confused with that jailbreak tool).

# ss -s
Total: 191 (kernel 220)
TCP:   5056 (estab 42, closed 5000, orphaned 3, synrecv 0, timewait 5000/0), ports 3469

netstat belongs to the net-tools package, while ss belongs to iproute. The commands correspond as follows; it is time to say goodbye to net-tools.

Use           net-tools    iproute
Statistics    netstat      ss
Address       ifconfig     ip addr
Routing       route        ip route
Neighbor      arp          ip neigh
VPN           iptunnel     ip tunnel
VLAN          vconfig      ip link
Multicast     ipmaddr      ip maddr

ss command

Basic use

Let's take a look at the use of ss in terms of usage scenarios.

View the TCP connections the system is listening on

ss -atr
ss -atn   # ip only, no name resolution

View all connections in the system

ss -alt

View the process pid listening on port 444

ss -ltp | grep 444

See which ports are held by process 555

ss -ltp | grep 'pid=555'   # match the pid field, so port 555 is not matched by mistake

Show all udp connections

ss -u -a

To view TCP sockets, use the -ta option

To view UDP sockets, use the -ua option

To view RAW sockets, use the -wa option

To view UNIX sockets, use the -xa option

All connections to a given IP

ss dst 10.66.224.130
ss dst 10.66.224.130:http
ss dst 10.66.224.130:smtp
ss dst 10.66.224.130:443

Show all HTTP connections

ss dport = :http

Check the top 10 IP addresses connecting to this machine

# column 5 of netstat is the foreign (remote) address; column 4 would be our own local address
netstat -antp | awk '{print $5}' | cut -d':' -f1 | sort | uniq -c | sort -n -k1 -r | head -n 10
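The per-state count and the top-peer list above, done over `ss -tan` output instead of netstat, as an added example that is not part of the original article. The sample output is constructed here so the script runs offline; the column positions (state in column 1, peer address in column 5) are those `ss` prints, and on a real host you would pipe in `ss -tan` instead.

```shell
#!/bin/sh
# Constructed sample of `ss -tan` output (ss writes TIME-WAIT / CLOSE-WAIT with hyphens,
# netstat writes TIME_WAIT / CLOSE_WAIT with underscores).
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:22           0.0.0.0:*
LISTEN     0      511    0.0.0.0:80           0.0.0.0:*
ESTAB      0      0      10.0.0.5:80          192.0.2.10:51012
ESTAB      0      0      10.0.0.5:80          192.0.2.10:51013
ESTAB      0      0      10.0.0.5:80          198.51.100.7:40211
TIME-WAIT  0      0      10.0.0.5:80          192.0.2.10:50999
CLOSE-WAIT 1      0      10.0.0.5:80          203.0.113.9:33021'

# Count sockets per state. NR>1 skips the header line, which is what produced the
# bogus "Foreign 1" entry in the netstat version above.
count_states() {
    printf '%s\n' "$1" | awk 'NR>1 {a[$1]++} END {for (s in a) print s, a[s]}' | sort
}

# Top N remote peers by number of sockets. Only the LAST ":port" is stripped, so an
# IPv6 peer such as [2001:db8::1]:443 keeps its address; listeners have no real peer.
top_peers() {   # $1 = ss output, $2 = how many peers (default 10)
    printf '%s\n' "$1" | awk 'NR>1 && $1!="LISTEN" {sub(/:[^:]*$/, "", $5); print $5}' \
        | sort | uniq -c | sort -rn | head -n "${2:-10}"
}

# Number of sockets in one state, 0 when the state is absent.
state_count() {   # $1 = ss output, $2 = state name as ss prints it
    count_states "$1" | awk -v s="$2" '$1==s {print $2; found=1} END {if (!found) print 0}'
}

count_states "$SAMPLE_SS"
top_peers "$SAMPLE_SS" 3
```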

Recv-Q and Send-Q

Look at the output of ss; let's explain the Recv-Q and Send-Q columns.

These two values mean different things in the LISTEN and ESTAB states. In general, a healthy application should show 0 in both (apart from the backlog value); the larger the value, the more serious the problem.

LISTEN state

Recv-Q: the number of connections that have completed the handshake but have not yet been accept()ed by the application, for example when Nginx is slow to accept new connections.

Send-Q: the listen backlog value.

ESTAB state

Recv-Q: the number of bytes sitting in the kernel receive buffer that the application has not yet read, which indicates some degree of blocking.

Send-Q: the number of bytes in the kernel send queue that have not yet been acknowledged, meaning the peer's receiving or processing capacity is insufficient.
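A check that applies the two meanings above to `ss -tan` output, as an added example that is not from the original article: listeners whose pending accept queue (Recv-Q) is close to the backlog (Send-Q), and established sockets with a large unread or unacknowledged byte count. The sample is constructed; the percentage and byte thresholds are assumptions to tune per service.

```shell
#!/bin/sh
# Constructed `ss -tan` sample: port 80 has 120 of 128 backlog slots waiting for accept(),
# one ESTAB socket has 512 KiB unread by the application, another has 300000 bytes unacked.
SAMPLE_Q='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  120    128    0.0.0.0:80          0.0.0.0:*
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
ESTAB   0      0      10.0.0.5:80         192.0.2.10:51012
ESTAB   524288 0      10.0.0.5:80         192.0.2.11:51020
ESTAB   0      300000 10.0.0.5:80         192.0.2.12:51021'

# LISTEN: Recv-Q = connections waiting for accept(), Send-Q = backlog.
# Print listeners whose pending queue has reached pct% of the backlog.
listen_backlog_pressure() {   # $1 = ss output, $2 = percent threshold (default 80)
    printf '%s\n' "$1" | awk -v pct="${2:-80}" \
        '$1=="LISTEN" && $3>0 && $2*100 >= $3*pct {print $4, $2 "/" $3}'
}

# ESTAB: Recv-Q = bytes not yet read by the app, Send-Q = bytes not yet ACKed by the peer.
# Print sockets with more than lim bytes queued either way, and which side is slow.
estab_queue_over() {   # $1 = ss output, $2 = byte threshold
    printf '%s\n' "$1" | awk -v lim="$2" '$1=="ESTAB" && ($2>lim || $3>lim) {
        side = ($2>lim) ? "unread" : "unacked"
        val  = ($2>lim) ? $2 : $3
        print $5, side, val
    }'
}

listen_backlog_pressure "$SAMPLE_Q" 80
estab_queue_over "$SAMPLE_Q" 65536
```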

View network traffic

View traffic

There are many tools for viewing network traffic, but I like sar best. sar is the most complete monitoring tool on Linux. As shown in the figure, sar -n DEV 1 refreshes the per-interface traffic every second.

Of course you can also use ifstat, nload, iptraf and similar commands. Their data all comes from the /proc directory anyway:

watch cat /proc/net/dev

View the IP that accounts for the largest share of traffic

Sometimes bandwidth usage is very high but we cannot tell where the traffic is coming from. iftop helps here: as shown in the figure, it quickly reveals which host the traffic comes from.

When you are unsure about the source of traffic on the private network, for example someone running a load test or making unreasonable API calls, this method lets you find them.

Packet capture

tcpdump

When we need to determine whether there is any traffic at all, or debug a tricky netty application problem, capturing packets gives us further evidence. On Linux you capture with the tcpdump command and then analyze the result in Wireshark.

tcpdump -i eth0 -nn -s0 -v port 80

-i specifies the interface to capture on.

-n, as with ss, means domain names are not resolved.

-nn: the second n means ports are shown as numbers too, instead of being resolved to service names.

-s sets the snapshot length per packet; 0 means no limit.

-v prints verbose output while capturing; -vv and -vvv are progressively more verbose.

1) adding the -A option prints the packets as ASCII, and -X prints them as hex.

tcpdump -A -s0 port 80

2) capture the packets of a specific IP

tcpdump -i eth0 host 10.10.1.1
tcpdump -i eth0 dst 10.10.1.20

3) the -w parameter writes the captured packets to a file

tcpdump -i eth0 -s0 -w test.pcap

4) tcpdump supports filter expressions, and there are more complex examples, such as capturing the GET and POST requests (non-HTTPS) on the system.

tcpdump -s 0 -v -n -l | egrep -i "POST / | GET / | Host:"

See more examples at

https://hackertarget.com/tcpdump-examples/

You can view the captured data with Wireshark.

HTTP capture

An HTTP capture tool acts as a proxy between your browser and the server, recording their communication and offering modification, replay and batch execution. It is a sharp weapon for finding problems, analyzing protocols and attacking sites. The three commonly used ones are:

Burp Suite (cross-platform)

Fiddler 2 (Windows)

Charles (Mac)

Bad things have to be done secretly.

Traffic replication

You may need to replay the real HTTP traffic of your production environment in a development or staging environment; that is what traffic replication is for.

There are three tools to choose from; I personally prefer Gor.

Gor

TCPReplay

TCPCopy

Problem with too many connections

According to TCP/IP, a socket has about 10 connection states. In day-to-day work, apart from SYN-based denial-of-service attacks, any anomaly we meet is most likely a TIME_WAIT or CLOSE_WAIT problem.

TIME_WAIT can generally be solved by tuning kernel parameters; CLOSE_WAIT is generally caused by unreasonable programming and deserves more attention from developers.

TIME_WAIT

TIME_WAIT is the state held by the side that actively closes the connection, such as nginx and crawler servers, so a large number of connections in time_wait is common there. After actively closing, TCP normally waits 2MSL before releasing the connection completely. Because HTTP runs over TCP, servers that open and close connections this frequently build up a large backlog of connections in the TIME_WAIT state.

On some systems you will see the following in dmesg:

__ratelimit: 2170 callbacks suppressed
TCP: time wait bucket table overflow
TCP: time wait bucket table overflow

From the ss -s command you can see there are already 20,000 (2w) sockets in timewait:

# ss -s
Total: 174 (kernel 1999)
TCP:   20047 (estab 32, closed 20000, orphaned 4, synrecv 0, timewait 20000/0), ports 10785

Set these parameters with the sysctl command, and add them to the /etc/sysctl.conf file if they should still apply after a reboot.

# raise the threshold
net.ipv4.tcp_max_tw_buckets = 50000
# allow reuse of TIME-WAIT sockets for new TCP connections
net.ipv4.tcp_tw_reuse = 1
# enable fast recycling of TIME-WAIT sockets; this must be turned on, it is off by default
net.ipv4.tcp_tw_recycle = 1
# shorten the system's default FIN timeout, which is 60s
net.ipv4.tcp_fin_timeout = 10

To test a parameter, use a command such as sysctl -w net.ipv4.tcp_tw_reuse=1. Settings written to the file take effect with sysctl -p.
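An added check that goes with the tuning above (not from the original article): it reads the timewait counter out of `ss -s`, compares it with net.ipv4.tcp_max_tw_buckets (the limit whose overflow produces the "time wait bucket table overflow" messages), and tells you whether net.ipv4.tcp_tw_recycle even exists on the running kernel, since that knob was removed in Linux 4.12 and before that broke clients behind NAT. The `ss -s` text is a constructed sample; the 90% threshold and the 50000 fallback limit are assumptions.

```shell
#!/bin/sh
# Constructed sample in the format `ss -s` prints; on a real host use: ss -s
SAMPLE_SS_S='Total: 174 (kernel 1999)
TCP:   20047 (estab 32, closed 20000, orphaned 4, synrecv 0, timewait 20000/0), ports 10785'

# Pull N out of "timewait N/M": N is the current number of TIME-WAIT sockets.
timewait_count() {
    printf '%s\n' "$1" | sed -n 's/.*timewait \([0-9]*\)\/.*/\1/p'
}

# Succeed (0) while timewait is below pct% of tcp_max_tw_buckets, fail (1) otherwise.
timewait_headroom_ok() {   # $1 = ss -s output, $2 = tcp_max_tw_buckets, $3 = percent (default 90)
    tw=$(timewait_count "$1")
    [ "${tw:-0}" -lt $(( $2 * ${3:-90} / 100 )) ]
}

# tcp_tw_recycle exists only on kernels older than 4.12; newer kernels have tcp_tw_reuse only.
tw_recycle_exists() {   # $1 = kernel release string as printed by `uname -r`
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 12 ]; }
}

main() {
    tw=$(timewait_count "$SAMPLE_SS_S")
    # Real limit from /proc when available (assumed fallback of 50000 matches the snippet above).
    limit=$(cat /proc/sys/net/ipv4/tcp_max_tw_buckets 2>/dev/null || echo 50000)
    if timewait_headroom_ok "$SAMPLE_SS_S" "$limit"; then
        echo "timewait $tw / $limit buckets: ok"
    else
        echo "timewait $tw / $limit buckets: near or over the limit, expect bucket table overflow"
    fi
    if tw_recycle_exists "$(uname -r)"; then
        echo "tcp_tw_recycle present on this kernel"
    else
        echo "tcp_tw_recycle removed (kernel >= 4.12): drop that line, keep tcp_tw_reuse"
    fi
}
main
```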

CLOSE_WAIT

CLOSE_WAIT is usually caused by the peer actively closing the connection and our side failing to handle that correctly. Bluntly, it is a bug in the program, and a relatively harmful one.

Let's take a typical case from "csdn homophonic Taro".

The code is a usage snippet for HttpClient. It releases the connection resources by calling in.close(). Unfortunately there is a check in the code: for responses with a non-200 status it returns null directly. In that case `in` is never even assigned a value, so of course it cannot be closed, and a connection leak follows.

Therefore the correct way to release an HttpClient connection is to use its API: abort().
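Spotting the leak described above from the outside, as an added example that is not part of the original article: group CLOSE-WAIT sockets by the owning process in `ss -tanp` output, so a process that never closes connections its peers already shut down shows up by name and pid. The sample output is constructed; the threshold of 3 is an assumption.

```shell
#!/bin/sh
# Constructed `ss -tanp` sample: a java process (pid 2210) holds three CLOSE-WAIT sockets
# towards the same API host, which is the signature of the HttpClient leak above.
SAMPLE_P='State      Recv-Q Send-Q Local Address:Port Peer Address:Port Process
CLOSE-WAIT 1      0      10.0.0.5:43210     203.0.113.9:443  users:(("java",pid=2210,fd=55))
CLOSE-WAIT 1      0      10.0.0.5:43211     203.0.113.9:443  users:(("java",pid=2210,fd=56))
CLOSE-WAIT 1      0      10.0.0.5:43212     203.0.113.9:443  users:(("java",pid=2210,fd=57))
ESTAB      0      0      10.0.0.5:80        192.0.2.10:51012 users:(("nginx",pid=1234,fd=12))
CLOSE-WAIT 0      0      10.0.0.5:50010     198.51.100.7:80  users:(("curl",pid=3001,fd=3))'

# Count CLOSE-WAIT sockets per process. Column 6 is users:(("name",pid=N,fd=M)); the
# name and pid are cut out of it with two substitutions each. Output: "<count> <name> pid=<N>".
close_wait_by_process() {   # $1 = ss -tanp output
    printf '%s\n' "$1" | awk '$1=="CLOSE-WAIT" {
        n=$6; sub(/^users:\(\("/, "", n); sub(/".*/, "", n)
        p=$6; sub(/.*pid=/, "", p);      sub(/,.*/, "", p)
        c[n " pid=" p]++
    } END {for (k in c) print c[k], k}' | sort -rn
}

# Processes holding at least $2 CLOSE-WAIT sockets: the peer sent FIN, the process never
# called close(), and the sockets (and their file descriptors) stay leaked until it exits.
close_wait_offenders() {   # $1 = ss -tanp output, $2 = minimum count
    close_wait_by_process "$1" | awk -v min="$2" '$1>=min {print $2, $3}'
}

close_wait_by_process "$SAMPLE_P"
close_wait_offenders "$SAMPLE_P" 3
```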

Other common commands

Application software

# resume an interrupted download
wget -c $url
# download a whole site
wget -r -p -np -k $url
# send a network request (commonly used)
curl -XGET $url
# transfer files
scp
sftp
# data mirror backup
rsync

Detection tools

# connectivity check
ping google.com
# route to the peer
tracepath google.com
# domain name lookup
dig google.com
nslookup google.com
# network scanner
nmap
# throughput test
iperf
# all-round monitoring tool (good stuff)
nmon

Configuration tools

# bring a network card down
ifdown
# bring a network card up
ifup
# multi-purpose NIC management tool
ethtool

Pressure testing

wrk
ab
webbench
http_load

Multi-function tools

# remote login
telnet
ssh
nc
# firewall
iptables -L
