How to write a powerful shell script for Network Analysis

2025-04-27 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

This article introduces how to write a powerful shell script for network analysis. Many people run into this kind of situation in real cases, so let the editor walk you through how to deal with it. I hope you read it carefully and get something out of it!

Screenshot of the script in action (image omitted):

The features included in this script are:

1. Monitor the traffic of any network interface in real time.

2. Count the average traffic over a 10-second window.

3. Count the average traffic of each port over 10 seconds, broken down by server port and by client port. You can see which ports account for a large share of the traffic; for a web server it is usually port 80. When other ports are attacked, those ports can also carry a lot of traffic, so this feature helps us judge whether the per-port traffic is normal.

4. List the top 10 IPs by bandwidth over 10 seconds. This helps us find out whether some IP is maliciously hogging bandwidth.

5. Count the connection states. This lets us see which connection states dominate. If there are too many SYN-RECV states, the server may be under a half-open connection attack. If ESTABLISHED is very large but the logs show far fewer requests, or tcpdump shows that a large number of IPs only establish a connection and never request data, it may be a full-connection attack. If you are running nginx, you can add listen 80 deferred to the configuration file to mitigate it.

6. Count the connection states of each port. When an attack is suspected, this helps us find out which port is being attacked.

7. List the top 10 IPs with the most ESTAB connections to port 80. This helps us find the IPs that open too many connections, so we can block them.

8. List the top 10 IPs with the most SYN-RECV connections to port 80. This helps us find the malicious IPs during a half-open connection attack.

Network analysis tools used:

1. tcpdump: the script uses tcpdump to count traffic by IP and by port.

2. ss: the script uses the ss command to count connection states. In practice, ss turns out to be much more efficient than netstat.

3. /proc/net/dev: used to count the traffic of the specified network interface.

Script download address: https://www.centos.bz/wp-content/uploads/2014/06/network-analysis.sh

The complete script is posted below:

#!/bin/bash
# write by zhumaohai (admin#centos.bz)

# display menu (radio)
display_menu() {
    local soft=$1
    local prompt="which ${soft} you'd select:"
    # build arr from the caller's ${soft}_arr, e.g. nic_arr
    eval local arr=(\${${soft}_arr[@]})
    while true
    do
        echo -e "#  ${soft} setting  #\n\n"
        # The listing is cut off here in the source: the for loop that prints the
        # numbered choices and the read that stores the selection in $soft are
        # missing, as are the helper functions check_package_manager,
        # bit_to_human_readable and realTimeTraffic that the rest of the script calls.
        break
    done
}

# traffic and connection overview (the function header itself is not in the
# truncated listing; the name comes from main below)
trafficAndConnectionOverview() {
    if ! which tcpdump > /dev/null; then
        echo "tcpdump not found,going to install it."
        if check_package_manager apt; then
            apt-get -y install tcpdump
        elif check_package_manager yum; then
            yum -y install tcpdump
        fi
    fi
    local reg=""
    local eth=""
    # candidate interfaces, excluding the loopback
    local nic_arr=($(ifconfig | grep -E -o "^[a-z0-9]+" | grep -v "lo" | uniq))
    local nicLen=${#nic_arr[@]}
    if [ $nicLen -eq 0 ]; then
        echo "sorry,I can not detect any network device,please report this issue to author."
        exit 1
    elif [ $nicLen -eq 1 ]; then
        eth=${nic_arr[0]}
    else
        display_menu nic
        eth=$nic
    fi
    echo "please wait for 10s to generate network data..."
    echo
    # current traffic value: received bytes ($3) and transmitted bytes ($11) of the
    # interface line in /proc/net/dev, split on colons and runs of spaces
    local traffic_be=($(awk -v eth=$eth -F'[: ]+' '{if ($0 ~ eth){print $3,$11}}' /proc/net/dev))
    # tcpdump snooping network
    tcpdump -v -i $eth -tnn > /tmp/tcpdump_temp 2>&1 &
    local tcpdump_pid=$!
    sleep 10
    clear
    kill $tcpdump_pid
    # Traffic value after 10s
    local traffic_af=($(awk -v eth=$eth -F'[: ]+' '{if ($0 ~ eth){print $3,$11}}' /proc/net/dev))
    # average speed over the 10s (bytes -> bits, divided by 10 seconds)
    local eth_in=$(( (${traffic_af[0]}-${traffic_be[0]})*8/10 ))
    local eth_out=$(( (${traffic_af[1]}-${traffic_be[1]})*8/10 ))
    echo -e "\033[32mnetwork device $eth average traffic in 10s:\033[0m"
    echo "$eth Receive: $(bit_to_human_readable $eth_in)/s"
    echo "$eth Transmit: $(bit_to_human_readable $eth_out)/s"
    echo
    # regex matching "<local ip>.<port>:" in tcpdump output, e.g. (10.0.0.5)\.[0-9]+:
    local regTcpdump=$(ifconfig | grep -A 1 $eth | awk -F'[: ]+' '$0~/inet addr:/{printf $4"|"}' | sed -e 's/|$//' -e 's/^/(/' -e 's/$/)\\.[0-9]+:/')
    # the new and old versions of tcpdump have different output formats, so deal with them separately.
    if awk '/^IP/{print;exit}' /tmp/tcpdump_temp | grep -q ")$"; then
        # new format: the header line ends with "length N)" and the addresses follow on the next line
        awk '/^IP/{print;getline;print}' /tmp/tcpdump_temp > /tmp/tcpdump_temp2
    else
        # old format: everything is on one line, so split it after "length: N)"
        awk '/^IP/{print}' /tmp/tcpdump_temp > /tmp/tcpdump_temp2
        sed -i -r 's#(.*: [0-9]+\))(.*)#\1\n\2#g' /tmp/tcpdump_temp2
    fi
    # one line per packet: "<src>.<sport> > <dst>.<dport>: ... <length>"
    awk '{len=$NF;sub(/\)/,"",len);getline;print $0,len}' /tmp/tcpdump_temp2 > /tmp/tcpdump

    # count the average traffic of each port within 10 seconds
    # fields after splitting on dots, colons and spaces: $2-$5 source ip, $6 source port,
    # $8-$11 destination ip, $12 destination port, $NF packet length in bytes
    echo -e "\033[32maverage traffic in 10s base on server port:\033[0m"
    awk -F'[.: ]+' -v regTcpdump="$regTcpdump" '{if ($0 ~ regTcpdump){line="clients > "$8"."$9"."$10"."$11":"$12}else{line=$2"."$3"."$4"."$5":"$6" > clients"};sum[line]+=$NF*8/10}END{for(line in sum){printf "%s %d\n",line,sum[line]}}' /tmp/tcpdump | \
    sort -k 4 -nr | head -n 10 | while read a b c d; do
        echo "$a $b $c $(bit_to_human_readable $d)/s"
    done
    # move the cursor up 11 lines and 50 columns right so the client-side table
    # is printed beside the server-side one
    echo -ne "\033[11A"
    echo -ne "\033[50C"
    echo -e "\033[32maverage traffic in 10s base on client port:\033[0m"
    awk -F'[.: ]+' -v regTcpdump="$regTcpdump" '{if ($0 ~ regTcpdump){line=$2"."$3"."$4"."$5":"$6" > server"}else{line="server > "$8"."$9"."$10"."$11":"$12};sum[line]+=$NF*8/10}END{for(line in sum){printf "%s %d\n",line,sum[line]}}' /tmp/tcpdump | \
    sort -k 4 -nr | head -n 10 | while read a b c d; do
        echo -ne "\033[50C"
        echo "$a $b $c $(bit_to_human_readable $d)/s"
    done
    echo

    # Statistics on the top 10 ip with the largest bandwidth in 10 seconds
    echo -e "\033[32mtop 10 ip average traffic in 10s base on server:\033[0m"
    awk -F'[.: ]+' -v regTcpdump="$regTcpdump" '{if ($0 ~ regTcpdump){line=$2"."$3"."$4"."$5" > "$8"."$9"."$10"."$11":"$12}else{line=$2"."$3"."$4"."$5":"$6" > "$8"."$9"."$10"."$11};sum[line]+=$NF*8/10}END{for(line in sum){printf "%s %d\n",line,sum[line]}}' /tmp/tcpdump | \
    sort -k 4 -nr | head -n 10 | while read a b c d; do
        echo "$a $b $c $(bit_to_human_readable $d)/s"
    done
    echo -ne "\033[11A"
    echo -ne "\033[50C"
    echo -e "\033[32mtop 10 ip average traffic in 10s base on client:\033[0m"
    awk -F'[.: ]+' -v regTcpdump="$regTcpdump" '{if ($0 ~ regTcpdump){line=$2"."$3"."$4"."$5":"$6" > "$8"."$9"."$10"."$11}else{line=$2"."$3"."$4"."$5" > "$8"."$9"."$10"."$11":"$12};sum[line]+=$NF*8/10}END{for(line in sum){printf "%s %d\n",line,sum[line]}}' /tmp/tcpdump | \
    sort -k 4 -nr | head -n 10 | while read a b c d; do
        echo -ne "\033[50C"
        echo "$a $b $c $(bit_to_human_readable $d)/s"
    done
    echo

    # Statistics of connection status
    # local addresses joined with "|", e.g. 10.0.0.5|192.168.1.5, used to keep only
    # sockets on this interface; the ss header is dropped by the same grep
    local regSS=$(ifconfig | grep -A 1 $eth | awk -F'[: ]+' '$0~/inet addr:/{printf $4"|"}' | sed -e 's/|$//')
    ss -an | grep -v -E "LISTEN|UNCONN" | grep -E "$regSS" > /tmp/ss
    echo -e "\033[32mconnection state count:\033[0m"
    # columns are addressed from the end of the line so the optional Netid column
    # does not matter: $(NF-4) state, $(NF-1) local addr:port, $NF peer addr:port
    awk '{sum[$(NF-4)]+=1}END{for(state in sum){print state,sum[state]}}' /tmp/ss | sort -k 2 -nr
    echo

    # count the connection status of each port
    echo -e "\033[32mconnection state count by port base on server:\033[0m"
    awk '{sum[$(NF-4),$(NF-1)]+=1}END{for(key in sum){split(key,subkey,SUBSEP);print subkey[1],subkey[2],sum[key]}}' /tmp/ss | sort -k 3 -nr | head -n 10
    echo -ne "\033[11A"
    echo -ne "\033[50C"
    echo -e "\033[32mconnection state count by port base on client:\033[0m"
    awk '{sum[$(NF-4),$NF]+=1}END{for(key in sum){split(key,subkey,SUBSEP);print subkey[1],subkey[2],sum[key]}}' /tmp/ss | sort -k 3 -nr | head -n 10 | awk '{print "\033[50C"$0}'
    echo

    # Top 10 IP with port 80 and the largest number of ESTAB connections
    # (as in the original, no port filter is applied: every ESTAB socket on the
    # local addresses is counted, keyed by the peer address without its port)
    echo -e "\033[32mtop 10 ip ESTAB state count at port 80:\033[0m"
    grep ESTAB /tmp/ss | awk '{peer=$NF;sub(/:[0-9]+$/,"",peer);sum[peer]+=1}END{for(ip in sum){print ip,sum[ip]}}' | sort -k 2 -nr | head -n 10
    echo

    # Top 10 IP with port 80 and the largest number of SYN-RECV connections
    echo -e "\033[32mtop 10 ip SYN-RECV state count at port 80:\033[0m"
    grep SYN-RECV /tmp/ss | awk '{peer=$NF;sub(/:[0-9]+$/,"",peer);sum[peer]+=1}END{for(ip in sum){print ip,sum[ip]}}' | sort -k 2 -nr | head -n 10
}

main() {
    while true; do
        echo -e "1) real time traffic.\n2) traffic and connection overview.\n"
        read -p "please input your select(ie 1):" select
        case $select in
            1) realTimeTraffic;break;;
            2) trafficAndConnectionOverview;break;;
            *) echo "input error,please input a number."
        esac
    done
}

main
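The ss-based part of the script (features 5 to 8) reworked as an added example that is not the original author's code: it reads ss output from a constructed variable, so the state count, the top SYN-RECV peers and a half-open threshold check can be exercised offline, without root or a live interface. The function names, the threshold and the sample addresses are assumptions.

```shell
#!/bin/bash
# Added example, not the original script: the ss-based checks (features 5-8)
# reworked to read ss text from a variable so they can be run without root.
# SS_SAMPLE is constructed; columns are addressed from the end of the line so
# the optional Netid column does not matter ($(NF-4) state, $(NF-1) local, $NF peer).
SS_SAMPLE='Netid State    Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   ESTAB    0      0      10.0.0.5:80        203.0.113.7:51000
tcp   ESTAB    0      0      10.0.0.5:80        203.0.113.7:51001
tcp   ESTAB    0      0      10.0.0.5:22        198.51.100.2:40000
tcp   SYN-RECV 0      0      10.0.0.5:80        192.0.2.10:1001
tcp   SYN-RECV 0      0      10.0.0.5:80        192.0.2.10:1002
tcp   SYN-RECV 0      0      10.0.0.5:80        192.0.2.10:1003
tcp   SYN-RECV 0      0      10.0.0.5:80        192.0.2.11:2001
tcp   LISTEN   0      128    10.0.0.5:80        *:*'

# Drop the header and the listening sockets: one row per connection.
conn_rows() {
    printf '%s\n' "$1" | awk 'NR > 1 && $(NF-4) != "LISTEN" && $(NF-4) != "UNCONN"'
}

# "STATE COUNT" per line, most frequent state first.
state_count() {
    conn_rows "$1" | awk '{n[$(NF-4)]++} END {for (s in n) print s, n[s]}' | sort -k 2 -nr
}

# Peer IPs holding the most sockets in state $2 on local port $3, top $4.
top_peers_by_state() {
    conn_rows "$1" | awk -v st="$2" -v port="$3" '
        $(NF-4) == st && $(NF-1) ~ ":" port "$" {
            peer = $NF; sub(/:[0-9]+$/, "", peer); n[peer]++
        }
        END {for (ip in n) print ip, n[ip]}' | sort -k 2 -nr | head -n "$4"
}

# Succeeds when the half-open (SYN-RECV) sockets on local port $2 exceed $3,
# the condition the article reads as a possible half-open connection attack.
syn_recv_over() {
    local half_open
    half_open=$(conn_rows "$1" | awk -v port="$2" \
        '$(NF-4) == "SYN-RECV" && $(NF-1) ~ ":" port "$" {c++} END {print c+0}')
    [ "$half_open" -gt "$3" ]
}

state_count "$SS_SAMPLE"
top_peers_by_state "$SS_SAMPLE" SYN-RECV 80 10
syn_recv_over "$SS_SAMPLE" 80 2 && echo "port 80: SYN-RECV backlog above threshold"
```

Replace SS_SAMPLE with `"$(ss -an)"` to run the same functions against a live host; the threshold must be tuned to the host's normal half-open backlog.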

This is the end of "how to write a powerful shell script for network analysis". Thank you for reading. If you want to know more about the industry, you can follow the website, where the editor will publish more high-quality practical articles for you!


© 2024 shulou.com SLNews company. All rights reserved.
