Look at kali linux Hundreds of network commands , I was lost in thought . There are too many professional network commands , If you want to list , There are thousands of them . Individuals are not penetration testers , Most of the functions are only superficial . So this paper is a very simple technical summary , only Focus on some of the things you use in your work Linux command .

because nio The popularity of ,ck10k The problem has become a thing of the past . Now any server , You can support hundreds of thousands of levels of connectivity . So let's figure it out ,100 How many resources does Wan's connection need .

First , Every connection is a file handle , So we need to support the number of file descriptors , every last socket Memory footprint 15k-20k Between , such , Only maintain the corresponding socket, Need 20G Memory ; And broadcast one 1KB The bandwidth required for messages of is 1000M

Check the current system connection

How to see how many connections the current system has ? have access to netstat combination awk Make statistics . The following script , Statistics of each state of tcp Number of connections

# netstat -antp | awk '{a[$6]++}END{ for(x in a)print x,a[x]}'LISTEN 41CLOSE_WAIT 24ESTABLISHED 150Foreign 1TIME_WAIT 92

But if you execute this command on a server with tens of thousands of connections , You can wait a long time . therefore , We have the second generation of network state statistics tools :netstat => ss( Don't get confused with that prison break tool ).

# ss -sTotal: 191 (kernel 220)TCP:   5056 (estab 42, closed 5000, orphaned 3, synrecv 0, timewait 5000/0), ports 3469...

netstat Belong to net-tools Toolset , and ss Belong to iproute. The corresponding command is as follows , It's time and net-tools say Bye 了 .

purpose net-tools iproute
Statistics ifconfig ss
Address netstat ip addr
route route ip route
neighbor arp ip neigh
VPN iptunnel ip tunnel
VLAN vconfig ip link
Multicast ipmaddr ip maddr

ss command

Basic use

Let's take a look at ss Usage of .

Check what the system is listening to tcp Connect

ss -atr ss -atn # only ip

View all connections in the system

ss -alt

Check monitor 444 Port process pid

ss -ltp | grep 444

Check the process 555 Which ports are occupied

ss -ltp | grep 555

Show all udp Connect

ss -u -a

see TCP sockets, Use -ta Options
see UDP sockets, Use -ua Options
see RAW sockets, Use -wa Options
see UNIX sockets, Use -xa Options

And some ip All connections

ss dst 10.66.224.130ss dst 10.66.224.130:httpss dst 10.66.224.130:smtpss dst 10.66.224.130:443

Show all http Connect

ss  dport = :http

View the most connected to this machine before 10 individual ip Address

netstat -antp | awk '{print $4}' | cut -d ':' -f1 | sort | uniq -c  | sort -n -k1 -r | head -n 10

Recv-Q and Send-Q

Be careful ss The results of the implementation of , Let's explain Recv-Q and Send-Q.

These two values , stay LISTEN and ESTAB States represent different meanings . commonly , In a normal application, both values should be 0(backlog With the exception of ). The greater the numerical , The more serious the problem is .

LISTEN state

  • Recv-Q: Represents how many connections have not been established by accept, such as Nginx Accepting new connections is slow

  • Send-Q: representative listen backlog value

ESTAB state

  • Recv-Q: How much data is left in the kernel (bytes) Not read by the application , There's a certain amount of blockage

  • Send-Q: Represents the number of send queues in the kernel (bytes) Data not received ack, The receiving and processing ability of the opposite end is not strong

Check network traffic

Check traffic

There are many tools to watch network traffic , But I like sar.sar yes linux The most comprehensive monitoring software on the Internet . Pictured , Use sar -n DEV 1 You can refresh the network traffic once a second .

Of course , You can also use ifstat、nload、iptraf Wait for the order to check . But the source of the data , It's from us /proc Catalog

watch cat /proc/net/dev

Check out the most traffic IP

Sometimes we find that network bandwidth is very high , But we can't tell where the traffic is coming from . Now ,iftop You can help . Pictured , It's easy to find out which host the traffic comes from .

When you're not sure where your intranet traffic comes from , For example, someone is pressure testing ,api Unreasonable call, etc , You can find him in this way .

Grab the bag

tcpdump

When we need to judge whether there is traffic , Or debug a difficult netty Application problems , Then we can make further judgment by grabbing the bag . stay Linux On , Can pass tcpdump Command to grab data , And then use Wireshark Analyze .

tcpdump -i eth0 -nn -s0 -v port 80
  • -i  Specify network card to capture packets

  • -n  and ss equally , Does not resolve domain name

  • -nn  Two n Indicates that the port is also a number , Otherwise, it resolves to service name

  • -s  Set the capture length ,0 Means unrestricted

  • -v  Display detailed output when capturing packets ,-vv、-vvv More details in turn

1) Join in -A Options will print ascii ,-X Print hex code .

tcpdump -A -s0 port 80

2) Grab specific ip The relevant package

tcpdump -i eth0 host 10.10.1.1tcpdump -i eth0 dst 10.10.1.20

3)-w Parameter to write the captured package to a file

tcpdump -i eth0 -s0 -w test.pcap

4)tcpdump Support expression , There are more complicated examples , For example, in the crawling system get,post request ( Not https)

tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

More see
https://hackertarget.com/tcpdump-examples/

Captured data , Use wireshark You can see it. .

http Grab the bag

The packet capture tool uses itself as a proxy , It can capture the communication between your browser and the server , And provide modifications 、 replay 、 The function of batch execution . It's finding problems , Analysis protocol , Attack the sharp weapon of the site . There are three commonly used :

  • Burpsuite ( Cross platform )

  • Fiddle2 (Win)

  • Charles (Mac)

Bad things should be done secretly .

Traffic replication

You may need to make your production environment HTTP Real traffic reappears in a development or preview environment , This uses the traffic replication function .
There are three tools to choose from , Individuals tend to Gor.

  • Gor

  • TCPReplay

  • TCPCopy

Too many connections

according to TCP/IP Introduce ,socket It probably includes 10 Connection status . We usually meet in our work , Except for SYN Denial of service attacks on , If there is any abnormality , The approximate rate is TIME_WAIT and CLOSE_WAIT The problem of .
TIME_WAIT It can be solved by optimizing kernel parameters ;CLOSE_WAIT It is usually caused by unreasonable programming , More attention should be paid by developers .

TIME_WAIT

TIME_WAIT Is the state maintained by the party actively closing the connection , image nginx、 Crawler server , It often happens that a lot of people are in time_wait State connection .TCP Generally, after actively closing the connection , Will wait for 2MS, Then close the connection completely . because HTTP Used TCP agreement , So on these servers that are frequently switched on and off , There's a huge backlog of TIME_WAIT Status connection .

Some systems go through dmesg You can see the following information .

__ratelimit: 2170 callbacks suppressedTCP: time wait bucket table overflowTCP: time wait bucket table overflowTCP: time wait bucket table overflowTCP: time wait bucket table overflow

adopt ss -s Command view , You can see timewait There has been a 2w A the .

ss -sTotal: 174 (kernel 199)TCP:   20047 (estab 32, closed 20000, orphaned 4, synrecv 0, timewait 20000/0), ports 10785

sysctl The command can set these parameters , If you want it to work again , Join in /etc/sysctl.conf In file .

#  Modify threshold net.ipv4.tcp_max_tw_buckets = 50000 #  Open for indication TCP Connecting TIME-WAIT sockets Rapid recycling of net.ipv4.tcp_tw_reuse = 1# Enable timewait  Quick recovery . This must be turned on , The default is off .net.ipv4.tcp_tw_recycle= 1   #  Change the system default TIMEOUT Time , The default is 60snet.ipv4.tcp_fin_timeout = 10

Test the parameters , have access to sysctl -w net.ipv4.tcp_tw_reuse = 1 Such an order . If it's written into a file , Then use sysctl -p take effect .

CLOSE_WAIT

CLOSE_WAIT It is usually due to the active closing of the opposite end , But we did not deal with it correctly . To put it bluntly , There is something wrong with the program , It belongs to one of the most harmful .

We take ”csdn Homophonic taro ” A typical case to illustrate .

The code is using HttpClient A usage fragment of . In this code , By calling in.close() To clean up the connection resources . But unfortunately , There is a judgment in the code : Not 200 The connection of state returns directly null. under these circumstances ,in I don't even have a chance to assign a value , Of course, you can't shut it down , Then there was a connection leak .

therefore ,HttpClient The correct way to close is to use it api:abort().

Other common commands

Application software

#  Breakpoints to continue downloading files wget -c $url#  Download the whole station wget -r -p -np -k $url#  Send network connection ( Commonly used )curl -XGET $url#  Transfer files scpsftp#  Data mirror backup rsync

Detection tools

#  Connectivity detection ping google.com#  To peer routing detection tracepath google.com#  Domain name detection dig google.comnslookup google.com#  Network scanning tool nmap#  Pressure test iperf#  Comprehensive monitoring tools ( good thing )nmon

Configuration tool

#  Stop a network card ifdown#  Turn on a network card ifup#  Multi functional management tools  ethtool

Pressure test

wrkabwebbenchhttp_load

Multifunctional tools

#  Remote login telnetsshnc#  A firewall iptables -L

ending

Besides the basic tools , Many of the network commands mentioned in this article , It's not pre installed , Need to use yum Its installation . Network programming learning , I think , Read it 《TCP/IP Detailed explanation volume 1: agreement 》 This book , And then write a few Netty The application is OK .

NIO We've been I/O I mentioned , I won't go into details here . When you come across the so-called problem of unpacking and sticking , Heart rate and flow restriction problems , Even encountered traffic shaping problems , So prove that you are getting closer and closer to a professional network programmer .

Please keep it well. Linux More related articles on network command collection

  1. You have to understand the basics of Linux Network command

    Linux Basic network command list I use FreeBSD, But these UNIX Orders should also be able to be in Linux The same job on the Internet . Connectivity ping <host>: send out ICMP ech ...

  2. The basis of Linux Network command , You deserve it

    Reading guide aspiring Linux System administrator and Linux What fans have to know . The most important . And basic Linux A collection of network commands . stay It's FOSS We don't talk about... Every day Linux Of " On the command line ...

  3. Linux Network management ——Linux Network command

    3. Linux Network command .note-content {font-family: "Helvetica Neue",Arial,"Hiragino Sans GB&quo ...

  4. Linux Basics —— frequently-used Linux Network command

    One . learn Linux What are the benefits of network commands The emergence of network , Our life is more convenient , More and more efficient in dealing with things , You can also see cultural differences around the world . At the same time, we're getting more and more receptive to new things , There is more and more information about new things . The Internet is very important to us ...

  5. intermediate DBA It must be learned 9 individual Linux Network command , See what you haven't used yet

    I wrote an article not long ago < do DBA Must learn to , It's not going to die 11 individual Linux Basic commands >, The blog address is :http://blog.csdn.net/ljunjie82/article/details/4 ...

  6. [ Roof placement ] Linux A collection of common commands

    Source :http://www.vaikan.com/what-are-the-most-useful-swiss-army-knife-one-liners-on-unix/ Linux In the command line &qu ...

  7. Linux Network command must know and know tcpdump, A complete package capture guide please check !

    Catalog 01 brief introduction 02 tcpdump Command options 03 filter 04 Common operations 4.1 Grab a host's packet 4.2 Grab the packet of a port 4.3 Grab a network ( Network segment ) Data packets of 4.4 Grab a packet of a protocol ...

  8. Linux The command of the Internet must know and know the Swiss Army knife nc(netcat)

    This article is published in my official account Linux Cloud computing network (id: cloud_dev), Focus on dry goods sharing , There is 10T Books and video resources , The background to reply 「1024」 Can receive , Welcome to pay attention , Qr code text can be swept at the end . nc, Full name ...

  9. Linux Network command ——ifconfig、ifup、ifdown

    The purpose of these three commands is to start the network interface , however ,ifup And ifdown Just  /etc/sysconfig/network- scripts  Internal  ifcfg-ethx(x Is the number ) To start or shut down , and ...

  10. linux Common commands highlights

    Chapter one   LINUX Introduction and installation     1 One .LINUX Introduce     1 Two .LINUX install     2 3、 ... and .LINUX Catalog     2 Four . In conclusion :    3 Chapter two Common command and account management     4 One .linux life ...

Random recommendation

  1. C++ Expert blog ( Constantly updating ...)

    http://www.zhangjiee.com/ Sina weibo @ Drink alone and get drunk . Github. GitCafe. stackoverflow. Quora http://cpp1x.org/ Liu weipeng | M ...

  2. Explain in detail About Linux Analysis of static library and dynamic library

    Basic concepts There are two kinds of Libraries: dynamic and static , Dynamic usually uses .so For the suffix , Static use .a For the suffix . for example :libhello.so libhello.a In order to use different versions of the library in the same system , You can add the version number after the library file name as the suffix , for example : ...

  3. UIImage Learning notes

    UIImage What is it? Used to manage APP Picture resources in , It can be used to represent image resources supported by the device , not only jpg and png. UIImage yes immutable Of , So it's also thread safe . iOS All supported image formats link ...

  4. VR Panoramic smart city , The platform belongs to everyone who has entrepreneurial dream

    If you are still confused at the crossroads of life , If you still want to achieve something in your life , Make your life different , Let's come to panoramic smart city platform to jointly create your own extraordinary wonderful life ! Seize this opportunity , You're walking in VR The forefront of the times , Time makes a hero , ...

  5. STL --&gt; stack Stack

    stack Stack c++stack( Stack ) It's an adaptation of a container , It implements an in out data structure (FILO), When using this container, you need to include #include<stack> The header file : Definition stack Object example : s ...

  6. Two 、Python Development begins

    1989 Christmas of ,Guido Start writing Python Compiler of language .Python The name , come from Guido Favorite TV series Monty Python’s Flying Circus. He wants this new one called Pytho ...

  7. api Testing tools

    Online interface test http://www.36nu.com/apiTest Use Fiddler test WebApi Interface https://www.cnblogs.com/weixing/p/5254836.htm ...

  8. bzoj4933: miao

    Description Mr. Dong has grown into a regional leader , It's wonderful . Dong's district is made up of n It's a small area , These small areas make up a tree , Every little There's a degree of importance for regions , The importance of a connected block is the sum of the importance of the small areas it contains ...

  9. MySQL How to search data and improve retrieval speed

    Retrieving data mysql> SELECT [DISTINCT] Table name . Name , Table name . Name , Table name . Name -- Use wildcards * Represents all columns DISTINCT Indicates that different values are returned -> FROM Database name . surface ...

  10. shell command ——cut

    function : Divide rows into fields The default qualifier is tab, -d: Change the qualifier -f: Specify the domain that the output force contains