

Linux top 10 IPs: checking interface traffic and the 10 IPs consuming the most bandwidth

Published: 2025/3/12  linux  45  豆豆

This script provides the following functions:

1. Real-time monitoring of the traffic on any network interface.

2. Average traffic over a 10-second window.

3. Average traffic per port over the 10-second window, broken down both by server port and by client port. This shows which ports account for the most traffic; on a web server that is normally port 80. When some other port is under attack, that port's traffic may also be high, so this helps us judge whether per-port traffic is normal.

4. The 10 IPs that consumed the most bandwidth during the 10-second window. This helps us find IPs that are maliciously consuming bandwidth.

5. Connection state counts. This shows which connection states have unusually high counts. A large number of connections in SYN-RECV may indicate a half-open connection attack (SYN flood). If ESTABLISHED is very large but the logs show nowhere near as many requests, or tcpdump shows many IPs that only establish connections without ever requesting data, it may be a full-connection attack; if you are running nginx, adding listen 80 deferred to the configuration file helps defend against this.

6. Connection state counts per port. When an attack is suspected, this helps us find which port is being attacked.

7. The 10 IPs with the most connections in ESTAB state on port 80. This helps us find IPs that open too many connections so that they can be blocked.

8. The 10 IPs with the most connections in SYN-RECV state on port 80. During a half-open connection attack this helps us locate the malicious IPs.
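The connection-state checks described in items 5 to 8 can be exercised offline. The following POSIX shell functions are an added example, not code from the original article or its script: they run over a constructed `ss -an`-style sample (the sample lines, the function names and the SYN-RECV threshold are all assumptions) and go one step further than the article by turning the SYN-RECV backlog into a yes/no check that a monitoring job can act on.

```shell
#!/bin/sh
# Added example, not part of the original script. Summarise connection states
# from `ss -an`-style output and flag a possible SYN flood.
# The sample is CONSTRUCTED; the field layout assumes the current ss columns
# "Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port".
SAMPLE_SS='tcp   ESTAB     0 0 10.0.0.5:80  198.51.100.7:51001
tcp   ESTAB     0 0 10.0.0.5:80  198.51.100.7:51002
tcp   SYN-RECV  0 0 10.0.0.5:80  203.0.113.9:40001
tcp   SYN-RECV  0 0 10.0.0.5:80  203.0.113.9:40002
tcp   SYN-RECV  0 0 10.0.0.5:80  203.0.113.9:40003
tcp   SYN-RECV  0 0 10.0.0.5:22  203.0.113.10:40004
tcp   TIME-WAIT 0 0 10.0.0.5:80  198.51.100.8:51003'

# count_states: read ss lines on stdin, print "STATE COUNT", busiest first
count_states() {
    awk '{ c[$2]++ } END { for (s in c) print s, c[s] }' | sort -k2,2nr
}

# count_by_port: print "STATE LOCAL_PORT COUNT", busiest first
count_by_port() {
    awk '{ n = split($5, a, ":"); port = a[n]; c[$2 " " port]++ }
         END { for (k in c) print k, c[k] }' | sort -k3,3nr
}

# top_peers_in_state STATE PORT: peers with the most connections in STATE
# to local PORT (the article's items 7 and 8, with the port filter applied)
top_peers_in_state() {
    awk -v st="$1" -v p="$2" '
        $2 == st {
            n = split($5, l, ":"); if (l[n] != p) next
            # peer address without its port; rejoin in case of IPv6 colons
            m = split($6, r, ":"); ip = r[1]
            for (i = 2; i < m; i++) ip = ip ":" r[i]
            c[ip]++
        }
        END { for (ip in c) print ip, c[ip] }' | sort -k2,2nr
}

# syn_recv_count: size of the half-open backlog in the sample
syn_recv_count() {
    awk '$2 == "SYN-RECV" { n++ } END { print n + 0 }'
}

# syn_flood_suspected THRESHOLD: succeed when SYN-RECV exceeds THRESHOLD
syn_flood_suspected() {
    n=$(syn_recv_count)
    [ "$n" -gt "$1" ]
}

printf '%s\n' "$SAMPLE_SS" | count_states
printf '%s\n' "$SAMPLE_SS" | count_by_port
printf '%s\n' "$SAMPLE_SS" | top_peers_in_state SYN-RECV 80
if printf '%s\n' "$SAMPLE_SS" | syn_flood_suspected 3; then
    echo "warning: SYN-RECV backlog above threshold, possible SYN flood"
fi
```

On a live host replace the sample with `ss -an | grep -v -E "LISTEN|UNCONN"` piped into the functions; the threshold for `syn_flood_suspected` should be set from the host's normal SYN-RECV baseline rather than the constructed value used here.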

Network analysis tools used:

1. tcpdump: the script uses tcpdump to measure traffic per IP and per port.

2. ss: the script uses ss to count connection states; in practice ss is far more efficient than netstat.

3. /proc/net/dev: used to measure the traffic of the chosen interface.

#!/bin/bash

# Show a single-choice menu built from the array named "${soft}_arr"
# and store the chosen entry in the variable named by $soft
display_menu(){
    local soft=$1
    local prompt="which ${soft} you'd select: "
    eval local arr=(\${${soft}_arr[@]})
    while true
    do
        echo -e "#################### ${soft} setting ####################\n\n"
        for ((i=1;i<=${#arr[@]};i++ )); do echo -e "$i) ${arr[$i-1]}"; done
        echo
        read -p "${prompt}" $soft
        eval local select=\$$soft
        if [ "$select" == "" ] || [ "${arr[$soft-1]}" == ""  ];then
            prompt="input errors,please input a number: "
        else
            eval $soft=${arr[$soft-1]}
            eval echo "your selection: \$$soft"
            break
        fi
    done
}

# Convert a bandwidth value given in bits to a human-readable unit
bit_to_human_readable(){
    # input: value in bits
    local trafficValue=$1
    if [[ ${trafficValue%.*} -gt 922 ]];then
        # convert to Kb
        trafficValue=`awk -v value=$trafficValue 'BEGIN{printf "%0.1f",value/1024}'`
        if [[ ${trafficValue%.*} -gt 922 ]];then
            # convert to Mb
            trafficValue=`awk -v value=$trafficValue 'BEGIN{printf "%0.1f",value/1024}'`
            echo "${trafficValue}Mb"
        else
            echo "${trafficValue}Kb"
        fi
    else
        echo "${trafficValue}b"
    fi
}

# Detect the package manager and return 0 if it matches the requested one
check_package_manager(){
    local manager=$1
    local systemPackage=''
    if cat /etc/issue | grep -q -E -i "ubuntu|debian";then
        systemPackage='apt'
    elif cat /etc/issue | grep -q -E -i "centos|red hat|redhat";then
        systemPackage='yum'
    elif cat /proc/version | grep -q -E -i "ubuntu|debian";then
        systemPackage='apt'
    elif cat /proc/version | grep -q -E -i "centos|red hat|redhat";then
        systemPackage='yum'
    else
        echo "unknown"
    fi
    if [ "$manager" == "$systemPackage" ];then
        return 0
    else
        return 1
    fi
}

# Real-time traffic on one interface, sampled from /proc/net/dev every 2 seconds
realTimeTraffic(){
    local eth=""
    local nic_arr=(`ifconfig | grep -E -o "^[a-z0-9]+" | grep -v "lo" | uniq`)
    local nicLen=${#nic_arr[@]}
    if [[ $nicLen -eq 0 ]]; then
        echo "sorry,I can not detect any network device,please report this issue to author."
        exit 1
    elif [[ $nicLen -eq 1 ]]; then
        eth=$nic_arr
    else
        display_menu nic
        eth=$nic
    fi
    local clear=true
    local eth_in_peak=0
    local eth_out_peak=0
    local eth_in=0
    local eth_out=0
    while true;do
        # move the cursor to 0:0
        printf "\033[0;0H"
        # clear the screen and print the Now/Peak header
        [[ $clear == true ]] && printf "\033[2J" && echo "$eth--------Now--------Peak-----------"
        # field 3 is received bytes, field 11 is transmitted bytes
        traffic_be=(`awk -v eth=$eth -F'[: ]+' '{if ($0 ~eth){print $3,$11}}' /proc/net/dev`)
        sleep 2
        traffic_af=(`awk -v eth=$eth -F'[: ]+' '{if ($0 ~eth){print $3,$11}}' /proc/net/dev`)
        # rate in bits per second: byte delta * 8 / 2 seconds
        eth_in=$(( (${traffic_af[0]}-${traffic_be[0]})*8/2 ))
        eth_out=$(( (${traffic_af[1]}-${traffic_be[1]})*8/2 ))
        # track the peak values
        [[ $eth_in -gt $eth_in_peak ]] && eth_in_peak=$eth_in
        [[ $eth_out -gt $eth_out_peak ]] && eth_out_peak=$eth_out
        # move the cursor to 2:1
        printf "\033[2;1H"
        # clear the current line
        printf "\033[K"
        printf "%-20s %-20s\n" "Receive:  $(bit_to_human_readable $eth_in)" "$(bit_to_human_readable $eth_in_peak)"
        # clear the current line
        printf "\033[K"
        printf "%-20s %-20s\n" "Transmit: $(bit_to_human_readable $eth_out)" "$(bit_to_human_readable $eth_out_peak)"
        [[ $clear == true ]] && clear=false
    done
}

# Traffic and connection overview over a 10-second window
trafficAndConnectionOverview(){
    if ! which tcpdump > /dev/null;then
        echo "tcpdump not found,going to install it."
        if check_package_manager apt;then
            apt-get -y install tcpdump
        elif check_package_manager yum;then
            yum -y install tcpdump
        fi
    fi
    local reg=""
    local eth=""
    local nic_arr=(`ifconfig | grep -E -o "^[a-z0-9]+" | grep -v "lo" | uniq`)
    local nicLen=${#nic_arr[@]}
    if [[ $nicLen -eq 0 ]]; then
        echo "sorry,I can not detect any network device,please report this issue to author."
        exit 1
    elif [[ $nicLen -eq 1 ]]; then
        eth=$nic_arr
    else
        display_menu nic
        eth=$nic
    fi
    echo "please wait for 10s to generate network data..."
    echo
    # byte counters at the start of the window
    local traffic_be=(`awk -v eth=$eth -F'[: ]+' '{if ($0 ~eth){print $3,$11}}' /proc/net/dev`)
    # capture with tcpdump in the background; remember its PID so that only
    # this capture is stopped, not any other tcpdump running on the host
    tcpdump -v -i $eth -tnn > /tmp/tcpdump_temp 2>&1 &
    local tcpdumpPid=$!
    sleep 10
    clear
    kill $tcpdumpPid
    # process the tcpdump output: keep each "IP (...)" header with the line
    # that follows it, then append the header's packet length to that line
    awk '/^IP/{print;getline;print}' /tmp/tcpdump_temp > /tmp/tcpdump_temp2
    awk '{len=$NF;sub(/\)/,"",len);getline;print $0,len}' /tmp/tcpdump_temp2 > /tmp/tcpdump
    # byte counters at the end of the window
    local traffic_af=(`awk -v eth=$eth -F'[: ]+' '{if ($0 ~eth){print $3,$11}}' /proc/net/dev`)
    # print the 10-second average rate
    local eth_in=$(( (${traffic_af[0]}-${traffic_be[0]})*8/10 ))
    local eth_out=$(( (${traffic_af[1]}-${traffic_be[1]})*8/10 ))
    echo -e "\033[32mnetwork device $eth average traffic in 10s: \033[0m"
    echo "$eth Receive: $(bit_to_human_readable $eth_in)/s"
    echo "$eth Transmit: $(bit_to_human_readable $eth_out)/s"
    echo
    # average traffic per port over 10s
    # build a regex "(ip1|ip2)\.[0-9]+:" of the interface's own addresses;
    # this assumes the classic net-tools ifconfig output "inet addr:x.x.x.x"
    regTcpdump=$(ifconfig | grep -A 1 $eth | awk -F'[: ]+' '$0~/inet addr:/{printf $4"|"}' | sed -e 's/|$//' -e 's/^/(/' -e 's/$/)\\\\\.[0-9]+:/')
    echo -e "\033[32maverage traffic in 10s base on server port: \033[0m"
    awk -F'[ .:]+' -v regTcpdump="$regTcpdump" '{if ($0 ~ regTcpdump){line="clients > "$8"."$9"."$10"."$11":"$12}else{line=$2"."$3"."$4"."$5":"$6" > clients"};sum[line]+=$NF*8/10}END{for (line in sum){printf "%s %d\n",line,sum[line]}}' /tmp/tcpdump | \
    sort -k 4 -nr | head -n 10 | while read a b c d;do
        echo "$a $b $c $(bit_to_human_readable $d)/s"
    done
    echo
    echo -e "\033[32maverage traffic in 10s base on client port: \033[0m"
    awk -F'[ .:]+' -v regTcpdump="$regTcpdump" '{if ($0 ~ regTcpdump){line=$2"."$3"."$4"."$5":"$6" > server"}else{line="server > "$8"."$9"."$10"."$11":"$12};sum[line]+=$NF*8/10}END{for (line in sum){printf "%s %d\n",line,sum[line]}}' /tmp/tcpdump | \
    sort -k 4 -nr | head -n 10 | while read a b c d;do
        echo "$a $b $c $(bit_to_human_readable $d)/s"
    done
    echo
    # top 10 IPs by bandwidth over 10s
    echo -e "\033[32mtop 10 ip average traffic in 10s : \033[0m"
    awk -F'[ .:]+' -v regTcpdump="$regTcpdump" '{if ($0 ~ regTcpdump){line=$2"."$3"."$4"."$5" > "$8"."$9"."$10"."$11":"$12}else{line=$2"."$3"."$4"."$5":"$6" > "$8"."$9"."$10"."$11};sum[line]+=$NF*8/10}END{for (line in sum){printf "%s %d\n",line,sum[line]}}' /tmp/tcpdump | \
    sort -k 4 -nr | head -n 10 | while read a b c d;do
        echo "$a $b $c $(bit_to_human_readable $d)/s"
    done
    echo
    # connection state counts (same ifconfig output assumption as above)
    regSS=$(ifconfig | grep -A 1 $eth | awk -F'[: ]+' '$0~/inet addr:/{printf $4"|"}' | sed -e 's/|$//')
    ss -an | grep -v -E "LISTEN|UNCONN" | grep -E "$regSS" > /tmp/ss
    echo -e "\033[32mconnection state count: \033[0m"
    # the ss header line is already dropped by the grep above, so every line
    # in /tmp/ss is a connection; $(NF-4) is the State column
    awk '{sum[$(NF-4)]+=1}END{for (state in sum){print state,sum[state]}}' /tmp/ss | sort -k 2 -nr
    echo
    # connection state counts per local address:port ($(NF-1))
    echo -e "\033[32mconnection state count by port: \033[0m"
    awk '{sum[$(NF-4),$(NF-1)]+=1}END{for (key in sum){split(key,subkey,SUBSEP);print subkey[1],subkey[2],sum[subkey[1],subkey[2]]}}' /tmp/ss | sort -k 3 -nr | head -n 10
    echo
    # top 10 peer IPs by ESTAB connection count; with '[: ]+' as the separator
    # the peer address is $(NF-1) (the last field is the peer port).
    # Note: no port-80 filter is applied, all ESTAB connections are counted.
    echo -e "\033[32mtop 10 ip ESTAB state count at port 80: \033[0m"
    cat /tmp/ss | grep ESTAB | awk -F'[: ]+' '{sum[$(NF-1)]+=1}END{for (ip in sum){print ip,sum[ip]}}' | sort -k 2 -nr | head -n 10
    echo
    # top 10 peer IPs by SYN-RECV connection count (same layout as above)
    echo -e "\033[32mtop 10 ip SYN-RECV state count at port 80: \033[0m"
    cat /tmp/ss | grep -E "$regSS" | grep SYN-RECV | awk -F'[: ]+' '{sum[$(NF-1)]+=1}END{for (ip in sum){print ip,sum[ip]}}' | sort -k 2 -nr | head -n 10
}

main(){
    while true; do
        echo -e "1) real time traffic.\n2) traffic and connection overview.\n"
        read -p "please input your select(ie 1): " select
        case  $select in
            1) realTimeTraffic;break;;
            2) trafficAndConnectionOverview;break;;
            *) echo "input error,please input a number.";;
        esac
    done
}

main
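The heart of the overview function is the two-pass parse of `tcpdump -v -tnn` output and the per-IP and per-port sums derived from it. The following POSIX shell functions are an added example, not the script's own code: they reproduce that parse over a constructed four-packet capture (the sample lines, the function names, the local address 10.0.0.5 and the bit-rate threshold are assumptions) so the arithmetic can be checked without a live interface, and they add a threshold filter that reports only peers above a chosen rate.

```shell
#!/bin/sh
# Added example, not part of the original script. Parse tcpdump -v output
# and compute average bit rates per peer IP and per server port.
# The capture below is CONSTRUCTED: each "IP (...)" header carries the
# packet length and is followed by the src.port > dst.port line, exactly
# as `tcpdump -v -tnn` prints it. IPv4 only, like the script.
SAMPLE_TCPDUMP='IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 1500)
    10.0.0.5.80 > 198.51.100.7.51001: Flags [.], seq 1:1449, ack 1, win 229, length 1448
IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 52)
    198.51.100.7.51001 > 10.0.0.5.80: Flags [.], ack 1449, win 229, length 0
IP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto TCP (6), length 1500)
    10.0.0.5.80 > 203.0.113.9.40001: Flags [.], seq 1:1449, ack 1, win 229, length 1448
IP (tos 0x0, ttl 64, id 4, offset 0, flags [DF], proto TCP (6), length 1500)
    10.0.0.5.80 > 203.0.113.9.40001: Flags [.], seq 1449:2897, ack 1, win 229, length 1448'

# tcpdump_pairs: join each header with its following line and append the
# header's packet length as the last field (the script's two awk passes)
tcpdump_pairs() {
    awk '/^IP /{ len = $NF; sub(/\)/, "", len); getline; print $0, len }'
}

# top_ips WINDOW_SECONDS SELF_IP: average bits/s exchanged with each remote
# IP over the window, heaviest first (reads tcpdump_pairs output on stdin)
top_ips() {
    awk -v win="$1" -v self="$2" '
        {
            # $1 is src.ip.port, $3 is dst.ip.port followed by a colon
            split($1, s, "."); src = s[1] "." s[2] "." s[3] "." s[4]
            split($3, d, "."); dst = d[1] "." d[2] "." d[3] "." d[4]
            peer = (src == self) ? dst : src
            bits[peer] += $NF * 8
        }
        END { for (ip in bits) printf "%s %d\n", ip, bits[ip] / win }' | sort -k2,2nr
}

# top_server_ports WINDOW_SECONDS SELF_IP: average bits/s per local port
top_server_ports() {
    awk -v win="$1" -v self="$2" '
        {
            split($1, s, "."); split($3, d, ".")
            src = s[1] "." s[2] "." s[3] "." s[4]
            port = (src == self) ? s[5] : d[5]
            sub(/:$/, "", port)
            bits[port] += $NF * 8
        }
        END { for (p in bits) printf "%s %d\n", p, bits[p] / win }' | sort -k2,2nr
}

# heavy_peers WINDOW_SECONDS SELF_IP THRESHOLD_BITS: only peers whose average
# rate exceeds the threshold, for alerting rather than eyeballing a top-10
heavy_peers() {
    top_ips "$1" "$2" | awk -v t="$3" '$2 > t'
}

# bits_to_human BITS: 1024-based Kb/Mb formatting with one decimal
bits_to_human() {
    awk -v v="$1" 'BEGIN {
        u = "b"
        if (v >= 1024) { v /= 1024; u = "Kb" }
        if (v >= 1024) { v /= 1024; u = "Mb" }
        printf "%.1f%s\n", v, u }'
}

printf '%s\n' "$SAMPLE_TCPDUMP" | tcpdump_pairs | top_ips 10 10.0.0.5 | while read ip rate; do
    echo "$ip $(bits_to_human "$rate")/s"
done
printf '%s\n' "$SAMPLE_TCPDUMP" | tcpdump_pairs | top_server_ports 10 10.0.0.5
printf '%s\n' "$SAMPLE_TCPDUMP" | tcpdump_pairs | heavy_peers 10 10.0.0.5 2000
```

On a real host the constructed sample is replaced by the capture file the script writes (/tmp/tcpdump_temp) and SELF_IP by the interface address; the window length must match the capture duration, since the sums are divided by it to get bits per second.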
