此腳本包含的功能有：1、實(shí)時(shí)監(jiān)控任意網(wǎng)卡的流量

2、統(tǒng)計(jì)10秒內(nèi)平均流量

3、統(tǒng)計(jì)每個(gè)端口在10秒內(nèi)的平均流量，基于客戶端和服務(wù)端端口統(tǒng)計(jì)。可以看出哪些端口占流量比較大，對(duì)于web服務(wù)器，一般是80端口。其它端口受到***時(shí)，也有可能其它端口流量比較大。所以此功能可以幫助我們端口流量是否正常。

4、統(tǒng)計(jì)在10s內(nèi)占用帶寬最大的前10個(gè)ip。此項(xiàng)功能可以幫助我們來(lái)查出是否有惡意占用帶寬的ip。

5、統(tǒng)計(jì)連接狀態(tài)。此項(xiàng)功能可以讓我們看出哪些連接狀態(tài)比較大。如果SYN-RECV狀態(tài)比較多的話，有可以受到半連接***。如果ESTABLISED非常大，但通過(guò)日志發(fā)現(xiàn)沒(méi)有那么多請(qǐng)求，或者通過(guò)tcpdump發(fā)現(xiàn)大量ip只建立連接不請(qǐng)求數(shù)據(jù)的話，可能是受到了全連接***，這時(shí)候如果你使用的是nginx服務(wù)器，可以在配置文件增加listen 80 deferred來(lái)防止。

6、統(tǒng)計(jì)各端口連接狀態(tài)。當(dāng)可能受到***時(shí)，此項(xiàng)功能可以幫助我們發(fā)現(xiàn)是哪個(gè)端口受到***。

7、統(tǒng)計(jì)端口為80且狀態(tài)為ESTAB連接數(shù)最多的前10個(gè)IP。此項(xiàng)功能可以幫助我們來(lái)找出創(chuàng)建連接過(guò)多的Ip，進(jìn)而屏蔽。

8、統(tǒng)計(jì)端口為80且狀態(tài)為SYN-RECV連接數(shù)最多的前10個(gè)IP。當(dāng)受到半連接***時(shí)，此項(xiàng)功能可以幫助我們找到惡意ip

用到的網(wǎng)絡(luò)分析工具：1、tcpdump:此腳本用tcpdump來(lái)統(tǒng)計(jì)基于ip或基于端口的流量。

2、ss： 此腳本用ss命令來(lái)統(tǒng)計(jì)連接狀態(tài)，實(shí)際使用發(fā)現(xiàn)ss比netstat高效得多。

3、/proc/net/dev，用來(lái)統(tǒng)計(jì)指定網(wǎng)卡的流量。#!/bin/bash

#顯示菜單(單選)

display_menu(){

local?soft=$1

local?prompt="which?${soft}?you'd?select:?"

eval?local?arr=(\${${soft}_arr[@]})

while?true

do

echo?-e?"####################?${soft}?setting?####################\n\n"

for?((i=1;i<=${#arr[@]};i++?));?do?echo?-e?"$i)?${arr[$i-1]}";?done

echo

read?-p?"${prompt}"?$soft

eval?local?select=\$$soft

if?[?"$select"?==?""?]?||?[?"${arr[$soft-1]}"?==?""??];then

prompt="input?errors,please?input?a?number:?"

else

eval?$soft=${arr[$soft-1]}

eval?echo?"your?selection:?\$$soft"

break

fi

done

}

#把帶寬bit單位轉(zhuǎn)換為人類可讀單位

bit_to_human_readable(){

#input?bit?value

local?trafficValue=$1

if?[[?${trafficValue%.*}?-gt?922?]];then

#conv?to?Kb

trafficValue=`awk?-v?value=$trafficValue?'BEGIN{printf?"%0.1f",value/1024}'`

if?[[?${trafficValue%.*}?-gt?922?]];then

#conv?to?Mb

trafficValue=`awk?-v?value=$trafficValue?'BEGIN{printf?"%0.1f",value/1024}'`

echo?"${trafficValue}Mb"

else

echo?"${trafficValue}Kb"

fi

else

echo?"${trafficValue}b"

fi

}

#判斷包管理工具

check_package_manager(){

local?manager=$1

local?systemPackage=''

if?cat?/etc/issue?|?grep?-q?-E?-i?"ubuntu|debian";then

systemPackage='apt'

elif?cat?/etc/issue?|?grep?-q?-E?-i?"centos|red?hat|redhat";then

systemPackage='yum'

elif?cat?/proc/version?|?grep?-q?-E?-i?"ubuntu|debian";then

systemPackage='apt'

elif?cat?/proc/version?|?grep?-q?-E?-i?"centos|red?hat|redhat";then

systemPackage='yum'

else

echo?"unkonw"

fi

if?[?"$manager"?==?"$systemPackage"?];then

return?0

else

return?1

fi

}

#實(shí)時(shí)流量

realTimeTraffic(){

local?eth=""

local?nic_arr=(`ifconfig?|?grep?-E?-o?"^[a-z0-9]+"?|?grep?-v?"lo"?|?uniq`)

local?nicLen=${#nic_arr[@]}

if?[[?$nicLen?-eq?0?]];?then

echo?"sorry,I?can?not?detect?any?network?device,please?report?this?issue?to?author."

exit?1

elif?[[?$nicLen?-eq?1?]];?then

eth=$nic_arr

else

display_menu?nic

eth=$nic

fi

local?clear=true

local?eth_in_peak=0

local?eth_out_peak=0

local?eth_in=0

local?eth_out=0

while?true;do

#移動(dòng)光標(biāo)到0:0位置

printf?"\033[0;0H"

#清屏并打印Now?Peak

[[?$clear?==?true?]]?&&?printf?"\033[2J"?&&?echo?"$eth--------Now--------Peak-----------"

traffic_be=(`awk?-v?eth=$eth?-F'[:?]+'?'{if?($0?~eth){print?$3,$11}}'?/proc/net/dev`)

sleep?2

traffic_af=(`awk?-v?eth=$eth?-F'[:?]+'?'{if?($0?~eth){print?$3,$11}}'?/proc/net/dev`)

#計(jì)算速率

eth_in=$((?(${traffic_af[0]}-${traffic_be[0]})*8/2?))

eth_out=$((?(${traffic_af[1]}-${traffic_be[1]})*8/2?))

#計(jì)算流量峰值

[[?$eth_in?-gt?$eth_in_peak?]]?&&?eth_in_peak=$eth_in

[[?$eth_out?-gt?$eth_out_peak?]]?&&?eth_out_peak=$eth_out

#移動(dòng)光標(biāo)到2:1

printf?"\033[2;1H"

#清除當(dāng)前行

printf?"\033[K"

printf?"%-20s?%-20s\n"?"Receive:??$(bit_to_human_readable?$eth_in)"?"$(bit_to_human_readable?$eth_in_peak)"

#清除當(dāng)前行

printf?"\033[K"

printf?"%-20s?%-20s\n"?"Transmit:?$(bit_to_human_readable?$eth_out)"?"$(bit_to_human_readable?$eth_out_peak)"

[[?$clear?==?true?]]?&&?clear=false

done

}

#流量和連接概覽

trafficAndConnectionOverview(){

if?!?which?tcpdump?>?/dev/null;then

echo?"tcpdump?not?found,going?to?install?it."

if?check_package_manager?apt;then

apt-get?-y?install?tcpdump

elif?check_package_manager?yum;then

yum?-y?install?tcpdump

fi

fi

local?reg=""

local?eth=""

local?nic_arr=(`ifconfig?|?grep?-E?-o?"^[a-z0-9]+"?|?grep?-v?"lo"?|?uniq`)

local?nicLen=${#nic_arr[@]}

if?[[?$nicLen?-eq?0?]];?then

echo?"sorry,I?can?not?detect?any?network?device,please?report?this?issue?to?author."

exit?1

elif?[[?$nicLen?-eq?1?]];?then

eth=$nic_arr

else

display_menu?nic

eth=$nic

fi

echo?"please?wait?for?10s?to?generate?network?data..."

echo

#當(dāng)前流量值

local?traffic_be=(`awk?-v?eth=$eth?-F'[:?]+'?'{if?($0?~eth){print?$3,$11}}'?/proc/net/dev`)

#tcpdump監(jiān)聽(tīng)網(wǎng)絡(luò)

tcpdump?-v?-i?$eth?-tnn?>?/tmp/tcpdump_temp?2>&1?&

sleep?10

clear

kill?`ps?aux?|?grep?tcpdump?|?grep?-v?grep?|?awk?'{print?$2}'`

#處理tcpdump文件

awk?'/^IP/{print;getline;print}'?/tmp/tcpdump_temp?>?/tmp/tcpdump_temp2

awk?'{len=$NF;sub(/\)/,"",len);getline;print?$0,len}'?/tmp/tcpdump_temp2?>?/tmp/tcpdump

#10s后流量值

local?traffic_af=(`awk?-v?eth=$eth?-F'[:?]+'?'{if?($0?~eth){print?$3,$11}}'?/proc/net/dev`)

#打印10s平均速率

local?eth_in=$((?(${traffic_af[0]}-${traffic_be[0]})*8/10?))

local?eth_out=$((?(${traffic_af[1]}-${traffic_be[1]})*8/10?))

echo?-e?"\033[32mnetwork?device?$eth?average?traffic?in?10s:?\033[0m"

echo?"$eth?Receive:?$(bit_to_human_readable?$eth_in)/s"

echo?"$eth?Transmit:?$(bit_to_human_readable?$eth_out)/s"

echo

#統(tǒng)計(jì)每個(gè)端口在10s內(nèi)的平均流量

regTcpdump=$(ifconfig?|?grep?-A?1?$eth?|?awk?-F'[:?]+'?'$0~/inet?addr:/{printf?$4"|"}'?|?sed?-e?'s/|$//'?-e?'s/^/(/'?-e?'s/$/)\\\\\.[0-9]+:/')

echo?-e?"\033[32maverage?traffic?in?10s?base?on?server?port:?\033[0m"

awk?-F'[?.:]+'?-v?regTcpdump=$regTcpdump?'{if?($0?~?regTcpdump){line="clients?>?"$8"."$9"."$10"."$11":"$12}else{line=$2"."$3"."$4"."$5":"$6"?>?clients"};sum[line]+=$NF*8/10}END{for?(line?in?sum){printf?"%s?%d\n",line,sum[line]}}'?/tmp/tcpdump?|?\

sort?-k?4?-nr?|?head?-n?10?|?while?read?a?b?c?d;do

echo?"$a?$b?$c?$(bit_to_human_readable?$d)/s"

done

echo

echo?-e?"\033[32maverage?traffic?in?10s?base?on?client?port:?\033[0m"

awk?-F'[?.:]+'?-v?regTcpdump=$regTcpdump?'{if?($0?~?regTcpdump){line=$2"."$3"."$4"."$5":"$6"?>?server"}else{line="server?>?"$8"."$9"."$10"."$11":"$12};sum[line]+=$NF*8/10}END{for?(line?in?sum){printf?"%s?%d\n",line,sum[line]}}'?/tmp/tcpdump?|?\

sort?-k?4?-nr?|?head?-n?10?|?while?read?a?b?c?d;do

echo?"$a?$b?$c?$(bit_to_human_readable?$d)/s"

done

echo

#統(tǒng)計(jì)在10s內(nèi)占用帶寬最大的前10個(gè)ip

echo?-e?"\033[32mtop?10?ip?average?traffic?in?10s?:?\033[0m"

awk?-F'[?.:]+'?-v?regTcpdump=$regTcpdump?'{if?($0?~?regTcpdump){line=$2"."$3"."$4"."$5"?>?"$8"."$9"."$10"."$11":"$12}else{line=$2"."$3"."$4"."$5":"$6"?>?"$8"."$9"."$10"."$11};sum[line]+=$NF*8/10}END{for?(line?in?sum){printf?"%s?%d\n",line,sum[line]}}'?/tmp/tcpdump?|?\

sort?-k?4?-nr?|?head?-n?10?|?while?read?a?b?c?d;do

echo?"$a?$b?$c?$(bit_to_human_readable?$d)/s"

done

echo

#統(tǒng)計(jì)連接狀態(tài)

regSS=$(ifconfig?|?grep?-A?1?$eth?|?awk?-F'[:?]+'?'$0~/inet?addr:/{printf?$4"|"}'?|?sed?-e?'s/|$//')

ss?-an?|?grep?-v?-E?"LISTEN|UNCONN"?|?grep?-E?"$regSS"?>?/tmp/ss

echo?-e?"\033[32mconnection?state?count:?\033[0m"

awk?'NR>1{sum[$(NF-4)]+=1}END{for?(state?in?sum){print?state,sum[state]}}'?/tmp/ss?|?sort?-k?2?-nr

echo

#統(tǒng)計(jì)各端口連接狀態(tài)

echo?-e?"\033[32mconnection?state?count?by?port:?\033[0m"

awk?'NR>1{sum[$(NF-4),$(NF-1)]+=1}END{for?(key?in?sum){split(key,subkey,SUBSEP);print?subkey[1],subkey[2],sum[subkey[1],subkey[2]]}}'?/tmp/ss?|?sort?-k?3?-nr?|?head?-n?10

echo

#統(tǒng)計(jì)端口為80且狀態(tài)為ESTAB連接數(shù)最多的前10個(gè)IP

echo?-e?"\033[32mtop?10?ip?ESTAB?state?count?at?port?80:?\033[0m"

cat?/tmp/ss?|?grep?ESTAB?|?awk?-F'[:?]+'?'{sum[$(NF-2)]+=1}END{for?(ip?in?sum){print?ip,sum[ip]}}'?|?sort?-k?2?-nr?|?head?-n?10

echo

#統(tǒng)計(jì)端口為80且狀態(tài)為SYN-RECV連接數(shù)最多的前10個(gè)IP

echo?-e?"\033[32mtop?10?ip?SYN-RECV?state?count?at?port?80:?\033[0m"

cat?/tmp/ss?|?grep?-E?"$regSS"?|?grep?SYN-RECV?|?awk?-F'[:?]+'?'{sum[$(NF-2)]+=1}END{for?(ip?in?sum){print?ip,sum[ip]}}'?|?sort?-k?2?-nr?|?head?-n?10

}

main(){

while?true;?do

echo?-e?"1)?real?time?traffic.\n2)?traffic?and?connection?overview.\n"

read?-p?"please?input?your?select(ie?1):?"?select

case??$select?in

1)?realTimeTraffic;break;;

2)?trafficAndConnectionOverview;break;;

*)?echo?"input?error,please?input?a?number.";;

esac

done

}

main

總結(jié)

以上是生活随笔為你收集整理的linux前10ip,检查网口流量与前10名流量大IP的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問(wèn)題。

如果覺(jué)得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。