Q:
1. For the network 100.0.0.16/28: the gateway address, the broadcast address and the assignable IP address range
2. Use the man pages to learn how to use tcpdump
3. Describe in detail how zombie processes arise and what harm they cause
4. Explain in detail the meaning of vmstat's output
A:
1. 100.0.0.16/28: gateway address, broadcast address, assignable IP address range
- Gateway address: any one address from 100.0.0.17-100.0.0.30
- Broadcast address: 100.0.0.31/28
- Assignable IP addresses: 100.0.0.17-100.0.0.30
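As an added worked example (not part of the original answer), the following Python derives the values above for any IPv4 CIDR with plain bit arithmetic, and also covers the /31 and /32 cases where the usual "network + 1 .. broadcast - 1" rule does not apply; `ipaddress` is used only to parse and print dotted quads.

```python
import ipaddress

def cidr_summary(cidr: str) -> dict:
    """Return network, netmask, broadcast, first/last assignable host and host count."""
    ip_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    ip = int(ipaddress.IPv4Address(ip_str))         # validate and convert to a 32-bit int
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = ip & mask                              # clear the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)       # set the host bits
    if prefix == 32:                                 # single address, nothing to assign around it
        first, last, hosts = network, network, 1
    elif prefix == 31:                               # RFC 3021 point-to-point: both addresses usable
        first, last, hosts = network, broadcast, 2
    else:
        first, last, hosts = network + 1, broadcast - 1, broadcast - network - 1

    def fmt(n: int) -> str:
        return str(ipaddress.IPv4Address(n))

    return {
        "network": fmt(network), "netmask": fmt(mask), "broadcast": fmt(broadcast),
        "first_host": fmt(first), "last_host": fmt(last), "hosts": hosts,
    }

if __name__ == "__main__":
    print(cidr_summary("100.0.0.16/28"))
```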
2. tcpdump
NAME
tcpdump - dump traffic on a network
SYNOPSIS
tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
[ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
[ --number ] [ -Q|-P in|out|inout ]
[ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ --time-stamp-precision=tstamp_precision ]
[ --immediate-mode ] [ --version ]
[ expression ]
-i: specify the interface to capture on
-c: specify the number of packets to capture
-X: display the headers and data in hex and ASCII
[root@localhost ~]# tcpdump -i ens33 -c 1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
03:32:38.752455 IP localhost.localdomain.ssh > 192.168.223.1.7552: Flags [P.], seq 774515414:774515626, ack 2040416767, win 274, length 212
1 packet captured
6 packets received by filter
0 packets dropped by kernel
[root@localhost ~]# tcpdump -i ens33 -c 1 -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
03:32:43.698995 IP localhost.localdomain.ssh > 192.168.223.1.7552: Flags [P.], seq 774516294:774516506, ack 2040417043, win 274, length 212
0x0000: 4510 00fc ea2c 4000 4006 0feb c0a8 df81 E....,@.@.......
0x0010: c0a8 df01 0016 1d80 2e2a 2e46 799e 4b13 .........*.Fy.K.
0x0020: 5018 0112 40c3 0000 0000 00b0 fe6d 2ccc P...@........m,.
0x0030: 1073 22d7 6fcb 87e2 ac4d 3764 d542 5045 .s".o....M7d.BPE
0x0040: 3266 51be 984a 2b35 c8c6 10b0 32bb 2459 2fQ..J+5....2.$Y
0x0050: a883 b149 ef42 e9f6 e48b 436a 457c 3f8a ...I.B....CjE|?.
0x0060: 4b9b c5b3 142a 298c 6489 5cf1 bc74 28d3 K....*).d.\..t(.
0x0070: 5b73 5235 ba96 18e1 84fe 8879 9a7d 4ff5 [sR5.......y.}O.
0x0080: 4011 1a18 9ffa 9aec 3650 ebe5 6e7a a4e4 @.......6P..nz..
0x0090: 4e31 fb54 3281 d50e 0380 6856 c61b e6c7 N1.T2.....hV....
0x00a0: 2d4b 056c e132 f3e2 0821 f66a 4e91 2099 -K.l.2...!.jN...
0x00b0: a4db a80b 630f 2971 595f e63e 5bc0 284a ....c.)qY_.>[.(J
0x00c0: 2bb8 8063 3526 600b 849f 72f0 b652 2bbc +..c5&`...r..R+.
0x00d0: 2c35 7cdf 7ce0 d153 34fd 2754 f538 1f50 ,5|.|..S4.'T.8.P
0x00e0: 3674 97ea a8e2 2f59 e803 afc5 b213 8542 6t..../Y.......B
0x00f0: 0e83 6d42 7737 03d1 91f9 c271 ..mBw7.....q
1 packet captured
8 packets received by filter
0 packets dropped by kernel
-n: show host names numerically (no name resolution)
-nn: show protocol ports as well as hosts numerically
-e: display the link-layer header
[root@localhost ~]# tcpdump -i ens33 -c 1 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
03:36:28.692765 IP 192.168.223.129.ssh > 192.168.223.1.7552: Flags [P.], seq 774518894:774519106, ack 2040418191, win 274, length 212
1 packet captured
2 packets received by filter
0 packets dropped by kernel
[root@localhost ~]# tcpdump -i ens33 -c 1 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
03:37:33.358731 IP 192.168.223.129.22 > 192.168.223.1.7552: Flags [P.], seq 774519670:774519882, ack 2040418415, win 274, length 212
1 packet captured
2 packets received by filter
0 packets dropped by kernel
[root@localhost ~]# tcpdump -i ens33 -c 1 -nn -e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
03:39:21.079193 00:0c:29:ae:46:bc > 00:50:56:c0:00:08, ethertype IPv4 (0x0800), length 266: 192.168.223.129.22 > 192.168.223.1.7552: Flags [P.], seq 774522334:774522546, ack 2040420835, win 274, length 212
1 packet captured
2 packets received by filter
0 packets dropped by kernel
-w: save the captured packets to a file
-r: read packets back from a file
[root@localhost ~]# tcpdump -i ens33 -c 1 -nn -e -w /tmp/test.pcap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
1 packet captured
1 packet received by filter
0 packets dropped by kernel
[root@localhost ~]# tcpdump -r /tmp/test.pcap
reading from file /tmp/test.pcap, link-type EN10MB (Ethernet)
03:41:26.248653 IP localhost.localdomain.ssh > 192.168.223.1.7552: Flags [P.], seq 774524862:774525010, ack 2040422751, win 274, length 148
[root@localhost ~]# tcpdump -r /tmp/test.pcap -X
reading from file /tmp/test.pcap, link-type EN10MB (Ethernet)
03:41:26.248653 IP localhost.localdomain.ssh > 192.168.223.1.7552: Flags [P.], seq 774524862:774525010, ack 2040422751, win 274, length 148
0x0000: 4510 00bc ea9b 4000 4006 0fbc c0a8 df81 E.....@.@.......
0x0010: c0a8 df01 0016 1d80 2e2a 4fbe 799e 615f .........*O.y.a_
0x0020: 5018 0112 4083 0000 0000 0070 7627 99f4 P...@......pv'..
0x0030: 4f33 3dc4 32c0 69fa 53ab 3de7 c4c7 fe21 O3=.2.i.S.=....!
0x0040: fb34 45b5 cda9 4003 cefa d875 98ff ceb6 .4E...@....u....
0x0050: 57cd dce9 adc5 2dcf a609 c554 89d3 6521 W.....-....T..e!
0x0060: 9787 f92e 57b9 aabd e6f6 7ccd 0a41 7ab8 ....W.....|..Az.
0x0070: 40a5 c5e0 50c7 bed9 2e5c 9717 39a3 b091 @...P....\..9...
0x0080: 90d2 104f 25b9 b1f3 8b8a 0545 38d2 3ba1 ...O%......E8.;.
0x0090: 0a70 a251 4d23 b9dd 1a25 7638 889b 755f .p.QM#...%v8..u_
0x00a0: 9813 22c4 608e e9a5 1f6b df63 baa2 637d ..".`....k.c..c}
0x00b0: 580a fcde c933 8c7c 9541 dd90 X....3.|.A..
-t: do not print a timestamp
-tt: print the timestamp as milliseconds since 1970
-ttt: print the difference in milliseconds from the previous line
-tttt: print the time in UTC
-ttttt: print the difference in milliseconds from the first line
[root@localhost ~]# tcpdump -i ens33 -c 1 -nn -e -t
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:0c:29:ae:46:bc > 00:50:56:c0:00:08, ethertype IPv4 (0x0800), length 266: 192.168.223.129.22 > 192.168.223.1.7552: Flags [P.], seq 774531586:774531798, ack 2040427139, win 274, length 212
1 packet captured
2 packets received by filter
0 packets dropped by kernel
[root@localhost ~]# tcpdump -i ens33 -c 1 -nn -e -tt
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
1551689209.799680 00:0c:29:ae:46:bc > 00:50:56:c0:00:08, ethertype IPv4 (0x0800), length 266: 192.168.223.129.22 > 192.168.223.1.7552: Flags [P.], seq 774532410:774532622, ack 2040427363, win 274, length 212
1 packet captured
2 packets received by filter
0 packets dropped by kernel
[root@localhost ~]# tcpdump -i ens33 -c 1 -nn -e -ttt
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:00:00.000000 00:0c:29:ae:46:bc > 00:50:56:c0:00:08, ethertype IPv4 (0x0800), length 266: 192.168.223.129.22 > 192.168.223.1.7552: Flags [P.], seq 774533250:774533462, ack 2040427535, win 274, length 212
1 packet captured
2 packets received by filter
0 packets dropped by kernel
[root@localhost ~]# tcpdump -i ens33 -c 1 -nn -e -tttt
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
2019-03-04 03:47:29.925869 00:0c:29:ae:46:bc > 00:50:56:c0:00:08, ethertype IPv4 (0x0800), length 266: 192.168.223.129.22 > 192.168.223.1.7552: Flags [P.], seq 774534210:774534422, ack 2040427811, win 274, length 212
1 packet captured
2 packets received by filter
0 packets dropped by kernel
[root@localhost ~]# tcpdump -i ens33 -c 1 -nn -e -ttttt
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:00:00.000000 00:0c:29:ae:46:bc > 00:50:56:c0:00:08, ethertype IPv4 (0x0800), length 266: 192.168.223.129.22 > 192.168.223.1.7552: Flags [P.], seq 774535066:774535278, ack 2040427983, win 274, length 212
1 packet captured
2 packets received by filter
0 packets dropped by kernel
NAME
pcap-filter - packet filter syntax
The filter expression consists of one or more primitives. Primitives usually consist of an id (name or number) preceded by one or more qualifiers. There are three different kinds of qualifier:
type   type qualifiers say what kind of thing the id name or number refers to. Possible types are host, net, port and portrange. E.g., `host foo', `net 128.3', `port 20', `portrange 6000-6008'. If there is no type qualifier, host is assumed.
dir    dir qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst, src and dst, ra, ta, addr1, addr2, addr3, and addr4. E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. If there is no dir qualifier, src or dst is assumed. The ra, ta, addr1, addr2, addr3, and addr4 qualifiers are only valid for IEEE 802.11 Wireless LAN link layers. For some link layers, such as SLIP and the ``cooked'' Linux capture mode used for the ``any'' device and for some other device types, the inbound and outbound qualifiers can be used to specify a desired direction.
proto  proto qualifiers restrict the match to a particular protocol. Possible protos are: ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp. E.g., `ether src foo', `arp net 128.3', `tcp port 21', `udp portrange 7000-7009', `wlan addr2 0:2:3:4:5:6'. If there is no proto qualifier, all protocols consistent with the type are assumed. E.g., `src foo' means `(ip or arp or rarp) src foo' (except the latter is not legal syntax), `net bar' means `(ip or arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
Filter expressions
There are three kinds of qualifier: type, dir and proto.
Relational and logical operators can be used: expr relop expr, where relop is one of >, <, >=, <=, =, !=
Negation (! or not), concatenation (&& or and), alternation (|| or or).
A value at a byte offset into a protocol header can be tested with proto [ expr : size ], where size can be 1, 2 or 4 and defaults to 1.
The keyword len gives the length of the packet.
[root@localhost ~]# tcpdump -i ens33 -c 1 -nn 'port 22'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
03:54:10.466728 IP 192.168.223.129.22 > 192.168.223.1.7552: Flags [P.], seq 774539442:774539654, ack 2040431551, win 274, length 212
1 packet captured
2 packets received by filter
0 packets dropped by kernel
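To connect the -X hex dump with the summary line tcpdump prints, and with the proto [ expr : size ] byte-offset syntax above, here is an added Python example (not from the original post) that rebuilds the bytes from the first three rows of the -X output quoted earlier and decodes the IPv4 and TCP headers by hand. The 0x18 flag byte it extracts is the same byte a filter such as tcp[13] addresses; the payload length it derives (252 - 20 - 20 = 212) matches "length 212" in the summary line.

```python
import re
import struct

# Constructed input: the first three rows of the `tcpdump -X` output quoted
# above (IPv4 + TCP headers; the remaining rows are payload and are not needed).
TCPDUMP_X_ROWS = """\
0x0000: 4510 00fc ea2c 4000 4006 0feb c0a8 df81 E....,@.@.......
0x0010: c0a8 df01 0016 1d80 2e2a 2e46 799e 4b13 .........*.Fy.K.
0x0020: 5018 0112 40c3 0000 0000 00b0 fe6d 2ccc P...@........m,.
"""
# "0x0000:" then 1..8 hex words of 2 or 4 digits, each followed by a space or
# end of line; the ASCII column after the words is deliberately not matched.
ROW_RE = re.compile(r"^0x[0-9a-f]{4}:((?: [0-9a-f]{2,4}(?= |$)){1,8})")
TCP_FLAG_NAMES = {0x01: "F", 0x02: "S", 0x04: "R", 0x08: "P", 0x10: ".", 0x20: "U"}

def hexdump_to_bytes(rows: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump -X rows."""
    out = bytearray()
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def decode_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the IPv4 header and the TCP header that follows it (options are skipped)."""
    ver_ihl, _tos, total_len, _ident, frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4                    # IPv4 header length in bytes
    sport, dport, seq, ack, off_flags, win, _tcsum, _urg = \
        struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    tcp_hlen = (off_flags >> 12) * 4              # TCP data offset in bytes
    flag_bits = off_flags & 0x3F                  # low byte: what pcap-filter's tcp[13] tests
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "df": bool(frag & 0x4000),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": "".join(n for b, n in sorted(TCP_FLAG_NAMES.items()) if flag_bits & b),
        "win": win, "payload_len": total_len - ihl - tcp_hlen,
    }

if __name__ == "__main__":
    print(decode_ipv4_tcp(hexdump_to_bytes(TCPDUMP_X_ROWS)))
```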
3.
- Orphan process: when a parent process exits while one or more of its child processes are still running, those children become orphan processes. Orphans are adopted by the init process (PID 1), which collects their exit status for them.
- Zombie process: a process creates a child with fork; if the child exits but the parent never calls wait or waitpid to collect the child's status information, the child's process descriptor remains in the system. Such a process is called a zombie process.
Harm: if the parent never calls wait/waitpid, that retained information is never released and the process ID stays occupied. The number of process IDs a system can use is finite, so if zombies are produced in large numbers the system can run out of free PIDs and be unable to create new processes.
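The following Python is an added illustration (not from the original post) of exactly that sequence: the parent forks a child that exits at once, does not wait for it, reads the child's state from /proc/<pid>/stat (which shows Z on Linux while the PID is still held), and only then reaps it with waitpid. It assumes a Linux /proc; elsewhere the state reads as None but the reaping still works.

```python
import os
import time

def proc_state(pid: int):
    """One-letter state from /proc/<pid>/stat ('Z' = zombie), or None if /proc is unavailable."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            # format is "pid (comm) S ..." and comm may contain spaces, so split after the ')'
            return f.read().rsplit(")", 1)[1].split()[0]
    except (OSError, IndexError):
        return None

def spawn_zombie() -> int:
    """fork() a child that exits at once; the parent deliberately does not wait() for it."""
    pid = os.fork()
    if pid == 0:
        os._exit(0)                          # child: exit immediately, skipping atexit handlers
    deadline = time.time() + 2.0
    while time.time() < deadline and proc_state(pid) not in ("Z", None):
        time.sleep(0.01)                     # let the child finish exiting
    return pid

def reap(pid: int) -> int:
    """waitpid() collects the exit status; only then are the PID and task entry released."""
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status)

def zombie_demo() -> tuple:
    """Returns (state before reaping, child's exit code, state after reaping)."""
    pid = spawn_zombie()
    before = proc_state(pid)                 # 'Z' on Linux: the child is dead but still holds its PID
    code = reap(pid)
    try:
        os.waitpid(pid, os.WNOHANG)
        after = "still-a-child"
    except ChildProcessError:
        after = "reaped"                     # no unreaped child with this PID remains
    return before, code, after

if __name__ == "__main__":
    print(zombie_demo())
```

In a long-running daemon the same fix is done once rather than per child: install a SIGCHLD handler that loops on waitpid(-1, WNOHANG) so every exited child is collected.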
4. The vmstat command
- Report virtual memory statistics
vmstat [options] [delay [count]]
[root@localhost ~]# vmstat
procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 1  0      0 450368   2108 418460    0    0    22    17   25   30  0  0 99  0  0
- procs:
  r: number of processes waiting to run; the length of the queue of tasks waiting for a CPU
  b: number of processes in uninterruptible sleep; the length of the blocked task queue
- memory:
  swpd: total swap space in use
  free: total free physical memory
  buff: total memory used for buffers
  cache: total memory used for cache
- swap:
  si: rate at which data enters swap (kB/s)
  so: rate at which data leaves swap (kB/s)
- io:
  bi: rate at which data is read from block devices into the system (kB/s)
  bo: rate at which data is written out to block devices (kB/s)
- system:
  in: interrupts, the interrupt rate
  cs: context switches, the context-switch rate
- cpu:
  us: user space
  sy: system
  id: idle
  wa: wait
  st: stolen
Options:
-s: display memory statistics
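As an added example (not from the original post), this Python parses vmstat output by its header row, so the field names above map directly onto values, and turns one sample into the warnings those fields are read for: a run queue longer than the CPU count, blocked tasks, swap activity, high I/O wait and stolen time. The first sample is the vmstat line shown above; the second is a constructed "busy host" line, and the thresholds are assumptions chosen for illustration.

```python
# Constructed inputs: the vmstat output quoted above, and a made-up busy sample.
SAMPLE = """\
procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 1  0      0 450368   2108 418460    0    0    22    17   25   30  0  0 99  0  0
"""
BUSY = """\
procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 9  3 120000  20480   1024  80000  200  150   900  4000  800 2200 30 20 10 40  0
"""

def parse_vmstat(text: str) -> list:
    """Return one dict per sample row, keyed by the column names in the header row."""
    lines = [l for l in text.splitlines() if l.strip()]
    cols = lines[1].split()               # line 0 is the group banner, line 1 the field names
    rows = []
    for line in lines[2:]:
        vals = line.split()
        if len(vals) != len(cols):
            raise ValueError(f"expected {len(cols)} fields, got {len(vals)}: {line!r}")
        rows.append(dict(zip(cols, map(int, vals))))
    return rows

def assess(row: dict, ncpu: int, wa_limit: int = 20) -> list:
    """Turn one vmstat row into human-readable warnings; an empty list means nothing stands out."""
    warnings = []
    if row["r"] > ncpu:                   # more runnable tasks than CPUs to run them
        warnings.append(f"run queue {row['r']} > {ncpu} CPUs: CPU contention")
    if row["b"] > 0:                      # tasks stuck in uninterruptible (usually disk) sleep
        warnings.append(f"{row['b']} task(s) in uninterruptible sleep: blocked on I/O")
    if row["si"] or row["so"]:            # any swap traffic means memory pressure
        warnings.append(f"swap activity: si={row['si']} so={row['so']} kB/s")
    if row["wa"] >= wa_limit:             # CPU idle only because it waits for disk
        warnings.append(f"iowait {row['wa']}%: CPU waiting on disk")
    if row["st"] > 0:                     # hypervisor is taking CPU time from this guest
        warnings.append(f"steal {row['st']}%: CPU time taken by the hypervisor")
    return warnings

if __name__ == "__main__":
    for text in (SAMPLE, BUSY):
        for row in parse_vmstat(text):
            print(assess(row, ncpu=4) or ["ok"])
```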