tcpdump -vv -i ens33跟踪指定的网卡
tcpdump -vv -i ens33 port http指定支持显示的协议有http。
`-r 从文件中读取流量包,
-c表示最大能抓到的packet的数量。
hose结合port利用对发往或来自特定主机的i像那些链接。
0x02 ngrep是tcpdump和grep的结合体。
ngrep -q -c 64 linux port 80
-q只答应载荷的头部
-c显示多少列
-xx用16进制在流量包中搜索。
️查看当前的路由表
dem0@ubuntu:~/Desktop/bash$ ip route default via 192.168.76.2 dev ens33 proto dhcp metric 100 169.254.0.0/16 dev ens33 scope link metric 1000 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 172.18.0.0/16 dev br-3c117fa30e74 proto kernel scope link src 172.18.0.1 linkdown 192.168.76.0/24 dev ens33 proto kernel scope link src 192.168.76.128 metric 100
️查看最近链接的主机
ip neighbor 192.168.76.254 dev ens33 lladdr 00:50:56:eb:d9:b5 STALE 192.168.76.2 dev ens33 lladdr 00:50:56:f7:f5:18 STALE
跟踪路由
ip route get 192.168.76.20x03 srace 跟踪系统调用
#include#include #include void main(){ char *tmp; tmp = malloc(400); strcat(tmp,"testing"); printf("TMP:%s",tmp); free(tmp); exit(0); }
strace
execve("./a.out", ["./a.out"], 0x7ffda59d1c70 ) = 0
brk(NULL) = 0x55b2e9c2d000
arch_prctl(0x3001 , 0x7ffe24287490) = -1 EINVAL (Invalid argument)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDonLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=67877, ...}) = 0
mmap(NULL, 67877, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f63fc812000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDonLY|O_CLOEXEC) = 3
read(3, "177ELF2113��������3�>�1���360q2�����"..., 832) = 832
pread64(3, "6���4���@�������@�������@�������"..., 784, 64) = 784
pread64(3, "4���20���5���GNU�2��3004���3�������", 32, 848) = 32
pread64(3, "4���24���3���GNU�t233222%2742603203133132610204276X>263"..., 68, 880) = 68
fstat(3, {st_mode=S_IFREG|0755, st_size=2029224, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f63fc810000
pread64(3, "6���4���@�������@�������@�������"..., 784, 64) = 784
pread64(3, "4���20���5���GNU�2��3004���3�������", 32, 848) = 32
pread64(3, "4���24���3���GNU�t233222%2742603203133132610204276X>263"..., 68, 880) = 68
mmap(NULL, 2036952, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f63fc61e000
mprotect(0x7f63fc643000, 1847296, PROT_NONE) = 0
mmap(0x7f63fc643000, 1540096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x25000) = 0x7f63fc643000
mmap(0x7f63fc7bb000, 303104, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19d000) = 0x7f63fc7bb000
mmap(0x7f63fc806000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e7000) = 0x7f63fc806000
mmap(0x7f63fc80c000, 13528, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f63fc80c000
close(3) = 0
arch_prctl(ARCH_SET_FS, 0x7f63fc811540) = 0
mprotect(0x7f63fc806000, 12288, PROT_READ) = 0
mprotect(0x55b2e84eb000, 4096, PROT_READ) = 0
mprotect(0x7f63fc850000, 4096, PROT_READ) = 0
munmap(0x7f63fc812000, 67877) = 0
brk(NULL) = 0x55b2e9c2d000
brk(0x55b2e9c4e000) = 0x55b2e9c4e000
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
write(1, "TMP:testing", 11TMP:testing) = 11
exit_group(0) = ?
+++ exited with 0 +++
malloc和free是管理任务内存的用户空间函数,他们仅仅在程序总的内存发生改变时猜调用brk.
0x04 lstarcedem0@ubuntu:~/Desktop/bash$ ltrace ./a.out TMP:testing+++ exited (status 0) +++
因为我们没有定义用户空间函数,所以程序没有输出
dem0@ubuntu:~/Desktop/bash$ ltrace -S ./a.out
SYS_brk(0) = 0x55cb08b6b000
SYS_arch_prctl(0x3001, 0x7ffd0b602e10, 0x7f38bc5372c0, 13) = -22
SYS_access("/etc/ld.so.preload", 04) = -2
SYS_openat(0xffffff9c, 0x7f38bc540b80, 0x80000, 0) = 3
SYS_fstat(3, 0x7ffd0b602010) = 0
SYS_mmap(0, 0x10925, 1, 2) = 0x7f38bc50a000
SYS_close(3) = 0
SYS_openat(0xffffff9c, 0x7f38bc54ae10, 0x80000, 0) = 3
SYS_read(3, "177ELF�02�01�01�03", 832) = 832
SYS_pread(3, 0x7ffd0b601dd0, 784, 64) = 784
SYS_pread(3, 0x7ffd0b601da0, 32, 848) = 32
SYS_pread(3, 0x7ffd0b601d50, 68, 880) = 68
SYS_fstat(3, 0x7ffd0b602060) = 0
SYS_mmap(0, 8192, 3, 34) = 0x7f38bc508000
SYS_pread(3, 0x7ffd0b601cb0, 784, 64) = 784
SYS_pread(3, 0x7ffd0b601990, 32, 848) = 32
SYS_pread(3, 0x7ffd0b601970, 68, 880) = 68
SYS_mmap(0, 0x1f14d8, 1, 2050) = 0x7f38bc316000
SYS_mprotect(0x7f38bc33b000, 1847296, 0) = 0
SYS_mmap(0x7f38bc33b000, 0x178000, 5, 2066) = 0x7f38bc33b000
SYS_mmap(0x7f38bc4b3000, 0x4a000, 1, 2066) = 0x7f38bc4b3000
SYS_mmap(0x7f38bc4fe000, 0x6000, 3, 2066) = 0x7f38bc4fe000
SYS_mmap(0x7f38bc504000, 0x34d8, 3, 50) = 0x7f38bc504000
SYS_close(3) = 0
SYS_arch_prctl(4098, 0x7f38bc509540, 0xffff80c743af61a0, 64) = 0
SYS_mprotect(0x7f38bc4fe000, 12288, 1) = 0
SYS_mprotect(0x55cb06edb000, 4096, 1) = 0
SYS_mprotect(0x7f38bc548000, 4096, 1) = 0
SYS_munmap(0x7f38bc50a000, 67877) = 0
SYS_brk(0) = 0x55cb08b6b000
SYS_brk(0x55cb08b8c000) = 0x55cb08b8c000
SYS_fstat(1, 0x7ffd0b602630) = 0
SYS_write(1, "TMP:testing", 11TMP:testing) = 11
SYS_exit_group(0
+++ exited (status 0) +++
-S选项可以将系统和用户的显示出来。
系统调优 0x01 简介常用的监视工具
cpu: top,dstat,perf,ps,mpstat,strace,trace
网络:netstat,ss,iotop,ip,iptraf,nicstat,ethtool
磁盘: ftrace,iostat,dstat和blktrace
内存:top,dstsat,perf,vmstat和swapon
0x02 识别服务ps -p 1 -o cmd查看当前系统的初始化进程
/sbin/init auto noprompt
dem0@ubuntu:~/Desktop/bash$ ps -eaf | grep upstart dem0 18547 9828 0 18:01 pts/0 00:00:00 grep --color=auto upstart dem0@ubuntu:~/Desktop/bash$ ps -eaf | grep systemd root 356 1 0 13:45 ? 00:00:00 /lib/systemd/systemd-journald
很明显,我的电脑运行的时systemd.
查看运行的服务
[ + ] acpid [ - ] alsa-utils [ - ] anacron [ - ] apache-htcacheclean [ - ] apache2 [ + ] apparmor [ + ] apport [ + ] avahi-daemon [ + ] bluetooth [ - ] console-setup.sh [ + ] cron [ + ] cups [ + ] cups-browsed [ + ] dbus [ + ] docker [ + ] gdm3 [ + ] grub-common [ - ] hwclock.sh [ + ] irqbalance [ + ] kerneloops [ - ] keyboard-setup.sh [ + ] kmod [ + ] mongodb [ + ] network-manager [ + ] open-vm-tools [ + ] openvpn [ - ] plymouth [ - ] plymouth-log [ - ] pppd-dns [ + ] procps [ - ] pulseaudio-enable-autospawn [ - ] redis-server [ - ] rsync [ + ] rsyslog [ - ] saned [ - ] screen-cleanup [ - ] speech-dispatcher [ - ] spice-vdagent [ + ] udev [ + ] ufw [ + ] unattended-upgrades [ - ] uuidd [ + ] whoopsie [ - ] x11-common
前面是+表示正在运行,-表示没有运行。
0x03 禁用服务systemctl disable
相反启用就是enable
0x04 补充以上内容都是通过系统提供的来运行的,但是还有许多是用户手动添加的。xinetd:按需启用
直接在他的配置文件中修改,并且重启就可以了。
0x05 ss命令ss -t查看TCP套接字
ss -l查看处于LISTEN状态的链接
ss -u查看处于udp
️演示过程
ss -el 查看到在services中没有显示的端口服务。
我们用 lsof -i:port来查看具体服务是什么
0x06 dstat收集IOdtsat : 默认每秒收集磁盘额IO信息。
--top-bio 显示出执行IO最多的进程
--top-cpu CPU占用最多的进程
--top-io网络io站哟个
--top-latency 系统负载
--top-mem内存负载
0x07 pidstatdstat如果一个程序有多个进程,他就探测不出来了。
找出同一个进程所有的资源占用。
-d 输出io
-r 缺页故障和内存使用
-u 输出cpu
-w输出任务切换
0x08 sysctl 系统调参 0x09 nice可以调整任务的优先级 结语这个系列终于结束了(歇逼,花了一周时间过了一下强大的linux系统
