  1. -A INPUT --state NEW -p tcp --dport 4711 -j LOG
  2.  
  3. tcpdump "dst port 4711 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"
  4.  
  5. tcpdump "src port 4711 and tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)"
  6.  
  7. #!/usr/bin/env stap
  8. # To monitor another TCP port run:
  9. # stap -G port=80 tcp_connections.stp
  10. # or
  11. # ./tcp_connections.stp -G port=80
# Listening port to watch; override at run time with -G port=N (see header).
global port = 22
# Statistics aggregate keyed by remote address, fed by the accept probe
# ("<<< 1" per accepted connection) and read back with @count in report().
global connections
  14.  
  15. function report() {
  16. foreach (addr in connections) {
  17. printf("%s: %dn", addr, @count(connections[addr]))
  18. }
  19. }
  20.  
  21. probe end {
  22. printf("n=== Summary ===n")
  23. report()
  24. }
  25.  
  26. probe kernel.function("tcp_accept").return?,
  27. kernel.function("inet_csk_accept").return? {
  28. sock = $return
  29. if (sock != 0) {
  30. local_port = inet_get_local_port(sock)
  31. if (local_port == port) {
  32. remote_addr = inet_get_ip_source(sock)
  33. connections[remote_addr] <<< 1
  34. printf("%s New connection from %sn", ctime(gettimeofday_s()), remote_addr)
  35. }
  36. }
  37. }
  38.  
  39. [root@bubu ~]# ./tcp_connections.stp -G port=80
  40. Mon Mar 17 04:13:03 2014 New connection from 192.168.122.1
  41. Mon Mar 17 04:13:04 2014 New connection from 192.168.122.1
  42. Mon Mar 17 04:13:08 2014 New connection from 192.168.122.4
  43. ^C
  44. === Summary ===
  45. 192.168.122.1: 2
  46. 192.168.122.4: 1
  47.  
  48. strace -r -f -e trace=accept -o /tmp/strace ${PROGRAM} ${ARGS}
  49.  
  50. strace -r -f -e trace=accept -o /tmp/strace -p ${PID_OF_PROGRAM}
  51.  
  52. 999 0.000000 accept(3, {sa_family=AF_INET, sin_port=htons(34702), sin_addr=inet_addr("192.168.122.4")}, [16]) = 5
  53. 999 0.008079 --- SIGCHLD (Child exited) @ 0 (0) ---
  54. 999 1.029846 accept(3, {sa_family=AF_INET, sin_port=htons(34703), sin_addr=inet_addr("192.168.122.4")}, [16]) = 5
  55. 999 0.008276 --- SIGCHLD (Child exited) @ 0 (0) ---
  56. 999 3.580122 accept(3, {sa_family=AF_INET, sin_port=htons(50114), sin_addr=inet_addr("192.168.122.1")}, [16]) = 5
  57.  
  58. # gawk 'match($0, /^([0-9]+)[[:space:]]+([0-9.]+)[[:space:]]+accept(.*htons(([^)]+)),.*inet_addr("([^"]+)").*[[:space:]]+=[[:space:]]+([1-9][0-9]*)/, m) {connections[m[4]]++} END {for (addr in connections) printf("%s: %dn", addr, connections[addr]); }' /tmp/strace
  59. 192.168.122.4: 3
  60. 192.168.122.1: 2
  61.  
  62. cat conn_minute.sh
  63. #!/bin/bash
  64.  
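#######################################
# Snapshot the connection-tracking table into an hourly tar archive.
# Globals:   none (all variables are local)
# Arguments: none
# Outputs:   /mnt/logs/ip_conntrack/YYYYMMDD/YYYYMMDD_HH.tar gains one
#            gzip member named after the snapshot time
# Returns:   0 on success, non-zero if the directory, snapshot or archive
#            step fails
#######################################
save_log() {
  local stamp day hour log_dir temp_file log_file rv
  # One date call: deriving day and hour from the same stamp avoids the
  # directory and file names disagreeing across a midnight/hour boundary.
  stamp=$(date +%Y%m%d_%H%M%S) || return 1
  day=${stamp%%_*}          # YYYYMMDD
  hour=${stamp:0:11}        # YYYYMMDD_HH
  log_dir=/mnt/logs/ip_conntrack/$day
  temp_file=$log_dir/$stamp.gz
  log_file=$log_dir/$hour.tar
  mkdir -p -- "$log_dir" || return 1
  # Newer kernels expose the table as /proc/net/nf_conntrack instead;
  # adjust the path if ip_conntrack is absent.
  if ! gzip -c /proc/net/ip_conntrack > "$temp_file"; then
    rm -f -- "$temp_file"
    return 1
  fi
  # tar warns about stripping the leading '/' from the member name; that
  # warning is silenced, the exit status is still propagated.
  if [[ -f "$log_file" ]]; then
    tar -rf "$log_file" "$temp_file" 2>/dev/null
  else
    tar -cf "$log_file" "$temp_file" 2>/dev/null
  fi
  rv=$?
  rm -f -- "$temp_file"
  return "$rv"
}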
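#######################################
# Take a series of conntrack snapshots via save_log, pausing after each one.
# Arguments: $1 - number of snapshots (default 3)
#            $2 - seconds to sleep after each snapshot (default 20)
# With the defaults this spans one minute (3 x 20 s), hence the name.
# Returns:   status of the last command run in the loop
#######################################
log_minute() {
  local -r count=${1:-3}
  local -r interval=${2:-20}
  local i
  for ((i = 1; i <= count; i++)); do
    save_log
    sleep "$interval"
  done
}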
  91.  
  92. log_minute
  93.  
  94. nohup netstat -c | grep -E "xxx|xxxx" >> netstat_log 2>&1 &