Linux tshoot commands

Aug 12th, 2018
  1. ++ netstat -> list of network sockets
  2. # get list of TCP/UDP sockets in LISTENING state along with corresponding processes
  3. netstat -ltunp
  4.  
  5. # get list of active TCP/UDP sockets along with corresponding processes, exclude localhost connections
  6. netstat -tunp | egrep -v '127.0.0.1'
  7.  
  8. # get list of active TCP connections with corresponding processes and timers
  9. netstat -tnp -o
  10.  
  11. # get detailed network statistic
  12. netstat -s
  13.  
  14. # get list of network interfaces with brief statistic
  15. netstat -I
  16.  
  17.  
  18. ++ iptables -> tool for managing the kernel firewall (netfilter)
  19. # get detailed list of rules in filter(actual firewall) table
  20. iptables -L -v -n
  21.  
  22. # the same as above, but for NAT table, basically NAT rules
  23. iptables -L -t nat -v -n
  24.  
  25. # stop iptables, which essentially disables the firewall; start it again once troubleshooting is done
  26. /etc/init.d/iptables stop
  27.  
  28. # start iptables, enable firewall
  29. /etc/init.d/iptables start
  30.  
  31. # reset iptables counters to 0, can be useful when troubleshooting connections
  32. iptables -Z
  33.  
  34.  
  35. ++ arp -> checking arp table
  36. arp -v -n -e
  37.  
  38.  
  39. ++ ethtool -> tool for managing network cards
  40. # get detailed statistic from interface eth0
  41. ethtool -S eth0
  42.  
  43. # show features such as LRO/GRO/GSO of network interface
  44. ethtool -k eth0
  45.  
  46.  
  47. ++ nc -> network Swiss-army knife
  48. # test TCP connection to remote host 10.0.0.1 on port 8443
  49. nc -v -z 10.0.0.1 8443
  50.  
  51. # open a UDP "connection" to remote host 10.0.0.1 on port 123
  52. nc -u -v 10.0.0.1 123
  53.  
  54. # test connection between two hosts on a given port
  55. host1$ nc -l 8500
  56. host2$ nc -v -z host1 8500
  57.  
  58.  
  59. ++ arping -> tool which can generate arp-requests, useful for layer 2 network troubleshooting
  60. # send broadcast arp-request for ip 10.0.0.1
  61. arping -b 10.0.0.1
  62.  
  63. # detect duplicate use of address 10.0.0.1 in your broadcast domain
  64. arping -D 10.0.0.1
  65.  
  66.  
  67. ++ tcpdump -> packet-capture utility (for more filter expressions see "man pcap-filter")
  68. # sniff packets for TCP port 5060 from/to host 10.0.0.1 on interface eth0 and print each packet in ASCII
  69. tcpdump -nn -i eth0 -A tcp port 5060 and host 10.0.0.1
  70.  
  71. # the same as above, but write the output to a pcap file that can later be opened with Wireshark (the file holds full packet payloads, so protect it accordingly)
  72. tcpdump -i eth0 -w /var/log/active/capture1.pcap tcp port 5060 and host 10.229.16.97
  73.  
  74. # sniff packets for UDP port 123 with verbose protocol decoding
  75. tcpdump -i eth0 -nnvv udp port 123
  76.  
  77. # read packets from pcap file instead of capturing from interface and display them in verbose, protocol-decoded form
  78. tcpdump -nnvv -r /var/log/active/capture1.pcap
  79.  
  80.  
  81. ++ openssl -> OpenSSL command line tool
  82. # print a certificate stored in PEM form (base64-encoded)
  83. openssl x509 -in /path/to/certificate.pem -noout -text
  84.  
  85. # print a certificate stored in DER form (binary ASN.1 encoding)
  86. openssl x509 -inform DER -in /path/to/certificate.der -noout -text
  87.  
  88. # don't print all details, print only certain fields such as subject/issuer/serial/validity
  89. openssl x509 -in /path/to/certificate.pem -noout -serial -subject -issuer -dates
  90.  
  91. # convert certificate from DER-form to PEM-form, the same can be done vice versa
  92. openssl x509 -inform DER -in /path/to/certificate.der -outform PEM -out /path/to/certificate.pem
  93.  
  94. # display the certificate fingerprint (the digest defaults to SHA-1 on older OpenSSL; add -sha256 for a SHA-256 fingerprint)
  95. openssl x509 -in /path/to/certificate.pem -noout -text -fingerprint
  96.  
  97. # display the subject-name hash, used to name the symlinks in /usr/local/platform/.security/tomcat/trust-certs/
  98. openssl x509 -in /path/to/certificate.pem -noout -hash
  99.  
  100. # hash the public key in the CSR and the public key in the signed certificate issued from it, then compare: no diff output means the keys match and the certificate was generated from that CSR (RSA keys only; -modulus does not apply to EC keys)
  101. diff <(openssl x509 -in ./signed_certificate.pem -noout -modulus | md5sum) <(openssl req -in ./cert_request.csr -noout -modulus | md5sum)
  102.  
  103. # verify certificate chain, certificate is signed by inter-ca, inter-ca signed by root-ca
  104. openssl verify -CAfile ./root-ca.pem -untrusted ./inter-ca.pem ./signed-cert.pem
  105.  
  106. # connect to host 10.0.0.1 on port 8443, verify certificate with CA-certificate cacert.pem and print all certificate chain received from server
  107. openssl s_client -CAfile ./cacert.pem -showcerts -connect 10.0.0.1:8443
  108.  
  109. # connect to host 10.0.0.1 on port 8443 using only TLS 1.2
  110. openssl s_client -tls1_2 -showcerts -connect 10.0.0.1:8443
  111.  
  112. # connect with SSL 2.0 and SSL 3.0 disabled (note: unlike the previous command, TLS 1.0/1.1 are still allowed)
  113. openssl s_client -no_ssl3 -no_ssl2 -showcerts -connect 10.0.0.1:8443
  114.  
  115. # get list of supported ciphersuites
  116. openssl ciphers | sed 's/:/\n/g'
  117.  
  118. # the same as above, but show only ciphersuites that use RSA authentication
  119. openssl ciphers | sed 's/:/\n/g' | egrep '\-RSA-'
  120.  
  121. # connect to host using a specific ciphersuite
  122. openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -showcerts -connect 10.0.0.1:8443
  123.  
  124. # connect to host and immediately decode the presented certificate to text (openssl x509 decodes only the first certificate in the stream, i.e. the server's leaf certificate)
  125. openssl s_client -showcerts -connect 10.0.0.1:8443 | openssl x509 -noout -text
  126.  
  127.  
  128. ++ find -> find objects in file-system
  129. # find files in directory /var/log/active whose filename ends with .log or .txt and that were modified less than 30 minutes ago
  130. find /var/log/active/ -type f -mmin -30 \( -name '*.log' -o -name '*.txt' \)
  131.  
  132. # find files in directory /var/log/active whose filename ends with .log or .txt and that were modified more than 10 days ago
  133. find /var/log/active/ -type f -mtime +10 \( -name '*.log' -o -name '*.txt' \)
  134.  
  135. # find executable files whose filename contains ccm (case-insensitive)
  136. find /usr/local/ -type f -executable -iname '*ccm*'
  137.  
  138. # find all .pem certificates in /usr/local/ and print each file's location and x509 details (if possible)
  139. find /usr/local/ -type f -name '*.pem' -exec echo {} \; -exec openssl x509 -in {} -noout -subject -issuer -serial -dates \; -exec echo "----" \; 2>/dev/null
  140.  
  141.  
  142. ++ tar -> archive utility
  143. # create a gzip-compressed archive of all .log files in the current directory
  144. tar -czf ./myarchive.tar.gz ./*.log
  145.  
  146. # unpack tar archive
  147. tar -xzf ./myarchive.tar.gz
  148.  
  149. # list archive contents
  150. tar -tzf ./myarchive.tar.gz
  151.  
  152. # find .log or .txt files modified less than 120 minutes ago in /var/log/active/platform/ and add them to an archive
  153. find /var/log/active/platform/ -type f -mmin -120 \( -name '*.log' -o -name '*.txt' \) -print0 | tar -czf ./myarchive.tar.gz --null -T -
  154.  
  155. # the same as previous, but add to archive files only by filenames, without path
  156. find /var/log/active/platform/ -type f -mmin -30 \( -name '*.log' -o -name '*.txt' \) -print0 | tar --transform='s,/.*/\(.*\),\1,' -czf ./myarchive.tar.gz --null -T -
  157.  
  158. # the same as previous, but instead of creating local archive, archive will be transferred on remote server via ssh
  159. find /var/log/active/platform/ -type f -mmin -120 \( -name '*.log' -o -name '*.txt' \) -print0 | tar --transform='s,/.*/\(.*\),\1,' -czf - --null -T - | ssh omozol@10.48.53.219 "cat > ./myarchive.tar.gz"
  160.  
  161.  
  162. ++ top -> interactive tool for monitoring overall system state
  163. # launch top with a refresh interval of i seconds
  164. top -d i
  165.  
  166. # launch top with a refresh interval of i seconds, exit after t refreshes
  167. top -d i -n t
  168.  
  169. # while running top
  170. shift + p -> sort based on CPU utilization
  171. shift + m -> sort based on memory utilization
  172.  
  173.  
  174. ++ ps -> get list of processes
  175. # list all processes in long and full form
  176. ps -elf
  177.  
  178. # list all processes with parent-child relations drawn as an ASCII tree
  179. ps -elf --forest
  180.  
  181. # list a specific process by its PID
  182. ps -lf PID
  183.  
  184. # list processes started by user with UID
  185. ps -lf -u 500
  186. ps -lf -u root
  187.  
  188. # list a specific process together with its LWPs (threads) by PID
  189. ps -lfL PID
  190.  
  191. # get top 10 processes by cpu usage with detailed info
  192. ps -e -o state,user,pid,ppid,%cpu,%mem,rss,vsize,nlwp,time,cmd | sort -rnk5 | head -10
  193.  
  194. # get top 10 processes by memory usage with detailed info
  195. ps -e -o state,user,pid,ppid,%cpu,%mem,rss,vsize,nlwp,time,cmd | sort -rnk6 | head -10
  196.  
  197.  
  198. ++ lsof -> get list of file descriptors
  199. # list file descriptors opened by the process with PID (-P: show port numbers instead of service names)
  200. lsof -p PID -P
  201.  
  202. # get PIDs of processes that have /path/to/file open
  203. lsof -n -t /path/to/file
  204.  
  205. # get list of opened TCP sockets by process with PID
  206. lsof -p PID -P | egrep 'IPv.*TCP'
  207.  
  208. # list open files located under directory /some/path (searched recursively)
  209. lsof +D /some/path
  210.  
  211.  
  212. ++ jobs/bg/fg -> job manipulation
  213. # get list of current jobs
  214. jobs
  215.  
  216. # put job with ID to foreground execution
  217. fg %ID
  218.  
  219. # put job with ID to background execution
  220. bg %ID
  221.  
  222.  
  223. ++ strace -> monitor syscalls of specific process or command, process tracing
  224. # trace a command: follow forked children/threads (-f), verbose output (-vv), time spent in each syscall (-T), timestamps (-t), print up to 256 bytes of string arguments (-s 256)
  225. strace -fvvTt -s 256 command
  226.  
  227. # same as above, but write output to the file for further analysis
  228. strace -fvvTt -s 256 -o /path/to/tracefile.txt command
  229.  
  230. # same as above but track only specific syscalls, such as open,read,write
  231. strace -fvvTt -s 256 -e open,read,write -o /path/to/tracefile.txt command
  232.  
  233. # same as above, but instead of launching new command/process, connect to existing process with PID
  234. strace -fvvTt -s 256 -e open,read,write -o /path/to/tracefile.txt -p PID
  235.  
  236.  
  237. ++ auditctl -> tool for managing kernel audit system
  238. # add a rule to monitor read/write operations on particular file
  239. auditctl -w /path/to/the/file -p rw -k myauditrule1
  240.  
  241. # remove rule which monitors read/write operations on particular file
  242. auditctl -W /path/to/the/file -p rw -k myauditrule1
  243.  
  244. # get list of audit rules
  245. auditctl -l
  246.  
  247. # get audit records about the file from the raw audit logs (the key set with -k above also lets you filter with `ausearch -k myauditrule1`)
  248. egrep -a 'filename' /var/log/active/audit/vos/vos-audit*
  249.  
  250.  
  251. ++ free -> concise output of memory stats
  252. # memory stats in MB
  253. free -m
  254.  
  255.  
  256. ++ vmstat -> more detailed memory statistic, can be told to execute multiple times to compare outputs dynamically
  257. # get statistic for active virtual memory
  258. vmstat -a -w
  259.  
  260. Description of output
  261.     FIELD DESCRIPTION FOR VM MODE
  262.        Procs
  263.            r: The number of runnable processes (running or waiting for run time).
  264.            b: The number of processes in uninterruptible sleep.
  265.        Memory
  266.            swpd: the amount of virtual memory used.
  267.            free: the amount of idle memory.
  268.            buff: the amount of memory used as buffers.
  269.            cache: the amount of memory used as cache.
  270.            inact: the amount of inactive memory.  (-a option)
  271.            active: the amount of active memory.  (-a option)
  272.        Swap
  273.            si: Amount of memory swapped in from disk (/s).
  274.            so: Amount of memory swapped to disk (/s).
  275.        IO
  276.            bi: Blocks received from a block device (blocks/s).
  277.            bo: Blocks sent to a block device (blocks/s).
  278.        System
  279.            in: The number of interrupts per second, including the clock.
  280.            cs: The number of context switches per second.
  281.        CPU
  282.            These are percentages of total CPU time.
  283.            us: Time spent running non-kernel code.  (user time, including nice time)
  284.            sy: Time spent running kernel code.  (system time)
  285.            id: Time spent idle.  Prior to Linux 2.5.41, this includes IO-wait time.
  286.            wa: Time spent waiting for IO.  Prior to Linux 2.5.41, included in idle.
  287.            st: Time stolen from a virtual machine.  Prior to Linux 2.6.11, unknown.
  288.  
  289. # the same as above, but print output 10 times at 1-second intervals; in this mode the first row always shows averages since system boot
  290. vmstat -a -w 1 10
  291.  
  292. # get detailed statistic for virtual memory usage
  293. vmstat -s
  294.  
  295.  
  296. ++ iostat -> get detailed I/O statistic
  297. # display detailed statistic for sda disk
  298. iostat -x sda
  299.  
  300. Description of output
  301.        tps
  302.                      Indicate the number of transfers per second that were issued to the device. A transfer is an I/O request to the device. Multiple logical requests can be combined  into  a  single  I/O
  303.                      request to the device. A transfer is of indeterminate size.
  304.               Blk_read/s (kB_read/s, MB_read/s)
  305.                      Indicate  the  amount of data read from the device expressed in a number of blocks (kilobytes, megabytes) per second. Blocks are equivalent to sectors and therefore have a size of 512
  306.                      bytes.
  307.               Blk_wrtn/s (kB_wrtn/s, MB_wrtn/s)
  308.                      Indicate the amount of data written to the device expressed in a number of blocks (kilobytes, megabytes) per second.
  309.               Blk_read (kB_read, MB_read)
  310.                      The total number of blocks (kilobytes, megabytes) read.
  311.               Blk_wrtn (kB_wrtn, MB_wrtn)
  312.                      The total number of blocks (kilobytes, megabytes) written.
  313.               rrqm/s
  314.                      The number of read requests merged per second that were queued to the device.
  315.               wrqm/s
  316.                      The number of write requests merged per second that were queued to the device.
  317.               r/s
  318.                      The number (after merges) of read requests completed per second for the device.
  319.               w/s
  320.                      The number (after merges) of write requests completed per second for the device.
  321.               rsec/s (rkB/s, rMB/s)
  322.                      The number of sectors (kilobytes, megabytes) read from the device per second.
  323.               wsec/s (wkB/s, wMB/s)
  324.                      The number of sectors (kilobytes, megabytes) written to the device per second.
  325.               avgrq-sz
  326.                      The average size (in sectors) of the requests that were issued to the device.
  327.               avgqu-sz
  328.                      The average queue length of the requests that were issued to the device.
  329.               await
  330.                      The average time (in milliseconds) for I/O requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them.
  331.               r_await
  332.                      The average time (in milliseconds) for read requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them.
  333.        w_await
  334.                      The average time (in milliseconds) for write requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them.
  335.               svctm
  336.                      The average service time (in milliseconds) for I/O requests that were issued to the device. Warning! Do not trust this field any more.  This field will be removed in a future  sysstat
  337.                      version.
  338.               %util
  339.                      Percentage of elapsed time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%.
  340.  
  341. # the same as above, but print output 10 times at 1-second intervals; in this mode the first row always shows averages since system boot
  342. iostat -x sda 1 10
  343.  
  344.  
  345. ++ iotop -> top for I/O stats, useful for real-time monitoring of system I/O and determining I/O offenders
  346. # get I/O statistic, print only processes who perform I/O operations, accumulate I/O statistic
  347. iotop -a -o -P
  348.  
  349. # print I/O statistics only for processes running as user tomcat
  350. iotop -a -o -P -u tomcat
  351.  
  352.  
  353. ++ sar -> get historical statistics of system resource utilization, similar to Perfmon; collected statistics are stored in /var/log/active/sa/ and retained for the last 30 days
  354. # display CPU statistics from file sa24, which corresponds to the most recent 24th day of the month
  355. sar -u -f /var/log/active/sa/sa24
  356.  
  357. # display detailed memory statistic for the same day
  358. sar -r -f /var/log/active/sa/sa24
  359.  
  360. # display detailed I/O statistic for the same day
  361. sar -d -f /var/log/active/sa/sa24
  362.  
  363. # display detailed network statistic for the same day
  364. sar -n DEV -f /var/log/active/sa/sa24