
[CentOS 7 Series] Monitoring System Status (Part 2)

Monitoring

1. iostat/iotop: disk usage

[root@server01 ~]# iostat    ## static display
Linux 3.10.0-514.el7.x86_64 (server01)  2017年07月11日  _x86_64_        (1 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.32    0.00    4.05    0.29    0.00   95.34

Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
sda               1.62        53.20         3.89     234652      17158
sdb               0.03         0.21         0.00        920          0
scd0              0.00         0.01         0.00         44          0

[root@server01 ~]# iotop    ## dynamic display
Total DISK READ :       0.00 B/s | Total DISK WRITE :       0.00 B/s
Actual DISK READ:       0.00 B/s | Actual DISK WRITE:       0.00 B/s
  TID  PRIO  USER     DISK READ  DISK WRITE  SWAPIN     IO>    COMMAND
    1 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % systemd -~rialize 21
    2 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [kthreadd]
    3 be/4 root        0.00 B/s    0.00 B/s  0.00 %  0.00 % [ksoftirqd/0]
......


2. free: memory usage

[root@server01 ~]# free
              total        used        free      shared  buff/cache   available
Mem:        1008392      113948      614756        6868      279688      719948
Swap:       2097148           0     2097148
[root@server01 ~]# free -m                         ## in megabytes
              total        used        free      shared  buff/cache   available
Mem:            984         111         600           6         273         703
Swap:          2047           0        2047
[root@server01 ~]# free -g
              total        used        free      shared  buff/cache   available
Mem:              0           0           0           0           0           0
Swap:             1           0           1
[root@server01 ~]# free -h                         ## human-readable units
              total        used        free      shared  buff/cache   available
Mem:           984M        111M        600M        6.7M        273M        703M
Swap:          2.0G          0B        2.0G

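buffer: data passes from the CPU into memory (the buffer) and is then written to disk.

cache: data is read from disk into memory (the cache) and is then handed to the CPU.


total = used + free + buff/cache;

available includes free plus the remaining part of buff/cache.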


3. ps: system processes

[root@server01 ~]# ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.6 128092  6708 ?        Ss   7月10   0:01 /usr/lib/syste
root         2  0.0  0.0      0     0 ?        S    7月10   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    7月10   0:00 [ksoftirqd/0]
......
[root@server01 ~]# ps -elf
F S UID        PID  PPID  C PRI  NI ADDR SZ WCHAN  STIME TTY          TIME CMD
4 S root         1     0  0  80   0 - 32023 ep_pol 7月10 ?       00:00:01 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
1 S root         2     0  0  80   0 -     0 kthrea 7月10 ?       00:00:00 [kthreadd]
1 S root         3     2  0  80   0 -     0 smpboo 7月10 ?       00:00:00 [ksoftirqd/0]
......

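"ps aux" and "ps -elf" serve the same purpose; which one to use depends on the user's habits.


▎STAT column details:

D  uninterruptible process            <  high-priority process
R  running process                    N  low-priority process
S  sleeping process                   L  has pages locked in memory
T  stopped process                    s  main process (session leader)
Z  zombie process                     l  multi-threaded process
+  foreground process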


4. netstat: network status

[root@server01 ~]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0     64 server01:ssh            gateway:51102           ESTABLISHED
udp        0      0 server01:53475          marla.ludost.net:ntp    ESTABLISHED
udp        0      0 server01:44876          61-216-153-107.HINE:ntp ESTABLISHED
udp        0      0 server01:40498          ntp1.ams1.nl.leasew:ntp ESTABLISHED
udp        0      0 server01:49814          ntp4.itcompliance.d:ntp ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ]         DGRAM                    7564     /run/systemd/notify
......
[root@server01 ~]# netstat -lnp      ## shows ports and connection state
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1293/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1793/master
tcp6       0      0 :::22                   :::*                    LISTEN      1293/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1793/master
udp        0      0 127.0.0.1:323           0.0.0.0:*                           492/chronyd
udp6       0      0 ::1:323                 :::*                                492/chronyd
raw6       0      0 :::58                   :::*                    7           510/NetworkManager
Active UNIX domain sockets (only servers)
......
[root@server01 ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0     64 192.168.137.100:22      192.168.137.1:51102     ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
udp        0      0 192.168.137.100:53475   79.98.105.18:123        ESTABLISHED
udp        0      0 127.0.0.1:323           0.0.0.0:*
udp        0      0 192.168.137.100:58381   61.216.153.107:123      ESTABLISHED
......
[root@server01 ~]# netstat -lntp         ## TCP only
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address       Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:22          0.0.0.0:*           LISTEN      1293/sshd
tcp        0      0 127.0.0.1:25        0.0.0.0:*           LISTEN      1793/master
tcp6       0      0 :::22               :::*                LISTEN      1293/sshd
tcp6       0      0 ::1:25              :::*                LISTEN      1793/master
[root@server01 ~]# netstat -lnup         ## UDP only
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address       Foreign Address     State       PID/Program name
udp        0      0 127.0.0.1:323       0.0.0.0:*                       492/chronyd
udp6       0      0 ::1:323             :::*                            492/chronyd
[root@server01 ~]# netstat -an | awk '/^tcp/{++sta[$NF]}END{for(key in sta)print key,"\t",sta[key]}'                     ## count connections per state
LISTEN   4
ESTABLISHED      1
[root@server01 ~]# ss -an
......

u_str ESTAB      0      0    * 13719                                  * 13718
u_str ESTAB      0      0    * 17908                                  * 17907
u_str ESTAB      0      0    * 14545                                  * 14546
u_str ESTAB      0      0    * 13612                                  * 13720
udp   UNCONN     0      0    :::58                                    :::*
udp   ESTAB      0      0    192.168.137.100:56524                    163.172.177.158:123
udp   ESTAB      0      0    192.168.137.100:42723                       79.98.105.18:123
udp   UNCONN     0      0    127.0.0.1:323                                    *:*
udp   ESTAB      0      0    192.168.137.100:58381                     61.216.153.107:123
......
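
The `netstat -lnp` output above separates listeners bound to loopback (127.0.0.1, ::1) from listeners bound to every interface (0.0.0.0, ::). The script below is an added example, not part of the original post: it flags non-loopback listeners that are missing from an allowlist. The function name audit_listeners, the "proto/port" allowlist format and the mysqld sample line are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit `netstat -lntup` style output against an allowlist.
# Constructed sample: rows taken from the netstat -lnp output on this page,
# plus one constructed row (0.0.0.0:3306, mysqld) so that there is a finding.
SAMPLE='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1293/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1793/master
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      2044/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      1293/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1793/master
udp        0      0 127.0.0.1:323           0.0.0.0:*                           492/chronyd
udp6       0      0 ::1:323                 :::*                                492/chronyd'

# audit_listeners ALLOWLIST   (netstat rows are read from stdin)
# ALLOWLIST is a space-separated list of proto/port entries, e.g. "tcp/22".
# Prints "proto port address owner" for each exposed listener not on the list.
audit_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^(tcp|udp)/ {
        proto = $1; sub(/6$/, "", proto)          # tcp6 -> tcp, udp6 -> udp
        laddr = $4
        port = laddr; sub(/.*:/, "", port)        # text after the last colon
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        if ($1 ~ /^tcp/ && $6 != "LISTEN") next   # TCP: listening rows only
        if ($1 ~ /^udp/ && $6 == "ESTABLISHED") next
        # Loopback-only sockets cannot be reached from other hosts.
        if (addr ~ /^127\./ || addr == "::1") next
        if ((proto "/" port) in ok) next
        print proto, port, addr, $NF
    }'
}

# Run against the constructed sample with only SSH allowed.
printf '%s\n' "$SAMPLE" | audit_listeners "tcp/22"
```

On a live host, pipe the real output in instead: `netstat -lntup | audit_listeners "tcp/22"`.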


5. tcpdump: packet capture

[root@server01 ~]# tcpdump -nn -i ens33  ## specify the capture interface
......
00:43:14.089076 IP 192.168.137.100.22 > 192.168.137.1.51102: Flags [P.], seq 1265808:1266096, ack 18561, win 260, length 288
00:43:14.089308 IP 192.168.137.1.51102 > 192.168.137.100.22: Flags [.], ack 1266096, win 251, length 0
00:43:14.089335 IP 192.168.137.100.22 > 192.168.137.1.51102: Flags [P.], seq 1266096:1266272, ack 18561, win 260, length 176
^C
8213 packets captured
8215 packets received by filter
0 packets dropped by kernel

Other usage:

tcpdump -nn port 80                 ## capture on a specific port
tcpdump -nn not port 25 and host 192.168.137.1 ## "and" combines multiple filter conditions
tcpdump -nn -c 100 -w 1.cap         ## write 100 packets to a file
tcpdump -r /tmp/1.cap               ## read a capture file


▎Besides tcpdump, wireshark can also be used for packet capture:

[root@server01 ~]# tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"
                                                   ## show the host and URI of each HTTP request

Option reference:

-e  <field>
    Add a field to the list of fields to display if -T fields is selected.  This option can be used multiple times on the command line.  At least one field must be provided if the -T fields option is selected. Column names may be used prefixed with "col."
    Example: -e frame.number -e ip.addr -e udp -e col.info
    Giving a protocol rather than a single field will print multiple items of data about the protocol as a single field.  Fields are separated by tab characters by default.  -E controls the format of the printed fields.
           
-R  <Read filter>
    Cause the specified filter (which uses the syntax of read/display filters, rather than that of capture filters) to be applied during the first pass of analysis. Packets not matching the filter are not considered for future passes. Only makes sense with multiple passes, see -2. For regular filtering on single-pass dissect see -Y instead.
    Note that forward-looking fields such as 'response in frame #' cannot be used with this filter, since they will not have been calculated when this filter is applied.

Other usage:

① Capture MySQL queries:
tshark -n -i eth1 -R 'mysql.query' -T fields -e "ip.src" -e "mysql.query"
tshark -i eth1 port 3307  -d tcp.port==3307,mysql -z "proto,colinfo,mysql.query,mysql.query"
② Capture specific types of MySQL query:
tshark -n -i eth1 -R 'mysql matches "SELECT|INSERT|DELETE|UPDATE"' -T fields -e "ip.src" -e "mysql.query"
③ HTTP status statistics:
tshark -n -q -z http,stat, -z http,tree
④ Add timestamps:
tshark  -t  ad
tshark  -t  a


This article comes from the "亂碼時代" blog; please be sure to keep this source: http://juispan.blog.51cto.com/943137/1946485
