Monday, October 18, 2010

What Network Services are Running

$ netstat -tanup

     or if you just want tcp services
 
          $ netstat -tanp

     or

          $ netstat -ap|grep LISTEN|less

     This is helpful for determining which services are running.

     Need stats on dropped UDP packets?

          $ netstat -s -u

     or TCP

          $ netstat -s -t

     or summary of everything

          $ netstat -s

     or looking for error rates on the interface?

          $ netstat -i

     Listening interfaces?

          $ netstat -l

awk - common awk commands.

Find device names "sd" or with major number 4 and device name "tty". Print the
     record number NR, plus the major number and minor number.

          $ awk '$2 == "sd"||$1 == 4 && $2 == "tty" { print NR,$1,$2}' /proc/devices

     Find device name equal to "sound".

          $ awk '/sound/{print NR,$1,$2}' /proc/devices

     Print the 5th record, first field, in file test

          $ awk 'NR==5{print $1}' test

     Print a record, skip the next three, print a record, etc. (every fourth record: 1, 5, 9, ...) from file1

          $ awk '(NR-1) % 4 == 0 {print $1}' file1

     Print all records except the last one from file1

          $ tac file1|awk 'NR > 1 {print $0}'|tac

     Print A,B,C ..Z on each line, cycling back to A if greater than 26 lines

          $ awk '{ print substr("ABCDEFGHIJKLMNOPQRSTUVWXYZ",(NR-1)%26+1,1),$0}' file1

     Number of bytes in a directory.

          $ ls -l|awk 'BEGIN{ c=0}{ c+=$5} END{ print c}'

     Remove duplicate lines, even nonconsecutive ones. The advantage over "sort|uniq"
     is that you can eliminate duplicate lines in an unsorted file without reordering it.

          $ awk '! a[$0]++' file1

     Or the more efficient script

          $ awk '!($0 in a) {a[$0];print}' file1

     Print only the lines in file1 that have 80 characters or more

          $ awk 'length >= 80' file1

     Print line number 25 on an extremely large file -- note it has
     to be efficient and exit after printing line number 25.

          $ awk 'NR==25 {print; exit}'  verybigfile

Using the "find" Command.

List only directories, max 2 levels down, that have "net" in the name
     (-maxdepth is a global option, so it goes before the tests)

       $ find /proc -maxdepth 2 -type d -iname '*net*'

     Find all *.c and *.h files starting from the current "." position.

       $ find . \( -iname '*.c'  -o -iname '*.h' \) -print

     Find all, but skip what's in "/CVS" and "/junk". Start from "/work"

       $ find /work \( -iregex '.*/CVS'  -o -iregex '.*/junk' \)  -prune -o -print

     Note -regex and -iregex match against the whole path, not just the file name,
     which means you must account for the "./" that comes before all listings.

     Here is another example. Find everything except what is under CVS directories,
     including the CVS directories themselves. Also exclude names containing "#" or "~".

       $ find . ! \( -regex '.*CVS.*'  -o -regex '.*[#~].*' \)

     Find a *.c file, then run grep on it looking for "stdio.h"

       $ find . -iname '*.c' -exec grep -H 'stdio.h' {} \;
         sample output -->  ./prog1.c:#include <stdio.h>
                            ./test.c:#include <stdio.h>

     Looking for the disk-hog on the whole system?

       $ find /  -size +10000k 2>/dev/null

     Looking for files changed in the last 24 hours? Make sure you add the
     minus sign "-1"; otherwise you will only find files changed exactly one
     day ago (find counts in whole 24-hour periods, so "-ctime 1" means
     between 24 and 48 hours ago). With "-1" you get files changed from now
     back to 24 hours ago. (Note that "%a" in the -printf below prints the
     access time; "%c" would print the status-change time that -ctime tests.)


       $ find  . -ctime -1  -printf "%a %f\n"
       Wed Oct  6 12:51:56 2010 .
       Wed Oct  6 12:35:16 2010 Linux_and_Open_Source.txt

     Or if you just want files.

       $ find . -type f -ctime -1  -printf "%a %f\n"

     Details on file status changes in the last 48 hours, current directory. (Similarly, use "-atime -2" for access time.)

       $ find . -ctime -2 -type f -exec ls -l {} \;

             NOTE: if you don't use -type f, you may get "." returned, which
             when run through ls ("ls .") may list more than what you want.

             Also you may only want the current directory

       $ find . -maxdepth 1 -type f -ctime -2 -exec ls -l {} \;

     To find files modified within the last 5 to 10 minutes

       $ find . -mmin +5 -mmin -10 

Monitor all Network Traffic Except Your Current ssh Connection

$ tcpdump -i eth0 -nN -vvv -xX -s 1500 port not 22

       Or to filter out port 123 as well getting the full length of the packet
       (-s 0), use the following:

           $ tcpdump -i eth0 -nN -vvv -xX -s 0 port not 22  and port not 123

       Or to filter only a certain host say 192.168.158.205

           $ tcpdump -i eth0 -nN -vvv -xX  port not 22 and host 192.168.158.205

     Just want IP addresses and a little bit of data? Then use this.
     The "-c 20" stops after 20 packets; like all options it must come
     before the filter expression.

           $ tcpdump -i eth0 -nN -s 1500 -c 20 port not 22

     If you're looking for signs of DoS attacks, the following shows just the
     packets with the SYN flag set, i.e. bit 2 of the TCP flags byte (tcp[13]);
     a SYN-ACK also matches, since only the SYN bit is tested (add "-i any" to
     capture on all interfaces):

           $ tcpdump 'tcp[13] & 2 == 2'
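As an added example (not part of the original post), the SYN filter above fed through awk to count pure SYNs per source address, which is what you actually want to know when checking for a SYN flood; it runs over a constructed sample of "tcpdump -nn" output, and the addresses, counts and threshold are made up.

```sh
#!/bin/sh
# Added example: count pure SYN packets per source from "tcpdump -nn" output.
# SAMPLE is a constructed stand-in for what
#   tcpdump -i eth0 -nn 'tcp[13] & 2 == 2'
# prints; the addresses and counts are made up, not a real capture.
SAMPLE='12:00:00.000001 IP 10.0.0.5.51234 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP 192.168.1.10.80 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:00.000003 IP 10.0.0.5.51235 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000004 IP 10.0.0.5.51236 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000005 IP 10.0.0.6.40000 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
12:00:00.000006 IP 192.168.1.10.22 > 10.0.0.6.40000: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:00.000007 IP 10.0.0.5.51237 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0'

# syn_sources THRESHOLD: read tcpdump lines on stdin and print "count ip"
# for every source that sent more than THRESHOLD pure SYNs.  A SYN-ACK is
# printed by tcpdump as "[S.]", so the "[S]," test skips the server's
# replies and only client-side connection attempts are counted.
syn_sources() {
    awk -v t="$1" '
        $7 == "[S]," {
            # field 3 is "a.b.c.d.port" with -nn; drop the trailing port
            split($3, a, ".")
            ip = a[1] "." a[2] "." a[3] "." a[4]
            syn[ip]++
        }
        END { for (ip in syn) if (syn[ip] > t) print syn[ip], ip }
    ' | sort -rn
}

# Usage with a real capture (stop after 1000 SYNs, report sources over 100):
#   tcpdump -i eth0 -nn -c 1000 'tcp[13] & 2 == 2' | syn_sources 100
printf '%s\n' "$SAMPLE" | syn_sources 2
```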