
I get this output from netstat -naputeo:

    tcp        0      0 :::44500                    :::*                        LISTEN      2000       773788772  18117/java          off (0.00/0/0)
    tcp        0      0 :::22                       :::*                        LISTEN      0          9419       4186/sshd           off (0.00/0/0)
    tcp        0      0 ::ffff:127.0.0.1:61666      ::ffff:127.0.0.1:43940      ESTABLISHED 2000       788032760  18122/java          off (0.00/0/0)
    tcp        0      0 ::ffff:192.168.1.202:56510  ::ffff:192.168.1.202:3000   ESTABLISHED 0          791652028  6804/java_ndsagent  keepalive (7185.05/0/0)
    tcp        0      0 ::ffff:192.168.1.202:56509  ::ffff:192.168.1.202:3000   TIME_WAIT   0          0          -                   timewait (41.13/0/0)
    tcp        0      0 ::ffff:192.168.1.202:56508  ::ffff:192.168.1.202:3000   TIME_WAIT   0          0          -                   timewait (21.13/0/0)
    tcp        0   4656 ::ffff:192.168.1.202:22     ::ffff:84.208.36.125:48507  ESTABLISHED 0          791474860  24141/1             on (0.19/0/0)
    tcp        0      0 ::ffff:127.0.0.1:61616      ::ffff:127.0.0.1:45121      ESTABLISHED 2000       788032761  18117/java          off (0.00/0/0)
    tcp        0      0 ::ffff:192.168.1.202:3000   ::ffff:192.168.1.202:56510  ESTABLISHED 0          791651217  8044/rmiregistry    off (0.00/0/0)

Send-Q is the third field, and the culprit here is port 22 with 4656KB. The problem is that I need to get that specific line and that number/port/process into an output file [only if it is above 4000, that is], which then goes to my inbox and alerts me.

I have seen similar answers, but I cannot extract that line using those suggestions. I don't know which process will fill the Q, but I know the port. And not just 22; there may be more at any time.

I have tried:

netstat -naputeo | awk '$3 == 0 && $4 ~ /[^0-9]22$/'

But that gives me the wrong line. [i.e. :::22]

netstat -naputeo | awk '{if(($3)>0) print $3;}'

This is completely wrong, since it somehow produces all lines of that field.

All I need is the number and the line sent to a csv, nothing more. I can deal with error checking later and perhaps improve it.

Any suggestions??

Used this; it works now, but there is room for improvement

filterQs() {
    while read -r recv send address pid_program; do
        # strip from the LAST colon, so ::ffff:192.168.1.202:22 keeps its host part
        ip=${address%:*}
        port=${address##*:}
        pid=${pid_program%%/*}
        program=${pid_program#*/}
        echo "recv=${recv} send=${send} ip=${ip} port=${port} pid=${pid} program=${program}"

        # CalorisPort is a shell variable name here, not a literal port: inside [[ ]]
        # -eq evaluates it arithmetically, so it must be set or it compares as 0
        if [[ ${port} -eq 35487 || ${port} -eq 65485 || ${port} -eq CalorisPort || ${port} -eq 22 ]]; then
            echo "recv=${recv} send=${send} ip=${ip} port=${port} pid=${pid} program=${program}" >> Qmonitor.txt
        fi
    done < <(netstat -napute 2>/dev/null | awk '$1 ~ /^(tcp|udp)/ && ($2 > 500 || $3 > 500) { print $2, $3, $4, $9 }')
}

Thanks everybody

4 Answers

0

Something like

$ netstat -naputeo 2>/dev/null | awk -v OFS=';' '$1 ~ /^tcp/ && $3 > 4000 { sub(/^.+:/, "", $4); print $3, $4, $9 }'

?

This will print column 3 (Send-Q), the port part of column 4 (Local Address) and column 9 (PID/Program name) for Send-Q > 4000, separated by semicolons so you can pipe it into a CSV.

E.g. (with Send-Q > 0 on my box)

$ netstat -naputeo 2>/dev/null | awk -v OFS=';' '$1 ~ /^tcp/ && $3 > 0 { sub(/^.+:/, "", $4); print $3, $4, $9 }'
52;22;4363/sshd:

Edit

If you really need to process the values further in bash, then you can print the corresponding columns with awk and iterate over the lines like this:

#!/bin/bash

while read -r recv send address pid_program; do
    # strip from the LAST colon, so IPv6 / IPv4-mapped addresses keep their host part
    ip=${address%:*}
    port=${address##*:}
    pid=${pid_program%%/*}
    program=${pid_program#*/}
    echo "recv=${recv} send=${send} ip=${ip} port=${port} pid=${pid} program=${program}"
    # do stuff here
done < <(netstat -naputeo 2>/dev/null | awk '$1 ~ /^(tcp|udp)/ && ($2 > 4000 || $3 > 4000) { print $2, $3, $4, $9 }')

For example:

$ ./t.sh
recv=0 send=52 ip=x.x.x.x port=22 pid=12345 program=sshd:

Note: I don't see why you need the -o switch to netstat, since you don't seem interested in the timer output, so you could drop it.

Answered on 2013-09-11T12:07:22.570

0

Try this:

netstat -naputeo | awk '{ if (($3 + 0) >= 4000) { sub(/.*:/, "", $4); print $3, $4, $9;} }'

This filters out the header lines and extracts the port number from field $4.

Answered on 2013-09-11T12:31:32.733

0

Pure bash solution:

#!/bin/bash

filterHuge() {
    while read -r -a line; do
        if (( line[2] > 4000 )) && [[ ${line[3]##*:} == '22' ]]; then # if Send-Q is higher than 4000 and port number is 22
            echo "Size: ${line[2]} Whole line: ${line[*]}"
        fi
    done
}

netstat -naputeo | filterHuge

Answered on 2013-09-11T15:16:10.427

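The three answers above each take one piece of the problem: numeric coercion of Send-Q to skip the header rows, stripping the port off the local address, and looping over the rows in bash. The script below is an added example, not code from the question or from any answer, that combines them into one filter that emits CSV and copes with two things the answers' one-liners trip over: IPv4-mapped addresses such as `::ffff:192.168.1.202:22` (splitting at the first colon leaves an empty host), and the `-` that netstat prints in the PID/Program column for sockets no process owns. It assumes the classic net-tools column layout shown in the question (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State, User, Inode, PID/Program name, Timer) and deliberately handles only tcp rows, because udp rows have an empty State column and their PID/Program field therefore lands in $8, not $9. The sample input reuses lines from the netstat output shown on this page, with a standard header added.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or the answers above.
# Filters net-tools "netstat -naputeo" output for TCP sockets whose Send-Q
# exceeds a byte threshold and prints one CSV record per match, ready to be
# appended to a file or mailed. It reads netstat text on stdin, so it can be
# run on a captured sample (below) as well as on the live command.
#
# Assumption (not stated on the page): netstat prints the classic layout
#   Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name Timer
# Only tcp rows are handled; udp rows have an empty State column, so after
# whitespace splitting their PID/Program field is $8 rather than $9.

# filter_sendq THRESHOLD [PORT ...]
#   THRESHOLD  report sockets whose Send-Q (bytes) is strictly above this
#   PORT ...   optional local ports; when given, only those ports are reported
# Output columns: sendq,proto,local_ip,local_port,foreign,state,pid,program
filter_sendq() {
    local threshold=$1
    shift
    awk -v threshold="$threshold" -v ports="$*" '
        BEGIN {
            OFS = ","
            nports = split(ports, plist, " ")
            for (i = 1; i <= nports; i++) want[plist[i]] = 1
        }
        # "$3 + 0" forces a numeric comparison, so the header rows
        # ("Active Internet ...", "Proto Recv-Q Send-Q ...") compare as 0.
        $1 ~ /^tcp/ && ($3 + 0) > threshold {
            # Split Local Address at its LAST colon: IPv6 and IPv4-mapped
            # addresses such as ::ffff:192.168.1.202:22 contain several.
            if (!match($4, /:[0-9*]+$/)) next
            ip   = substr($4, 1, RSTART - 1)
            port = substr($4, RSTART + 1)
            if (nports > 0 && !(port in want)) next
            # PID/Program name is "pid/name", or "-" when no process owns the
            # socket (e.g. TIME_WAIT); leave both columns empty in that case.
            pid = ""; prog = ""
            if (split($9, pp, "/") > 1) { pid = pp[1]; prog = pp[2] }
            print $3, $1, ip, port, $5, $6, pid, prog
        }'
}

# Captured sample: a standard header plus lines taken from the netstat
# output shown in the question and in the Lineage2 answer on this page.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       User       Inode      PID/Program name    Timer
tcp        0      0 :::22                       :::*                        LISTEN      0          9419       4186/sshd           off (0.00/0/0)
tcp        0   4656 ::ffff:192.168.1.202:22     ::ffff:84.208.36.125:48507  ESTABLISHED 0          791474860  24141/1             on (0.19/0/0)
tcp        0      0 ::ffff:192.168.1.202:56509  ::ffff:192.168.1.202:3000   TIME_WAIT   0          0          -                   timewait (41.13/0/0)
tcp        0  12130 144.217.255.80:6254         200.120.203.238:52295       ESTABLISHED 0          410043     2286/java           on (0.69/0/0)
EOF
}

# Demo on the sample. For live use:
#   netstat -naputeo 2>/dev/null | filter_sendq 4000 22 >> Qmonitor.csv
sample_netstat | filter_sendq 4000
```

Run on the sample with a 4000-byte threshold this prints two records, the port-22 connection from the question and the port-6254 connection from the Lineage2 answer; passing `4000 22` restricts it to the first. A growing Send-Q means the kernel is holding data the peer has not acknowledged, so the interesting column for triage is usually the foreign address: many remotes stuck against one local port, as in the Lineage2 output, points at the peers or the path rather than the local process.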
-1

I have a lineage2 server and have some issues with sent-q

I used your script and......:

Size: 84509 Whole line: tcp 0 84509 144.217.255.80:6254 179.7.212.0:35176 ESTABLISHED 0 480806 2286/java on (46.42/11/0)
Size: 12130 Whole line: tcp 0 12130 144.217.255.80:6254 200.120.203.238:52295 ESTABLISHED 0 410043 2286/java on (0.69/0/0)
Size: 13774 Whole line: tcp 0 13774 144.217.255.80:6254 190.30.75.253:63749 ESTABLISHED 0 469361 2286/java on (0.76/0/0)
Size: 12319 Whole line: tcp 0 12319 144.217.255.80:6254 200.120.203.238:52389 ESTABLISHED 0 487569 2286/java on (0.37/0/0)
Size: 9800 Whole line: tcp 0 9800 144.217.255.80:6254 186.141.200.7:63572 ESTABLISHED 0 478974 2286/java on (0.38/0/0)
Size: 12150 Whole line: tcp 0 12150 144.217.255.80:6254 200.120.203.238:52298 ESTABLISHED 0 410128 2286/java on (0.26/0/0)
Size: 9626 Whole line: tcp 0 9626 144.217.255.80:6254 186.141.200.7:63569 ESTABLISHED 0 482721 2286/java on (0.44/0/0)
Size: 11443 Whole line: tcp 0 11443 144.217.255.80:6254 200.120.203.238:52291 ESTABLISHED 0 411061 2286/java on (0.89/0/0)
Size: 79254 Whole line: tcp 0 79254 144.217.255.80:6254 179.7.212.0:6014 ESTABLISHED 0 501998 2286/java on (89.42/10/0)
Size: 10722 Whole line: tcp 0 10722 144.217.255.80:6254 179.7.111.208:12925 ESTABLISHED 0 488352 2286/java on (0.23/0/0)
Size: 126708 Whole line: tcp 0 126708 144.217.255.80:6254 190.11.106.181:3481 ESTABLISHED 0 487867 2286/java on (85.32/7/0)

The problem is on one port: 6254

Can I send the connections bigger than 4000 to restart to 0, or delete them?

Answered on 2018-03-26T05:41:24.573