Linux 查看实时网络连接或端口的流量带宽占用情况

小助手读文章 00:00 / 00:00

关于 Linux 下的流量监控,之前介绍过《Linux 下如何查看指定进程发起的所有连接信息》和《Linux 下如何实时监控网速》,其中指定查看进程使用的是 pslsof 命令结合, 实时监控网速使用的是 nethogs 命令,我们先来回顾一下。

本文示例基于华为云 199 元高配学生机 CentOS7 环境。

指定进程连接

[[email protected] zones]# ps -ef|grep nginx|grep -v grep
www       4037  8028  0 Jun14 ?        00:10:02 nginx: worker process
www       4038  8028  0 Jun14 ?        00:00:00 nginx: cache manager process
root      8028     1  0 Jun04 ?        00:00:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
[[email protected] zones]# lsof -p 8028 -nP|grep TCP
nginx   8028 root    9u  IPv4           13360517      0t0      TCP *:80 (LISTEN)
nginx   8028 root   10u  IPv6           13360518      0t0      TCP *:80 (LISTEN)
nginx   8028 root   11u  IPv4           13360519      0t0      TCP *:443 (LISTEN)
nginx   8028 root   12u  IPv6           13360520      0t0      TCP *:443 (LISTEN)
[[email protected] zones]# lsof -p 4037 -nP|grep TCP
nginx   4037  www    9u     IPv4           13360517      0t0      TCP *:80 (LISTEN)
nginx   4037  www   10u     IPv6           13360518      0t0      TCP *:80 (LISTEN)
nginx   4037  www   11u     IPv4           13360519      0t0      TCP *:443 (LISTEN)
nginx   4037  www   12u     IPv6           13360520      0t0      TCP *:443 (LISTEN)
nginx   4037  www   15u     IPv4           35805655      0t0      TCP 172.21.99.28:443->61.241.202.208:20160 (ESTABLISHED)
nginx   4037  www   18u     IPv4           35806454      0t0      TCP 172.21.99.28:443->122.95.169.84:57832 (ESTABLISHED)
nginx   4037  www   19u     IPv4           35806456      0t0      TCP 172.21.99.28:443->110.121.234.163:53006 (ESTABLISHED)
nginx   4037  www   22u     IPv4           35806458      0t0      TCP 172.21.99.28:443->110.99.187.30:59462 (ESTABLISHED)
nginx   4037  www   23u     IPv4           35806460      0t0      TCP 172.21.99.28:443->110.219.183.201:16918 (ESTABLISHED)

进程流量监控

[[email protected] zones]# nethogs
NetHogs version 0.8.5

    PID USER     PROGRAM                                                                DEV        SENT      RECEIVED       
   4037 www     nginx: worker process                                                  eth0        8.154    3.133 KB/sec
  18936 root     python                                                                 eth0        0.796    0.336 KB/sec
  10463 root     sshd: [email protected]/1                                                       eth0        0.198    0.047 KB/sec
      ? root     172.21.99.28:46896-42.56.79.189:80                                                 0.013    0.013 KB/sec
      ? root     172.21.99.28:30413-178.19.108.202:54574                                            0.000    0.012 KB/sec
      ? root     172.21.99.28:55002-123.6.2.101:80                                                  0.000    0.000 KB/sec
      ? root     172.21.99.28:12070-178.19.108.202:54574                                            0.000    0.000 KB/sec
      ? root     172.21.99.28:8546-178.19.108.202:54574                                             0.000    0.000 KB/sec
      ? root     unknown TCP                                                                        0.000    0.000 KB/sec

  TOTAL                                                                                             9.162       3.540 KB/sec
 

使用场景分析

虽然上述各个命令可能最终达到的效果都是查看网络连接,但使用场景是不一样的。

比如说通过 lsof 可以查看已知进程开启的端口监听和有哪些网络连接(静态非实时),但无法查看该连接的实时带宽占用;nethogs 可以查看系统当下实时的网络连接和带宽(按进程实时更新),但不能查看具体开启了哪些端口监听和流量到底是哪个连接产生的;如果我们想要看系统当下连接的具体带宽占用情况,这时候我们就可以使用 iptraf 命令(按连接实时更新)。

连接流量监控

[[email protected] zones]# yum install iptraf
......
[[email protected] zones]# iptraf-ng
iptraf-ng 1.1.4
l TCP Connections (Source Host:Port) qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq Packets qqqqqqqqqq Bytes qq Flag qq Iface qqqqqqqqk
xl110.99.43.51:45350                                                   =       9             1831    --A-    eth0          x
xm172.21.99.28:443                                                     =       8             5291    -PA-    eth0          x
xl172.21.99.28:41474                                                   =       1               60    S---    eth0          x
xm117.136.190.162:80                                                   =       0                0    ----    eth0          x
xl125.211.204.225:443                                                  >       1               52    CLOS    eth0          x
xm172.21.99.28:40568                                                   >       2              104    --A-    eth0          x
xl117.136.190.162:80                                                   =       0                0    ----    eth0          x
xm172.21.99.28:41458                                                   =       1               60    S---    eth0          x
xl117.136.190.162:443                                                  =       0                0    ----    eth0          x
xm172.21.99.28:37700                                                   =       1               60    S---    eth0          x
xl117.136.190.162:443                                                  =       0                0    ----    eth0          x
m TCP:     27 entries qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq Active qj
lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
x UDP (252 bytes) from 100.100.2.138:53 to 172.21.99.28:39547 on eth0                                                      x
x UDP (64 bytes) from 172.21.99.28:56601 to 100.100.2.136:53 on eth0                                                       x
x UDP (284 bytes) from 100.100.2.136:53 to 172.21.99.28:56601 on eth0                                                      x
x ICMP dest unrch (ntwk) (56 bytes) from 203.208.145.17 to 172.21.99.28 on eth0                                            x
x UDP (58 bytes) from 172.21.99.28:40530 to 100.100.2.138:53 on eth0                                                       x
x UDP (74 bytes) from 100.100.2.138:53 to 172.21.99.28:40530 on eth0                                                       x
m Bottom qqqqqq Elapsed time:   0:00 qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj
 Packets captured:                                         1645      x  TCP flow rate:           38.54 kbps
 Up/Dn/PgUp/PgDn-scroll  M-more TCP info   W-chg actv win  S-sort TCP  X-exit

从上面执行结果来看,iptraf可以很好地展示出本地连接的收发包情况(本质上是捕获发包情况,不是按正常的如 1Mbps 这种格式显示网速情况),甚至本地源端口与外部端口都可以显示出来,这是同类命令 iftop 无法做到的:

[[email protected] zones]# iftop
                        195Kb                    391Kb                    586Kb                    781Kb               977Kb
mqqqqqqqqqqqqqqqqqqqqqqqvqqqqqqqqqqqqqqqqqqqqqqqqvqqqqqqqqqqqqqqqqqqqqqqqqvqqqqqqqqqqqqqqqqqqqqqqqqvqqqqqqqqqqqqqqqqqqqqqqqq
iZt4njc5pa52ijb9feuazqZ                        => 110.99.120.39                                    22.3Kb  11.1Kb  11.1Kb
                                                 <=                                                  8.05Kb  4.04Kb  4.04Kb
iZt4njc5pa52ijb9feuazqZ                        => 110.106.169.35                                   1.61Kb  6.64Kb  6.64Kb
                                                 <=                                                   924b   2.03Kb  2.03Kb
iZt4njc5pa52ijb9feuazqZ                          => 100.100.2.138                                    1.63Kb  2.17Kb  2.17Kb
                                                 <=                                                  4.23Kb  5.52Kb  5.52Kb
iZt4njc5pa52ijb9feuazqZ                          => 122.89.192.108                                      0b   5.61Kb  5.61Kb
                                                 <=                                                     0b   2.06Kb  2.06Kb
iZt4njc5pa52ijb9feuazqZ                          => 110.121.227.41                                      0b   5.57Kb  5.57Kb
                                                 <=                                                     0b   2.03Kb  2.03Kb
iZt4njc5pa52ijb9feuazqZ                          => 110.99.128.172                                      0b   5.57Kb  5.57Kb
                                                 <=                                                     0b   2.03Kb  2.03Kb
iZt4njc5pa52ijb9feuazqZ                          => 110.106.162.5                                    22.3Kb  5.57Kb  5.57Kb
                                                 <=                                                  8.10Kb  2.03Kb  2.03Kb
iZt4njc5pa52ijb9feuazqZ                          => 110.101.101.254                                     0b   5.57Kb  5.57Kb
                                                 <=                                                     0b   2.03Kb  2.03Kb
iZt4njc5pa52ijb9feuazqZ                          => 110.99.57.136                                    6.10Kb  5.57Kb  5.57Kb
                                                 <=                                                  5.73Kb  2.03Kb  2.03Kb
iZt4njc5pa52ijb9feuazqZ                          => 110.105.83.139                                      0b   5.57Kb  5.57Kb
                                                 <=                                                     0b   2.01Kb  2.01Kb
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
TX:             cum:    160KB   peak:    237Kb                                              rates:    151Kb   160Kb   160Kb
RX:                    64.2KB           92.4Kb                                                       63.0Kb  64.2Kb  64.2Kb
TOTAL:                  224KB            329Kb                                                        214Kb   224Kb   224Kb

iftop 流量情况倒是按类似 1Mbps(128Kb,每秒更新)显示,但无法看到是哪个端口的连接。

同样的,到底是使用 iftop 还是 iptraf 来查看连接流量,要看我们的使用场景,比如我想知道 Nginx 产生的流量,就只能使用 iptraf,因为 iptraf 可以显示端口(监听端口可以使用第一节的 lsof(状态为 LISTEN 的是为监听端口)或者直接 netstat 来获取),而如果我只想知道某个 IP 产生的流量,则使用 iftop 更为合适。

iftopiptraf 都有其一定的局限性,于是乎二者功能的结合品 jnettop 诞生了!先来看下执行结果

[[email protected] zones]# yum install jnettop
......
[[email protected] zones]# jnettop
run   0:00:06 device eth0       pkt[f]ilter: none                                                                          .
[c]ntfilter: on  [b]ps=bytes/s [l]ocal aggr.: none [r]emote aggr.: none
[q]uit [h]elp [s]orting [p]ackets [.] pause [0]-[9] switch device
LOCAL <-> REMOTE                                                                                      TXBPS   RXBPS TOTALBPS
 (IP)                                    PORT  PROTO  (IP)                                    PORT       TX      RX    TOTAL
iZt4njc5pa52ijb9feuazqZ <-> 110.101.119.155                                                         2.64k/s  978b/s  3.59k/s
 172.21.99.28                             443    TCP  110.101.119.155                        47342    5.28k   1.91k    7.19k

iZt4njc5pa52ijb9feuazqZ <-> 110.106.177.211                                                         2.64k/s  978b/s  3.59k/s
 172.21.99.28                             443    TCP  110.106.177.211                        56702    5.27k   1.91k    7.19k

iZt4njc5pa52ijb9feuazqZ <-> 110.126.223.143                                                         1.90k/s  794b/s  2.67k/s
 172.21.99.28                             443    TCP  110.126.223.143                        13712    5.70k   2.33k    8.02k

iZt4njc5pa52ijb9feuazqZ <-> 110.126.223.143                                                         1.92k/s  752b/s  2.65k/s
 172.21.99.28                             443    TCP  110.126.223.143                        13702    5.75k   2.20k    7.95k

iZt4njc5pa52ijb9feuazqZ <-> 110.105.69.10                                                           1.92k/s  748b/s  2.65k/s
 172.21.99.28                             443    TCP  110.105.69.10                          32418    5.75k   2.19k    7.94k

iZt4njc5pa52ijb9feuazqZ <-> 110.99.160.103                                                          1.92k/s  726b/s  2.62k/s
 172.21.99.28                             443    TCP  110.99.160.103                         45963    5.75k   2.13k    7.88k

qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
TOTAL                                                                                               28.3k/s 12.1k/s  40.4k/s
                                                                                                       122k   48.8k     170k

是不是很眼熟?是的,jnettop 命令把 iftop 的 IP 连接情况和 iptraf 的端口连接情况都集中在一起进行了展示,因此我们可以很好的判断某个 IP 连接在某个端口上产生了多大的流量。

在 Linux 下我们可以通过非常多的方式或命令来实现我们的需求,很多情况下我们都可以根据实际情况来选择更合适的,单独的命令或组合,而不必拘泥于某一固定方式或命令。


你可能还需要:

1、《Linux 下的流量监控统计工具 - Vnstat


ArmxMod for Typecho
个性化、自适应、功能强大的响应式主题

推广

 继续浏览关于 linux端口连接进程流量带宽 的文章

 本文最后更新于 2019/06/17 12:00:00,可能因经年累月而与现状有所差异

 引用转载请注明:VirCloud's Blog > 系统 > Linux 查看实时网络连接或端口的流量带宽占用情况

精选评论

  1. 武陵红苗
  2. 心灵博客

    有没有办法查到哪个网站耗费多少流量?

    1. 欧文斯

      虽然说那么多工具可以查看流量,但都是基于系统级的统计,哪个网站这是属于应用级的统计,因为对系统来说应用级是无法直接区别出来的,所以系统级软件很难直接做到应用级的统计,一般都是应用级的软件来统计应用级的流量。比如像你说的想统计网站流量,Nginx 的话就可以使用 ngx_req_status 模块来实现按域名、url、IP 等等统计总流量、总请求数量、当前带宽峰值等信息。