On the subject of traffic monitoring on Linux, I previously covered "How to view all connections initiated by a specified process on Linux" and "How to monitor network speed in real time on Linux". The first used a combination of the ps and lsof commands to inspect a given process; the second used the nethogs command for real-time bandwidth. Let's review both first.

The examples in this article were run on a Huawei Cloud 199-yuan high-spec student instance running CentOS 7.
Connections of a specified process
[root@al-sg zones]# ps -ef|grep nginx|grep -v grep
www 4037 8028 0 Jun14 ? 00:10:02 nginx: worker process
www 4038 8028 0 Jun14 ? 00:00:00 nginx: cache manager process
root 8028 1 0 Jun04 ? 00:00:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
[root@al-sg zones]# lsof -p 8028 -nP|grep TCP
nginx 8028 root 9u IPv4 13360517 0t0 TCP *:80 (LISTEN)
nginx 8028 root 10u IPv6 13360518 0t0 TCP *:80 (LISTEN)
nginx 8028 root 11u IPv4 13360519 0t0 TCP *:443 (LISTEN)
nginx 8028 root 12u IPv6 13360520 0t0 TCP *:443 (LISTEN)
[root@al-sg zones]# lsof -p 4037 -nP|grep TCP
nginx 4037 www 9u IPv4 13360517 0t0 TCP *:80 (LISTEN)
nginx 4037 www 10u IPv6 13360518 0t0 TCP *:80 (LISTEN)
nginx 4037 www 11u IPv4 13360519 0t0 TCP *:443 (LISTEN)
nginx 4037 www 12u IPv6 13360520 0t0 TCP *:443 (LISTEN)
nginx 4037 www 15u IPv4 35805655 0t0 TCP 172.21.99.28:443->61.241.202.208:20160 (ESTABLISHED)
nginx 4037 www 18u IPv4 35806454 0t0 TCP 172.21.99.28:443->122.95.169.84:57832 (ESTABLISHED)
nginx 4037 www 19u IPv4 35806456 0t0 TCP 172.21.99.28:443->110.121.234.163:53006 (ESTABLISHED)
nginx 4037 www 22u IPv4 35806458 0t0 TCP 172.21.99.28:443->110.99.187.30:59462 (ESTABLISHED)
nginx 4037 www 23u IPv4 35806460 0t0 TCP 172.21.99.28:443->110.219.183.201:16918 (ESTABLISHED)
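As an added example that is not part of the original article, the following bash script automates the ps + lsof inspection shown above: it collects the PIDs of a process by name, then reduces the lsof output to the listening ports, the established connections grouped by remote peer, and the established connections grouped by local port. The function names and the script file name are the example's own, and the embedded sample is a constructed copy of lsof output in the format above, so the script also runs offline without lsof installed.

```shell
#!/bin/bash
# Added example (not from the original article): summarise the TCP sockets of one
# process from `lsof -nP -p PID` output, the same output the article inspects by eye.
# Every parsing function reads lsof-style lines on stdin, so it works on live output
# (`lsof -nP -p 4037 | listening_ports`) and on the constructed sample below.

# Constructed sample in the format of `lsof -nP -p 4037`: three listeners and
# four client connections (addresses and counters are made up for the example).
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 4037 www 9u IPv4 13360517 0t0 TCP *:80 (LISTEN)
nginx 4037 www 10u IPv6 13360518 0t0 TCP *:80 (LISTEN)
nginx 4037 www 11u IPv4 13360519 0t0 TCP *:443 (LISTEN)
nginx 4037 www 15u IPv4 35805655 0t0 TCP 172.21.99.28:443->61.241.202.208:20160 (ESTABLISHED)
nginx 4037 www 18u IPv4 35806454 0t0 TCP 172.21.99.28:443->122.95.169.84:57832 (ESTABLISHED)
nginx 4037 www 19u IPv4 35806456 0t0 TCP 172.21.99.28:443->122.95.169.84:57840 (ESTABLISHED)
nginx 4037 www 22u IPv4 35806458 0t0 TCP 172.21.99.28:80->110.99.187.30:59462 (ESTABLISHED)'

# PIDs of processes whose command line matches a pattern: the ps|grep|grep -v grep
# idiom from the article, with awk excluding its own process instead of a second grep.
pids_of() {
  ps -eo pid=,args= | awk -v pat="$1" '$0 ~ pat && $0 !~ /awk -v pat=/ { print $1 }'
}

# Distinct ports in LISTEN state on one line, e.g. "80 443" (IPv4 and IPv6
# listeners on the same port collapse into one entry).
listening_ports() {
  awk '$NF == "(LISTEN)" { n = split($(NF-1), a, ":"); print a[n] }' \
    | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Remote peers of ESTABLISHED connections as "ip count", busiest peer first.
# The port is stripped with a regex so IPv6 peers such as [::1]:22 also work.
established_peers() {
  awk '$NF == "(ESTABLISHED)" {
         split($(NF-1), ep, "->"); r = ep[2]; sub(/:[0-9]+$/, "", r); print r
       }' \
    | sort | uniq -c | awk '{ print $2, $1 }' | sort -k2,2nr -k1,1
}

# ESTABLISHED connections grouped by local port as "port count", busiest first.
connections_by_local_port() {
  awk '$NF == "(ESTABLISHED)" {
         split($(NF-1), ep, "->"); n = split(ep[1], a, ":"); print a[n]
       }' \
    | sort | uniq -c | awk '{ print $2, $1 }' | sort -k2,2nr -k1,1n
}

# Live use: `./lsof_summary.sh nginx` runs lsof for every matching PID.
# Without arguments the script demonstrates the parsers on the constructed sample.
if [ "$#" -gt 0 ]; then
  for pid in $(pids_of "$1"); do
    echo "== PID $pid =="
    out=$(lsof -nP -p "$pid" 2>/dev/null)
    echo "listening ports: $(printf '%s\n' "$out" | listening_ports)"
    printf '%s\n' "$out" | established_peers
  done
else
  echo "listening ports: $(printf '%s\n' "$SAMPLE_LSOF" | listening_ports)"
  echo "-- established connections by remote peer --"
  printf '%s\n' "$SAMPLE_LSOF" | established_peers
  echo "-- established connections by local port --"
  printf '%s\n' "$SAMPLE_LSOF" | connections_by_local_port
fi
```

Run without arguments it prints the summary of the embedded sample; run as `./lsof_summary.sh nginx` on a host it walks every nginx PID. The per-peer count is the figure worth watching on a server: one remote address holding many more connections than the rest stands out immediately, which is hard to spot in the raw lsof listing.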
Per-process traffic monitoring
[root@al-sg zones]# nethogs
NetHogs version 0.8.5
PID USER PROGRAM DEV SENT RECEIVED
4037 www nginx: worker process eth0 8.154 3.133 KB/sec
18936 root python eth0 0.796 0.336 KB/sec
10463 root sshd: root@pts/1 eth0 0.198 0.047 KB/sec
? root 172.21.99.28:46896-42.56.79.189:80 0.013 0.013 KB/sec
? root 172.21.99.28:30413-178.19.108.202:54574 0.000 0.012 KB/sec
? root 172.21.99.28:55002-123.6.2.101:80 0.000 0.000 KB/sec
? root 172.21.99.28:12070-178.19.108.202:54574 0.000 0.000 KB/sec
? root 172.21.99.28:8546-178.19.108.202:54574 0.000 0.000 KB/sec
? root unknown TCP 0.000 0.000 KB/sec
TOTAL 9.162 3.540 KB/sec
Usage scenario analysis

Although each of the commands above ultimately ends up showing network connections, their use cases differ. With lsof you can see which ports a known process is listening on and which network connections it has (a static, non-real-time view), but not the bandwidth each connection is currently consuming. nethogs shows the system's current connections and bandwidth in real time (updated per process), but it cannot show which ports are being listened on or which specific connection the traffic comes from. If we want to see the bandwidth each individual connection is using right now, that is where the iptraf command comes in (updated per connection in real time).
Per-connection traffic monitoring
[root@al-sg zones]# yum install iptraf
......
[root@al-sg zones]# iptraf-ng
iptraf-ng 1.1.4
┌ TCP Connections (Source Host:Port) ──────────────────────────────── Packets ────────── Bytes ── Flag ── Iface ────────┐
│┌110.99.43.51:45350 = 9 1831 --A- eth0 │
│└172.21.99.28:443 = 8 5291 -PA- eth0 │
│┌172.21.99.28:41474 = 1 60 S--- eth0 │
│└117.136.190.162:80 = 0 0 ---- eth0 │
│┌125.211.204.225:443 > 1 52 CLOS eth0 │
│└172.21.99.28:40568 > 2 104 --A- eth0 │
│┌117.136.190.162:80 = 0 0 ---- eth0 │
│└172.21.99.28:41458 = 1 60 S--- eth0 │
│┌117.136.190.162:443 = 0 0 ---- eth0 │
│└172.21.99.28:37700 = 1 60 S--- eth0 │
│┌117.136.190.162:443 = 0 0 ---- eth0 │
└ TCP: 27 entries ──────────────────────────────────────────────────────────────────────────────────────── Active ─┘
┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ UDP (252 bytes) from 100.100.2.138:53 to 172.21.99.28:39547 on eth0 │
│ UDP (64 bytes) from 172.21.99.28:56601 to 100.100.2.136:53 on eth0 │
│ UDP (284 bytes) from 100.100.2.136:53 to 172.21.99.28:56601 on eth0 │
│ ICMP dest unrch (ntwk) (56 bytes) from 203.208.145.17 to 172.21.99.28 on eth0 │
│ UDP (58 bytes) from 172.21.99.28:40530 to 100.100.2.138:53 on eth0 │
│ UDP (74 bytes) from 100.100.2.138:53 to 172.21.99.28:40530 on eth0 │
└ Bottom ────── Elapsed time: 0:00 ───────────────────────────────────────────────────────────────────────────────────┘
Packets captured: 1645 │ TCP flow rate: 38.54 kbps
Up/Dn/PgUp/PgDn-scroll M-more TCP info W-chg actv win S-sort TCP X-exit
From the output above, iptraf presents the packets sent and received on each local connection very well (essentially it captures and counts packets rather than displaying a rate in the usual form such as 1Mbps), and it can even show both the local source port and the remote port, which its counterpart iftop cannot do:
[root@al-sg zones]# iftop
195Kb 391Kb 586Kb 781Kb 977Kb
└───────────────────────┴────────────────────────┴────────────────────────┴────────────────────────┴────────────────────────
iZt4njc5pa52ijb9feuazqZ => 110.99.120.39 22.3Kb 11.1Kb 11.1Kb
<= 8.05Kb 4.04Kb 4.04Kb
iZt4njc5pa52ijb9feuazqZ => 110.106.169.35 1.61Kb 6.64Kb 6.64Kb
<= 924b 2.03Kb 2.03Kb
iZt4njc5pa52ijb9feuazqZ => 100.100.2.138 1.63Kb 2.17Kb 2.17Kb
<= 4.23Kb 5.52Kb 5.52Kb
iZt4njc5pa52ijb9feuazqZ => 122.89.192.108 0b 5.61Kb 5.61Kb
<= 0b 2.06Kb 2.06Kb
iZt4njc5pa52ijb9feuazqZ => 110.121.227.41 0b 5.57Kb 5.57Kb
<= 0b 2.03Kb 2.03Kb
iZt4njc5pa52ijb9feuazqZ => 110.99.128.172 0b 5.57Kb 5.57Kb
<= 0b 2.03Kb 2.03Kb
iZt4njc5pa52ijb9feuazqZ => 110.106.162.5 22.3Kb 5.57Kb 5.57Kb
<= 8.10Kb 2.03Kb 2.03Kb
iZt4njc5pa52ijb9feuazqZ => 110.101.101.254 0b 5.57Kb 5.57Kb
<= 0b 2.03Kb 2.03Kb
iZt4njc5pa52ijb9feuazqZ => 110.99.57.136 6.10Kb 5.57Kb 5.57Kb
<= 5.73Kb 2.03Kb 2.03Kb
iZt4njc5pa52ijb9feuazqZ => 110.105.83.139 0b 5.57Kb 5.57Kb
<= 0b 2.01Kb 2.01Kb
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
TX: cum: 160KB peak: 237Kb rates: 151Kb 160Kb 160Kb
RX: 64.2KB 92.4Kb 63.0Kb 64.2Kb 64.2Kb
TOTAL: 224KB 329Kb 214Kb 224Kb 224Kb
iftop, by contrast, does display throughput as a rate in a form like 1Mbps (128Kb, updated every second), but it cannot show which port a connection is on.

Likewise, whether to use iftop or iptraf to look at connection traffic depends on the scenario. If I want to know how much traffic Nginx is generating, only iptraf will do, because iptraf shows ports (the listening ports can be obtained with lsof from the first section, where entries in LISTEN state are the listening ports, or directly with netstat). If I only want to know the traffic generated by a particular IP, iftop is the better fit.

Both iftop and iptraf have their limitations, and so jnettop, which combines the functionality of the two, was born! Let's look at its output first:
[root@al-sg zones]# yum install jnettop
......
[root@al-sg zones]# jnettop
run 0:00:06 device eth0 pkt[f]ilter: none .
[c]ntfilter: on [b]ps=bytes/s [l]ocal aggr.: none [r]emote aggr.: none
[q]uit [h]elp [s]orting [p]ackets [.] pause [0]-[9] switch device
LOCAL <-> REMOTE TXBPS RXBPS TOTALBPS
(IP) PORT PROTO (IP) PORT TX RX TOTAL
iZt4njc5pa52ijb9feuazqZ <-> 110.101.119.155 2.64k/s 978b/s 3.59k/s
172.21.99.28 443 TCP 110.101.119.155 47342 5.28k 1.91k 7.19k
iZt4njc5pa52ijb9feuazqZ <-> 110.106.177.211 2.64k/s 978b/s 3.59k/s
172.21.99.28 443 TCP 110.106.177.211 56702 5.27k 1.91k 7.19k
iZt4njc5pa52ijb9feuazqZ <-> 110.126.223.143 1.90k/s 794b/s 2.67k/s
172.21.99.28 443 TCP 110.126.223.143 13712 5.70k 2.33k 8.02k
iZt4njc5pa52ijb9feuazqZ <-> 110.126.223.143 1.92k/s 752b/s 2.65k/s
172.21.99.28 443 TCP 110.126.223.143 13702 5.75k 2.20k 7.95k
iZt4njc5pa52ijb9feuazqZ <-> 110.105.69.10 1.92k/s 748b/s 2.65k/s
172.21.99.28 443 TCP 110.105.69.10 32418 5.75k 2.19k 7.94k
iZt4njc5pa52ijb9feuazqZ <-> 110.99.160.103 1.92k/s 726b/s 2.62k/s
172.21.99.28 443 TCP 110.99.160.103 45963 5.75k 2.13k 7.88k
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
TOTAL 28.3k/s 12.1k/s 40.4k/s
122k 48.8k 170k
Looks familiar? Yes: the jnettop command displays both iftop's per-IP connection view and iptraf's per-port connection view together, so we can easily judge how much traffic a given IP connection generates on a given port.

On Linux there are a great many ways and commands to achieve what we need. In most cases we can pick the more suitable single command or combination according to the actual situation, rather than sticking to one fixed approach or command.
Comment from a reader in Jiangxi (Mac OS X 10_14_5, Chrome 74.0.3729.157):
Is there any way to find out how much traffic each website consumes?
Although there are many tools that can show traffic, they are all system-level statistics. Which website the traffic belongs to is an application-level statistic, because at the system level applications cannot be told apart directly, so system-level software can hardly produce application-level statistics; normally application-level software counts application-level traffic. For example, for the website traffic statistics you mention, with Nginx you can use the ngx_req_status module to count total traffic, total request count, current peak bandwidth and so on by domain, URL, IP, etc.
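Taking the reply's point about application-level accounting one step further, here is an added example, not from the article and not the ngx_req_status module, that derives per-host, per-client and peak-per-second byte totals from Nginx access-log lines with awk. It assumes a log_format that prepends $host to the standard combined format (the assumed vhost format is quoted in the comments; the stock combined format has no host field), and the log lines embedded in it are constructed for the example.

```shell
#!/bin/bash
# Added example (not from the article or from ngx_req_status): application-level
# traffic accounting from the Nginx access log with awk. It assumes a log_format
# that starts with $host followed by the standard combined fields, e.g.
#   log_format vhost '$host $remote_addr - $remote_user [$time_local] '
#                    '"$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
# This is an assumed format: the stock combined format has no $host field, so
# per-site accounting needs it added. With it, whitespace-split field positions are:
# $1 host, $2 client IP, $5 timestamp (with a leading "["), $10 status, $11 body bytes.

# Constructed sample log lines (hosts, clients and sizes are made up).
SAMPLE_LOG='www.example.com 61.241.202.208 - - [14/Jun/2019:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
www.example.com 122.95.169.84 - - [14/Jun/2019:10:00:01 +0800] "GET /api/list HTTP/1.1" 200 2048 "-" "curl/7.29.0"
static.example.com 61.241.202.208 - - [14/Jun/2019:10:00:02 +0800] "GET /app.js HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
www.example.com 110.99.187.30 - - [14/Jun/2019:10:00:02 +0800] "GET /missing HTTP/1.1" 404 153 "-" "Mozilla/5.0"'

# Aggregate by the given field number as "key requests bytes", largest bytes first.
# bytes_per_key 1 -> per virtual host, bytes_per_key 2 -> per client IP.
bytes_per_key() {
  awk -v k="$1" '{ reqs[$k]++; bytes[$k] += $11 }
                 END { for (key in reqs) printf "%s %d %d\n", key, reqs[key], bytes[key] }' \
    | sort -k3,3nr -k1,1
}

# Peak bytes sent in any single second as "timestamp bytes". The access log has
# one-second resolution, so this is the finest "current bandwidth" figure that
# can be recovered after the fact.
peak_bytes_per_second() {
  awk '{ t = $5; sub(/^\[/, "", t); b[t] += $11 }
       END { max = 0; for (t in b) if (b[t] > max) { max = b[t]; at = t }
             printf "%s %d\n", at, max }'
}

# Live use: ./vhost_bytes.sh /var/log/nginx/access.log
# Without arguments the script runs the aggregations on the constructed sample.
if [ "$#" -gt 0 ]; then
  echo "-- bytes per host --";   bytes_per_key 1 < "$1"
  echo "-- bytes per client --"; bytes_per_key 2 < "$1"
  echo "-- peak second --";      peak_bytes_per_second < "$1"
else
  echo "-- bytes per host --";   printf '%s\n' "$SAMPLE_LOG" | bytes_per_key 1
  echo "-- bytes per client --"; printf '%s\n' "$SAMPLE_LOG" | bytes_per_key 2
  echo "-- peak second --";      printf '%s\n' "$SAMPLE_LOG" | peak_bytes_per_second
fi
```

The counted figure is $body_bytes_sent, i.e. response bodies only; headers and the request direction are not in the access log, so the totals are a lower bound on what iftop or jnettop report for the same connections. Splitting on whitespace is adequate for this format because every field that may contain spaces sits after the byte count.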
Comment from a reader in Hunan (Windows 7, Chrome 63.0.3239.132):
Learned something.