I use the following ps commands in order to check for performance problems:
1) Displaying top CPU-consuming processes:
ps aux | head -1; ps aux | sort -rn -k 3 | head -10
2) Displaying top 10 memory-consuming processes:
ps aux | head -1; ps aux | sort -rn -k 4 | head
3) Displaying processes in order of being penalized:
ps -eakl | head -1; ps -eakl | sort -rn -k 6
4) Displaying processes in order of priority:
ps -eakl | sort -n -k 7 | head
5) Displaying processes in order of nice value:
ps -eakl | sort -n -k 8
6) Displaying processes in order of time:
ps vx | head -1; ps vx | grep -v PID | sort -rn -k 4 | head -10
7) Displaying processes in order of real memory use:
ps vx | head -1; ps vx | grep -v PID | sort -rn -k 7 | head -10
8) Displaying processes in order of I/O:
ps vx | head -1; ps vx | grep -v PID | sort -rn -k 5 | head -10
9) Displaying WLM classes:
ps -a -o pid,user,class,pcpu,pmem,args
10) Determining the process ID of wait processes:
ps vg | head -1; ps vg | grep -w wait
11) Wait process bound to CPU (give the PID found in step 10):
ps -mo THREAD -p <pid>
lsof:
To list all open files, use:
# lsof
To list all open Internet, x.25 (HP-UX), and UNIX domain files, use:
# lsof -i -U
To list all open IPv4 network files in use by the process whose PID is 1234, use:
# lsof -i 4 -a -p 1234
To list all files using any protocol on ports 513, 514, or 515 of host wonderland.cc.purdue.edu, use:
# lsof -i @wonderland.cc.purdue.edu:513-515
To list all files using any protocol on any port of mace.cc.purdue.edu (cc.purdue.edu is the default domain), use:
# lsof -i @mace
To list all open files for login name "abe", or user ID 1234, or process 456, or process 123, or process 789, use:
# lsof -p 456,123,789 -u 1234,abe
To list all open files on device /dev/hd4, use:
# lsof /dev/hd4
To find the process that has /u/abe/foo open, use:
# lsof /u/abe/foo
To send a SIGHUP to the processes that have /u/abe/bar open, use:
# kill -HUP `lsof -t /u/abe/bar`
To find any open file, including an open UNIX domain socket file, with the name /dev/log, use:
# lsof /dev/log
To find processes with open files on the NFS file system named /nfs/mount/point whose server is inaccessible, and presuming your mount table supplies the device number for /nfs/mount/point, use:
# lsof -b /nfs/mount/point
To do the preceding search with warning messages suppressed, use:
# lsof -bw /nfs/mount/point
To ignore the device cache file, use:
# lsof -Di
To obtain PID and command name field output for each process, file descriptor, file device number, and file inode number for each file of each process, use:
# lsof -FpcfDi
To list the files at descriptors 1 and 3 of every process running the lsof command for login ID "abe" every 10 seconds, use:
# lsof -c lsof -a -d 1 -d 3 -u abe -r10
To list the current working directory of processes running a command that is exactly four characters long and has an 'o' or 'O' in character three, use this regular expression form of the -c c option:
# lsof -c /^..o.$/i -a -d cwd
To find an IP version 4 socket file by its associated numeric dot-form address, use:
# lsof -i@128.210.15.17
fuser:
# fuser -km /home
kills all processes accessing the file system /home in any way.
# if fuser -s /dev/ttyS1; then :; else something; fi
invokes something if no other process is using /dev/ttyS1.
# fuser telnet/tcp
shows all processes at the (local) TELNET port.
Some important commands to help spot a DDoS attack (each one counts current connections per remote source address):
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
netstat -ntu | grep -v TIME_WAIT | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
netstat -an | grep :80 | awk '{print $5}' | cut -f1 -d":" | sort | uniq -c | sort -n
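The same per-source counting pipeline as above, wrapped in a function so it can be run against saved netstat output and only report sources over a threshold. This is an added example, not part of the original notes; the function name top_sources, the SAMPLE text and the threshold are my own constructions. The port is stripped with a trailing-port regex instead of cut -d: -f1, so IPv6-mapped addresses like ::ffff:192.0.2.9 are not truncated.

```shell
#!/bin/sh
# Added example: count connections per remote source address from
# netstat-style input on stdin and print "count ip" for sources above
# a threshold (argument 1, default 3). Header lines and TIME_WAIT
# entries are skipped, matching the netstat -ntu one-liners above.
top_sources() {
    threshold="${1:-3}"
    awk '$1 ~ /^(tcp|udp)6?$/' \
    | grep -v TIME_WAIT \
    | awk '{print $5}' \
    | sed 's/:[0-9]*$//' \
    | sort | uniq -c | sort -rn \
    | awk -v t="$threshold" '$1 > t {print $1, $2}'
}

# Constructed sample resembling `netstat -ntu` output (not real data).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51000       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51003       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51004       TIME_WAIT
tcp        0      0 10.0.0.5:22             198.51.100.2:40000      ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:192.0.2.9:6000   ESTABLISHED
udp        0      0 10.0.0.5:53             198.51.100.2:5353       ESTABLISHED'

# Sources with more than 3 non-TIME_WAIT connections: only 203.0.113.7 (4).
printf '%s\n' "$SAMPLE" | top_sources 3
```

On a live host replace the sample with `netstat -ntu | top_sources 20` (or whatever threshold fits the service) and review the listed addresses before acting on them.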
netstat Command Example
# netstat --listen
Display open ports and established TCP connections:
# netstat -vatn
For UDP port try following command:
# netstat -vaun
If you want to see FQDN then remove -n flag:
# netstat -vat
lsof Command Examples
Display list of open ports
# lsof -i
To display all open files, use:
# lsof
To display all open IPv4 network files in use by the process whose PID is 9255, use:
# lsof -i 4 -a -p 9255
list information about TCP sessions on your server (specifically SSH in this example)
# lsof -i tcp@`hostname`:22
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd2 7585 root 5u IPv4 16105 TCP localbox:ssh->your.src.ip.here:5897 (ESTABLISHED)
sshd2 7653 root 5u IPv4 16188 TCP localbox:ssh->your.src.ip.here:2262 (ESTABLISHED)
list information about all TCP sessions
# lsof -i tcp@`hostname`
list information about all sockets using port 53 (will display named information on UDP/TCP)
# lsof -i @`hostname`:53
list information about all UDP sessions
# lsof -i udp@`hostname`
lists all open files of commands with "ssh" in their name
# lsof -c ssh
list everything, but with numeric UIDs instead of the user names from /etc/passwd
# lsof -l
list all open files with "ssh" and only the UIDs
# lsof -l -c ssh
list all open files under the /tmp directory (very slow), but good for finding that nasty process that's holding a file open (although fuser -m /tmp will do the same thing)
# lsof +D /tmp