awk脚本:

tag-icon tag-icon shell-script text-processing scripting logs ip
awk脚本:

我们已经要求客户运行一个常规套接字转储,我只是想知道社区是否有关于识别网络统计套接字列表中的多个连接地址的想法。

Active Internet connections (including servers)
PCB      Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
-------- ----- ------ ------  ------------------ ------------------ -------
18970e0  TCP        0      0  10.51.57.214.1028     10.51.57.211.20021    ESTABLISHED
1897374  TCP        0      0  10.51.57.214.23       10.51.102.86.58998    ESTABLISHED
18960e4  TCP        0      0  10.51.57.214.1028     10.51.102.48.59466    ESTABLISHED
189747c  TCP        0      0  10.51.57.214.1031     10.51.82.22.63682     ESTABLISHED
18972f0  TCP        0      0  10.51.57.214.1028     10.51.101.72.64318    ESTABLISHED
18969a8  TCP        0      0  10.51.57.214.1028     10.51.102.75.61478    ESTABLISHED
1896e4c  TCP        0      0  10.51.57.214.1028     10.51.102.74.52111    ESTABLISHED
1896924  TCP        0      0  10.51.57.214.1028     10.51.57.232.57303    ESTABLISHED
1896d44  TCP        0      0  10.51.57.214.1028     10.51.57.232.57302    ESTABLISHED
1896ed0  TCP        0      0  10.51.57.214.1028     10.51.57.202.49952    ESTABLISHED
1896cc0  TCP        0      0  10.51.57.214.1028     10.51.57.242.56605    ESTABLISHED
1896b34  TCP        0      0  10.51.57.214.1028     10.51.57.245.49418    ESTABLISHED
1895b38  TCP        0      0  10.51.57.214.1028     10.51.57.245.49402    ESTABLISHED
18958a4  TCP        0      0  10.51.57.214.1028     10.51.57.244.49390    ESTABLISHED
18968a0  TCP        0      0  10.51.57.214.1028     10.51.101.36.60993    ESTABLISHED
1896714  TCP        0      0  10.51.57.214.1028     10.51.82.22.53412     ESTABLISHED
1896ab0  TCP        0      0  10.51.57.214.1028     10.51.57.243.50377    ESTABLISHED
1895ed4  TCP        0      0  10.51.57.214.1113     10.51.57.203.62953    ESTABLISHED
1896a2c  TCP        0     25  10.51.57.214.1028     10.51.57.243.50362    ESTABLISHED
1895bbc  TCP        0      0  10.51.57.214.1028     10.51.57.196.49313    ESTABLISHED
189681c  TCP        0      0  10.51.57.214.1028     10.51.57.101.52556    ESTABLISHED
1896798  TCP        0      0  10.51.57.214.1028     10.51.57.201.53746    ESTABLISHED
1896c3c  TCP        0      0  10.51.57.214.1028     10.51.57.193.51058    ESTABLISHED
1896588  TCP        0      0  10.51.57.214.1028     10.51.57.195.49358    ESTABLISHED
18962f4  TCP        0      0  10.51.57.214.1028     10.51.101.92.59060    ESTABLISHED
1896504  TCP        0      0  10.51.57.214.1028     10.51.57.213.62754    ESTABLISHED
18963fc  TCP        0      0  10.51.57.214.1028     10.51.57.213.62753    ESTABLISHED
1896690  TCP        0      0  10.51.57.214.1052     10.51.57.203.62953    ESTABLISHED
189660c  TCP        0      0  10.51.57.214.1028     10.51.57.241.54348    ESTABLISHED
1896168  TCP        0      0  10.51.57.214.1047     10.51.57.203.62953    ESTABLISHED
1896378  TCP        0      0  10.51.57.214.1031     10.51.57.203.62961    ESTABLISHED
1895f58  TCP        0      0  10.51.57.214.1028     10.51.57.203.62958    ESTABLISHED
1896270  TCP        0      0  10.51.57.214.1028     10.51.57.181.55438    ESTABLISHED

我只对外部地址感兴趣,因为每个服务器的本地地址都会发生变化。它们要么实际上已建立,要么被视为过时的套接字,并且交换机已将它们孤立(这通常是多个已建立的套接字的原因)

看起来找到这些的唯一方法是寻找一个选项卡,然后是虚线四边形,后面是一个套接字号,然后是一个选项卡,然后是 ESTABLISHED。记录来自 vxworks 的旧版本,因此套接字号没有以冒号为前缀,但我们可以假设所有端点都大于 1024

我无法从逻辑上找出显示一组过滤的 IP 地址的最佳方法,然后按连接数对它们进行排序?我想看看哪些出现了两个以上的并发连接

我想我可以把本地地址留在那里,因为有 250 个以上的连接在逻辑上就是本地地址!

非常感谢

答案1

您可以使用awk脚本来搜索数据中的 IP;将它们的每次出现收集在一个counts数组中。当输入全部被读取后,循环遍历数组并打印计数和 IP,但前提是出现两次以上,然后将其全部通过管道进行排序:

awk脚本:

NF == 7 && $7 == "ESTABLISHED" {
  split($6, octets, ".")
  ip=octets[1] "." octets[2] "." octets[3] "." octets[4]
  counts[ip]++
}

END {
  for (i in counts)
    if (counts[i] > 2)
        print counts[i], i
}

像这样运行它:

awk -f awkscript < input | sort -n

通过示例输入,仅出现 1 个 IP,出现 5 次:

5 10.51.57.203

相关内容