tcpdump

tcpdump - dump traffic on a network

tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]

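  • -w write packets to a file
  • -r read packets from a file; -F read the filter expression from a file
  • -V read from a list of files
  • -c stop after processing this many packets
  • -D or --list-interfaces list the available interfaces
  • -i --interface= specify the interface
  • -K --dont-verify-checksums skip checksum verification to speed things up
  • -n do not convert addresses to names
  • -Q --direction=in|out|inout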

Samples:
sudo tcpdump host 10.102.196.239 -w /tmp/tcpdump.log.cap
sudo tcpdump -C 50 -W 10 -w /tmp/tcp.cap # rotate through 10 files, 50 MB each
sudo tcpdump '(host 10.135.250.186 or host 10.189.248.238 or host 10.20.170.138 or host 10.21.233.128 or port 53)' -w /tmp/tcp.cap # multiple IPs or DNS queries

ping:
sudo tcpdump -e 'icmp[icmptype] == 8' # ping echo request
sudo tcpdump -e 'icmp[icmptype] == 0' # ping echo reply
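
Added example (not part of the original notes): what the echo request / echo reply filters above match at the byte level, applied to a capture file of the kind `-w` produces, to list pings that never got a reply. The sample capture is constructed in memory; only classic pcap files with an Ethernet link type are handled, and the function names are this example's own.

```python
import struct

def build_sample_pcap():
    """Constructed capture: echo requests seq 1-3, echo replies for seq 1 and 3."""
    def frame(icmp_type, seq):
        icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq)  # checksum left 0
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + icmp
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for icmp_type, seq in [(8, 1), (0, 1), (8, 2), (8, 3), (0, 3)]:
        f = frame(icmp_type, seq)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def icmp_packets(pcap):
    """Yield (type, id, seq) for every IPv4 ICMP packet in a classic pcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        pkt = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 1:
            continue  # not IPv4, or IP protocol is not ICMP (1)
        icmp = pkt[14 + (pkt[14] & 0x0F) * 4:]  # skip Ethernet header + IP header (IHL words)
        if len(icmp) >= 8:
            # icmp[0] is the byte tcpdump addresses as icmp[icmptype]
            t, _code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
            yield t, ident, seq

def unanswered_pings(pcap):
    """(id, seq) of echo requests (type 8) with no matching echo reply (type 0)."""
    requests, replies = set(), set()
    for t, ident, seq in icmp_packets(pcap):
        if t == 8:
            requests.add((ident, seq))
        elif t == 0:
            replies.add((ident, seq))
    return sorted(requests - replies)

if __name__ == "__main__":
    print(unanswered_pings(build_sample_pcap()))
```

For a real capture, pass the bytes of the file written by `-w` instead of the constructed sample.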

Network diagnosis commands

  1. wget
    -- wget -S --spider -T 1 -t 2 sellerprof.vip
    -- wget -S --spider -T 1 -t 2  --no-check-certificate https://esams.vip
  2. curl
    -- curl -I --retry 2 --connect-timeout 1 sellerprof.vip
    -- curl -I --retry 2 --connect-timeout 1 -k https://esams.vip
  3. telnet
  4. nslookup
    -- nslookup -query=hinfo  -timeout=1 -retry=1 esams.vip
  5. ping
    -- ping -c 10 -W 1 sellerprof.vip
  6. traceroute/tracert
    -- traceroute esams.vip
  7. mtr
    -- mtr -w --timeout=1 esams.vip
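  8. dig: a DNS lookup tool provided by BIND (the most widely used DNS software on the Internet); it replaces the older nslookup and host

    dig # with no arguments, queries the root (.) name servers
    dig -h # help
    dig +short www.tianxiaohui.com # terse output
    dig +trace www.tianxiaohui.com # show every round trip of the iterative resolution
    dig @8.8.8.8 tianxiaohui.com
    dig -x 54.222.60.252 # reverse lookup
    dig -f query.txt +short # read queries from a file
    dig google.com ANY # query all records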

  9. netstat
    From the net-tools package. No longer recommended; the ss command replaces it.
    -- netstat -t --wide
    -- netstat -t -l
    -- netstat -s
  10. nstat
    From the iproute2 package
    -- nstat -a
    -- nstat # shows the delta between two invocations
    -- nstat --json # output as JSON
  11. ss
    From the iproute2 package, a replacement for netstat. Focuses more on socket connections; the data comes from /proc/net/tcp.
    -- ss -t -l
    -- ss --info
    -- ss -it state syn-sent # filter by state
    -- ss -it dst abc.tianxiaohui.com # filter by address
    -- ss -it '( dport = :443 )' # filter by destination port; mind the spaces here, every space inside the parentheses is required
    -- ss -it '( dport = :443 or dport = :80 )' # or
    -- ss -it '( sport = :45321 )' # filter by source port
  12. route table
    -- netstat -r
  13. ifconfig/ipconfig
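
Added example (not part of the original notes): the `ss` state and destination-port filters from item 11, reproduced by parsing text in the /proc/net/tcp layout directly, which is useful on hosts where ss is not installed. The sample table is constructed, only IPv4 is handled, a little-endian host is assumed for address decoding, and the function names are this example's own.

```python
import socket
import struct

# State codes used in /proc/net/tcp, named the way ss names them.
TCP_STATES = {1: "established", 2: "syn-sent", 3: "syn-recv", 4: "fin-wait-1",
              5: "fin-wait-2", 6: "time-wait", 7: "closed", 8: "close-wait",
              9: "last-ack", 10: "listening", 11: "closing"}

# Constructed sample in /proc/net/tcp layout (remote addresses from 192.0.2.0/24).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0500000A:B109 0A0200C0:01BB 02 00000001:00000000 01:00000064 00000002  1000        0 1002
   2: 0500000A:B10A 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1003
   3: 0500000A:B10B 0B0200C0:0050 02 00000001:00000000 01:00000064 00000001  1000        0 1004
"""

def decode(hexaddr):
    """'0A0200C0:01BB' -> ('192.0.2.10', 443); the address is a little-endian u32."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def sockets(text, state=None, dports=None):
    """Rows as (state, local, remote), optionally filtered like
    `ss -t state <state> '( dport = :A or dport = :B )'`."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 4:
            continue
        st = TCP_STATES.get(int(fields[3], 16), "unknown")
        lip, lport = decode(fields[1])
        rip, rport = decode(fields[2])
        if state is not None and st != state:
            continue
        if dports is not None and rport not in dports:
            continue
        rows.append((st, f"{lip}:{lport}", f"{rip}:{rport}"))
    return rows

if __name__ == "__main__":
    for row in sockets(SAMPLE, state="syn-sent", dports={443, 80}):
        print(*row)
```

On a live Linux host, pass the contents of /proc/net/tcp in place of `SAMPLE`.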

Java heap dump OQL samples - where

A WHERE clause can contain:

=, <=, >, <, [ NOT ] LIKE, [ NOT ] IN, IMPLEMENTS (relational operations)
AND OR != , =
Fields can take the form [. ] . .

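Implementing GROUP BY

  1. Method 1: to group by a single field, choose from the menu: Java Basics -> Group by Values -> enter the class name and the field to group by.
  2. Method 2: use OQL. Example: suppose there are many brave.handler.MutableSpan objects, the class has an instance field called name, and we want to group by name. The steps are: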

    // Step 0: look at the objects we want to group
    SELECT toString(s.name), * FROM brave.handler.MutableSpan s
    
    // Step 1: see how many unique names there are
    SELECT DISTINCT toString(s.name) FROM brave.handler.MutableSpan s
    
    // Step 2: group by matching the distinct result of the previous step against the original list; each row of the second column is a list
    SELECT dn.name AS name, (SELECT OBJECTS s FROM brave.handler.MutableSpan s WHERE (toString(s.name) = dn.name)) AS lst
    FROM 
    OBJECTS (SELECT DISTINCT toString(s.name) AS name FROM brave.handler.MutableSpan s) dn
    
    // Step 3: count each group; the second column from step 2 is a list, so .@length gives its size
    SELECT g.name as name, g.lst.@length as size FROM OBJECTS ( eval((
    
    SELECT dn.name AS name, (SELECT OBJECTS s FROM brave.handler.MutableSpan s WHERE (toString(s.name) = dn.name)) AS lst
    FROM 
    OBJECTS (SELECT DISTINCT toString(s.name) AS name FROM brave.handler.MutableSpan s) dn
    
    )) ) g
  3. Take the result of step 1 above, export it to CSV (menu bar -> rightmost button -> Export CSV), then work on it in Excel

URL-related queries:

- SELECT * FROM java.net.URL u where u.port = 443
- SELECT * FROM java.net.URL u where toString(u.host) = "api.google.com"
- SELECT * FROM java.net.URL u where u.@displayName like ".*api.google.com.*"
- SELECT * FROM "com.tianxiaohui.*" u where toString(u) like ".*Metrics.*"  // regular expression
- SELECT s.address.holder.hostName.toString(), s.timeout FROM java.net.SocksSocketImpl s WHERE (s.port = 443) // socket address and timeout
- SELECT toString(u.string) FROM java.net.URI u WHERE (toString(u.schemeSpecificPart) LIKE ".+google.com.+")

Other queries:

- SELECT x.capacity FROM java.nio.DirectByteBuffer x WHERE ((toString(x.att) = "null") and (toString(x.cleaner) != "null") and (x.capacity >= (1024 * 1024)))
- SELECT DISTINCT objects x.this$0 FROM java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask x 
- SELECT distinct objects x FROM java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask x WHERE (x.this$0.toString() LIKE ".+0x468369b50")
- SELECT * FROM INSTANCEOF java.lang.Object t WHERE (toHex(t.@objectAddress) >= "0xfbd4c000" AND toHex(t.@objectAddress) <= "0xfce94050") // all objects within a range of addresses
- select * from java.nio.DirectByteBuffer x where x.capacity > 65535 and x.cleaner != null
- SELECT o.toString() FROM OBJECTS ( SELECT OBJECTS outbounds(t) FROM org.apache.tomcat.util.threads.TaskThread t WHERE (t.toString() = "DefaultThreadPool-23") ) o WHERE (o.toString() LIKE ".+TracingInfoImpl.+")

If the address 0x789342b78 refers to a class (not an instance), it can be queried like this:
select * from 0x789342b78

To query the data held in the static fields of a Class:

SELECT * FROM java.lang.Class x where x.toString() LIKE ".+com.tianxiaohui.platform.config.impl.ConfigProvider.*"

To find the concrete implementations of an abstract class:

select * from INSTANCEOF java.net.AbstractPlainSocketImpl

Java JDBC related

// how many open ResultSets a connection has
SELECT * FROM oracle.jdbc.driver.OracleResultSetImpl rs WHERE (rs.connection.toString() LIKE ".+0x7a3af6cf8")

Check for Strings that contain a given keyword:

SELECT * FROM java.lang.String s where s.toString() like ".*agepsvc.*"

View stack frame information

SELECT u.Thread AS Thread, u.Frame.@text AS Frame 
  FROM OBJECTS ( 
    SELECT t AS Thread, ${snapshot}.getThreadStack(t.@objectId).@stackFrames AS Frame 
      FROM java.lang.Thread t  ) u

Filter the local variables on the stack:

SELECT vr.Thread, vr.Name, vr.Frame, vr.Local FROM OBJECTS ( 
    SELECT v.Thread AS Thread, toString(v.Thread) AS Name, v.Frame AS Frame, ${snapshot}.getObject(v.Objs) AS Local FROM OBJECTS ( 
        SELECT u.Thread AS Thread, u.Frame.@text AS Frame, u.Frame.@localObjectsIds AS Objs FROM OBJECTS ( 
            SELECT t AS Thread, ${snapshot}.getThreadStack(t.@objectId).@stackFrames AS Frame FROM INSTANCEOF java.lang.Thread t WHERE (toString(t.name) = "DefaultThreadPool-32") 
        ) u  
    ) v WHERE (v.Objs != null) 
) vr WHERE (vr.Local.toString() LIKE ".*TracingInfoImpl.*")

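Built-in functions:

  1. toHex( number ) // convert a number to hexadecimal
  2. toString( object ) // convert an object to a String
  3. dominators( object ) // the objects immediately dominated by this object
  4. dominatorof( object ) // the object that immediately dominates this object
  5. outbounds( object ) //
  6. inbounds( object ) //
  7. classof( object ) // the class of the current object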

To look up an object's dominator, use the dominatorof() function:

SELECT dominatorof(x) FROM OBJECTS 15038294 x 
SELECT * FROM org.ebayopensource.ginger.core.logging.impl.CalLogTransactionImpl x WHERE (dominatorof(x).toString() = "DefaultThreadPool-20")


For more on OQL, see the official documentation: https://wiki.eclipse.org/MemoryAnalyzer/OQL

MAT: Java memory analysis tool

MAT can currently analyze HPROF binary heap dumps (produced by Sun, HP, SAP, etc… JVMs), IBM system dumps (after preprocessing them), and IBM portable heap dumps (PHD).

  • find the biggest objects, as MAT provides reasonable accumulated size (retained size)
  • explore the object graph, both inbound and outbound references
  • compute paths from the garbage collector roots to interesting objects
  • find memory waste, like redundant String objects, empty collection objects, etc...

How to obtain a heap dump

Note: from JDK 6 update 14 and above, HPROF dumps also contain the call stacks of all threads.
Reference: Heap Dump Analysis with Memory Analyzer, Part 1: Heap Dumps

How to analyze an IBM J9 JVM dump?
https://help.eclipse.org/2020-03/index.jsp?topic=/org.eclipse.mat.ui.help/welcome.html