≡ Menu

grep command

netstat command and shell pipe feature can be used to dig out more information about particular IP address connection. You can find out total established connections, closing connection, SYN and FIN bits and much more. You can also display summary statistics for each protocol using netstat.

This is useful to find out if your server is under attack or not. You can also list abusive IP address using this method.
# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
Output:

      1 CLOSE_WAIT
      1 established)
      1 Foreign
      3 FIN_WAIT1
      3 LAST_ACK
     13 ESTABLISHED
     17 LISTEN
    154 FIN_WAIT2
    327 TIME_WAIT

Dig out more information about a specific ip address:
# netstat -nat |grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n

      2 LAST_ACK
      2 LISTEN
      4 FIN_WAIT1
     14 ESTABLISHED
     91 TIME_WAIT
    130 FIN_WAIT2

Busy server can give out more information:
# netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n
Output:

  15 CLOSE_WAIT
  37 LAST_ACK
  64 FIN_WAIT_1
  65 FIN_WAIT_2
1251 TIME_WAIT
3597 SYN_SENT
5124 ESTABLISHED

Get List Of All Unique IP Address

To print list of all unique IP address connected to server, enter:
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq
To print total of all unique IP address, enter:
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq | wc -l
Output:

449

Find Out If Box is Under DoS Attack or Not

If you think your Linux box is under attack, print out a list of open connections on your box and sorts them by according to IP address, enter:
# netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
Output:

    1 10.0.77.52
      2 10.1.11.3
      4 12.109.42.21
      6 12.191.136.3
.....
...
....
    13 202.155.209.202
     18 208.67.222.222
     28 0.0.0.0
    233 127.0.0.1

You can simply block all abusive IPs using iptables or just null route them.

Get Live View of TCP Connections

You can use tcptrack command to display the status of TCP connections that it sees on a given network interface. tcptrack monitors their state and displays information such as state, source/destination addresses and bandwidth usage in a sorted, updated list very much like the top command.

Display Summary Statistics for Each Protocol

Simply use netstat -s:
# netstat -s | less
# netstat -t -s | less
# netstat -u -s | less
# netstat -w -s | less
# netstat -s

Output:

Ip:
    88354557 total packets received
    0 forwarded
    0 incoming packets discarded
    88104061 incoming packets delivered
    96037391 requests sent out
    13 outgoing packets dropped
    66 fragments dropped after timeout
    295 reassemblies required
    106 packets reassembled ok
    66 packet reassembles failed
    34 fragments failed
Icmp:
    18108 ICMP messages received
    58 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 7173
        timeout in transit: 472
        redirects: 353
        echo requests: 10096
    28977 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 18881
        echo replies: 10096
Tcp:
    1202226 active connections openings
    2706802 passive connection openings
    7394 failed connection attempts
    47018 connection resets received
    23 connections established
    87975383 segments received
    95235730 segments send out
    681174 segments retransmited
    2044 bad segments received.
    80805 resets sent
Udp:
    92689 packets received
    14611 packets to unknown port received.
    0 packet receive errors
    96755 packets sent
TcpExt:
    48452 invalid SYN cookies received
    7357 resets received for embryonic SYN_RECV sockets
    43 ICMP packets dropped because they were out-of-window
    5 ICMP packets dropped because socket was locked
    2672073 TCP sockets finished time wait in fast timer
    441 time wait sockets recycled by time stamp
    368562 delayed acks sent
    430 delayed acks further delayed because of locked socket
    Quick ack mode was activated 36127 times
    32318597 packets directly queued to recvmsg prequeue.
    741479256 packets directly received from backlog
    1502338990 packets directly received from prequeue
    18343750 packets header predicted
    10220683 packets header predicted and directly queued to user
    17516622 acknowledgments not containing data received
    36549771 predicted acknowledgments
    102672 times recovered from packet loss due to fast retransmit
    Detected reordering 1596 times using reno fast retransmit
    Detected reordering 1 times using time stamp
    8 congestion windows fully recovered
    32 congestion windows partially recovered using Hoe heuristic
    19 congestion windows recovered after partial ack
    0 TCP data loss events
    39951 timeouts after reno fast retransmit
    29653 timeouts in loss state
    197005 fast retransmits
    186937 retransmits in slow start
    131433 other TCP timeouts
    TCPRenoRecoveryFail: 20217
    147 times receiver scheduled too late for direct processing
    29010 connections reset due to unexpected data
    365 connections reset due to early user close
    6979 connections aborted due to timeout

Display Interface Table

You can easily display dropped and total transmitted packets with netstat for eth0:
# netstat --interfaces eth0
Output:

Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0  2040929      0      0      0  3850539      0      0      0 BMRU

Other netstat related articles / tips:

  1. Get Information about All Running Services Remotely
  2. Linux / UNIX Find Out What Program / Service is Listening on a Specific TCP Port

Read following man pages for the details:
$ man netstat
$ man cut
$ man awk
$ man sed
$ man grep

Updated for accuracy.

For security reason you may need to find out current working directory of a process. You can obtained this information by visiting /proc/pid/cwd directory or using the pwdx command. The pwdx command reports the current working directory of a process or processes.
[click to continue…]

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.

It also includes the openssl command, which provides a rich variety of commands You can use the same command to debug problems with SSL certificates.

To test the secure connections to a server, type the following command at a shell prompt:
openssl s_client -connect ssl.servername.com:443
Where,

  • s_client : This implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It’s intended for testing purposes only and provides only rudimentary interface functionality but internally uses mostly all functionality of the OpenSSL ssl library. You can also connect to secure mail server (such as POP3S ~ 995) / web server port (443) and issue commands.

For example connect to www.cyberciti.biz at port 443, enter:
openssl s_client -connect www.cyberciti.biz:443
Output:

CONNECTED(00000003)
depth=0 /C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddress=vivek@nixcraft.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddress=vivek@nixcraft.com
verify return:1
---
Certificate chain
 0 s:/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddress=vivek@nixcraft.com
   i:/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddress=vivek@nixcraft.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDhDCCAu2gAwIBAgIJAMgof8IIjdD9MA0GCSqGSIb3DQEBBQUAMIGJMQswCQYD
VQQGEwJJTjESMBAGA1UECBMJQmVya3NoaXJlMRAwDgYDVQQHEwdOZXdidXJ5MRcw
FQYDVQQKEw5NeSBDb21wYW55IEx0ZDEYMBYGA1UEAwwPKi5jeWJlcmNpdGkuYml6
MSEwHwYJKoZIhvcNAQkBFhJ2aXZla0BuaXhjcmFmdC5jb20wHhcNMDcwOTIwMTEw
MzExWhcNMDgwOTE5MTEwMzExWjCBiTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUJl
cmtzaGlyZTEQMA4GA1UEBxMHTmV3YnVyeTEXMBUGA1UEChMOTXkgQ29tcGFueSBM
dGQxGDAWBgNVBAMMDyouY3liZXJjaXRpLmJpejEhMB8GCSqGSIb3DQEJARYSdml2
ZWtAbml4Y3JhZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzYIxz
2JGAgYUJhLnmDbtC5kc+S4AHJHGTZmFuxVZDFOacHPitS4ohwzDadruUONucVZJY
Gi1M9j1jPUBX7oZ7F/Y7pbEO/YMfEPPDGq6uEkkwHDTXRH1qgL6v7q9XtP9Dafck
n3+YeTO0eYk0Or9a6xBqJmuN6M+ajprfXmQ9cwIDAQABo4HxMIHuMB0GA1UdDgQW
BBQH94MQusbxTH8UxH83EpmMz5v5UjCBvgYDVR0jBIG2MIGzgBQH94MQusbxTH8U
xH83EpmMz5v5UqGBj6SBjDCBiTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUJlcmtz
aGlyZTEQMA4GA1UEBxMHTmV3YnVyeTEXMBUGA1UEChMOTXkgQ29tcGFueSBMdGQx
GDAWBgNVBAMMDyouY3liZXJjaXRpLmJpejEhMB8GCSqGSIb3DQEJARYSdml2ZWtA
bml4Y3JhZnQuY29tggkAyCh/wgiN0P0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
AQUFAAOBgQActMUY+8CbFCcxGWvmN95/LsVxZMWWqOGoiFOgqKI9t1T/nBN6TrW5
MYeMwcMbI4OoBo5vnp6mHzcZNoMPiK9DITgb8O/P0EUhjL+QdARJYZX6lLB3qJkP
ts65VY0rFxjIhndtixKP1fLC/K2ovzo+43pE1EQB6UhjhHlHV2v34w==
-----END CERTIFICATE-----
subject=/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddress=vivek@nixcraft.com
issuer=/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddress=vivek@nixcraft.com
---
No client certificate CA names sent
---
SSL handshake has read 1066 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 989C62FBF87884C9F6904DD216A9A36189BE660059F419DAA16711AF2A7F42D4
    Session-ID-ctx:
    Master-Key: 9A01374F14D7300E8DD02BE2AA3C3567F26E1BB00267D5AB0156C6C11A10EB0D8424FBD06D3B15013B4FBA0F121EC99D
    Key-Arg   : None
    Start Time: 1192732059
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

Using grep you can see the SSL and TLS connection handshaking, security negotiate, public keys and transfer of digital certificates and key information to the client:
$ openssl s_client -state -nbio -connect www.cyberciti.biz:443 2>&1 | grep "^SSL"
Output:

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read finished A
SSL_connect:error in SSLv3 read finished A
SSL_connect:SSLv3 read finished A
SSL handshake has read 1066 bytes and written 316 bytes
SSL-Session:

Further readings:

=> OpenSSL man pages and documentation.

Generally you use ps command to find out all running process. You may also pipe out ps command output via grep command to pickup desired output.

Basically you don't want display grep command as the process.

Let us run combination of ps and grep command to find out all perl processes:
$ ps aux | grep perl
Output:

vivek      4611  0.0  0.7  10044  6068 ?        Ss   02:40   0:00 /usr/bin/perl apps/monitor/gwl.pl
root      4853  0.0  0.7  10044  6068 ?        Ss   02:40   0:00 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
vivek      5166  0.0  0.0   2884   748 pts/0    R+   03:06   0:00 grep perl

In above example you are getting the grep process itself. To ignore grep process from output, type any one of the following:
$ ps aux | grep perl | grep -v grep
OR
$ ps aux | grep '[p]erl'

grep command is the de facto tool for searching text files. However when there are too many matches, it can be difficult to find the requested text in the search results. grep comes with --color='auto' option. It surrounds the matching string with the colour, thus resulting enhanced output.

Finding string with color highlighting

Pass --color option to grep command:
# grep --color='auto' -i error /var/log/messages
Output:

............
...
Oct  9 16:12:14 vivek-desktop kernel: [   11.555442] bt878: probe of 0000:05:00.1 failed with error -22
Oct 10 17:35:28 vivek-desktop kernel: [   10.564710] bt878: probe of 0000:05:00.1 failed with error -22
Oct 11 10:15:34 vivek-desktop kernel: [   12.187477] bt878: probe of 0000:05:00.1 failed with error -22
Oct 11 14:29:56 vivek-desktop kernel: [   11.135309] bt878: probe of 0000:05:00.1 failed with error -22
..........
...
....

Now all matched text displayed using red color. The --color option to matches in the input in red color by default. Color is added via ANSI escape sequences. To change color use environment variable GREP_COLOR. Following will set background to red and foreground to white:
$ export GREP_COLOR='1;37;41'
$ egrep --color=auto -i '(error|fatal|warn|drop)' /var/log/messages

Output:
Quick tip: Easily find strings with gep color highlighting feature
I recommend putting following in ~/.bash_profile OR ~/.bashrc file:
$ vi ~/.bash_profile
Append following alias:
export GREP_COLOR='1;37;41'
alias grep='grep --color=auto'

Save and close the file. Please note that --color option works with many GNU text utilities, so feel free to use the same.

So how do you find an alert or warning words in a log file over text based session? Simply use old good grep command. Usually I recommend searching following words
=> fail
=> denied
=> segfault
=> segmentation
=> rejected
=> oops
=> warn

Find an alert or warning words from log files

You need to use grep command:
grep {search-word} /path/to/log/file

Find out all segfault error from /var/log/messages file, enter the following command as privileged user:
# grep -i segfault /var/log/messages
Output:

Sep 23 12:20:09 node10 kernel: mutt[8896]: segfault at 0000000000000010 rip 0000000000439d5e rsp 00007fff36a30040 error 6
Sep 24 12:20:10 node10 kernel: mutt[20107]: segfault at 0000000000000010 rip 0000000000439d5e rsp 00007fffd99dbac0 error 6
Sep 25 12:20:09 node10 kernel: mutt[19734]: segfault at 0000000000000010 rip 0000000000439d5e rsp 00007fff5d807290 error 6

Look like node10's mutt command generated segfault error while sending daily reports attachment via email.

GUI Tools

System Log Viewer is a graphical, menu-driven viewer that you can use to view and monitor your system logs. System Log Viewer comes with a few functions that can help you manage your logs, including a calendar, log monitor and log statistics display.

Redhat / CentOS tool

Redhat (RHEL) Linux offers gui tool called Log Viewer. Type the redhat-logviewer command at a shell prompt or use GUI menus to start the same. You can set filter words (alter words) by clicking on Edit > Preferences menu > Alter tab > Add button

Debian / Ubuntu tool

Debian / Ubuntu Linux also offers GUI tool to view and search log files by setting filters. Click on Applications menu > Choose System Tools > Admin > System Log.
Debian / Ubuntu Linux also offers GUI tool to view and search log files by setting filters

This is a reader contributed article.

These days almost all server / laptop / desktop system has a gigabit Ethernet card (NIC) pre installed. Most servers are directly connected to internet using 100Mbps connections. You can save real power on your Linux server or desktop by operating at 100Mbps Ethernet speed. For example 1 gigabit link is going to consume more power than the power used at 100Mbps speed. Also note that not all systems actually use gigabit speed. For example my desktop system only used for browsing or chatting purpose or Linux web server used to display just static web pages. Now just calculate power consumption for 100 servers or 1000 desktop systems. Bottom line use Gigabit Ethernet speeds only when needed. Did you know - you can save 2 watts or more per Linux/UNIX/Windows server/desktop by just setting a correct speed :)

See current Ethernet card speed

Use ethtool comment to display current speed:
ethtool eth0 | grep -i speed

Set new speed and save power

Following command will set card speed to 100Mbps:
ethtool -s eth0 autoneg off speed 100

=> For more information see ethtool command and network interface speed, duplex . auto negotiate settings on Linux

About the author: Rocky Jr., is an engineer with VSNL - a leading ISP / global telecom company in India and a good friend of nixCraft.