flowchart LR
A[TCP连接建立] --> B[慢启动<br>cwnd指数增长]
B --> C{到达ssthresh?}
C -- 是 --> D[拥塞避免<br>cwnd线性增长]
D -- 收到3个重复ACK --> E[快速重传]
E --> F[快速恢复<br>ssthresh = cwnd/2<br>cwnd = ssthresh + 3]
F -- 收到新数据的ACK --> D
D -- 超时重传 --> G[ssthresh = cwnd/2<br>cwnd重置为1]
G --> B
# 使用[(需要引号防止空变量错误) if [ "$name" = "John" ]; then echo "Hello John" fi # 使用[[(更安全,无需引号) if [[ $name == "John" ]]; then echo "Hello John" fi
举个例子
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
# 使用[] if [ $(grep not_there /dev/null) = '' ] then echo -n hi else echo -n lo fi # 使用[[]] if [[ $(grep not_there /dev/null) = '' ]] then echo -n hi else echo -n lo fi
If you go deep with bash, you might end up writing chunky utilities in it. If you do, then getting to grips with getopts can pay large dividends.
For fun, I once wrote a script called cheapci which I used to work like a Jenkins job.
The code here implements the reading of the two required, and 14 non-required arguments. Better to learn this than to build up a bunch of bespoke code that can get very messy pretty quickly as your utility grows.
Targeted capture: tcpdump -ni <iface> tcp port 443 (or port 53, icmp)
DNS: resolvectl query <name> or dig <name> A +short
5. ping
Compat: Linux; Root: may require CAP_NET_RAW depending on system; Requires: iputils-ping.
-4: ping IPv4 only
-6: ping IPv6 only
-A: adapts to roundtrip time
-b: allow pinging broadcast addresses
-I: ping through an interface
-M: set PMTU strategy
-s: set packetsize (default is 56B)
-t: set IP time-to-live
ping 224.0.0.1: ping multicast address
Notes: - Using average rtt values, you can determine whether there are huge variations causing jitter, especially in RT applications - ping will report duplications, however, duplicate packets should never occur, and seem to be caused by inappropriate link-level retransmissions - ping will report damaged packets, suggesting broken hardware in the network Requires: iputils-ping.
6. ip
Compat: Linux; Root: not required for reads; Requires: iproute2.
ip addr: Show information for all addresses
ip addr show dev wlo1: Display information only for device wlo1
ip link: Show information for all interfaces
ip link show dev wlo1: Display information only for device wlo1
ip -s: Display interface statistics (packets dropped, received, sent, etc.)
Quick recipes:
Path and source IP: ip route get <dest>
Interface counters: ip -s link show <iface> (rx/tx errors, drops)
Neighbors/ARP: ip neigh and ip neigh show dev <iface>
Multicast: ip maddr or ip maddr show dev <iface>
Example
1 2 3
# Query path and chosen source IP ip route get 8.8.8.8 # Expect: 8.8.8.8 via 192.168.1.1 dev wlo1 src 192.168.1.23
ip route: List all of the route entries in the kernel
ip route add: Add a route entry to the kernel routing table
ip route replace: Replace an existing route (add if not present)
ip maddr: Display multicast information for all devices
ip maddr show dev wlo1
ip neigh show dev wlo1: check for reachability of specific interfaces Requires: iproute2.
7. arp
Compat: Legacy; prefer ip neigh; Requires: net-tools.
arp: show all ARP table entries
arp -d address: delete ARP entry for address
arp -s address hw_addr: set up new table entry Note: legacy from net-tools; prefer ip neigh. Requires: net-tools.
8. arping
Compat: Linux; Root/CAP_NET_RAW required; Package: arping (iputils-arping on some distros).
arping -I wlo1 192.168.0.1: send ARP requests to host
arping -D -I wlo1 192.168.0.15: check for duplicate MAC address Requires: arping (iputils-arping on some distros).
9. ethtool
Compat: Linux; Root for changing settings, read stats usually ok; Requires: ethtool.
lastsnd:<lastsnd>: how long time since the last packet sent, the unit is millisecond
lastrcv:<lastrcv>: how long time since the last packet received, the unit is millisecond
lastack:<lastack>: how long time since the last ack received, the unit is millisecond
ss -A tcp,udp: dump socket tables Requires: iproute2.
37. tcpdump
Compat: Linux; Root/CAP_NET_RAW required for captures; Requires: tcpdump. What it does: capture packets for inspection and troubleshooting. Requires: tcpdump.
Interface and no name resolution: tcpdump -ni <iface>
Host or subnet: tcpdump -ni <iface> host <ip>; tcpdump -ni <iface> net 10.0.0.0/8
Ports/protocols: tcpdump -ni <iface> tcp port 443 or udp port 53
SYNs only (new TCP handshakes):
1 2
# New TCP handshakes only (SYN without ACK) tcpdump -ni <iface> 'tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0'
DNS queries: tcpdump -ni <iface> port 53
ICMP reachability: tcpdump -ni <iface> icmp
1 2 3 4 5 6
# Requires: tcpdump # Capture full packets to a file tcpdump -ni <iface> -s 0 -w capture.pcap # Rotate captures every 5m, keep 6 files tcpdump -ni <iface> -s 0 -G 300 -W 6 -w 'cap-%Y%m%d%H%M%S.pcap'
38. mtr
Compat: Linux; May need root/CAP_NET_RAW for certain probe types; Requires: mtr. What it does: combines ping and traceroute to visualize latency and loss per hop.
wAvs - Average size of packets written (transmitted).
%Util - Percentage utilization of the interface. For full-duplex interfaces, this is the greater of rKB/s or wKB/s as a percentage of the interface speed. For half-duplex interfaces, rKB/s and wKB/s are summed.
%rUtil, %wUtil - Percentage utilization for bytes read and written, respectively.
Sat - Saturation. This the number of errors/second seen for the interface
an indicator the interface may be approaching saturation. This statistic is combined from a number of kernel statistics. It is recommended to use the ‘-x’ option to see more individual statistics (those mentioned below) when attempting to diagnose a network issue.
IErr - Packets received that could not be processed because they contained errors
OErr - Packets that were not successfully transmitted because of errors
Coll - Ethernet collisions during transmit.
NoCP - No-can-puts. This is when an incoming packet can not be put to the process reading the socket. This suggests the local process is unable to process incoming packets in a timely manner.
Defer - Defer Transmits. Packets without collisions where first transmit attempt was delayed because the medium was busy.
Reset - tcpEstabResets. The number of times TCP connections have made a direct transition to the CLOSED state from either the ESTABLISHED state or the CLOSE-WAIT state.
AttF - tcpAttemptFails - The number of times that TCP connections have made a direct transition to the CLOSED state from either the SYN-SENT state or the SYN-RCVD state, plus the number of times TCP connections have made a direct transition to the LISTEN state from the SYN-RCVD state.
%ReTX - Percentage of TCP segments retransmitted - that is, the number of TCP segments transmitted containing one or more previously transmitted octets.
InConn - tcpPassiveOpens - The number of times that TCP connections have made a direct transition to the SYN-RCVD state from the LISTEN state.
OutCon - tcpActiveOpens - The number of times that TCP connections have made a direct transition to the SYN-SENT state from the CLOSED state.
Drops - tcpHalfOpenDrop + tcpListenDrop + tcpListenDropQ0. tcpListenDrop and tcpListenDropQ0 - Number of connections dropped from the completed connection queue and incomplete connection queue, respectively. tcpHalfOpenDrops - Number of connections dropped after the initial SYN packet was received.
41. nslookup
Compat: Legacy; prefer dig/resolvectl; Requires: dnsutils/bind-utils.query Internet name servers interactively
nslookup <domain>
Note: legacy tool. Prefer dig for detailed queries or resolvectl on systemd-based systems. Requires: dnsutils/bind-utils (for nslookup/dig).
Quick equivalents: dig <domain> A +short; resolvectl query <domain>
42. host
Compat: Linux; Requires: bind9-host/bind-utils. host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa.
host <domain>
Examples: host -t A <domain>; reverse lookup: host <ip>
Tip: for more control, use dig (if installed) or resolvectl. Requires: bind9-host (Debian/Ubuntu) or bind-utils.
Note: iwconfig is legacy (wireless-tools). Prefer iw for modern drivers, e.g., iw dev, iw dev wlo1 link. Requires: wireless-tools. Modern alternative: iw.
1 2 3 4 5 6 7 8
wlo1 IEEE 802.11 ESSID:"NETGEAR97" Mode:Managed Frequency:2.462 GHz Access Point: C4:04:15:58:60:C7 Bit Rate=72.2 Mb/s Tx-Power=20 dBm Retry short limit:7 RTS thr=2347 B Fragment thr:off Power Management:off Link Quality=70/70 Signal level=-32 dBm Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0 Tx excessive retries:0 Invalid misc:22932 Missed beacon:0
44. brctl
Compat: Legacy; prefer ip link and bridge; Requires: bridge-utils.
brctl is used to set up, maintain, and inspect the ethernet bridge configuration in the linux kernel. Legacy: prefer ip link add name br0 type bridge and bridge (iproute2) tooling. Requires: bridge-utils.
findmnt: show mount hierarchy or lookup by target: findmnt /mount/point
adds or removes modules from the Linux Kernel
Caution: loading/unloading modules can destabilize systems; prefer persistent config and ensure module compatibility.
14. dd (DANGER: DESTRUCTIVE — READ FIRST)
Compat: Linux; Root required for raw devices; Highly destructive when writing; Requires: coreutils.
Danger: dd will overwrite data with no confirmation. Double-check devices (e.g., /dev/sdX) and consider read-only or safer alternatives first. Use lsblk, blkid to verify targets.
Safer tips: for copies, consider pv to visualize throughput; for imaging, dcfldd; for testing, prefer non-destructive reads.
# Requires: jq — show high-priority messages from journald journalctl -o json | jq -r 'select(.PRIORITY<=3) | .MESSAGE'
Keys and length: jq 'keys, length' file.json
16. diff
Compat: Linux; Requires: diffutils.
unified diff: diff -u old.txt new.txt
recursive dirs: diff -ruN dir_old dir_new
ignore whitespace changes: diff -u -w old new
handle CRLF: diff -u --strip-trailing-cr a b
color (if supported): diff --color=auto -u a b
apply a patch: patch -p1 < change.diff
17. uname
Compat: Linux; Requires: coreutils.
get all details about the computer
18. sync/fsync
Compat: Linux; sync is user command; fsync is a syscall.
fsync is a syscall that flushes a file’s in-memory data and metadata to storage. From the shell, use sync (flush all dirty data) or syncfs (flush a filesystem) when available.
slabtop: display kernel slab cache information in real time
Sort by size: slabtop -s c; one-shot: slabtop -o
31. uptime
Compat: Linux; Requires: procps.
information about how long the system has been up, and load averages
32. htop
Compat: Linux; Requires: htop package.
like top, but prettier
33. ps
Compat: Linux; Requires: procps. Cheat Card
Top CPU: ps -eo pid,ppid,user,%cpu,%mem,cmd --sort=-%cpu | head
Top RSS: ps -eo pid,user,rss,cmd --sort=-rss | head
Tree view: ps -ejH (or ps axjf)
By command: ps -C nginx -o pid,ppid,cmd,%mem,%cpu
Threads of a PID: ps -Lp <pid> -o pid,tid,pcpu,comm
ps aux: show all processes
ps axjf - print process tree
ps a - Lift the BSD-style “only yourself” restriction
ps -A - select all processes
ps -d - select all processes except session leaders
ps g - select all processes including session leaders
ps Ta - all process associated with this terminal
ps r - restrict to running processes
ps --pid pidlist - restrict to pidlist processes
ps -s|--sid - select by session ID
ps t ttylist - select by TTY list
ps U|-U - select by effective user-id
ps s - display signals
ps f - ASCII art process hierarchy
ps ax -o rss,pid,user,pcpu,command --sort -%cpu: sort by %cpu
ps ax -o rss,pid,user,pcpu,command --sort -rss: sort by rss
process states:
D - uninterruptible sleep (usually IO)
I - Idle kernel thread
R - running or runnable (on run queue)
S - interruptible sleep (waiting for an event to complete)
T - stopped by job control signal
t - stopped by debugger during the tracing
W - paging (not valid since the 2.6.xx kernel)
X - dead (should never be seen)
Z - defunct (“zombie”) process, terminated but not reaped by its parent
see STANDARD FORMAT SPECIFIERS in man ps
CPU
Cheat Card
CPU saturation: mpstat -P ALL 1 (sys/iowait/irq/soft)
Per-core view in top: top -1; over time per PID: pidstat -u 1 -p <pid>
Interrupt spikes: mpstat -I CPU 1
34. mpstat
Compat: Linux; Requires: sysstat.
The mpstat command writes to standard output activities for each available processor, processor 0 being the first one. Global average activities among all processors are also reported. Requires: sysstat.
Interpretation tips
High %iowait: CPUs idle while waiting on disk IO (check iostat).
High %irq/%soft: heavy interrupts/softirqs (often network or storage).
High %steal: hypervisor stealing time (noisy neighbor in a VM).
Compare per-core: hotspots can be isolated to specific cores (affinity).
CPU: Processor number. The keyword all indicates that statistics are calculated as averages among all processors.
%usr: Show the percentage of CPU utilization that occurred while executing at the user level (application).
%nice: Show the percentage of CPU utilization that occurred while executing at the user level with nice priority.
%sys: Show the percentage of CPU utilization that occurred while executing at the system level (kernel). Note that this does not include time spent servicing hardware and software interrupts.
%iowait: Show the percentage of time that the CPU or CPUs were idle during which the system had an outstanding disk I/O request.
%irq: Show the percentage of time spent by the CPU or CPUs to service hardware interrupts.
%soft: Show the percentage of time spent by the CPU or CPUs to service software interrupts.
%steal: Show the percentage of time spent in involuntary wait by the virtual CPU or CPUs while the hypervisor was servicing another virtual processor.
%guest: Show the percentage of time spent by the CPU or CPUs to run a virtual processor.
%gnice: Show the percentage of time spent by the CPU or CPUs to run a niced guest.
mpstat -I: report interrupt stats
of interrupts per CPU
of times a particular interrupt occurred
Memory
Cheat Card
Snapshot: free -h --wide; paging: vmstat -a 1 (si/so)
used - Used memory (calculated as total - free - buffers - cache)
free - Unused memory (MemFree and SwapFree in /proc/meminfo)
shared - Memory used (mostly) by tmpfs (Shmem in /proc/meminfo)
buffers - Memory used by kernel buffers (Buffers in /proc/meminfo)
cache - Memory used by the page cache and slabs (Cached and SReclaimable in /proc/meminfo)
buff/cache - Sum of buffers and cache
available - Estimation of how much memory is available for starting new applications, without swapping. Unlike the data provided by the cache or free fields, this field takes into account page cache and also that not all reclaimable memory slabs will be reclaimed due to items being in use (MemAvailable in /proc/meminfo, available on kernels 3.14, emulated on kernels 2.6.27+, otherwise the same as free)
free -l: show low-high memory breakdown
free --wide: show free memory stats Interpretation tips
available approximates memory free for new apps without swapping; don’t confuse free with usable memory.
High buff/cache is normal; it’s the page cache and reclaimable slabs. Examples
Human-readable snapshot: free -h --wide
Example output:
1 2 3
total used free shared buff/cache available Mem: 31Gi 2.1Gi 22Gi 312Mi 7.2Gi 28Gi Swap: 8Gi 0B 8Gi
36. sar
Compat: Linux; Requires: sysstat; history needs sadc enabled. Cheat Card
CPU load/queue: sar -q 1 5; memory: sar -r 1 5
IO bw/ops: sar -b 1 5; per-device: sar -d 1 5 (watch await, %util)
Network: sar -n DEV 1 5; TCP: sar -n TCP,ETCP 1 5
Paging: sar -B 1 5 (pgsteal, pgscan, majflt/s) Requires: sysstat (includes pidstat). Field reference (click to expand)
sar -B: report paging stats
gpgin/s - Total number of kilobytes the system paged in from disk per second.
pgpgout/s - Total number of kilobytes the system paged out to disk per second.
fault/s - Number of page faults (major + minor) made by the system per second. This is not a count of page faults that generate I/O, because some page faults can be resolved without I/O.
majflt/s - Number of major faults the system has made per second, those which have required loading a memory page from disk.
pgfree/s - Number of pages placed on the free list by the system per second.
pgscank/s - Number of pages scanned by the kswapd daemon per second.
pgscand/s - Number of pages scanned directly per second.
pgsteal/s - Number of pages the system has reclaimed from cache (pagecache and swapcache) per second to satisfy its memory demands.
%vmeff - Calculated as pgsteal / pgscan, this is a metric of the efficiency of page reclaim. If it is near 100% then almost every page coming off the tail of the inactive list is being reaped. If it gets too low (e.g. less than 30%) then the virtual memory is having some difficulty. This field is displayed as zero if no pages have been scanned during the interval of time.
sar -b: Report I/O and transfer rate statistics.
tps - Total number of transfers per second that were issued to physical devices. A transfer is an I/O request to a physical device. Multiple logical requests can be combined into a single I/O request to the device. A transfer is of indeterminate size.
rtps - Total number of read requests per second issued to physical devices.
wtps - Total number of write requests per second issued to physical devices.
bread/s - Total amount of data read from the devices in blocks per second. Blocks are equivalent to sectors and therefore have a size of 512 bytes.
bwrtn/s - Total amount of data written to devices in blocks per second.
sar -d: report activity for each block device
tps - Total number of transfers per second that were issued to physical devices. A transfer is an I/O request to a physical device. Multiple logical requests can be combined into a single I/O request to the device. A transfer is of indeterminate size.
rkB/s - Number of kilobytes read from the device per second.
wkB/s - Number of kilobytes written to the device per second.
areq-sz - The average size (in kilobytes) of the I/O requests that were issued to the device. Note: In previous versions, this field was known as avgrq-sz and was expressed in sectors.
aqu-sz - The average queue length of the requests that were issued to the device. Note: In previous versions, this field was known as avgqu-sz.
await - The average time (in milliseconds) for I/O requests issued to the device to be served. This includes the time spent by the requests in queue and the time spent servicing them.
svctm - The average service time (in milliseconds) for I/O requests that were issued to the device. Warning! Do not trust this field any more. This field will be removed in a future sysstat version.
%util - Percentage of elapsed time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100% for devices serving requests serially. But for devices serving requests in parallel, such as RAID arrays and modern SSDs, this number does not reflect their performance limits.
sar -F: display stats. for currently mounted FSs:
MBfsfree - Total amount of free space in megabytes (including space available only to privileged user).
MBfsused - Total amount of space used in megabytes.
%fsused - Percentage of filesystem space used, as seen by a privileged user.
%ufsused - Percentage of filesystem space used, as seen by an unprivileged user.
Ifree - Total number of free file nodes in filesystem.
Iused - Total number of file nodes used in filesystem.
%Iused - Percentage of file nodes used in filesystem.
sar -m: power management statistics:
MHz - Instantaneous CPU clock frequency in MHz. With the FAN keyword, statistics about fans speed are reported. The following values are displayed:
rpm - Fan speed expressed in revolutions per minute.
drpm - This field is calculated as the difference between current fan speed (rpm) and its low limit (fan_min).
DEVICE - Sensor device name. With the FREQ keyword, statistics about CPU clock frequency are reported. The following value is displayed:
wghMHz - Weighted average CPU clock frequency in MHz. Note that the cpufreq-stats driver must be compiled in the kernel for this option to work.
With the IN keyword, statistics about voltage inputs are reported. The following values are displayed:
inV - Voltage input expressed in Volts.
%in - Relative input value. A value of 100% means that voltage input has reached its high limit (in_max) whereas a value of 0% means that it has reached its low limit (in_min).
DEVICE - Sensor device name.
With the USB keyword, the sar command takes a snapshot of all the USB devices currently plugged into the system. At the end of the report, sar will display a summary of all those USB devices. The following values are displayed:
BUS - Root hub number of the USB device.
idvendor - Vendor ID number (assigned by USB organization).
idprod - Product ID number (assigned by Manufacturer).
maxpower - Maximum power consumption of the device (expressed in mA).
manufact - Manufacturer name.
product - Product name.
sar -n DEV:
IFACE - Name of the network interface for which statistics are reported.
rxpck/s - Total number of packets received per second.
txpck/s - Total number of packets transmitted per second.
rxkB/s - Total number of kilobytes received per second.
txkB/s - Total number of kilobytes transmitted per second.
rxcmp/s - Number of compressed packets received per second (for cslip etc.).
txcmp/s - Number of compressed packets transmitted per second.
rxmcst/s - Number of multicast packets received per second.
%ifutil - Utilization percentage of the network interface. For half-duplex interfaces, utilization is calculated using the sum of rxkB/s and txkB/s as a percentage of the interface speed. For full-duplex, this is the greater of rxkB/S or txkB/s.
sar -n EDEV:
IFACE - Name of the network interface for which statistics are reported.
rxerr/s - Total number of bad packets received per second.
txerr/s - Total number of errors that happened per second while transmitting packets.
coll/s - Number of collisions that happened per second while transmitting packets.
rxdrop/s - Number of received packets dropped per second because of a lack of space in linux buffers.
txdrop/s - Number of transmitted packets dropped per second because of a lack of space in linux buffers.
txcarr/s - Number of carrier-errors that happened per second while transmitting packets.
rxfram/s - Number of frame alignment errors that happened per second on received packets.
rxfifo/s - Number of FIFO overrun errors that happened per second on received packets.
txfifo/s - Number of FIFO overrun errors that happened per second on transmitted packets.
sar -n ICMP:
imsg/s - The total number of ICMP messages which the entity received per second [icmpInMsgs]. Note that this counter includes all those counted by ierr/s.
omsg/s - The total number of ICMP messages which this entity attempted to send per second [icmpOutMsgs]. Note that this counter includes all those counted by oerr/s.
iech/s - The number of ICMP Echo (request) messages received per second [icmpInEchos].
iechr/s - The number of ICMP Echo Reply messages received per second [icmpInEchoReps].
oech/s - The number of ICMP Echo (request) messages sent per second [icmpOutEchos].
oechr/s - The number of ICMP Echo Reply messages sent per second [icmpOutEchoReps].
itm/s - The number of ICMP Timestamp (request) messages received per second [icmpInTimestamps].
itmr/s - The number of ICMP Timestamp Reply messages received per second [icmpInTimestampReps].
otm/s - The number of ICMP Timestamp (request) messages sent per second [icmpOutTimestamps].
otmr/s - The number of ICMP Timestamp Reply messages sent per second [icmpOutTimestampReps].
iadrmk/s - The number of ICMP Address Mask Request messages received per second [icmpInAddrMasks].
oadrmk/s - The number of ICMP Address Mask Request messages sent per second [icmpOutAddrMasks].
oadrmkr/s - The number of ICMP Address Mask Reply messages sent per second [icmpOutAddrMaskReps].
sar -n EICMP: Extended ICMP stats (errors, dest unreachable, time exceeded). Focus on spikes in ierr/s and oerr/s, and patterns in unreachable/time- exceeded when debugging path issues.
sar -n EIP: Extended IPv4 stats (header errors, addr errors, discards, no routes, reassembly, fragment fails). Use to spot header errors and routing/ no-route conditions.
sar -n IP6: IPv6 per-protocol counters (receive/deliver/forward, multicast, fragmentation). Check for anomalies similar to IPv4.
sar -n EIP6: Extended IPv6 errors and routing stats (header/addr errors, discards, no routes, reassembly/frag). Useful for IPv6-specific troubleshooting.
sar -n SOCK:
totsck - Total number of sockets used by the system.
tcpsck - TCP sockets in use; tcp-tw - TIME_WAIT sockets.
sar -n SOFT:
total/s - The total number of network frames processed per second.
dropd/s - The total number of network frames dropped per second because there was no room on the processing queue.
squeezd/s - The number of times the softirq handler function terminated per second because its budget was consumed or the time limit was reached, but more work could have been done.
rx_rps/s - The number of times the CPU has been woken up per second to process packets via an inter-processor interrupt.
flw_lim/s - The number of times the flow limit has been reached per second. Flow limiting is an optional RPS feature that can be used to limit the number of packets queued to the backlog for each flow to a certain amount. This can help ensure that smaller flows are processed even though much larger flows are pushing packets in.
sar -n TCP:
active/s - The number of times TCP connections have made a direct transition to the SYN-SENT state from the CLOSED state per second [tcpActiveOpens].
passive/s - The number of times TCP connections have made a direct transition to the SYN-RCVD state from the LISTEN state per second [tcpPassiveOpens].
iseg/s - The total number of segments received per second, including those received in error [tcpInSegs]. This count includes segments received on currently established connections.
oseg/s - The total number of segments sent per second, including those on current connections but excluding those containing only retransmitted octets [tcpOutSegs].
sar -n ETCP:
atmptf/s - The number of times per second TCP connections have made a direct transition to the CLOSED state from either the SYN-SENT state or the SYN-RCVD state, plus the number of times per second TCP connections have made a direct transition to the LISTEN state from the SYN-RCVD state [tcpAttemptFails].
estres/s - The number of times per second TCP connections have made a direct transition to the CLOSED state from either the ESTABLISHED state or the CLOSE-WAIT state [tcpEstabResets].
retrans/s - The total number of segments retransmitted per second - that is, the number of TCP segments transmitted containing one or more previously transmitted octets [tcpRetransSegs].
isegerr/s - The total number of segments received in error (e.g., bad TCP checksums) per second [tcpInErrs].
orsts/s - The number of TCP segments sent per second containing the RST flag [tcpOutRsts].
sar -n UDP:
idgm/s - The total number of UDP datagrams delivered per second to UDP users [udpInDatagrams].
odgm/s - The total number of UDP datagrams sent per second from this entity [udpOutDatagrams].
noport/s - The total number of received UDP datagrams per second for which there was no application at the destination port [udpNoPorts].
idgmerr/s - The number of received UDP datagrams per second that could not be delivered for reasons other than the lack of an application at the destination port [udpInErrors].
sar -n UDP6:
idgm6/s - The total number of UDP datagrams delivered per second to UDP users [udpInDatagrams].
odgm6/s - The total number of UDP datagrams sent per second from this entity [udpOutDatagrams].
noport6/s - The total number of received UDP datagrams per second for which there was no application at the destination port [udpNoPorts].
idgmer6/s - The number of received UDP datagrams per second that could not be delivered for reasons other than the lack of an application at the destination port [udpInErrors].
sar -q:
runq-sz - Run queue length (number of tasks waiting for run time).
plist-sz - Number of tasks in the task list.
ldavg-1 - System load average for the last minute. The load average is calculated as the average number of runnable or running tasks (R state), and the number of tasks in uninterruptible sleep (D state) over the specified interval.
ldavg-5 - System load average for the past 5 minutes.
ldavg-15 - System load average for the past 15 minutes.
blocked - Number of tasks currently blocked, waiting for I/O to complete.
sar -r:
kbmemfree - Amount of free memory available in kilobytes.
kbavail - Estimate of how much memory in kilobytes is available for starting new applications, without swapping. The estimate takes into account that the system needs some page cache to function well, and that not all reclaimable memory slabs will be reclaimable, due to items being in use. The impact of those factors will vary from system to system.
kbmemused - Amount of used memory in kilobytes (calculated as total installed memory - kbmemfree - kbbuffers - kbcached - kbslab).
%memused - Percentage of used memory.
kbbuffers - Amount of memory used as buffers by the kernel in kilobytes.
kbcached - Amount of memory used to cache data by the kernel in kilobytes.
kbcommit - Amount of memory in kilobytes needed for current workload. This is an estimate of how much RAM/swap is needed to guarantee that there never is out of memory.
%commit - Percentage of memory needed for current workload in relation to the total amount of memory (RAM+swap). This number may be greater than 100% because the kernel usually overcommits memory.
kbactive - Amount of active memory in kilobytes (memory that has been used more recently and usually not reclaimed unless absolutely necessary).
kbinact - Amount of inactive memory in kilobytes (memory which has been less recently used. It is more eligible to be reclaimed for other purposes).
kbdirty - Amount of memory in kilobytes waiting to get written back to the disk.
kbanonpg - Amount of non-file backed pages in kilobytes mapped into userspace page tables.
kbslab - Amount of memory in kilobytes used by the kernel to cache data structures for its own use.
kbkstack - Amount of memory in kilobytes used for kernel stack space.
kbpgtbl - Amount of memory in kilobytes dedicated to the lowest level of page tables.
kbvmused - Amount of memory in kilobytes of used virtual address space.
sar -S:
kbswpfree - Amount of free swap space in kilobytes.
kbswpused - Amount of used swap space in kilobytes.
%swpused - Percentage of used swap space.
kbswpcad - Amount of cached swap memory in kilobytes. This is memory that once was swapped out, is swapped back in but still also is in the swap area (if memory is needed it doesn’t need to be swapped out again because it is already in the swap area. This saves I/O).
%swpcad - Percentage of cached swap memory in relation to the amount of used swap space.
sar -u:
%user - Percentage of CPU utilization that occurred while executing at the user level (application). Note that this field includes time spent running virtual processors.
%usr - Percentage of CPU utilization that occurred while executing at the user level (application). Note that this field does NOT include time spent running virtual processors.
%nice - Percentage of CPU utilization that occurred while executing at the user level with nice priority.
%system - Percentage of CPU utilization that occurred while executing at the system level (kernel). Note that this field includes time spent servicing hardware and software interrupts.
%sys - Percentage of CPU utilization that occurred while executing at the system level (kernel). Note that this field does NOT include time spent servicing hardware or software interrupts.
%iowait - Percentage of time that the CPU or CPUs were idle during which the system had an outstanding disk I/O request.
%steal - Percentage of time spent in involuntary wait by the virtual CPU or CPUs while the hypervisor was servicing another virtual processor.
%irq - Percentage of time spent by the CPU or CPUs to service hardware interrupts.
%soft - Percentage of time spent by the CPU or CPUs to service software interrupts.
%guest - Percentage of time spent by the CPU or CPUs to run a virtual processor.
%gnice - Percentage of time spent by the CPU or CPUs to run a niced guest.
%idle - Percentage of time that the CPU or CPUs were idle and the system did not have an outstanding disk I/O request.
sar -v:
dentunusd - Number of unused cache entries in the directory cache.
file-nr - Number of file handles used by the system.
inode-nr - Number of inode handlers used by the system.
pty-nr - Number of pseudo-terminals used by the system.
sar -W: Report swapping statistics. The following values are displayed:
pswpin/s - Total number of swap pages the system brought in per second.
pswpout/s - Total number of swap pages the system brought out per second.
sar -w: Report task creation and system switching activity.
proc/s - Tasks created per second; cswch/s - context switches per second.
sar -y: Report TTY devices activity. The following values are displayed:
rcvin/s - Number of receive interrupts per second for current serial line. Serial line number is given in the TTY column.
xmtin/s - Number of transmit interrupts per second for current serial line.
framerr/s - Number of frame errors per second for current serial line.
prtyerr/s - Number of parity errors per second for current serial line.
brk/s - Number of breaks per second for current serial line.
ovrun/s - Number of overrun errors per second for current serial line.
45. pidstat
Compat: Linux; Requires: sysstat.
monitor individual tasks currently being managed Requires: sysstat.
Cheat Card - CPU by PID: pidstat -u 1 -p <pid> (watch %usr/%system/%wait) - IO by PID: pidstat -d 1 -p <pid> (check kB_rd/s, kB_wr/s, iodelay) - Memory faults: pidstat -r 1 -p <pid> (watch majflt/s) - Threads: pidstat -t -u 1 -p <pid> - pidstat -d: - Key fields: kB_rd/s, kB_wr/s, iodelay (IO wait), kB_ccwr/s (cancelled writes). - pidstat -R: Report realtime priority and scheduling policy information. The following values may be displayed: - Key fields: prio, policy. - pidstat -r: Report page faults and memory utilization. When reporting statistics for individual tasks, the following values may be displayed: - Key fields: majflt/s (major faults), RSS, %MEM. When reporting global statistics for tasks and all their children, the following values may be displayed: - With children: majflt-nr, minflt-nr summarize faults. - pidstat -s: Report stack utilization. The following values may be displayed: - Key fields: StkRef (used), StkSize (reserved). - pidstat -t: Also display statistics for threads associated with selected tasks. List process and threads - pidstat -u: Report CPU utilization. When reporting statistics for individual tasks, the following values may be displayed: - Key fields: %usr, %system, %wait, %CPU, CPU. When reporting global statistics for tasks and all their children, the following values may be displayed: - With children: usr-ms, system-ms, guest-ms summarize CPU time.
46. lsof
Compat: Linux; May require root to see all descriptors; Requires: lsof.
blktrace is a block layer IO tracing mechanism which provides detailed information about request queue operations up to user space. There are three major components: a kernel component, a utility to record the i/o trace information for the kernel to user space, and utilities to analyse and view the trace information.
1 2
# Trace block I/O on /dev/sda and parse sudo blktrace -d /dev/sda -o - | blkparse -i -
Compat: Linux; Wrapper script from blktrace; Root required.
The btrace script provides a quick and easy way to do live tracing of block devices. It calls blktrace on the specified devices and pipes the output through blkparse for formatting. See blktrace (8) for more in-depth information about how blktrace works.
btrace /dev/sda Requires: blktrace.
54. tr
Compat: Linux; Requires: coreutils. Translate, squeeze, and/or delete characters from standard input, writing to standard output.
with headers: pair with head -1 to see column indexes
56. xargs
Compat: Linux; Requires: findutils; GNU -r may vary on BusyBox. Build and run argument lists; combine with find and null-terminated records for safety.
# Current mode and temporary permissive (diagnostic; requires root) getenforce setenforce 0 # Caution: reduces enforcement # Contexts and recent denials ls -Z ps -eZ | head ausearch -m AVC -ts recent journalctl -t setroubleshoot # Manage booleans (example: allow httpd network connect) getsebool -a | grep httpd setsebool -P httpd_can_network_connect on # Requires: selinux-utils/policycoreutils; setroubleshoot (optional)
AppArmor
1 2 3 4 5 6 7 8
# Status and service aa-status systemctl status apparmor # Toggle a profile mode aa-complain /path/to/bin aa-enforce /path/to/bin # Requires: apparmor-utils
Auditd
1 2 3 4 5 6 7 8 9 10 11 12 13 14
# Service and rules systemctl status auditd auditctl -l # Search recent denials / by PID ausearch -m avc -ts recent ausearch -p <pid> -ts recent # Watch a file for writes/attr changes (key: sshcfg) auditctl -w /etc/ssh/sshd_config -p wa -k sshcfg # Summary report aureport --summary -ts today # Requires: auditd (auditd, auditctl, ausearch, aureport)
K8s triage: kubectl get pods -A, kubectl describe pod <pod> -n <ns>, kubectl logs <pod> -n <ns> --previous nsenter (enter namespaces of a PID)
1 2 3 4 5 6 7 8 9
# Get target PID (e.g., container process) pidof <proc> # Enter multiple namespaces of a PID nsenter --target <pid> --mount --uts --ipc --net --pid -- bash # Inspect and chroot-like into the process rootfs ls -l /proc/<pid>/root nsenter --target <pid> --mount -- chroot /proc/<pid>/root bash
# Pods and events kubectl get pods -A -o wide kubectl get events -A --sort-by=.lastTimestamp | tail # Describe, logs, and exec kubectl describe pod <pod> -n <ns> kubectl logs <pod> -n <ns> --tail=200 kubectl logs <pod> -n <ns> --previous kubectl exec -it <pod> -n <ns> -- bash
CRI/containerd (if present)
1 2 3 4
# List, inspect, and logs via crictl crictl ps -a crictl inspect <id> crictl logs <id>
Notes
Without runtime CLIs, use nsenter by PID from ps/systemctl.
Requires: docker or podman for Docker-like commands; kubectl; crictl for containerd/CRI. # Incident Playbooks
High CPU
1 2 3 4 5 6 7 8
# Top CPU processes and hot threads ps -eo pid,ppid,user,%cpu,%mem,cmd --sort=-%cpu | head top -H ps -Lp <pid> -o pid,tid,pcpu,comm # Per-process CPU over time; optional perf if available pidstat -u 1 -p <pid> perf top # if installed
# Snapshot and top RSS processes free -h ps aux --sort=-rss | head # Per-process mappings and over-time faults pmap -x <pid> | sort -nrk 3 | head pidstat -r 1 -p <pid> smem -r # if installed # OOM evidence dmesg -T | grep -i oom || journalctl -k -g OOM
Packet loss / High latency
1 2 3 4 5 6 7 8 9 10 11 12
# Path and end-to-end latency ip route get <dest> mtr -ezbw <dest> # Interface health and TCP details ip -s link show <iface> ethtool -S <iface> ss -i dst <dest> # Targeted capture samples tcpdump -ni <iface> host <dest> and icmp tcpdump -ni <iface> tcp port 443 and 'tcp[tcpflags] & tcp-syn != 0'
DNS failures
1 2 3 4 5 6 7 8 9 10 11 12 13
# Resolve via systemd-resolved (or dig if available) resolvectl query example.com resolvectl status dig @8.8.8.8 example.com A +time=2 +tries=1 # Reachability and captures ss -u 'sport = :53 or dport = :53' tcpdump -ni <iface> port 53 # Config checks ls -l /etc/resolv.conf resolvectl flush-caches # Check firewall rules as appropriate
它显示 bash 决定根据有关 bash 运行上下文的决策(决定要遵循的颜色)从顶部运行哪些脚本。
