OpenSUSE Linux Tips, tricks, how-tos, opinions, and news
twitter: @scottmmorris
Recently, a network that I was using had a production server on it with some problems. One minute, we could connect to it just fine and the next minute, we couldn’t. I initially got in, ran ‘top’, tailed ‘/var/log/messages’, and ran ‘ps aux’ a few times. Absolutely nothing came up as strange.
It just so happened that we were pinging the server as we were rebooting it. As the machine shut down, it was still responding to pings. Red flag. There was an IP conflict with another machine. ‘nmap’ allowed for some OS fingerprinting, which gave us a little more information about the impostor (I’ll take the time here to tell you that it was a machine running Windows – massively underwhelming surprise there).
I looked around for something that might be useful as a monitor to let me know when that kind of thing happened. I didn’t really find anything. If you have any suggestions on tools that can do this, please leave a comment and point me in the right direction. Having found nothing, I set out to see if I could write something to do this.
I was quite pleased to notice that with an easy combination of the ‘ping’, ‘arp’, and ‘nslookup’ commands in a simple PHP script, I was able to acquire the information I needed to hack out a small monitor. It isn’t quite functional yet, but now it’s just a matter of how to store and report on the data. When I have it working, I’ll post it. Again, if you know of something that can monitor ARP tables on a local machine, and email a notification when things “look funny,” please enlighten me.
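One way to implement the ARP check described above, as an added example in shell (it is not the author's PHP script): it reduces ‘arp -an’ output to IP/MAC pairs and reports any IP whose MAC address differs from the previous snapshot, which is what an IP conflict looks like from a neighbouring machine. The function names, the state-file path and the sample MAC addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the author's PHP script): flag IPs whose MAC address
# changed between two ARP-table snapshots, the signature of an IP conflict.

# Reduce `arp -an` lines such as
#   ? (192.168.0.3) at 00:16:3e:aa:bb:01 [ether] on eth0
# to "ip mac" pairs; "<incomplete>" entries are skipped.
arp_pairs() {
    awk '$3 == "at" && length($4) == 17 && $4 ~ /^[0-9A-Fa-f:]+$/ {
        ip = $2
        gsub(/[()]/, "", ip)
        print ip, tolower($4)
    }'
}

# Print "CHANGED ip old_mac new_mac" for every IP present in both pair files
# ($1 = baseline, $2 = current) whose MAC differs. New IPs are not reported.
arp_changes() {
    awk 'NR == FNR { base[$1] = $2; next }
         ($1 in base) && base[$1] != $2 { print "CHANGED", $1, base[$1], $2 }' "$1" "$2"
}

# One pass over the live table. The state-file path is an assumption; its
# directory must exist and be writable only by the monitoring user.
# Ping the watched hosts first so they have ARP entries, and run this from
# cron so that any output is mailed to the job owner.
arp_monitor_once() {
    state=${1:-/var/lib/arp-monitor/baseline.pairs}
    cur=$(mktemp "$state.XXXXXX") || return 1
    arp -an | arp_pairs > "$cur"
    if [ -s "$state" ]; then arp_changes "$state" "$cur"; fi
    mv "$cur" "$state"
}

# Constructed sample data: 192.168.0.3 moves to a different MAC address.
arp_demo() {
    dir=$(mktemp -d) || return 1
    arp_pairs > "$dir/before" <<'EOF'
? (192.168.0.1) at 00:16:3e:aa:bb:00 [ether] on eth0
? (192.168.0.3) at 00:16:3e:aa:bb:01 [ether] on eth0
? (192.168.0.9) at <incomplete> on eth0
EOF
    arp_pairs > "$dir/after" <<'EOF'
? (192.168.0.1) at 00:16:3E:AA:BB:00 [ether] on eth0
? (192.168.0.3) at 00:0c:29:cc:dd:02 [ether] on eth0
? (192.168.0.9) at 00:16:3e:aa:bb:09 [ether] on eth0
EOF
    arp_changes "$dir/before" "$dir/after"
    rm -rf "$dir"
}

case "${1:-}" in
    --demo) arp_demo ;;
    --run)  arp_monitor_once "${2:-}" ;;
esac
```

Because each pass replaces the baseline, a conflict that flaps between two machines is reported on every flip rather than only once.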
This also made me a little more aware of how I’d be able to monitor things on a given box in real-time, maybe with a handful of ‘screen’ sessions while connected in remotely. I was looking for things that could answer some questions like:
I was looking for answers to these types of questions.
Searching around, it became apparent that there is a decent handful of commands, to be sure. Let’s take a look at some of these commands and a slick tool that Steve told me about. As a general rule, running these commands as root provides more information.
First of all, we have the ‘w’ command. From the man page, we learn that the purpose of this command is to “Show who is logged on and what they are doing.” Sample output is as follows:
[0908][scott@suse-linux:~]$ w
 09:08:21 up 13 days, 22:10,  3 users,  load average: 0.00, 0.06, 0.08
USER     TTY        LOGIN@   IDLE   JCPU   PCPU  WHAT
scott    :0         Mon08   ?xdm?   4:50   0.10s /bin/sh /opt/kde3/bin/startkde
scott    pts/0      Mon08   24:42m  0.00s  3.60s kded [kdeinit] --new-startup
scott    pts/1      09:08    0.00s  0.02s  0.00s w
[0908][scott@suse-linux:~]$
Then there’s the ‘who’ command, which has a similar purpose, “show who is logged on.” Output:
[0939][scott@suse-linux:~]$ who
scott    :0           2006-10-09 08:26 (console)
scott    pts/0        2006-10-09 08:26
scott    pts/1        2006-10-10 09:08
[0939][scott@suse-linux:~]$
Another command will display “info on the last login of each user.” Amazingly enough, it is the ‘lastlog’ command. Output:
[0942][scott@suse-linux:~]$ lastlog
Username         Port     Latest
at                        **Never logged in**
beagleindex               **Never logged in**
bin                       **Never logged in**
daemon                    **Never logged in**
ftp                       **Never logged in**
games                     **Never logged in**
haldaemon                 **Never logged in**
lp                        **Never logged in**
mail                      **Never logged in**
man                       **Never logged in**
mdnsd                     **Never logged in**
messagebus                **Never logged in**
news                      **Never logged in**
ntp                       **Never logged in**
postfix                   **Never logged in**
root             tty1     Mon Sep 25 11:17:15 -0600 2006
sshd                      **Never logged in**
suse-ncc                  **Never logged in**
uucp                      **Never logged in**
wwwrun                    **Never logged in**
scott            :0       Mon Oct 9 08:26:04 -0600 2006
[0942][scott@suse-linux:~]$
If you want to see the entire login history, you can get this with ‘last’. You can limit the number of lines displayed (15 in the example), as well. Output:
[0944][scott@suse-linux:~]$ last -15
scott    pts/1        Tue Oct 10 09:08   still logged in
scott    pts/4        Mon Oct  9 16:49 - 16:52  (00:03)
scott    pts/6        Mon Oct  9 14:50 - 14:56  (00:06)
scott    pts/4        Mon Oct  9 14:49 - 14:56  (00:07)
scott    pts/7        Mon Oct  9 12:55 - 12:58  (00:03)
scott    pts/6        Mon Oct  9 12:53 - 12:58  (00:05)
scott    pts/4        Mon Oct  9 12:49 - 12:59  (00:09)
scott    pts/6        Mon Oct  9 11:13 - 11:13  (00:00)
scott    pts/4        Mon Oct  9 11:13 - 11:14  (00:01)
scott    pts/4        Mon Oct  9 08:39 - 08:41  (00:01)
scott    pts/2        Mon Oct  9 08:35 - 08:35  (00:00)
scott    pts/7        Mon Oct  9 08:35 - 08:35  (00:00)
scott    pts/17       Mon Oct  9 08:35 - 08:35  (00:00)
scott    pts/2        Mon Oct  9 08:34 - 08:34  (00:00)
scott    pts/16       Mon Oct  9 08:34 - 08:35  (00:00)

wtmp begins Mon Sep 25 08:28:24 2006
[0945][scott@suse-linux:~]$
One of the cooler commands is ‘netstat’. The man page states that its purpose is to “Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.” Experiment with the -u, -t, -a, -p, -e, and -n switches, or stick them all together:
suse-linux:/home/scott # netstat -utapen
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 127.0.0.1:1863          0.0.0.0:*               LISTEN      1000       6725360    29228/ssh
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          7728       2774/portmap
tcp        0      0 127.0.0.1:2544          0.0.0.0:*               LISTEN      0          8763       3126/zmd
tcp        0      0 0.0.0.0:2803            0.0.0.0:*               LISTEN      0          8066       -
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      0          10809      3029/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          8158       2987/master
tcp        0      0 192.168.0.162:2340      216.239.53.104:80       ESTABLISHED 1000       6933132    14485/firefox-bin
tcp        0      0 192.168.0.162:1023      192.168.0.161:2049      ESTABLISHED 0          6933362    -
tcp        0      0 192.168.0.162:1629      216.239.57.104:80       ESTABLISHED 1000       6933062    14485/firefox-bin
tcp        0      0 192.168.0.162:3980      202.181.132.131:80      ESTABLISHED 1000       6933068    14485/firefox-bin
tcp        0      0 192.168.0.162:3976      202.181.132.131:80      ESTABLISHED 1000       6933050    14485/firefox-bin
tcp        0      0 192.168.0.162:3973      202.181.132.131:80      ESTABLISHED 1000       6933047    14485/firefox-bin
tcp        0      0 192.168.0.162:3972      202.181.132.131:80      ESTABLISHED 1000       6933046    14485/firefox-bin
tcp        0      0 192.168.0.162:3975      202.181.132.131:80      ESTABLISHED 1000       6933049    14485/firefox-bin
tcp        0      0 192.168.0.162:3971      202.181.132.131:80      ESTABLISHED 1000       6933044    14485/firefox-bin
tcp        0      0 192.168.0.162:3970      202.181.132.131:80      ESTABLISHED 1000       6933043    14485/firefox-bin
tcp        0      0 192.168.0.162:2528      64.233.187.104:80       ESTABLISHED 1000       6933078    14485/firefox-bin
tcp        0      0 192.168.0.162:2140      65.204.194.118:22       ESTABLISHED 1000       6725356    29228/ssh
tcp        0    416 192.168.0.162:1199      192.168.0.3:22          ESTABLISHED 0          6933024    15247/ssh
tcp        0      0 ::1:1863                :::*                    LISTEN      1000       6725361    29228/ssh
tcp        0      0 :::22                   :::*                    LISTEN      0          8792       3149/sshd
tcp        0      0 ::1:25                  :::*                    LISTEN      0          8159       2987/master
udp        0      0 0.0.0.0:1024            0.0.0.0:*                           0          7686       2709/mdnsd
udp        0      0 0.0.0.0:1025            0.0.0.0:*                           0          8062       -
udp        0      0 127.0.0.1:4500          0.0.0.0:*                           0          9121       3285/racoon
udp        0      0 192.168.0.162:4500      0.0.0.0:*                           0          9119       3285/racoon
udp     9140      0 0.0.0.0:68              0.0.0.0:*                           0          7210       2652/dhcpcd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           78         6592728    2709/mdnsd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           0          7727       2774/portmap
udp        0      0 127.0.0.1:500           0.0.0.0:*                           0          9120       3285/racoon
udp        0      0 192.168.0.162:500       0.0.0.0:*                           0          9118       3285/racoon
udp        0      0 0.0.0.0:631             0.0.0.0:*                           0          10810      3029/cupsd
suse-linux:/home/scott #
Another way to view information on running processes is with the ‘ps’ command. Add in the ‘auxf’ options for extra goodness. Because of the amount of output that this command generates, I will only include a small snippet here:
suse-linux:/home/scott # ps auxf
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0    720    68 ?        Ss   Sep26   0:01 init [5]
root         2  0.0  0.0      0     0 ?        SN   Sep26   0:02 [ksoftirqd/0]
root         3  0.0  0.0      0     0 ?        S<   Sep26   0:02 [events/0]
root         4  0.0  0.0      0     0 ?        S<   Sep26   0:00 [khelper]
root         5  0.0  0.0      0     0 ?        S<   Sep26   0:00 [kthread]
root         7  0.0  0.0      0     0 ?        S<   Sep26   0:14  \_ [kblockd/0]
root         8  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [kacpid]
root        67  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [kseriod]
root       109  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [aio/0]
root       314  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [cqueue/0]
root       352  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [kpsmoused]
root       700  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [ata/0]
root       709  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [scsi_eh_0]
root       710  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [scsi_eh_1]
root       742  0.0  0.0      0     0 ?        S<   Sep26   0:22  \_ [reiserfs/0]
root      1163  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [khubd]
root      1278  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [shpchpd]
root      2908  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [kauditd]
root      2943  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [rpciod/0]
root     18915  0.0  0.0      0     0 ?        S<   Sep27   0:00  \_ [cifsoplockd]
root     18916  0.0  0.0      0     0 ?        S<   Sep27   0:00  \_ [cifsdnotifyd]
root     24503  0.0  0.0      0     0 ?        S    Oct03   0:07  \_ [pdflush]
root     24504  0.0  0.0      0     0 ?        S    Oct03   0:08  \_ [pdflush]
root       108  0.0  0.0      0     0 ?        S    Sep26   0:14 [kswapd0]
root       822  0.0  0.0   1860   284 ?        S<s  Sep26   0:00 /sbin/udevd --daemon
root      1965  0.0  0.0   1892   452 ?        Ss   Sep26   0:00 /sbin/syslog-ng
root      1968  0.0  0.0   1664   256 ?        Ss   Sep26   0:00 /sbin/klogd -c 1 -x -x
root      2009  0.0  0.0   1796   220 ?        Ss   Sep26   0:00 /sbin/resmgrd
100       2011  0.0  0.1   3416   576 ?        Ss   Sep26   0:02 /usr/bin/dbus-daemon --system
root      2048  0.0  0.0   1644   144 ?        Ss   Sep26   0:00 /sbin/acpid
root      2091  0.0  0.2   4400  1212 ?        Ss   Sep26   0:02 /usr/sbin/hald --daemon=yes --retain-privileges
root      2466  0.0  0.0   1816   132 ?        S    Sep26   0:00  \_ hald-addon-acpi
root      2572  0.0  0.0   1816   140 ?        S    Sep26   0:53  \_ hald-addon-storage
root      2591  0.0  0.0   2932   304 ?        S    Sep26   0:00 /opt/kde3/bin/kdm
root     21894  0.1  6.0  40372 31284 tty7     Ss+  Oct06   9:30  \_ /usr/X11R6/bin/X -br -nolisten tcp :0 vt7 -auth /var/lib/xdm/authdir/authfiles/A:0-P
root     21895  0.0  0.0   3984   352 ?        S    Oct06   0:00  \_ -:0
scott    28134  0.0  0.0   4044   284 ?        Ss   Oct09   0:00  \_ /bin/sh /opt/kde3/bin/startkde
scott    28179  0.0  0.0   4392   252 ?        Ss   Oct09   0:00  \_ ssh-agent /bin/bash /etc/X11/xinit/xinitrc
scott    28232  0.0  0.0   1504   116 ?        S    Oct09   0:00  \_ kwrapper ksmserver
(etcetera)
suse-linux:/home/scott #
There is also ‘top’:
top - 11:51:08 up 14 days, 52 min, 3 users, load average: 0.17, 0.18, 0.07
Tasks: 97 total, 2 running, 95 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.7% us, 0.0% sy, 0.0% ni, 99.3% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 515636k total, 458484k used, 57152k free, 61080k buffers
Swap: 1052216k total, 38060k used, 1014156k free, 143860k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
21894 root 15 0 168m 30m 3980 R 0.7 6.1 9:41.42 X
1 root 16 0 720 68 40 S 0.0 0.0 0:01.44 init
2 root 34 19 0 0 0 S 0.0 0.0 0:02.62 ksoftirqd/0
3 root 10 -5 0 0 0 S 0.0 0.0 0:02.04 events/0
4 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 khelper
5 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 kthread
7 root 10 -5 0 0 0 S 0.0 0.0 0:14.01 kblockd/0
8 root 20 -5 0 0 0 S 0.0 0.0 0:00.00 kacpid
67 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 kseriod
108 root 15 0 0 0 0 S 0.0 0.0 0:14.37 kswapd0
109 root 19 -5 0 0 0 S 0.0 0.0 0:00.00 aio/0
314 root 16 -5 0 0 0 S 0.0 0.0 0:00.00 cqueue/0
352 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 kpsmoused
700 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 ata/0
709 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_0
710 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_1
742 root 10 -5 0 0 0 S 0.0 0.0 0:22.08 reiserfs/0
822 root 12 -4 1860 284 228 S 0.0 0.1 0:00.15 udevd
1163 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 khubd
1278 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 shpchpd
1965 root 15 0 1892 452 324 S 0.0 0.1 0:00.08 syslog-ng
1968 root 15 0 1664 256 192 S 0.0 0.0 0:00.00 klogd
2009 root 16 0 1796 220 216 S 0.0 0.0 0:00.01 resmgrd
2011 messageb 15 0 3416 576 444 S 0.0 0.1 0:02.88 dbus-daemon
2048 root 16 0 1644 144 140 S 0.0 0.0 0:00.00 acpid
2091 root 15 0 4400 1212 884 S 0.0 0.2 0:02.86 hald
2466 root 25 0 1816 132 128 S 0.0 0.0 0:00.00 hald-addon-acpi
2572 root 15 0 1816 140 124 S 0.0 0.0 0:53.57 hald-addon-stor
2591 root 15 0 2932 304 260 S 0.0 0.1 0:00.01 kdm
2652 root 16 0 1544 128 92 S 0.0 0.0 0:00.00 dhcpcd
2709 mdnsd 15 0 2220 384 308 S 0.0 0.1 0:00.52 mdnsd
2774 nobody 16 0 1560 220 164 S 0.0 0.0 0:00.01 portmap
2908 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 kauditd
2930 root 13 -3 9984 336 264 S 0.0 0.1 0:00.00 auditd
2943 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 rpciod/0
2944 root 19 0 0 0 0 S 0.0 0.0 0:00.00 lockd
2987 root 16 0 5060 436 348 S 0.0 0.1 0:00.07 master
3021 root 16 0 1808 268 220 S 0.0 0.1 0:00.05 cron
3029 lp 15 0 7240 448 308 S 0.0 0.1 0:00.44 cupsd
3100 root 15 0 107m 972 644 S 0.0 0.2 0:04.83 nscd
3149 root 17 0 4952 152 148 S 0.0 0.0 0:00.09 sshd
3223 root 16 0 4264 708 588 S 0.0 0.1 0:00.63 powersaved
3285 root 15 0 3680 248 152 S 0.0 0.0 0:00.00 racoon
3293 root 17 0 1960 212 208 S 0.0 0.0 0:00.00 mingetty
3294 root 17 0 1960 196 192 S 0.0 0.0 0:00.00 mingetty
3295 root 17 0 1960 196 192 S 0.0 0.0 0:00.00 mingetty
3296 root 17 0 1960 196 192 S 0.0 0.0 0:00.00 mingetty
3297 root 17 0 1960 196 192 S 0.0 0.0 0:00.00 mingetty
You can also watch the system log with the ‘tail’ command. An example is as follows:
suse-linux:/home/scott # tail -f /var/log/messages
Oct 10 09:51:15 suse-linux kernel: device eth0 left promiscuous mode
Oct 10 09:53:38 suse-linux kernel: device eth0 entered promiscuous mode
Oct 10 09:54:39 suse-linux kernel: device eth0 left promiscuous mode
Oct 10 09:57:47 suse-linux kernel: device eth0 entered promiscuous mode
Oct 10 10:04:14 suse-linux kernel: device eth0 left promiscuous mode
Oct 10 10:06:00 suse-linux kernel: device eth0 entered promiscuous mode
Oct 10 10:28:18 suse-linux syslog-ng[1965]: STATS: dropped 0
Oct 10 11:17:46 suse-linux kernel: device eth0 left promiscuous mode
Oct 10 11:28:18 suse-linux syslog-ng[1965]: STATS: dropped 0
Oct 10 11:43:38 suse-linux su: (to root) scott on /dev/pts/3
It is a good idea to leave this window open as it refreshes automatically as more information is added to the log file.
Lastly, it is possible to view the files opened by a user or process with ‘lsof’. Open files for process 14865:
suse-linux:/home/scott # lsof -p 14865
COMMAND   PID USER    FD   TYPE     DEVICE    SIZE    NODE NAME
bash    14865 root    cwd  DIR         3,7    2760       4 /home/scott
bash    14865 root    rtd  DIR         3,6     568       2 /
bash    14865 root    txt  REG         3,6  501804  109334 /bin/bash
bash    14865 root    mem  REG         0,0               0 [heap] (stat: No such file or directory)
bash    14865 root    mem  REG         3,6  217016   60456 /var/run/nscd/passwd
bash    14865 root    mem  REG         3,6  208464   17233 /usr/lib/locale/en_US.utf8/LC_CTYPE
bash    14865 root    mem  REG         3,6  880086   17234 /usr/lib/locale/en_US.utf8/LC_COLLATE
bash    14865 root    mem  REG         3,6 1404242   13934 /lib/libc-2.4.so
bash    14865 root    mem  REG         3,6   13814   13940 /lib/libdl-2.4.so
bash    14865 root    mem  REG         3,6  288188   17765 /lib/libncurses.so.5.5
bash    14865 root    mem  REG         3,6   26696   18379 /lib/libhistory.so.5.1
bash    14865 root    mem  REG         3,6  189436   18381 /lib/libreadline.so.5.1
bash    14865 root    mem  REG         3,6      54   17208 /usr/lib/locale/en_US.utf8/LC_NUMERIC
bash    14865 root    mem  REG         3,6    2451   15037 /usr/lib/locale/en_US.utf8/LC_TIME
bash    14865 root    mem  REG         3,6     286   15036 /usr/lib/locale/en_US.utf8/LC_MONETARY
bash    14865 root    mem  REG         3,6      52   17198 /usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES
bash    14865 root    mem  REG         3,6      34   17039 /usr/lib/locale/en_US.utf8/LC_PAPER
bash    14865 root    mem  REG         3,6      77   17001 /usr/lib/locale/en_US.utf8/LC_NAME
bash    14865 root    mem  REG         3,6     155   15033 /usr/lib/locale/en_US.utf8/LC_ADDRESS
bash    14865 root    mem  REG         3,6      59   17000 /usr/lib/locale/en_US.utf8/LC_TELEPHONE
bash    14865 root    mem  REG         3,6      23   17002 /usr/lib/locale/en_US.utf8/LC_MEASUREMENT
bash    14865 root    mem  REG         3,6   25404   50721 /usr/lib/gconv/gconv-modules.cache
bash    14865 root    mem  REG         3,6     373   15034 /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
bash    14865 root    mem  REG         3,6  124463   13927 /lib/ld-2.4.so
bash    14865 root    0u   CHR       136,1               3 /dev/pts/1
bash    14865 root    1u   CHR       136,1               3 /dev/pts/1
bash    14865 root    2u   CHR       136,1               3 /dev/pts/1
bash    14865 root    4r   REG         3,7    4097   50837 /home/scott/.fonts.cache-2
bash    14865 root    255u CHR       136,1               3 /dev/pts/1
suse-linux:/home/scott #
Open files by user ‘postfix’:
suse-linux:/home/scott # lsof -u postfix
COMMAND   PID USER    FD   TYPE     DEVICE    SIZE    NODE NAME
pickup  15122 postfix cwd  DIR         3,6     384   42756 /var/spool/postfix
pickup  15122 postfix rtd  DIR         3,6     568       2 /
pickup  15122 postfix txt  REG         3,6   10412   42441 /usr/lib/postfix/pickup
pickup  15122 postfix mem  REG         0,0               0 [heap] (stat: No such file or directory)
pickup  15122 postfix mem  REG         3,6  217016   60458 /var/run/nscd/group
pickup  15122 postfix mem  REG         3,6  217016   60456 /var/run/nscd/passwd
pickup  15122 postfix mem  REG         3,6  100331   13960 /lib/libpthread-2.4.so
pickup  15122 postfix mem  REG         3,6   13814   13940 /lib/libdl-2.4.so
pickup  15122 postfix mem  REG         3,6 1404242   13934 /lib/libc-2.4.so
pickup  15122 postfix mem  REG         3,6   74278   13962 /lib/libresolv-2.4.so
pickup  15122 postfix mem  REG         3,6   87850   13945 /lib/libnsl-2.4.so
pickup  15122 postfix mem  REG         3,6  931232   18430 /usr/lib/libdb-4.3.so
pickup  15122 postfix mem  REG         3,6 1208240   33727 /usr/lib/libcrypto.so.0.9.8
pickup  15122 postfix mem  REG         3,6  246884  221993 /usr/lib/libssl.so.0.9.8
pickup  15122 postfix mem  REG         3,6   85772   23833 /usr/lib/libsasl2.so.2.0.21
pickup  15122 postfix mem  REG         3,6  179596   18503 /usr/lib/libpcre.so.0.0.1
pickup  15122 postfix mem  REG         3,6   58310   37480 /usr/lib/liblber-2.3.so.0.2.7
pickup  15122 postfix mem  REG         3,6  255945   37482 /usr/lib/libldap-2.3.so.0.2.7
pickup  15122 postfix mem  REG         3,6  152580   42426 /usr/lib/libpostfix-util.so.1.0.1
pickup  15122 postfix mem  REG         3,6  158192   42417 /usr/lib/libpostfix-global.so.1.0.1
pickup  15122 postfix mem  REG         3,6   22676   42420 /usr/lib/libpostfix-master.so.1.0.1
pickup  15122 postfix mem  REG         3,6  124463   13927 /lib/ld-2.4.so
pickup  15122 postfix 0u   CHR         1,3            2228 /dev/null
pickup  15122 postfix 1u   CHR         1,3            2228 /dev/null
pickup  15122 postfix 2u   CHR         1,3            2228 /dev/null
pickup  15122 postfix 3r   FIFO        0,5            8265 pipe
pickup  15122 postfix 4w   FIFO        0,5            8265 pipe
pickup  15122 postfix 5u   unix 0xd8df8080         6722083 socket
pickup  15122 postfix 6u   FIFO        3,6           46668 /var/spool/postfix/public/pickup
pickup  15122 postfix 7u   unix 0xd8df8980         6931500 socket
qmgr    28927 postfix cwd  DIR         3,6     384   42756 /var/spool/postfix
qmgr    28927 postfix rtd  DIR         3,6     568       2 /
qmgr    28927 postfix txt  REG         3,6   45508   42771 /usr/lib/postfix/qmgr
qmgr    28927 postfix mem  REG         0,0               0 [heap] (stat: No such file or directory)
qmgr    28927 postfix mem  REG         3,6  217016   60458 /var/run/nscd/group
qmgr    28927 postfix mem  REG         3,6  217016   60456 /var/run/nscd/passwd
qmgr    28927 postfix mem  REG         3,6  100331   13960 /lib/libpthread-2.4.so
qmgr    28927 postfix mem  REG         3,6   13814   13940 /lib/libdl-2.4.so
qmgr    28927 postfix mem  REG         3,6 1404242   13934 /lib/libc-2.4.so
qmgr    28927 postfix mem  REG         3,6   74278   13962 /lib/libresolv-2.4.so
qmgr    28927 postfix mem  REG         3,6   87850   13945 /lib/libnsl-2.4.so
qmgr    28927 postfix mem  REG         3,6  931232   18430 /usr/lib/libdb-4.3.so
qmgr    28927 postfix mem  REG         3,6 1208240   33727 /usr/lib/libcrypto.so.0.9.8
qmgr    28927 postfix mem  REG         3,6  246884  221993 /usr/lib/libssl.so.0.9.8
qmgr    28927 postfix mem  REG         3,6   85772   23833 /usr/lib/libsasl2.so.2.0.21
qmgr    28927 postfix mem  REG         3,6  179596   18503 /usr/lib/libpcre.so.0.0.1
qmgr    28927 postfix mem  REG         3,6   58310   37480 /usr/lib/liblber-2.3.so.0.2.7
qmgr    28927 postfix mem  REG         3,6  255945   37482 /usr/lib/libldap-2.3.so.0.2.7
qmgr    28927 postfix mem  REG         3,6  152580   42426 /usr/lib/libpostfix-util.so.1.0.1
qmgr    28927 postfix mem  REG         3,6  158192   42417 /usr/lib/libpostfix-global.so.1.0.1
qmgr    28927 postfix mem  REG         3,6   22676   42420 /usr/lib/libpostfix-master.so.1.0.1
qmgr    28927 postfix mem  REG         3,6  124463   13927 /lib/ld-2.4.so
qmgr    28927 postfix 0u   CHR         1,3            2228 /dev/null
qmgr    28927 postfix 1u   CHR         1,3            2228 /dev/null
qmgr    28927 postfix 2u   CHR         1,3            2228 /dev/null
qmgr    28927 postfix 3r   FIFO        0,5            8265 pipe
qmgr    28927 postfix 4w   FIFO        0,5            8265 pipe
qmgr    28927 postfix 5u   unix 0xc4b5ae00         6722087 socket
qmgr    28927 postfix 6u   FIFO        3,6           47906 /var/spool/postfix/public/qmgr
qmgr    28927 postfix 7u   unix 0xdb47be00         6722148 socket
suse-linux:/home/scott #
With these types of commands, it becomes much easier to determine what is going on with a given machine, especially when you use the information from one command as input to the others. As a final note, my good bud Steve told me about a tool called ‘whowatch’ that gives you some of this information in real time and refreshes continuously. It was helpful and useful to me, and I do recommend it.
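Using one command's output as input to another, shown as an added example in shell (not code from the original post): it filters ‘netstat -utapen’ output down to sockets reachable from the network, separates the ones with no owning process, and hands the remaining PIDs to ‘lsof’. The function names are assumptions; the sample rows are copied from the netstat output shown earlier.

```shell
#!/bin/sh
# Added example: chain netstat output into lsof.

# Reads `netstat -utapen` output on stdin and prints "proto local uid owner"
# for TCP sockets in LISTEN and unconnected UDP sockets not bound to loopback.
# UDP rows have an empty State column, so User and PID/Program sit one field
# to the left of where they are on TCP rows.
exposed_listeners() {
    awk '{
        if ($1 ~ /^tcp/ && $6 == "LISTEN")   { uid = $7; owner = $9 }
        else if ($1 ~ /^udp/ && $5 ~ /:\*$/) { uid = $6; owner = $8 }
        else next
        if ($4 ~ /^127\./ || $4 ~ /^::1:/) next
        print $1, $4, uid, owner
    }'
}

# Rows whose owner is "-": netstat could not name a process (a kernel-owned
# socket, or netstat was not run as root). These deserve a second look.
unowned_listeners() {
    awk '$4 == "-"'
}

# Unique PIDs of the processes that own the remaining rows.
listener_pids() {
    awk '$4 != "-" { split($4, p, "/"); print p[1] }' | sort -un
}

# Live use (run as root): list the network files of each listening process.
inspect_listeners() {
    netstat -utapen | exposed_listeners | listener_pids |
    while read -r pid; do
        lsof -nP -a -i -p "$pid"
    done
}

# Rows copied from the netstat sample output earlier on this page.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:1863 0.0.0.0:* LISTEN 1000 6725360 29228/ssh
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 0 7728 2774/portmap
tcp 0 0 0.0.0.0:2803 0.0.0.0:* LISTEN 0 8066 -
tcp 0 416 192.168.0.162:1199 192.168.0.3:22 ESTABLISHED 0 6933024 15247/ssh
tcp 0 0 ::1:1863 :::* LISTEN 1000 6725361 29228/ssh
tcp 0 0 :::22 :::* LISTEN 0 8792 3149/sshd
udp 0 0 127.0.0.1:500 0.0.0.0:* 0 9120 3285/racoon
udp 0 0 192.168.0.162:500 0.0.0.0:* 0 9118 3285/racoon
udp 0 0 0.0.0.0:1025 0.0.0.0:* 0 8062 -
EOF
}

case "${1:-}" in
    --demo) sample_netstat | exposed_listeners ;;
    --run)  inspect_listeners ;;
esac
```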
These are the majority of useful tools and commands that I found to get detailed real-time information about who is doing what from where on a given box. I’m interested in any additional thoughts or suggestions that anyone may have on this. Leave a comment with such info, that all may benefit.
October 11th, 2006 at 7:14 am
There’s useful info with:
-dmesg
-pstree
and all of the tools in combination with grep or xargs
e.g
ps -ef|grep amarok
find -print|xargs grep -i somestring
Cheers.
October 11th, 2006 at 8:44 am
Frederik Van Poucke, huh?! Hey, weren’t you the guy that won second place on our Desktop Shootout (http://www.novell.com/coolsolutions/feature/16573.html) competition? Great to hear from you. Thanks for the suggestions.