Archive for the tag 'activity'

sar - Collect, report, or save system activity information.

To have sar read a particular data file, use the -f /var/log/sa/saDD option, where DD is the day of the month. You can select multiple files by using multiple -f options. Since many of sar's reports are lengthy, you may want to redirect the output to a file.

To create a basic report showing CPU usage and I/O wait time percentage, run sar with no flags; it reads today's data file (/var/log/sa/saDD for the current day) and produces a report similar to this:

01:10:00 PM     CPU     %user     %nice   %system   %iowait     %idle
01:20:00 PM     all      7.78      0.00      3.34     20.94     67.94
01:30:00 PM     all      0.75      0.00      0.46      1.71     97.08
01:40:00 PM     all      0.65      0.00      0.48      1.63     97.23
01:50:00 PM     all      0.96      0.00      0.74      2.10     96.19
02:00:00 PM     all      0.58      0.00      0.54      1.87     97.01
02:10:00 PM     all      0.80      0.00      0.60      1.27     97.33
02:20:01 PM     all      0.52      0.00      0.37      1.17     97.94
02:30:00 PM     all      0.49      0.00      0.27      1.18     98.06
Average:        all      1.85      0.00      0.44      2.56     95.14

“The %user and %system columns simply specify the amount of time the CPU spends in user and system mode. The %iowait and %idle columns are of interest to us when doing performance analysis. The %iowait column specifies the amount of time the CPU spends waiting for I/O requests to complete. The %idle column tells us how much useful work the CPU is doing. A %idle time near zero indicates a CPU bottleneck, while a high %iowait value indicates unsatisfactory disk performance.”
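As an added example that is not part of the original post, the script below applies the rule of thumb in the quoted paragraph to a sar CPU report: it parses the data rows (taking the column order from the header row, so sysstat releases that add columns such as %steal parse the same way) and flags every interval whose %iowait exceeds a threshold or whose %idle is near zero. The report embedded in it is a constructed copy of the sample above; the 10% thresholds and the script name sar_flags.py are assumptions for the example, not values from the page.

```python
"""Flag the intervals of a sar CPU report that point at a disk or CPU bottleneck."""

# Constructed sample: the layout sar prints with no flags (12-hour clock, the
# 'all' CPU line per interval, a trailing Average: row). Values copied from the
# report shown in the post.
SAMPLE_REPORT = """\
01:10:00 PM     CPU     %user     %nice   %system   %iowait     %idle
01:20:00 PM     all      7.78      0.00      3.34     20.94     67.94
01:30:00 PM     all      0.75      0.00      0.46      1.71     97.08
01:40:00 PM     all      0.65      0.00      0.48      1.63     97.23
01:50:00 PM     all      0.96      0.00      0.74      2.10     96.19
02:00:00 PM     all      0.58      0.00      0.54      1.87     97.01
02:10:00 PM     all      0.80      0.00      0.60      1.27     97.33
02:20:01 PM     all      0.52      0.00      0.37      1.17     97.94
02:30:00 PM     all      0.49      0.00      0.27      1.18     98.06
Average:        all      1.85      0.00      0.44      2.56     95.14
"""


def parse_sar_cpu(text):
    """Return [(timestamp, cpu, {column: value})] for the data rows of a CPU report.

    Column names come from the header row rather than being hard-coded, so newer
    sysstat releases that add %steal or %gnice columns parse the same way.
    """
    rows, columns = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if "CPU" in parts:                                  # header: ... CPU %user %nice ...
            columns = parts[parts.index("CPU") + 1:]
            continue
        if columns is None or parts[0] == "Average:":       # preamble ("Linux ... (8 CPU)") or summary row
            continue
        if len(parts) > 2 and parts[1] in ("AM", "PM"):     # 12-hour locale: "01:20:00 PM all ..."
            stamp, rest = " ".join(parts[:2]), parts[2:]
        else:                                               # 24-hour locale: "13:20:00 all ..."
            stamp, rest = parts[0], parts[1:]
        try:
            cpu, values = rest[0], [float(v) for v in rest[1:]]
        except (IndexError, ValueError):
            continue                                        # not a numeric data row
        if len(values) == len(columns):
            rows.append((stamp, cpu, dict(zip(columns, values))))
    return rows


def saturated_intervals(text, iowait_pct=10.0, idle_pct=10.0):
    """Apply the rule of thumb from the text: %iowait above iowait_pct means the
    disks cannot keep up; %idle below idle_pct means the CPU itself is the bottleneck.
    The 10% defaults are an assumption for this example, not a value from the page."""
    flagged = []
    for stamp, cpu, vals in parse_sar_cpu(text):
        reasons = []
        if vals["%iowait"] > iowait_pct:
            reasons.append("disk-bound: %%iowait=%.2f" % vals["%iowait"])
        if vals["%idle"] < idle_pct:
            reasons.append("cpu-bound: %%idle=%.2f" % vals["%idle"])
        if reasons:
            flagged.append((stamp, cpu, reasons))
    return flagged


if __name__ == "__main__":
    import sys
    report = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    for stamp, cpu, reasons in saturated_intervals(report):
        print(stamp, cpu, "; ".join(reasons))
```

Run it on a saved day with sar -f /var/log/sa/saDD | python3 sar_flags.py; with nothing on stdin it runs on the embedded sample, where only the 01:20:00 PM interval (20.94% iowait) is flagged.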

Tcpdump to monitor SMTP activity from an IP or a range of IPs

tcpdump is a useful utility for monitoring network activity on a server.

tcpdump -i eth0 -n '(src 192.168.1.22 or dst 192.168.1.22) and port 25' -w smtp.tcpdump -s 2048

You can monitor SMTP activity to find out which mail account a spammer is using.
The above command captures every packet on eth0 sent to or from 192.168.1.22 on TCP port 25 (SMTP) and writes it to the file smtp.tcpdump. The filter must be quoted and the two address tests grouped in parentheses, otherwise the shell and tcpdump's filter grammar parse it differently; 'host 192.168.1.22 and port 25' is an equivalent shorter form. -n disables reverse DNS lookups and -s 2048 keeps up to 2048 bytes of each packet, so the SMTP commands are not truncated. If clients also submit mail on port 587, use '(port 25 or port 587)'. Note that the dump will contain any AUTH LOGIN or AUTH PLAIN credentials in base64, which is encoding, not encryption, so treat the file as sensitive.

Use the following command to monitor a range of IP addresses:

tcpdump -i eth0 -n '(src net 119.91.0.0/16 or dst net 119.91.0.0/16) and port 25' -w smtp.tcpdump -s 2048

The above command captures SMTP traffic to or from any address in 119.91.0.0/16, that is, every IP starting with 119.91 ('net 119.91.0.0/16 and port 25' is the equivalent shorter form). You can open the dump file in Wireshark to analyze it, or read it back on the server with tcpdump -r smtp.tcpdump.

On an OpenVZ-based VPS there is no eth0; the container's interface is venet0 (listed by ifconfig as venet0:0), so pass that to -i instead.
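As an added example that is not part of the original post: once a capture has been written with -w, the account a spammer is using can be pulled out of the file without opening Wireshark. The script below parses the libpcap file format and the Ethernet/IPv4/TCP headers itself (no scapy or tshark needed), then scans client-to-server SMTP data for MAIL FROM addresses and the user names sent with AUTH LOGIN or AUTH PLAIN. It assumes a little-endian pcap with the Ethernet link type, which is what tcpdump -w produces on an x86 eth0; the sample capture, addresses, accounts and the script name smtp_accounts.py are constructed for the example.

```python
"""Extract MAIL FROM addresses and AUTH user names from a tcpdump -w (libpcap) file."""
import base64
import struct
import sys
from collections import defaultdict

PCAP_MAGIC, LINKTYPE_ETHERNET, ETHERTYPE_IPV4, IPPROTO_TCP = 0xA1B2C3D4, 1, 0x0800, 6

def tcp_frame(src, sport, dst, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame (checksums left zero; the parser never checks them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split("."))) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip

def build_pcap(frames):
    """Serialize frames as tcpdump -w does: 24-byte global header, 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 2048, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield raw frames from a little-endian libpcap file; refuse anything not Ethernet-framed."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("need little-endian pcap with LINKTYPE_ETHERNET (magic %#x, linktype %d)" % (magic, linktype))
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_tcp(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4 or frame[23] != IPPROTO_TCP:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]                  # skip IP header incl. options
    if len(tcp) < 20:
        return None                                            # truncated by a short snaplen
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return src, sport, dst, dport, tcp[(tcp[12] >> 4) * 4:]    # skip TCP header incl. options

def _b64(token):
    try:
        return base64.b64decode(token, validate=True).decode(errors="replace")
    except ValueError:
        return "<undecodable %r>" % token

def smtp_accounts(pcap_bytes, smtp_port=25):
    """Group MAIL FROM addresses and AUTH LOGIN / AUTH PLAIN user names by client IP."""
    findings = defaultdict(lambda: {"mail_from": [], "auth_users": []})
    awaiting_user = set()   # flows that sent a bare AUTH LOGIN: the next client line is the base64 user name
    for frame in read_pcap(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt is None or pkt[3] != smtp_port or not pkt[4]:   # only client -> server SMTP data
            continue
        src, sport, dst, _dport, payload = pkt
        flow, rec = (src, sport, dst), findings[src]
        for line in filter(None, payload.split(b"\r\n")):
            parts, word = line.split(), line.upper()
            if flow in awaiting_user:
                awaiting_user.discard(flow)
                rec["auth_users"].append(_b64(line))
            elif word.startswith(b"AUTH LOGIN"):
                if len(parts) > 2:                               # user name sent inline as initial response
                    rec["auth_users"].append(_b64(parts[2]))
                else:
                    awaiting_user.add(flow)
            elif word.startswith(b"AUTH PLAIN") and len(parts) > 2:
                try:
                    fields = base64.b64decode(parts[2], validate=True).split(b"\x00")  # authzid\0authcid\0password
                except ValueError:
                    continue
                if len(fields) == 3:
                    rec["auth_users"].append(fields[1].decode(errors="replace"))
            elif word.startswith(b"MAIL FROM:"):
                rec["mail_from"].append(line.split(b":", 1)[1].strip().strip(b"<>").decode(errors="replace"))
    return dict(findings)

# Constructed sample capture (not real traffic): an AUTH LOGIN session and an AUTH PLAIN
# login from 192.168.1.22, plus one HTTP packet that the port check must ignore.
CLIENT, SERVER = "192.168.1.22", "10.0.0.5"
SAMPLE_PCAP = build_pcap([
    tcp_frame(CLIENT, 40001, SERVER, 25, b"EHLO spamhost.example\r\n"),
    tcp_frame(SERVER, 25, CLIENT, 40001, b"250-mail.example\r\n250 AUTH LOGIN PLAIN\r\n"),
    tcp_frame(CLIENT, 40001, SERVER, 25, b"AUTH LOGIN\r\n"),
    tcp_frame(SERVER, 25, CLIENT, 40001, b"334 VXNlcm5hbWU6\r\n"),
    tcp_frame(CLIENT, 40001, SERVER, 25, base64.b64encode(b"sales@example.com") + b"\r\n"),
    tcp_frame(SERVER, 25, CLIENT, 40001, b"334 UGFzc3dvcmQ6\r\n"),
    tcp_frame(CLIENT, 40001, SERVER, 25, base64.b64encode(b"hunter2") + b"\r\n"),
    tcp_frame(CLIENT, 40001, SERVER, 25, b"MAIL FROM:<bulk@example.net>\r\n"),
    tcp_frame(CLIENT, 40002, SERVER, 25, b"AUTH PLAIN " + base64.b64encode(b"\x00info@example.com\x00pw") + b"\r\n"),
    tcp_frame(CLIENT, 40003, SERVER, 80, b"GET / HTTP/1.0\r\n\r\n"),
])

if __name__ == "__main__":   # python3 smtp_accounts.py smtp.tcpdump  (no argument: run on the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for client, rec in smtp_accounts(data).items():
        print(client, "AUTH users:", rec["auth_users"], "MAIL FROM:", rec["mail_from"])
```

Run it as python3 smtp_accounts.py smtp.tcpdump; with no argument it reports the sample, where 192.168.1.22 authenticated as sales@example.com and info@example.com and sent mail as bulk@example.net. A capture taken on an interface without Ethernet framing (venet0 is one) carries a different link type and is rejected by the check in read_pcap rather than misparsed, as is a pcapng file. The AUTH LOGIN branch also shows why the dump itself needs protecting: the user name and password travel as plain base64.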

Synopsis (from the tcpdump man page):

tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
        [ -C file_size ] [ -F file ]
        [ -i interface ] [ -m module ] [ -M secret ]
        [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
        [ -W filecount ]
        [ -E spi@ipaddr algo:secret,... ]
        [ -y datalinktype ] [ -Z user ]