1. Speedtest Script

wget https://bintray.com/ookla/download/download_file?file_path=ookla-speedtest-1.0.0-x86_64-linux.tgz -O speedtest-cli.tgz && tar xfvz speedtest-cli.tgz && echo yes | ./speedtest
[root@centos7-zabbix-grafana-1 ~]# wget https://bintray.com/ookla/download/download_file?file_path=ookla-speedtest-1.0.0-x86_64-linux.tgz -O speedtest-cli.tgz && tar xfvz speedtest-cli.tgz && echo yes | ./speedtest
--2020-04-16 17:21:41--  https://bintray.com/ookla/download/download_file?file_path=ookla-speedtest-1.0.0-x86_64-linux.tgz
Resolving bintray.com (bintray.com)...
Connecting to bintray.com (bintray.com)||:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://dl.bintray.com/ookla/download/ookla-speedtest-1.0.0-x86_64-linux.tgz?expiry=1587057731446&signature=N%2F%2FEyyWnLJRqFhHwYJ08IM0%2B0OU66hX1%2BgGCWG43CaY3dmuJOyA0M8gy36G2RwtgfT8Elro6jQpIhBd8yTOKNQ%3D%3D [following]
--2020-04-16 17:21:41--  https://dl.bintray.com/ookla/download/ookla-speedtest-1.0.0-x86_64-linux.tgz?expiry=1587057731446&signature=N%2F%2FEyyWnLJRqFhHwYJ08IM0%2B0OU66hX1%2BgGCWG43CaY3dmuJOyA0M8gy36G2RwtgfT8Elro6jQpIhBd8yTOKNQ%3D%3D
Resolving dl.bintray.com (dl.bintray.com)...,
Connecting to dl.bintray.com (dl.bintray.com)||:443... connected.
HTTP request sent, awaiting response... 302 
Location: https://akamai.bintray.com/5f/5fe2028f0d4427e4f4231d9f9cf70e6691bb890a70636d75232fe4d970633168?__gda__=exp=1587058421~hmac=bcc7e0e4e8f71f5d0af7ebf6178ae0534027fb63a80234c4870051da23c2fbfa&response-content-disposition=attachment%3Bfilename%3D%22ookla-speedtest-1.0.0-x86_64-linux.tgz%22&response-content-type=application%2Fgzip&requestInfo=U2FsdGVkX19FmhEAfVfGnWNhHLMH9_FIedcu869F-5_L6eYlhAQ-vBUL-KjMmlOg3_Pt0gfPKOS-M8PpIXM7iVCKOdekGMaDStQwm92EfjfQDX_lGbiCXiYR9ao_wwmHjKOiB6RTgnyrDECxGx8spA&response-X-Checksum-Sha1=41ca19b8bea7614c27370453be3c6ef7ea7fa76a&response-X-Checksum-Sha2=5fe2028f0d4427e4f4231d9f9cf70e6691bb890a70636d75232fe4d970633168 [following]
--2020-04-16 17:21:41--  https://akamai.bintray.com/5f/5fe2028f0d4427e4f4231d9f9cf70e6691bb890a70636d75232fe4d970633168?__gda__=exp=1587058421~hmac=bcc7e0e4e8f71f5d0af7ebf6178ae0534027fb63a80234c4870051da23c2fbfa&response-content-disposition=attachment%3Bfilename%3D%22ookla-speedtest-1.0.0-x86_64-linux.tgz%22&response-content-type=application%2Fgzip&requestInfo=U2FsdGVkX19FmhEAfVfGnWNhHLMH9_FIedcu869F-5_L6eYlhAQ-vBUL-KjMmlOg3_Pt0gfPKOS-M8PpIXM7iVCKOdekGMaDStQwm92EfjfQDX_lGbiCXiYR9ao_wwmHjKOiB6RTgnyrDECxGx8spA&response-X-Checksum-Sha1=41ca19b8bea7614c27370453be3c6ef7ea7fa76a&response-X-Checksum-Sha2=5fe2028f0d4427e4f4231d9f9cf70e6691bb890a70636d75232fe4d970633168
Resolving akamai.bintray.com (akamai.bintray.com)...
Connecting to akamai.bintray.com (akamai.bintray.com)||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 930614 (909K) [application/gzip]
Saving to: ‘speedtest-cli.tgz’

100%[=========================================================================>] 930,614     --.-K/s   in 0.08s

2020-04-16 17:21:41 (10.5 MB/s) - ‘speedtest-cli.tgz’ saved [930614/930614]


You may only use this Speedtest software and information generated
from it for personal, non-commercial use, through a command line
interface on a personal computer. Your use of this software is subject
to the End User License Agreement, Terms of Use and Privacy Policy at
these URLs:



Do you accept the license? [type YES to accept]: License acceptance recorded. Continuing.

   Speedtest by Ookla

     Server: ZeptoVM - Ashburn, VA (id = 30561)
        ISP: Google Cloud
    Latency:    25.69 ms   (4.63 ms jitter)
   Download:  3977.15 Mbps (data used: 6.2 GB)                               
     Upload:   918.83 Mbps (data used: 1.5 GB)                               
Packet Loss:     0.0%
 Result URL: 
[root@centos7-zabbix-grafana-1 ~]# 

2. Network Traffic Analysis Script

In practice I mainly use this script to see which ports are busy and which IP is hammering the link with traffic.
The script provides the following functions:
1. Monitor the traffic of any network interface in real time.
2. Report the average traffic over a 10-second window.
3. Report the average traffic per port over 10 seconds, broken down by client port and by server port, so you can see which ports account for the most traffic. On a web server most traffic is normally on port 80; when some other port suddenly carries a lot of traffic, it may be the one under attack, so this view helps check whether per-port traffic looks normal.
4. List the top 10 IPs by bandwidth over 10 seconds, to spot malicious IPs hogging bandwidth.
5. Count connections by state, to see which state dominates. Many connections in SYN-RECV point to a half-open connection attack (SYN flood). A very large ESTABLISHED count combined with far fewer requests in the access log, or many IPs seen in tcpdump that establish connections but never send any data, points to a full-connection attack; adding "listen 80 deferred" (deferred accept, so the application is only handed a connection once data has arrived) helps mitigate it.
6. Count connection states per port, to discover which port is being attacked.
7. List the top 10 IPs by number of ESTAB connections on port 80, to find IPs that open too many connections so they can be blocked.
8. List the top 10 IPs by number of SYN-RECV connections on port 80, to find malicious IPs during a half-open connection attack.
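The connection-state and traffic checks listed above, as an added bash example that is not the 91yun network-analysis.sh itself; it runs over constructed ss -ant and /proc/net/dev text (the 10.0.0.5 / 203.0.113.x / 198.51.100.x addresses and the eth1 counters are made up) so it works offline, and on a live host you pipe real ss -ant output into the same functions:

```bash
#!/usr/bin/env bash
# Added example, not the 91yun network-analysis.sh: the checks the post lists, recomputed
# from constructed `ss -ant` and /proc/net/dev text so they run offline. On a live host,
# pipe real `ss -ant` output into the functions instead of $SAMPLE_SS.

# Constructed `ss -ant` output: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS='State     Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB     0      0      10.0.0.5:80        203.0.113.10:51234
ESTAB     0      0      10.0.0.5:80        203.0.113.10:51235
ESTAB     0      0      10.0.0.5:80        203.0.113.11:40001
SYN-RECV  0      0      10.0.0.5:80        198.51.100.7:1025
SYN-RECV  0      0      10.0.0.5:80        198.51.100.7:1026
SYN-RECV  0      0      10.0.0.5:80        198.51.100.8:2000
TIME-WAIT 0      0      10.0.0.5:22        192.0.2.3:55555
ESTAB     0      0      10.0.0.5:22        192.0.2.3:55556'

# Constructed /proc/net/dev lines for eth1, 10 s apart (rx bytes = $2, tx bytes = $10).
SNAP1='eth1: 1000000 800 0 0 0 0 0 0 2000000 900 0 0 0 0 0 0'
SNAP2='eth1: 1006125 850 0 0 0 0 0 0 2010875 950 0 0 0 0 0 0'

# Function 5 of the post: connections per state. stdin: ss -ant output.
state_counts() {
  awk 'NR>1 {c[$1]++} END {for (s in c) print c[s], s}' | sort -rn
}

# Function 6: state counts per local (server) port, e.g. "3 80 SYN-RECV".
state_counts_by_port() {
  awk 'NR>1 {n=split($4,a,":"); c[a[n] " " $1]++} END {for (k in c) print c[k], k}' | sort -rn
}

# Functions 7 and 8: top-N peer IPs in state $1 on local port $2 (N = $3, default 10).
top_ips() {
  awk -v st="$1" -v port="$2" '
    NR>1 && $1==st { n=split($4,a,":"); if (a[n]!=port) next
                     sub(/:[0-9]+$/, "", $5); c[$5]++ }
    END { for (ip in c) print c[ip], ip }' | sort -rn | head -n "${3:-10}"
}

# Function 2: average rx/tx rate in bit/s of interface $1 between two /proc/net/dev
# snapshots $2 and $3 taken $4 seconds apart (first line = earlier snapshot).
avg_rate() {
  printf '%s\n%s\n' "$2" "$3" | awk -v dev="$1:" -v secs="$4" '
    $1==dev { rx[NR]=$2; tx[NR]=$10 }
    END { printf "%s rx %d bit/s tx %d bit/s\n", substr(dev,1,length(dev)-1),
          (rx[2]-rx[1])*8/secs, (tx[2]-tx[1])*8/secs }'
}

# Live use, e.g.: ss -ant | top_ips SYN-RECV 80      (a SYN flood shows many peers here)
```

On the constructed sample, top_ips SYN-RECV 80 reports 198.51.100.7 with two half-open connections, the same signal function 8 of the script is meant to surface.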

Run it from your Linux command line:

$ wget https://raw.githubusercontent.com/91yun/91yuncode/master/network-analysis.sh && bash network-analysis.sh

$ bash network-analysis.sh
1) real time traffic.
2) traffic and connection overview.

please input your select(ie 1): 2
tcpdump not found,going to install it.
network-analysis.sh: line 125: apt-get: command not found

#################### nic setting ####################

1) docker0
2) eth0
3) eth1
4) veth49c9398

which nic you'd select: 3
your selection: eth1
please wait for 10s to generate network data...

network device ens3 average traffic in 10s:
ens3 Receive: 4.9Kb/s
ens3 Transmit: 8.7Kb/s

average traffic in 10s base on client port:
> server 8.1Kb/s
> server 4.2Kb/s
> server 396b/s
> server 150b/s
> server 83b/s
> server 60b/s
> server 60b/s

average traffic in 10s base on server port:
clients > 8.1Kb/s
clients > 4.2Kb/s
clients > 396b/s
clients > 150b/s
clients > 83b/s
clients > 60b/s
clients > 60b/s

top 10 ip average traffic in 10s base on client:
> 8.1Kb/s
> 4.2Kb/s
> 396b/s
> 150b/s
> 83b/s
> 60b/s
> 60b/s
> 32b/s

top 10 ip average traffic in 10s base on server:
> 8.1Kb/s
> 4.2Kb/s
> 396b/s
> 150b/s
> 83b/s
> 60b/s
> 60b/s
:22 32b/s

connection state count:
0 102

connection state count by port base on server:
0 * 102
TIME-WAIT 1
TIME-WAIT 1
TIME-WAIT 1
TIME-WAIT 1
TIME-WAIT 1
ESTAB 1
CLOSE-WAIT 1
CLOSE-WAIT 1

connection state count by port base on client:
TIME-WAIT 5
CLOSE-WAIT 4
CLOSE-WAIT 2
TIME-WAIT 1
ESTAB 1
0 23041 1
0 23040 1
0 22575 1
0 22574 1
0 22111 1

top 10 ip ESTAB state count at port 80:
* 102 1

top 10 ip SYN-RECV state count at port 80:
[root@centos7-test1 ~]#

By Jon