
<!doctype html>
<html lang="en" data-color-mode="dark">
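<head>
<meta charset="utf-8">
<title>Sysdig 备忘清单
&#x26; sysdig cheatsheet &#x26; Quick Reference</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- description/keywords must use the name="…" content="…" form; a bare description="…" attribute
     gives <meta> no name and the text is never exposed as page metadata -->
<meta name="description" content="该备忘单提供了使用 Sysdig 的常用命令参数和使用案例清单
入门,为开发人员分享快速参考备忘单。">
<meta name="keywords" content="sysdig,reference,Quick,Reference,cheatsheet,cheat,sheet">
<meta name="author" content="jaywcjlove">
<meta name="license" content="MIT">
<meta name="funding" content="https://jaywcjlove.github.io/#/sponsor">
<!-- touch icons are declared with <link rel="apple-touch-icon">; <meta> has no rel/href attributes,
     so the previous <meta rel="apple-touch-icon"> entries were silently ignored -->
<link rel="apple-touch-icon" href="../icons/touch-icon-iphone.png">
<link rel="apple-touch-icon" sizes="152x152" href="../icons/touch-icon-ipad.png">
<link rel="apple-touch-icon" sizes="180x180" href="../icons/touch-icon-iphone.png">
<link rel="apple-touch-icon" sizes="167x167" href="../icons/touch-icon-ipad-retina.png">
<link rel="apple-touch-icon" sizes="120x120" href="../icons/touch-icon-iphone-retina.png">
<link rel="icon" href="../icons/favicon.svg" type="image/svg+xml">
<link rel="stylesheet" href="../style/style.css">
<link rel="stylesheet" href="../style/katex.css">
</head>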
<body><nav class="header-nav"><div class="max-container"><a href="../index.html" class="logo"><svg viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg" height="1em" width="1em">
<path d="m21.66 10.44-.98 4.18c-.84 3.61-2.5 5.07-5.62 4.77-.5-.04-1.04-.13-1.62-.27l-1.68-.4c-4.17-.99-5.46-3.05-4.48-7.23l.98-4.19c.2-.85.44-1.59.74-2.2 1.17-2.42 3.16-3.07 6.5-2.28l1.67.39c4.19.98 5.47 3.05 4.49 7.23Z" fill="#c9d1d9"></path>
<path d="M15.06 19.39c-.62.42-1.4.77-2.35 1.08l-1.58.52c-3.97 1.28-6.06.21-7.35-3.76L2.5 13.28c-1.28-3.97-.22-6.07 3.75-7.35l1.58-.52c.41-.13.8-.24 1.17-.31-.3.61-.54 1.35-.74 2.2l-.98 4.19c-.98 4.18.31 6.24 4.48 7.23l1.68.4c.58.14 1.12.23 1.62.27Zm2.43-8.88c-.06 0-.12-.01-.19-.02l-4.85-1.23a.75.75 0 0 1 .37-1.45l4.85 1.23a.748.748 0 0 1-.18 1.47Z" fill="#228e6c"></path>
<path d="M14.56 13.89c-.06 0-.12-.01-.19-.02l-2.91-.74a.75.75 0 0 1 .37-1.45l2.91.74c.4.1.64.51.54.91-.08.34-.38.56-.72.56Z" fill="#228e6c"></path>
</svg>
<span class="title">Quick Reference</span></a><div class="menu"><a href="javascript:void(0);" class="searchbtn" id="searchbtn"><svg xmlns="http://www.w3.org/2000/svg" height="1em" width="1em" viewBox="0 0 18 18">
<path fill="currentColor" d="M17.71,16.29 L14.31,12.9 C15.4069846,11.5024547 16.0022094,9.77665502 16,8 C16,3.581722 12.418278,0 8,0 C3.581722,0 0,3.581722 0,8 C0,12.418278 3.581722,16 8,16 C9.77665502,16.0022094 11.5024547,15.4069846 12.9,14.31 L16.29,17.71 C16.4777666,17.8993127 16.7333625,18.0057983 17,18.0057983 C17.2666375,18.0057983 17.5222334,17.8993127 17.71,17.71 C17.8993127,17.5222334 18.0057983,17.2666375 18.0057983,17 C18.0057983,16.7333625 17.8993127,16.4777666 17.71,16.29 Z M2,8 C2,4.6862915 4.6862915,2 8,2 C11.3137085,2 14,4.6862915 14,8 C14,11.3137085 11.3137085,14 8,14 C4.6862915,14 2,11.3137085 2,8 Z"></path>
</svg><span>搜索</span><span>⌘K</span></a><a href="https://github.com/jaywcjlove/reference/blob/main/docs/sysdig.md" class="edit" target="__blank"><svg viewBox="0 0 36 36" fill="currentColor" height="1em" width="1em"><path d="m33 6.4-3.7-3.7a1.71 1.71 0 0 0-2.36 0L23.65 6H6a2 2 0 0 0-2 2v22a2 2 0 0 0 2 2h22a2 2 0 0 0 2-2V11.76l3-3a1.67 1.67 0 0 0 0-2.36ZM18.83 20.13l-4.19.93 1-4.15 9.55-9.57 3.23 3.23ZM29.5 9.43 26.27 6.2l1.85-1.85 3.23 3.23Z"></path><path fill="none" d="M0 0h36v36H0z"></path></svg><span>编辑</span></a><button id="darkMode" type="button"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="currentColor" class="light" height="1em" width="1em">
<path d="M6.995 12c0 2.761 2.246 5.007 5.007 5.007s5.007-2.246 5.007-5.007-2.246-5.007-5.007-5.007S6.995 9.239 6.995 12zM11 19h2v3h-2zm0-17h2v3h-2zm-9 9h3v2H2zm17 0h3v2h-3zM5.637 19.778l-1.414-1.414 2.121-2.121 1.414 1.414zM16.242 6.344l2.122-2.122 1.414 1.414-2.122 2.122zM6.344 7.759 4.223 5.637l1.415-1.414 2.12 2.122zm13.434 10.605-1.414 1.414-2.122-2.122 1.414-1.414z"></path>
</svg>
<svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" viewBox="0 0 24 24" class="dark" height="1em" width="1em">
<path d="M12 11.807A9.002 9.002 0 0 1 10.049 2a9.942 9.942 0 0 0-5.12 2.735c-3.905 3.905-3.905 10.237 0 14.142 3.906 3.906 10.237 3.905 14.143 0a9.946 9.946 0 0 0 2.735-5.119A9.003 9.003 0 0 1 12 11.807z"></path>
</svg>
</button><script src="../js/dark.js?v=1.8.3"></script><a href="https://github.com/jaywcjlove/reference" class="" target="__blank"><svg viewBox="0 0 16 16" fill="currentColor" height="1em" width="1em"><path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.012 8.012 0 0 0 16 8c0-4.42-3.58-8-8-8z"></path></svg></a></div></div></nav><div class="wrap h1body-exist max-container"><header class="wrap-header h1wrap"><h1 id="sysdig-备忘清单"><svg viewBox="0 0 256 317" xmlns="http://www.w3.org/2000/svg" height="1em" width="1em">
<path d="M198.814 98.655a10.349 10.349 0 0 1 8.975 5.244l35.586 61.635c25.367 43.937 11.463 104.796-32.341 141.562a10.331 10.331 0 0 1-3.116 1.8 128.641 128.641 0 0 1-43.96 7.784c-39.453 0-76.278-18.462-94.807-50.556l-42.35-73.35a10.348 10.348 0 0 1 3.788-14.136l28.846-16.655a10.349 10.349 0 1 1 10.349 17.924L49.9 191.387l37.175 64.388c20.152 34.905 68.066 49.46 112.043 34.282 35.13-30.495 46.485-79.27 26.334-114.174l-35.586-61.635a10.349 10.349 0 0 1 8.948-15.593Zm-108.74 96.59c.12.216 6.66 11.866 12.895 22.894l.583 1.032c3.298 5.832 6.45 11.381 8.448 14.842 14.574 25.244 41.265 34.887 71.401 25.778 5.472-1.653 11.247 1.443 12.9 6.914 1.652 5.472-1.444 11.247-6.915 12.9a95.73 95.73 0 0 1-27.672 4.247 76.222 76.222 0 0 1-67.639-39.49 2209.073 2209.073 0 0 1-8.391-14.737l-.576-1.018-.577-1.022-.579-1.023-.578-1.023-.576-1.02a7893.27 7893.27 0 0 1-10.805-19.202c-2.782-4.993-.989-11.296 4.004-14.077 4.993-2.781 11.295-.988 14.077 4.005ZM19.272 5.105l122.265 211.771c3.335 5.774 12.789 15.683 24.682 11.845 5.44-1.754 11.272 1.235 13.025 6.675 1.753 5.44-1.236 11.272-6.676 13.025a38.083 38.083 0 0 1-11.719 1.875c-16.345 0-30.2-10.884-37.236-23.07L1.348 15.454C-1.455 10.51.253 4.23 5.176 1.388 10.098-1.454 16.39.206 19.272 5.106Zm89.756 60.963 29.135 50.463 18.53-10.7c4.945-2.812 11.234-1.105 14.078 3.821 2.845 4.927 1.18 11.226-3.729 14.103L139.55 139.63a10.35 10.35 0 0 1-4.812 1.381l-.364.006-.324-.005a10.35 10.35 0 0 1-8.637-5.169L91.104 76.417c-2.803-4.945-1.095-11.225 3.828-14.067 4.922-2.842 11.215-1.182 14.096 3.718Z" fill="currentColor"></path>
</svg>
<a aria-hidden="true" tabindex="-1" href="#sysdig-备忘清单"><span class="icon icon-link"></span></a>Sysdig 备忘清单</h1><div class="wrap-body">
<p>该备忘单提供了使用 <a href="https://sysdig.com/">Sysdig</a> 的常用命令参数和使用案例清单</p>
</div></header><div class="menu-tocs"><div class="menu-btn"><svg aria-hidden="true" fill="currentColor" height="1em" width="1em" viewBox="0 0 16 16" version="1.1" data-view-component="true">
<path fill-rule="evenodd" d="M2 4a1 1 0 100-2 1 1 0 000 2zm3.75-1.5a.75.75 0 000 1.5h8.5a.75.75 0 000-1.5h-8.5zm0 5a.75.75 0 000 1.5h8.5a.75.75 0 000-1.5h-8.5zm0 5a.75.75 0 000 1.5h8.5a.75.75 0 000-1.5h-8.5zM3 8a1 1 0 11-2 0 1 1 0 012 0zm-1 6a1 1 0 100-2 1 1 0 000 2z"></path>
</svg></div><div class="menu-modal"><a aria-hidden="true" class="leve2 tocs-link" data-num="2" href="#入门">入门</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#命令安装">命令安装</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#常用参数">常用参数</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#输出含义">输出含义</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#chisels常用工具">chisels常用工具</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#命令帮助">命令帮助</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#捕获每个系统事件并将其写入标准输出">捕获每个系统事件并将其写入标准输出</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#自定义输出">自定义输出</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#抓取-kubernetes-pod-客户端-ip-的-udp-请求">抓取 kubernetes pod 客户端 ip 的 udp 请求</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#io案例">io案例</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#网络">网络</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#进程">进程</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#基本用法">基本用法</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#容器">容器</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#文件系统">文件系统</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#安全">安全</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#日志">日志</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#csysdig">CSysdig</a><a aria-hidden="true" class="leve2 tocs-link" data-num="2" href="#另见">另见</a></div></div><div class="h1wrap-body"><div class="wrap h2body-exist"><div class="wrap-header h2wrap"><h2 id="入门"><a aria-hidden="true" tabindex="-1" href="#入门"><span class="icon icon-link"></span></a>入门</h2><div class="wrap-body">
</div></div><div class="h2wrap-body"><div class="wrap h3body-not-exist col-span-2"><div class="wrap-header h3wrap"><h3 id="命令安装"><a aria-hidden="true" tabindex="-1" href="#命令安装"><span class="icon icon-link"></span></a>命令安装</h3><div class="wrap-body">
<!--rehype:wrap-class=col-span-2-->
<pre class="wrap-text"><code class="language-shell code-highlight"><span class="code-line"><span class="token function">sudo</span> <span class="token function">rpm</span> <span class="token parameter variable">--import</span> https://download.sysdig.com/DRAIOS-GPG-KEY.public
</span><span class="code-line"><span class="token function">sudo</span> <span class="token function">curl</span> <span class="token parameter variable">-s</span> <span class="token parameter variable">-o</span> /etc/yum.repos.d/draios.repo https://download.sysdig.com/stable/rpm/draios.repo
</span><span class="code-line"><span class="token function">sudo</span> yum <span class="token parameter variable">-y</span> <span class="token function">install</span> sysdig
</span></code></pre>
<!--rehype:className=wrap-text-->
</div></div></div><div class="wrap h3body-not-exist row-span-2"><div class="wrap-header h3wrap"><h3 id="常用参数"><a aria-hidden="true" tabindex="-1" href="#常用参数"><span class="icon icon-link"></span></a>常用参数</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-2-->
<table class="show-header"><thead><tr><th align="left">参数</th><th align="left">说明</th></tr></thead><tbody><tr><td align="left"><code>-C 5</code></td><td align="left">每个文件不超过5M</td></tr><tr><td align="left"><code>-W 10</code></td><td align="left">保留不超过10个文件</td></tr><tr><td align="left"><code>-G 60</code></td><td align="left">每个文件只保留一分钟内的系统活动</td></tr><tr><td align="left"><code>-w dump.pcap</code></td><td align="left">保存到文件</td></tr><tr><td align="left"><code>-e 1000</code></td><td align="left">每个文件只有1000个事件</td></tr><tr><td align="left"><code>-z</code></td><td align="left">对保存的内容进行压缩</td></tr><tr><td align="left"><code>-A --print-ascii</code></td><td align="left">把 buffer 中数据按照 ASCII 格式打印,方便阅读</td></tr><tr><td align="left"><code>-x --print-hex</code></td><td align="left">把 buffer 中数据按照十六进制打印</td></tr><tr><td align="left"><code>-X --print-hex-ascii</code></td><td align="left">把 buffer 中数据同时按照 ASCII 格式和十六进制打印</td></tr><tr><td align="left"><code>-s 1024</code></td><td align="left">捕获 buffer 的数据大小,默认为 80,设置过大时文件会很大</td></tr><tr><td align="left"><code>-N</code></td><td align="left">不用把端口号转成可读名字</td></tr><tr><td align="left"><code>-r</code></td><td align="left">从文件读取</td></tr></tbody></table>
<!--rehype:className=show-header-->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="输出含义"><a aria-hidden="true" tabindex="-1" href="#输出含义"><span class="icon icon-link"></span></a>输出含义</h3><div class="wrap-body">
<table class="show-header"><thead><tr><th align="left">事件</th><th align="left">说明</th></tr></thead><tbody><tr><td align="left"><code>evt.num</code></td><td align="left">递增的事件号</td></tr><tr><td align="left"><code>evt.time</code></td><td align="left">事件发生的时间</td></tr><tr><td align="left"><code>evt.cpu</code></td><td align="left">事件被捕获时所在 cpu</td></tr><tr><td align="left"><code>proc.name</code></td><td align="left">生成事件的进程名字</td></tr><tr><td align="left"><code>thread.tid</code></td><td align="left">线程 id,单线程时则为进程 id</td></tr><tr><td align="left"><code>evt.dir</code></td><td align="left">事件方向(direction), > 代表进入事件, &#x3C; 代表退出事件</td></tr><tr><td align="left"><code>evt.type</code></td><td align="left">事件的名称,比如 open、stat 等,一般为系统调用</td></tr><tr><td align="left"><code>evt.args</code></td><td align="left">事件的参数。如果为系统调用,则对应系统调用的参数</td></tr></tbody></table>
<!--rehype:className=show-header-->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="chisels常用工具"><a aria-hidden="true" tabindex="-1" href="#chisels常用工具"><span class="icon icon-link"></span></a>chisels常用工具</h3><div class="wrap-body">
<table class="show-header"><thead><tr><th align="left">事件</th><th align="left">说明</th></tr></thead><tbody><tr><td align="left"><code>httplog</code></td><td align="left">输出所有的 http 请求</td></tr><tr><td align="left"><code>topprocs_cpu</code></td><td align="left">按照 cpu 使用率对进程排序</td></tr><tr><td align="left"><code>topprocs_net</code></td><td align="left">按照网络使用情况对进程排序</td></tr><tr><td align="left"><code>fdcount_by</code></td><td align="left">按照建立连接数对进程排序</td></tr><tr><td align="left"><code>echo_fds</code></td><td align="left">输出进程读写数据</td></tr><tr><td align="left"><code>netstat</code></td><td align="left">列出网络连接情况</td></tr><tr><td align="left"><code>spy_file</code></td><td align="left">输出文件的读写数据,可以提供某个文件名作为参数</td></tr><tr><td align="left"><code>spy_ip</code></td><td align="left">抓取给定 ip 的数据交换</td></tr><tr><td align="left"><code>spy_port</code></td><td align="left">抓取给定端口的数据交换</td></tr></tbody></table>
<!--rehype:className=show-header-->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="命令帮助"><a aria-hidden="true" tabindex="-1" href="#命令帮助"><span class="icon icon-link"></span></a>命令帮助</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">sysdig <span class="token parameter variable">-l</span> <span class="token comment">#事件类型</span>
</span><span class="code-line">sysdig <span class="token parameter variable">-cl</span> <span class="token comment">#chisels工具类型</span>
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="捕获每个系统事件并将其写入标准输出"><a aria-hidden="true" tabindex="-1" href="#捕获每个系统事件并将其写入标准输出"><span class="icon icon-link"></span></a>捕获每个系统事件并将其写入标准输出</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist row-span-2"><div class="wrap-header h3wrap"><h3 id="自定义输出"><a aria-hidden="true" tabindex="-1" href="#自定义输出"><span class="icon icon-link"></span></a>自定义输出</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-2-->
<pre class="wrap-text"><code class="language-shell code-highlight"><span class="code-line">$ sysdig -p<span class="token string">"user:%user.name dir:%evt.arg.path"</span> <span class="token assign-left variable">evt.type</span><span class="token operator">=</span>chdir
</span><span class="code-line">user:ubuntu dir:/root
</span><span class="code-line">user:ubuntu dir:/root/tmp
</span><span class="code-line">user:ubuntu dir:/root/Download
</span></code></pre>
<!--rehype:className=wrap-text-->
<p>字段必须用 <code>%</code> 作为前缀,所有 <code>sysdig -l</code> 列出来的字段都可以使用。
如果某个字段在事件中不存在,默认这个事件会被过滤掉;在格式字符串最前面加上 <code>*</code> 符号,则会打印所有事件,不存在的字段会显示为 <code>&#x3C;NA></code></p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig -p<span class="token string">"*%evt.type %evt.dir %evt.arg.name"</span> <span class="token assign-left variable">evt.type</span><span class="token operator">=</span>open
</span><span class="code-line"><span class="token function">open</span> <span class="token operator">></span> <span class="token operator">&#x3C;</span>NA<span class="token operator">></span>
</span><span class="code-line"><span class="token function">open</span> <span class="token operator">&#x3C;</span> /proc/1285/task/1399/stat
</span><span class="code-line"><span class="token function">open</span> <span class="token operator">></span> <span class="token operator">&#x3C;</span>NA<span class="token operator">></span>
</span><span class="code-line"><span class="token function">open</span> <span class="token operator">&#x3C;</span> /proc/1285/task/1400/io
</span><span class="code-line"><span class="token function">open</span> <span class="token operator">></span> <span class="token operator">&#x3C;</span>NA<span class="token operator">></span>
</span><span class="code-line"><span class="token function">open</span> <span class="token operator">&#x3C;</span> /proc/1285/task/1400/statm
</span><span class="code-line"><span class="token function">open</span> <span class="token operator">></span> <span class="token operator">&#x3C;</span>NA<span class="token operator">></span>
</span></code></pre>
<!--rehype:className=wrap-text -->
</div></div></div><div class="wrap h3body-not-exist col-span-2"><div class="wrap-header h3wrap"><h3 id="抓取-kubernetes-pod-客户端-ip-的-udp-请求"><a aria-hidden="true" tabindex="-1" href="#抓取-kubernetes-pod-客户端-ip-的-udp-请求"><span class="icon icon-link"></span></a>抓取 <code>kubernetes pod</code> 客户端 <code>ip</code><code>udp</code> 请求</h3><div class="wrap-body">
<!--rehype:wrap-class=col-span-2-->
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 列出容器监听端口</span>
</span><span class="code-line">$ <span class="token function">sudo</span> sysdig <span class="token parameter variable">-pc</span> <span class="token parameter variable">-A</span> <span class="token parameter variable">-c</span> <span class="token function">netstat</span> <span class="token assign-left variable">container.name</span><span class="token operator">=</span>aaa
</span><span class="code-line">
</span><span class="code-line"><span class="token comment"># 抓取 kubernetes pod 客户端 ip 为 172.119.100.16、端口为 3000 的请求内容</span>
</span><span class="code-line">$ <span class="token function">sudo</span> sysdig <span class="token parameter variable">-A</span> <span class="token parameter variable">-c</span> echo_fds k8s.pod.name contains datacenter-web-dev and <span class="token assign-left variable">fd.port</span><span class="token operator">=</span><span class="token number">3000</span> and <span class="token assign-left variable">evt.type</span><span class="token operator">=</span>read and <span class="token assign-left variable">fd.cip</span><span class="token operator">=</span><span class="token number">172.119</span>.100.16 <span class="token assign-left variable">fd.proto</span><span class="token operator">=</span>UDP
</span><span class="code-line">
</span><span class="code-line"><span class="token comment"># 按照建立连接数量对进程排序 并保存到sysdig.pcap文件中</span>
</span><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> fdcount_by fd.sport <span class="token string">"evt.type=accept"</span> <span class="token parameter variable">-w</span> sysdig.pcap
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>抓取 <code>kubernetes pod</code> 客户端 <code>ip</code> 为 <code>172.119.100.16</code> 的 <code>udp</code> 请求</p>
</div></div></div><div class="wrap h3body-not-exist row-span-3"><div class="wrap-header h3wrap"><h3 id="io案例"><a aria-hidden="true" tabindex="-1" href="#io案例"><span class="icon icon-link"></span></a>io案例</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-3-->
<p>查看 io 错误最多的进程</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topprocs_errors
</span></code></pre>
<p>查看io错误最多的文件</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topfiles_errors
</span></code></pre>
<p>查看磁盘io失败的调用</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token assign-left variable">fd.type</span><span class="token operator">=</span>file and <span class="token assign-left variable">evt.failed</span><span class="token operator">=</span>true
</span></code></pre>
<p>查看httpd打开失败的文件</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token string">"proc.name=httpd and evt.type=open and evt.failed=true"</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看最花费时间的系统调用</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topscalls_time
</span></code></pre>
<p>查看系统调用失败返回最多的系统调用</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topscalls <span class="token string">"evt.failed=true"</span>
</span></code></pre>
<p>查看打开文件失败</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-p</span> <span class="token string">"%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name"</span> <span class="token assign-left variable">evt.type</span><span class="token operator">=</span>open and <span class="token assign-left variable">evt.failed</span><span class="token operator">=</span>true
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>打印延迟大于1ms的文件I/O调用</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> fileslower <span class="token number">1</span>
</span></code></pre>
<p>查看使用硬盘带宽最多的进程</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topprocs_file
</span></code></pre>
<p>列出大量使用文件描述符的进程</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> fdcount_by proc.name <span class="token string">"fd.type=file"</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看读写bytes最多的文件</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topfiles_bytes
</span></code></pre>
<p>打印httpd进程已经读取中和写入中的文件</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topfiles_bytes <span class="token assign-left variable">proc.name</span><span class="token operator">=</span>httpd
</span></code></pre>
<p>基本的 opensnoop:在文件被打开时实时跟踪打开操作</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-p</span> <span class="token string">"%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name"</span> <span class="token assign-left variable">evt.type</span><span class="token operator">=</span>open
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看活跃中的读和写最多的目录</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">sysdig <span class="token parameter variable">-c</span> fdbytes_by fd.directory <span class="token string">"fd.type=file"</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看目录/tmp活跃中的读写最多的文件</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">sysdig <span class="token parameter variable">-c</span> fdbytes_by fd.filename <span class="token string">"fd.directory=/tmp/"</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看所有文件名为 passwd 的 I/O 活动</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">sysdig <span class="token parameter variable">-A</span> <span class="token parameter variable">-c</span> echo_fds <span class="token string">"fd.filename=passwd"</span>
</span></code></pre>
<p>展示FD类型的活跃I/O</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">sysdig <span class="token parameter variable">-c</span> fdbytes_by fd.type
</span></code></pre>
<!--rehype:className=wrap-text -->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="网络"><a aria-hidden="true" tabindex="-1" href="#网络"><span class="icon icon-link"></span></a>网络</h3><div class="wrap-body">
<p>抓取 <code>kubernetes pod</code> 客户端 <code>ip</code> 为 <code>172.119.100.17</code>、端口为 <code>3000</code> 的请求内容</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ <span class="token function">sudo</span> sysdig <span class="token parameter variable">-A</span> <span class="token parameter variable">-c</span> echo_fds k8s.pod.name contains datacenter-web-dev and <span class="token assign-left variable">fd.port</span><span class="token operator">=</span><span class="token number">3000</span> and <span class="token assign-left variable">evt.type</span><span class="token operator">=</span>read and <span class="token assign-left variable">fd.cip</span><span class="token operator">=</span><span class="token number">172.119</span>.100.17 <span class="token assign-left variable">fd.proto</span><span class="token operator">=</span>UDP
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看占用网络带宽最多的进程</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topprocs_net
</span><span class="code-line"><span class="token comment">#显示主机192.168.0.1的网络传输数据</span>
</span><span class="code-line"><span class="token comment">#作为二进制:</span>
</span><span class="code-line">$ sysdig <span class="token parameter variable">-s2000</span> <span class="token parameter variable">-X</span> <span class="token parameter variable">-c</span> echo_fds <span class="token assign-left variable">fd.cip</span><span class="token operator">=</span><span class="token number">192.168</span>.0.1
</span><span class="code-line"><span class="token comment">#作为 ASCII</span>
</span><span class="code-line">$ sysdig <span class="token parameter variable">-s2000</span> <span class="token parameter variable">-A</span> <span class="token parameter variable">-c</span> echo_fds <span class="token assign-left variable">fd.cip</span><span class="token operator">=</span><span class="token number">192.168</span>.0.1
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看连接最多的服务器端口</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line"><span class="token comment">#在已建立的连接方面:</span>
</span><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> fdcount_by fd.sport <span class="token string">"evt.type=accept"</span>
</span><span class="code-line"><span class="token comment">#就总字节数而言:</span>
</span><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> fdbytes_by fd.sport
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看客户端连接最多的ip</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line"><span class="token comment">#在已建立的联系方面</span>
</span><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> fdcount_by fd.cip <span class="token string">"evt.type=accept"</span>
</span><span class="code-line"><span class="token comment">#就总字节数而言</span>
</span><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> fdbytes_by fd.cip
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>列出所有不是访问 apache 服务的连接</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig -p<span class="token string">"%proc.name %fd.name"</span> <span class="token string">"evt.type=accept and proc.name!=httpd"</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>显示 wordpress1 容器在端口 80 上发送和接收的数据:</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-A</span> <span class="token parameter variable">-cecho_fds</span> <span class="token assign-left variable">container.name</span><span class="token operator">=</span>wordpress1 and <span class="token assign-left variable">fd.port</span><span class="token operator">=</span><span class="token number">80</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>实时打印 <code>mysql</code> 容器接收的所有新连接</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig -p<span class="token string">"%fd.name"</span> <span class="token assign-left variable">container.name</span><span class="token operator">=</span>mysql and <span class="token assign-left variable">evt.type</span><span class="token operator">=</span>accept
</span></code></pre>
<!--rehype:className=wrap-text -->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="进程"><a aria-hidden="true" tabindex="-1" href="#进程"><span class="icon icon-link"></span></a>进程</h3><div class="wrap-body">
<p>查看哪些文件花费时间最多</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topfiles_time
</span></code></pre>
<p>查看httpd进程哪些文件花费最多时间</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topfiles_time <span class="token assign-left variable">proc.name</span><span class="token operator">=</span>httpd
</span></code></pre>
<p>查看io错误最多的进程</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topprocs_errors
</span></code></pre>
<p>查看io错误最多的文件</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topfiles_errors
</span></code></pre>
<p>查看磁盘io失败的调用</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token assign-left variable">fd.type</span><span class="token operator">=</span>file and <span class="token assign-left variable">evt.failed</span><span class="token operator">=</span>true
</span></code></pre>
<p>查看httpd打开失败的文件</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token string">"proc.name=httpd and evt.type=open and evt.failed=true"</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看最花费时间的系统调用</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topscalls_time
</span></code></pre>
<p>查看系统调用失败返回最多的系统调用</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topscalls <span class="token string">"evt.failed=true"</span>
</span></code></pre>
<p>查看打开文件失败</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-p</span> <span class="token string">"%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name"</span> <span class="token assign-left variable">evt.type</span><span class="token operator">=</span>open and <span class="token assign-left variable">evt.failed</span><span class="token operator">=</span>true
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>打印延迟大于1ms的文件I/O调用</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> fileslower <span class="token number">1</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
</div></div></div><div class="wrap h3body-not-exist row-span-2"><div class="wrap-header h3wrap"><h3 id="基本用法"><a aria-hidden="true" tabindex="-1" href="#基本用法"><span class="icon icon-link"></span></a>基本用法</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-2-->
<p>将事件捕获到跟踪文件以供以后分析</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-w</span> myfile.scap
</span></code></pre>
<p>从跟踪文件中读取事件</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-r</span> myfile.scap
</span></code></pre>
<p>根据特定字段过滤事件</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token assign-left variable">proc.name</span><span class="token operator">=</span>httpd and evt.type<span class="token operator">!=</span>open
</span></code></pre>
<p>运行凿子（chisel）以获得高级功能</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> topprocs_cpu
</span></code></pre>
<p>列出所有可用字段</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-l</span>
</span></code></pre>
<p>列出所有可用的凿子（chisel）</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-cl</span>
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="容器"><a aria-hidden="true" tabindex="-1" href="#容器"><span class="icon icon-link"></span></a>容器</h3><div class="wrap-body">
<p>查看具有容器上下文的进程列表</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-pc</span>
</span></code></pre>
<p>查看 <code>wordpress1</code> 容器中运行的进程的CPU使用率</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-pc</span> <span class="token parameter variable">-c</span> topprocs_cpu <span class="token assign-left variable">container.name</span><span class="token operator">=</span>wordpress1
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>查看对基于 <code>Kubernetes</code> 的 <code>mySQL</code> 服务发出的热门 <code>HTTP</code> 请求</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-k</span> http://127.0.0.1:8080 <span class="token parameter variable">-c</span> httptop <span class="token assign-left variable">k8s.svc.name</span><span class="token operator">=</span>mysql
</span></code></pre>
<!--rehype:className=wrap-text -->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="文件系统"><a aria-hidden="true" tabindex="-1" href="#文件系统"><span class="icon icon-link"></span></a>文件系统</h3><div class="wrap-body">
<p>列出使用最多文件数的进程</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> fdcount_by proc.name <span class="token string">"fd.type=file"</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>观察名为“passwd”的所有文件的 I/O 活动</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-A</span> <span class="token parameter variable">-c</span> echo_fds <span class="token string">"fd.filename=passwd"</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="安全"><a aria-hidden="true" tabindex="-1" href="#安全"><span class="icon icon-link"></span></a>安全</h3><div class="wrap-body">
<p>显示 <code>root</code> 用户切换（chdir）到的目录</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-p</span> <span class="token string">"%evt.arg.path"</span> <span class="token string">"evt.type=chdir and user.name=root"</span>
</span></code></pre>
<!--rehype:className=wrap-text -->
<p>观察 <code>ssh</code> 活动</p>
<pre class="wrap-text "><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-A</span> <span class="token parameter variable">-c</span> echo_fds <span class="token assign-left variable">fd.name</span><span class="token operator">=</span>/dev/ptmx and <span class="token assign-left variable">proc.name</span><span class="token operator">=</span>sshd
</span></code></pre>
<!--rehype:className=wrap-text -->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="日志"><a aria-hidden="true" tabindex="-1" href="#日志"><span class="icon icon-link"></span></a>日志</h3><div class="wrap-body">
<p>显示来自 python 的所有系统日志消息</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> spy_syslog <span class="token assign-left variable">proc.name</span><span class="token operator">=</span>python
</span></code></pre>
<p>实时跟踪（tail）系统中的所有日志文件</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ sysdig <span class="token parameter variable">-c</span> spy_logs
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="csysdig"><a aria-hidden="true" tabindex="-1" href="#csysdig"><span class="icon icon-link"></span></a>CSysdig</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ csysdig <span class="token parameter variable">-m</span> http://127.0.0.1:8080
</span></code></pre>
<p>使用 Mesos 元数据运行 Csysdig（Sysdig 基于 curses 的 UI）</p>
</div></div></div></div></div><div class="wrap h2body-not-exist"><div class="wrap-header h2wrap"><h2 id="另见"><a aria-hidden="true" tabindex="-1" href="#另见"><span class="icon icon-link"></span></a>另见</h2><div class="wrap-body">
<ul>
<li><a href="https://github.com/draios/sysdig/wiki">sysdig wiki</a> <em>(github.com)</em></li>
<li><a href="https://sysdig.com/">sysdig 官网</a> <em>(sysdig.com)</em></li>
<li><a href="https://sysdig.com/blog/linux-troubleshooting-cheatsheet/">Linux 故障排除速查表：strace、htop、lsof、tcpdump、iftop 和 sysdig</a> <em>(sysdig.com)</em></li>
</ul>
</div></div><div class="h2wrap-body"></div></div></div><script src="https://giscus.app/client.js" data-repo="jaywcjlove/reference" data-repo-id="R_kgDOID2-Mw" data-category="Q&#x26;A" data-category-id="DIC_kwDOID2-M84CS5wo" data-mapping="pathname" data-strict="0" data-reactions-enabled="1" data-emit-metadata="0" data-input-position="bottom" data-theme="dark" data-lang="zh-CN" crossorigin="anonymous" async></script><div class="giscus"></div></div><footer class="footer-wrap"><footer class="max-container">© 2022 <a href="https://wangchujiang.com/#/app" target="_blank">Kenny Wang</a>.</footer></footer><script src="../data.js?v=1.8.3" defer></script><script src="../js/fuse.min.js?v=1.8.3" defer></script><script src="../js/main.js?v=1.8.3" defer></script><div id="mysearch"><div class="mysearch-box"><div class="mysearch-input"><div><svg xmlns="http://www.w3.org/2000/svg" height="1em" width="1em" viewBox="0 0 18 18">
<path fill="currentColor" d="M17.71,16.29 L14.31,12.9 C15.4069846,11.5024547 16.0022094,9.77665502 16,8 C16,3.581722 12.418278,0 8,0 C3.581722,0 0,3.581722 0,8 C0,12.418278 3.581722,16 8,16 C9.77665502,16.0022094 11.5024547,15.4069846 12.9,14.31 L16.29,17.71 C16.4777666,17.8993127 16.7333625,18.0057983 17,18.0057983 C17.2666375,18.0057983 17.5222334,17.8993127 17.71,17.71 C17.8993127,17.5222334 18.0057983,17.2666375 18.0057983,17 C18.0057983,16.7333625 17.8993127,16.4777666 17.71,16.29 Z M2,8 C2,4.6862915 4.6862915,2 8,2 C11.3137085,2 14,4.6862915 14,8 C14,11.3137085 11.3137085,14 8,14 C4.6862915,14 2,11.3137085 2,8 Z"></path>
</svg><input id="mysearch-input" type="search" placeholder="搜索" autocomplete="off"><div class="mysearch-clear"></div></div><button id="mysearch-close" type="button">搜索</button></div><div class="mysearch-result"><div id="mysearch-menu"></div><div id="mysearch-content"></div></div></div></div></body>
</html>