Commands & key bindings reminders

Published 09-28-2011 00:00:00


Sysdig

Record activity to file:

$ sudo sysdig -w tracefile.scap

Get the top processes by CPU usage from the trace file:

$ sudo sysdig -r tracefile.scap -c topprocs_cpu

Check for an open TCP port with bash, and send data to a TCP port (no nc or nmap needed on the box)

$ man bash

[ ... ]

REDIRECTION
[ ... ]

Bash handles several filenames specially when they are used in redirections,
as described in the following table:
   /dev/tcp/host/port
          If host is a valid hostname or Internet address, and port is an
          integer port number or service name, bash attempts to open a
          TCP  connection to the corresponding socket.

Port scan

Opening the pseudo-file is enough to test a port; only the exit status matters. The error text tells you why a connect failed: "Connection refused" means the host answered with a RST (port closed), a long wait ending in "Connection timed out" means the packets were dropped (port filtered), and "Network is unreachable" (as in the capture below) means there was no route to the host at all, so it says nothing about the port. Only bash supports /dev/tcp (not sh or dash), and only when it was built with net redirections enabled.

$ > /dev/tcp/google.com/1234
# May wait for the TCP connect timeout before failing
bash: connect: Network is unreachable
bash: /dev/tcp/google.com/1234: Network is unreachable
$ echo $?
1 # Connect failed (here: no route; a closed port answers "Connection refused")

$ > /dev/tcp/google.com/80
$ echo $?
0 # Port is open
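As an added example that is not part of the original page: a small port checker built on the /dev/tcp redirection above, so it works on hosts that have bash but no nc or nmap. It assumes a bash built with net redirections and, for the connect timeout, GNU coreutils timeout(1); without timeout(1) a filtered port blocks until the kernel's own connect timeout expires. The verdict names, return-code scheme and function names (tcp_check, tcp_scan) are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): port checker on bash's /dev/tcp.
# Assumptions: bash with net redirections; GNU coreutils timeout(1) if present.

# tcp_check HOST PORT [SECONDS]
# Prints "HOST:PORT verdict" and returns 0 open, 1 closed (RST received),
# 2 filtered (no answer before the timeout), 3 unreachable/other, 64 bad args.
tcp_check() {
    host=$1 port=$2 secs=${3:-3}
    case $port in
        ''|*[!0-9]*) echo "tcp_check: bad port '$port'" >&2; return 64 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "tcp_check: port out of range" >&2; return 64; }
    [ -n "$host" ] || { echo "tcp_check: missing host" >&2; return 64; }

    # bash has no connect timeout of its own; use timeout(1) when available.
    tmo=""
    command -v timeout >/dev/null 2>&1 && tmo="timeout $secs"

    # HOST and PORT go in as positional parameters, never interpolated into the
    # bash -c string, so a hostile hostname cannot inject shell commands.
    # stderr is captured to classify the failure; stdout is discarded.
    if err=$($tmo bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>&1 >/dev/null); then
        rc=0
    else
        rc=$?
    fi

    case "$rc:$err" in
        0:*)                    verdict=open;        rc=0 ;;
        124:*)                  verdict=filtered;    rc=2 ;;  # timeout(1) killed the attempt
        *"Connection refused"*) verdict=closed;      rc=1 ;;
        *"timed out"*)          verdict=filtered;    rc=2 ;;  # kernel connect timeout
        *)                      verdict=unreachable; rc=3 ;;  # no route, DNS failure, ...
    esac
    echo "$host:$port $verdict"
    return $rc
}

# tcp_scan HOST FROM TO [SECONDS]
# Checks every port in the range, prints the open ones, returns 0 if any was open.
tcp_scan() {
    s_host=$1 p=$2 s_to=$3 s_secs=${4:-1} s_found=1
    while [ "$p" -le "$s_to" ]; do
        if line=$(tcp_check "$s_host" "$p" "$s_secs"); then
            echo "$line"
            s_found=0
        fi
        p=$((p + 1))
    done
    return $s_found
}

# Demo on loopback: nothing normally listens on 20-25, so expect no output.
tcp_scan 127.0.0.1 20 25 1 || echo "no open port in 127.0.0.1:20-25"
```

Each probe is a full TCP handshake from your own address, so this is a noisy connect scan, not a stealth one; the timeout is per port, so keep it short when sweeping a range.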

Send data

Terminal 1 (listener, started first):

$ nc -l -p 4123
stop whining
$

Terminal 2 (sender):

$ echo "stop whining" > /dev/tcp/localhost/4123
$

nc -l -p PORT is the traditional/GNU netcat syntax; OpenBSD netcat takes the port as an argument (nc -l 4123).

tcpdump (http://danielmiessler.com/study/tcpdump/)

Useful parameters

-i any : Listen on all interfaces, just to see whether any traffic is arriving.
-n : Don't resolve hostnames.
-nn : Don't resolve hostnames or port names.
-X : Show the packet's contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c N : Capture N packets and then stop.
-s N : Set the snaplength (bytes captured per packet). Use -s0 to capture whole packets, unless you are intentionally capturing less.
-S : Print absolute TCP sequence numbers instead of relative ones.
-e : Print the ethernet (link-layer) header as well.
-E : Decrypt IPsec ESP traffic by providing the key. The key then shows up in the process list and shell history, so use it on a throwaway key or clear the history afterwards.

Example

# tcpdump -i eth0 -nnvvXSs 0 'tcp and host host.example.com and (dst port 80 or 443)'

Quote the filter expression: unquoted parentheses are parsed by the shell, not by tcpdump, and the command fails with a syntax error.

lsof

Basic: which files is a process using?

$ lsof -p 41256

COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
[...] 
tail    41256 root    3r   REG    8,2      336 1974899 /var/log/messages
[...]

Useful information about Internet connections

Use the -i [46][protocol][@hostname|hostaddr][:service|port] switch. Add -n and -P to skip host and port name lookups: faster, and no DNS queries leak towards a possibly hostile network while you investigate.

$ lsof -i4TCP@www.google.fr:80

COMMAND   PID   USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
nc      10924   klyr    3u  IPv4 12514117      0t0  TCP 192.168.2.17:47553->fx-in-f99.1e100.net:www (ESTABLISHED)

Which process is using a file?

Simply point lsof at the file.

$ lsof /var/log/messages

COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
tail    11248 root    3r   REG    8,2      336 1974899 /var/log/messages

Text manipulation

  • column - columnate lists
  • join - join lines of two files on a common field
  • comm - compare two sorted files line by line
  • paste - merge lines of files
  • tac - concatenate and print files in reverse
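As an added example, not from the original page: sort, comm, join and paste applied to the comparison a file-integrity check does, two "hash path" listings (a baseline and a current one). The listings are constructed sample data with placeholder hashes, and the function names (make_samples, listing_diff, listing_modified) are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): diff two "hash path" listings
# with comm(1) and join(1). The listings below are constructed sample data.
export LC_ALL=C   # comm and join need both inputs sorted in the same collation

# make_samples DIR : write the constructed baseline and current listings
make_samples() {
    cat > "$1/base" <<'EOF'
aaaa /usr/bin/ssh
bbbb /usr/bin/sudo
cccc /usr/bin/passwd
EOF
    cat > "$1/cur" <<'EOF'
aaaa /usr/bin/ssh
dddd /usr/bin/sudo
eeee /usr/bin/nc
EOF
}

# listing_diff MODE BASE CUR : whole-line comparison with comm(1).
#   added   -> lines only in CUR   (comm -13: suppress columns 1 and 3)
#   removed -> lines only in BASE  (comm -23)
#   common  -> lines in both       (comm -12)
# A file whose hash changed shows up as both removed and added.
listing_diff() {
    ld_tmp=$(mktemp -d) || return 1
    sort "$2" > "$ld_tmp/base"
    sort "$3" > "$ld_tmp/cur"
    case $1 in
        added)   comm -13 "$ld_tmp/base" "$ld_tmp/cur" ;;
        removed) comm -23 "$ld_tmp/base" "$ld_tmp/cur" ;;
        common)  comm -12 "$ld_tmp/base" "$ld_tmp/cur" ;;
        *) rm -rf "$ld_tmp"; echo "listing_diff: unknown mode '$1'" >&2; return 64 ;;
    esac
    rm -rf "$ld_tmp"
}

# listing_modified BASE CUR : paths present in both with a different hash.
# join(1) pairs lines on field 2 (the path), so both inputs are sorted on that
# field; the output is "path old_hash new_hash" and awk keeps the mismatches.
listing_modified() {
    lm_tmp=$(mktemp -d) || return 1
    sort -k2,2 "$1" > "$lm_tmp/base"
    sort -k2,2 "$2" > "$lm_tmp/cur"
    join -1 2 -2 2 "$lm_tmp/base" "$lm_tmp/cur" | awk '$2 != $3'
    rm -rf "$lm_tmp"
}

# Demo: paste -s joins each result onto a single line for compact output.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "added:    $(listing_diff added   "$demo_dir/base" "$demo_dir/cur" | paste -sd ' ' -)"
echo "removed:  $(listing_diff removed "$demo_dir/base" "$demo_dir/cur" | paste -sd ' ' -)"
echo "modified: $(listing_modified "$demo_dir/base" "$demo_dir/cur")"
rm -rf "$demo_dir"
```

The LC_ALL=C export matters: comm and join check that their inputs are sorted, and a listing sorted under a UTF-8 locale can be reported as unsorted in the C locale (and vice versa).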

Editors

Zap to char

Delete from the cursor up to the next occurrence of ")".

  • Emacs: M-z ) (kills through the ")" as well)
  • Vim : dt) (stops just before the ")"; df) deletes it too)

Kill the balanced expression (sexp) after point.

  • Emacs: C-M-k

Rectangles

Emacs:

  • C-x r
    • k: Kill the rectangle
    • y: Yank the rectangle
    • o: Insert space into the rectangle
    • t: Replace text of the rectangle
    • c: Clear rectangle (replace with space)

Less

Type &pattern to display only the lines matching the pattern, like grep pattern | less but without leaving the pager; type & followed by an empty pattern to turn the filter off again.