Sysdig 是一個超級系統(tǒng)工具，比 strace、tcpdump、lsof 加起來還強大?？捎脕聿东@系統(tǒng)狀態(tài)信息，保存數(shù)據(jù)并進行過濾和分析。使用 Lua 開發(fā)，提供命令行接口以及強大的交互界面。

使用示例：

網(wǎng)絡(luò)

• 查看占用網(wǎng)絡(luò)帶寬最多的進程

sysdig -c topprocs_net

• 顯示主機192.168.0.1的網(wǎng)絡(luò)傳輸數(shù)據(jù)

as binary:
sysdig -s2000 -X -c echo_fds fd.cip=192.168.0.1
as ASCII:
sysdig -s2000 -A -c echo_fds fd.cip=192.168.0.1

• 查看連接最多的服務(wù)器端口

in terms of established connections:
sysdig -c fdcount_by fd.sport "evt.type=accept"
in terms of total bytes:
sysdig -c fdbytes_by fd.sport

• 查看客戶端連接最多的ip

in terms of established connections
sysdig -c fdcount_by fd.cip "evt.type=accept"
in terms of total bytes
sysdig -c fdbytes_by fd.cip

• 列出所有不是訪問apache服務(wù)的訪問連接

sysdig -p"%proc.name %fd.name" "evt.type=accept and proc.name!=httpd"

容器

• 查看機器上運行的容器列表及其資源使用情況

sudo csysdig -vcontainers

• 查看容器上下文的進程列表

sudo csysdig -pc

• 查看運行在wordpress1容器里CPU的使用率

sudo sysdig -pc -c topprocs_cpu container.name=wordpress1

• 查看運行在wordpress1容器里網(wǎng)絡(luò)帶寬的使用率

sudo sysdig -pc -c topprocs_net container.name=wordpress1

• 查看在wordpress1容器里使用網(wǎng)絡(luò)帶寬最多的進程

sudo sysdig -pc -c topprocs_net container.name=wordpress1

• 查看在wordpress1 容器里占用 I/O 字節(jié)最多的文件

sudo sysdig -pc -c topfiles_bytes container.name=wordpress1

• 查看在wordpress1 容器里網(wǎng)絡(luò)連接的排名情況

sudo sysdig -pc -c topconns container.name=wordpress1

• 顯示wordpress1容器里所有命令執(zhí)行的情況

sudo sysdig -pc -c spy_users container.name=wordpress1

應(yīng)用

• 查看機器所有的HTTP請求

sudo sysdig -s 2000 -A -c echo_fds fd.port=80 and evt.buffer contains GET

• 查看機器所有的SQL select查詢

sudo sysdig -s 2000 -A -c echo_fds evt.buffer contains SELECT

• See queries made via apache to an external MySQL server happening in real time

sysdig -s 2000 -A -c echo_fds fd.sip=192.168.30.5 and proc.name=apache2 and evt.buffer contains SELECT

硬盤 I/O

• 查看使用硬盤帶寬最多的進程

sysdig -c topprocs_file

• 列出使用大量文件描述符的進程

sysdig -c fdcount_by proc.name "fd.type=file"

• See the top files in terms of read+write bytes

sysdig -c topfiles_bytes

• Print the top files that apache has been reading from or writing to

sysdig -c topfiles_bytes proc.name=httpd

• Basic opensnoop: snoop file opens as they occur

sysdig -p "%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name" evt.type=open

• See the top directories in terms of R+W disk activity

sysdig -c fdbytes_by fd.directory "fd.type=file"

• See the top files in terms of R+W disk activity in the /tmp directory

sysdig -c fdbytes_by fd.filename "fd.directory=/tmp/"

• Observe the I/O activity on all the files named 'passwd'

sysdig -A -c echo_fds "fd.filename=passwd"

• Display I/O activity by FD type

sysdig -c fdbytes_by fd.type

進程和CPU使用率

• See the top processes in terms of CPU usage

sysdig -c topprocs_cpu

• See the top processes for CPU 0

sysdig -c topprocs_cpu evt.cpu=0

• Observe the standard output of a process

sysdig -s4096 -A -c stdout proc.name=cat

性能和錯誤

• See the files where most time has been spent

sysdig -c topfiles_time

• See the files where apache spent most time

sysdig -c topfiles_time proc.name=httpd

• See the top processes in terms of I/O errors

sysdig -c topprocs_errors

• See the top files in terms of I/O errors

sysdig -c topfiles_errors

• See all the failed disk I/O calls

sysdig fd.type=file and evt.failed=true

• See all the failed file opens by httpd

sysdig "proc.name=httpd and evt.type=open and evt.failed=true"

• See the system calls where most time has been spent

sysdig -c topscalls_time

• See the top system calls returning errors

sysdig -c topscalls "evt.failed=true"

• snoop failed file opens as they occur

sysdig -p "%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name" evt.type=open and evt.failed=true

• Print the file I/O calls that have a latency greater than 1ms:

sysdig -c fileslower 1

安全

• Show the directories that the user "root" visits

sysdig -p"%evt.arg.path" "evt.type=chdir and user.name=root"

• Observe ssh activity

sysdig -A -c echo_fds fd.name=/dev/ptmx and proc.name=sshd

• Show every file open that happens in /etc

sysdig evt.type=open and fd.name contains /etc

• Show the ID of all the login shells that have launched the "tar" command

sysdig -r file.scap -c list_login_shells tar

• Show all the commands executed by the login shell with the given ID

sysdig -r trace.scap.gz -c spy_users proc.loginshellid=5459