输入这两个个命令，看连接状态和80端口连接数netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'netstat -ano | grep -i “80”|wc -l输入如下命令：tcpdump -s0 -A -n -i any | grep -o -E '(GET|POST|HEAD) .*'正常的输出结果类似于这样POST /ajax/validator.php HTTP/1.1POST /api_redirect.php HTTP/1.1GET /team/57085.html HTTP/1.1POST /order/pay.php HTTP/1.1GET /static/goodsimg/20140324/1_47.jpg HTTP/1.1GET /static/theme/qq/css/index.css HTTP/1.1GET /static/js/index.js HTTP/1.1GET /static/js/customize.js HTTP/1.1GET /ajax/loginjs.php?type=topbar& HTTP/1.1GET /static/js/jquery.js HTTP/1.1GET /ajax/load_team_time.php?team_id=57085 HTTP/1.1GET /static/theme/qq/css/index.css HTTP/1.1正常命令结果以静态文件为主，比如css,js,各种图片。如果是被攻击，会出现大量固定的地址比如攻击的是首页，会有大量的“GET / HTTP/1.1”，或者有一定特征的地址比如攻击的如果是Discuz论坛，那么可能会出现大量的“/thread-随机数字-1-1.html”这样的地址。如果机器上的网站太多，可以用下面的命令找出是哪个网站在被大量请求tcpdump -s0 -A -n -i any | grep ^Host一般系统不会默认安装tcpdump命令centos安装方法：yum install -y tcpdumpdebian/ubuntu安装方法：apt-get install -y tcpdump