Core Linux Network Management Commands

2.1 ip: network configuration tool

2.1.1 Command description

Function:

The ip command is a powerful network configuration tool from the iproute package. It displays or manages a Linux system's routes, network devices, policy routing and tunnels.

Options:

Option : Description (entries marked @ are the important ones)

  • -s : Print more detailed information; repeat the option to get even more detail
  • -r : When showing hosts, use the host's domain name instead of its IP address
  • Network object : the object to manage (link: network device; address: IP address; addrlabel: protocol address label management; route: routing table; rule: policy routing table; tunnel: IP tunnel)
  • help : ip help shows the help for the ip command; ip [object] help shows the help for the given network object
  • Operation command : the operation to carry out on the chosen network object. Each operation usually takes its own set of command options, and different objects support different operations. The common operations per object are:
      link : set (modify device attributes), show (display device attributes)
      address : add (add a protocol address), del (delete a protocol address), flush (clear protocol addresses), show (display protocol addresses)
      addrlabel : add, del, list, flush
      route : add, change, replace, delete, show, flush, get
      rule : add, delete, flush, show
      tunnel : add, change, delete, prl, show

2.1.2 Usage examples

(1) Show network device attributes

[root@Mr_chen ~]# ip link show eth0 # show eth0's attributes
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:a8:ca:50 brd ff:ff:ff:ff:ff:ff
[root@Mr_chen ~]# ip -s link show eth0  # show detailed attributes
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:a8:ca:50 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   # packet statistics for each network device
    37242      432      0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    22769      178      0       0       0       0      
[root@Mr_chen ~]# ip -s -s link show eth0   # two -s flags show even more detail
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:a8:ca:50 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    44464      523      0       0       0       0      
    RX errors: length  crc     frame   fifo    missed
               0        0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    26699      209      0       0       0       0      
    TX errors: aborted fifo    window  heartbeat
               0        0       0       0      

(2) Bring a network device down and up

[root@Mr_chen ~]# ip link show eth1
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:0c:29:a8:ca:5a brd ff:ff:ff:ff:ff:ff
[root@Mr_chen ~]# ip link set eth1 up   # bring eth1 up
[root@Mr_chen ~]# ip link show dev eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:a8:ca:5a brd ff:ff:ff:ff:ff:ff
[root@Mr_chen ~]# ip link set eth1 down # bring eth1 down
[root@Mr_chen ~]# ip link show eth1
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:0c:29:a8:ca:5a brd ff:ff:ff:ff:ff:ff

(3) Change a NIC's MAC address

[root@Mr_chen ~]# ip link show eth1 
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:0c:29:a8:ca:5a brd ff:ff:ff:ff:ff:ff
[root@Mr_chen ~]# ip link set eth1 address 0:0c:29:a8:ca:5f # change the MAC address
[root@Mr_chen ~]# ip link show eth1
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:0c:29:a8:ca:5f brd ff:ff:ff:ff:ff:ff

(4) View NIC information

[root@Mr_chen ~]# ip a  # same effect as ip address; the output includes both up and down NICs
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:a8:ca:50 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.100/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::20c:29ff:fea8:ca50/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:0c:29:a8:ca:5f brd ff:ff:ff:ff:ff:ff
[root@Mr_chen ~]# ip link   # compared with ip a, the IP address details are missing
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:a8:ca:50 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:0c:29:a8:ca:5f brd ff:ff:ff:ff:ff:ff

(5) Add or delete an IP address

[root@Mr_chen ~]# ip a show eth1 # show eth1's IP address: none configured yet
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:0c:29:a8:ca:5f brd ff:ff:ff:ff:ff:ff
[root@Mr_chen ~]# ip a add 192.168.0.222/24 dev eth1    # add an IP address
[root@Mr_chen ~]# ip a show eth1    # the IP address is shown, but the NIC is still down
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:0c:29:a8:ca:5f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.222/24 scope global eth1
[root@Mr_chen ~]# ip link set eth1 up   # bring the NIC up
[root@Mr_chen ~]# ip a show eth1    # eth1 is now running normally
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:a8:ca:5f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.222/24 scope global eth1
    inet6 fe80::20c:29ff:fea8:ca5f/64 scope link 
       valid_lft forever preferred_lft forever
[root@Mr_chen ~]# ip a add 192.168.0.223/24 dev eth1    # several IPs can be added; these are called secondary IPs
[root@Mr_chen ~]# ip a show eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:a8:ca:5f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.222/24 scope global eth1
    inet 192.168.0.223/24 scope global secondary eth1
    inet6 fe80::20c:29ff:fea8:ca5f/64 scope link 
       valid_lft forever preferred_lft forever
[root@Mr_chen ~]# ip a del 192.168.0.222/24 dev eth1    # delete the primary IP, i.e. the first address
[root@Mr_chen ~]# ip a show eth1    # all the IPs are gone
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:a8:ca:5f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::20c:29ff:fea8:ca5f/64 scope link 
       valid_lft forever preferred_lft forever
[root@Mr_chen ~]# ip a add 192.168.0.222/24 dev eth1    # add two IP addresses
[root@Mr_chen ~]# ip a add 192.168.0.223/24 dev eth1
[root@Mr_chen ~]# ip a del 192.168.0.223/24 dev eth1    # delete the secondary IP
[root@Mr_chen ~]# ip a show eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:a8:ca:5f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.222/24 scope global eth1     # the primary IP is kept
    inet6 fe80::20c:29ff:fea8:ca5f/64 scope link 
       valid_lft forever preferred_lft forever

Summary:

  • Deleting a NIC's primary IP address also deletes all other IP addresses on that NIC
  • Deleting a secondary IP address does not affect the NIC's other IP addresses.

Question
How do we create an alias IP on a NIC with the ip command?

[root@Mr_chen ~]# ip a add 192.168.0.225/24 dev eth1 label eth1:1   # use the label option to create an alias IP
[root@Mr_chen ~]# ip a show eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:a8:ca:5f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.222/24 scope global eth1 # eth1's primary IP
    inet 192.168.0.223/24 scope global secondary eth1   # eth1's secondary IP
    inet 192.168.0.225/24 scope global secondary eth1:1 # eth1's alias IP
    inet6 fe80::20c:29ff:fea8:ca5f/64 scope link 
       valid_lft forever preferred_lft forever

Extra knowledge:
With the ifconfig command we can only see a NIC's alias IPs, not its secondary IPs.

[root@Mr_chen ~]# ip a show eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:a8:ca:5f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.222/24 scope global eth1
    inet 192.168.0.223/24 scope global secondary eth1   # secondary IP
    inet 192.168.0.225/24 scope global secondary eth1:1 # alias IP
    inet6 fe80::20c:29ff:fea8:ca5f/64 scope link 
       valid_lft forever preferred_lft forever
[root@Mr_chen ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:A8:CA:50  
          inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea8:ca50/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5857 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1019 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:420049 (410.2 KiB)  TX bytes:119175 (116.3 KiB)

eth1      Link encap:Ethernet  HWaddr 00:0C:29:A8:CA:5F  
          inet addr:192.168.0.222  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea8:ca5f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4212 (4.1 KiB)  TX bytes:936 (936.0 b)

eth1:1    Link encap:Ethernet  HWaddr 00:0C:29:A8:CA:5F     # alias IP
          inet addr:192.168.0.225  Bcast:0.0.0.0  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

(6) View the routing table

[root@Mr_chen ~]# ip route
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.100 
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.222 
169.254.0.0/16 dev eth0  scope link  metric 1002 
default via 192.168.0.1 dev eth0 
[root@Mr_chen ~]# ip route | column -t  # format with the column command; -t builds a table, splitting each input line into columns on whitespace by default
192.168.0.0/24  dev  eth0         proto  kernel  scope   link  src  192.168.0.100
192.168.0.0/24  dev  eth1         proto  kernel  scope   link  src  192.168.0.222
169.254.0.0/16  dev  eth0         scope  link    metric  1002
default         via  192.168.0.1  dev    eth0
[root@Mr_chen ~]# route -n  # compare with the route command we learned earlier
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0

(7) Add or delete routes

[root@Mr_chen ~]# ip route add 192.168.1.0/24 via 192.168.0.254 dev eth1    # add a static route
[root@Mr_chen ~]# ip route | column -t
192.168.1.0/24  via  192.168.0.254  dev    eth1
192.168.0.0/24  dev  eth0           proto  kernel  scope   link  src  192.168.0.100
192.168.0.0/24  dev  eth1           proto  kernel  scope   link  src  192.168.0.222
169.254.0.0/16  dev  eth0           scope  link    metric  1002
default         via  192.168.0.1    dev    eth0
[root@Mr_chen ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     192.168.0.254   255.255.255.0   UG    0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
[root@Mr_chen ~]# ip route del 192.168.1.0/24   # delete the static route
[root@Mr_chen ~]# ip route | column -t
192.168.0.0/24  dev  eth0         proto  kernel  scope   link  src  192.168.0.100
192.168.0.0/24  dev  eth1         proto  kernel  scope   link  src  192.168.0.222
169.254.0.0/16  dev  eth0         scope  link    metric  1002
default         via  192.168.0.1  dev    eth0

2.2 netstat: view network status

2.2.1 Command details

Function:

The netstat command displays the local host's network connections, listening ports, routing table and related information.

Options:

Option : Description (entries marked @ are the important ones)

  • -r : show the routing table; similar to the route and ip route commands learned earlier
  • -g : show multicast group membership; similar to ip maddr
  • -i : show network interface information; similar to ip -s link
  • -s : show per-protocol statistics
  • -n : show numeric addresses instead of resolving host, port and user names. By default netstat tries to resolve and display hostnames, which is usually slow and unnecessary @
  • -a : show sockets in both listening and non-listening states @
  • -A : show connections of the given address family
  • -c <seconds> : refresh the display every given number of seconds @
  • -l : show only sockets in the LISTEN state
  • -t : show all TCP connections @
  • -u : show all UDP connections @
  • -p : show the PID and name of the process owning each socket @

2.2.2 Usage examples

Basic examples

(1) Common option combination one

[root@localhost ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      
tcp        0     64 192.168.0.233:22            192.168.0.253:54737         ESTABLISHED 
tcp        0      0 :::22                       :::*                        LISTEN      
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     7510   @/com/ubuntu/upstart
unix  2      [ ]         DGRAM                    7857   @/org/kernel/udev/udevd
unix  4      [ ]         DGRAM                    8910   /dev/log
unix  2      [ ]         DGRAM                    9187   
unix  2      [ ]         DGRAM                    8976   
unix  3      [ ]         DGRAM                    7874   
unix  3      [ ]         DGRAM                    7873   

Explanation of the first block (active Internet connections):

Column : Name : Meaning

  • Column 1 : Proto : the protocol the socket uses (TCP, UDP, RAW)
  • Column 2 : Recv-Q : bytes received but not yet read by the process
  • Column 3 : Send-Q : bytes sent but not yet acknowledged by the remote host
  • Column 4 : Local Address : local address and port
  • Column 5 : Foreign Address : remote address and port
  • Column 6 : State : socket state; usually only TCP sockets have one. Possible values include ESTABLISHED, SYN_SENT, SYN_RECV, FIN_WAIT1, FIN_WAIT2, TIME_WAIT and so on

Column 6 (State) values in detail

State : Meaning

  • ESTABLISHED : the socket has an established connection. One ESTABLISHED entry is generally counted as one concurrent connection to the service. This state matters a lot in production and deserves close attention
  • SYN_SENT : the socket is actively trying to establish a connection; it has sent its request and is waiting, without a matching reply yet
  • SYN_RECV : a connection request has been received from the network
  • FIN_WAIT1 : the socket is closed and the connection is shutting down
  • FIN_WAIT2 : the connection is closed and the socket is waiting for the remote end to shut down
  • TIME_WAIT : the socket is waiting after close to handle packets still in the network. This state also matters a lot in production and deserves close attention
  • CLOSED : the socket is no longer in use
  • CLOSE_WAIT : the remote end has shut down, waiting for the socket to close
  • LAST_ACK : the remote end has shut down and the socket is closed, waiting for the acknowledgement
  • LISTEN : the socket is listening for connection requests
  • CLOSING : the socket is closed, but we still have data that has not been sent
  • UNKNOWN : the state of the socket is unknown

(2) Common option combination two

[root@localhost ~]# netstat -lntup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      879/sshd            
tcp        0     64 192.168.0.233:22            192.168.0.253:54737         ESTABLISHED 923/sshd            
tcp        0      0 :::22                       :::*                        LISTEN      879/sshd 

The command above shows all listening TCP and UDP connections

  • -l : show all connections in the LISTEN state
  • -n : show IP addresses; do not resolve them to hostnames or domain names
  • -t : show all TCP connections
  • -u : show all UDP connections
  • -p : show the process ID and process name

(3) Show the system's routing table

[root@localhost ~]# netstat -rn # -r shows the routing table; -n skips DNS resolution so the command runs faster
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth0

Tip: this command is equivalent to route -n

(4) Option -i shows the network interface status

[root@localhost ~]# netstat -i
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0     4103      0      0      0      403      0      0      0 BMRU
lo        16436   0        0      0      0      0        0      0      0      0 LRU

Explanation of the output:

  • Iface : name of the network interface
  • MTU : maximum transmission unit, in bytes
  • RX-OK/TX-OK : number of packets received/sent without error
  • RX-ERR/TX-ERR : number of errors while receiving/sending packets
  • RX-DRP/TX-DRP : number of packets dropped while receiving/sending
  • RX-OVR/TX-OVR : number of packets lost to overruns
  • Flg : interface flags, with the following meanings:
      L : the interface is a loopback device
      B : a broadcast address is set
      M : the interface receives all packets
      R : the interface is running
      U : the interface is up
      O : ARP is disabled on the interface
      P : a point-to-point connection

Normally RX-ERR/TX-ERR, RX-DRP/TX-DRP and RX-OVR/TX-OVR should all be 0. If any of them is non-zero and large, there is certainly a problem with the network quality, and transfer performance will suffer.
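As an added example that is not part of the original page, the following shell check applies that rule to netstat -i output: it reports every interface with a non-zero error, drop or overrun counter and exposes a pass/fail exit status that a cron job can act on. The interface table it runs on is constructed for the example (eth1's counters are invented), and the column positions assume the net-tools layout shown above.

```sh
#!/bin/sh
# Added example: flag interfaces whose error/drop/overrun counters are non-zero.
# SAMPLE_NETSTAT_I is a constructed "netstat -i" snippet; eth1's counters are made up.
SAMPLE_NETSTAT_I=$(cat <<'EOF'
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0     4103      0      0      0      403      0      0      0 BMRU
eth1       1500   0   981234    512   2048      0   440021      0     17      0 BMRU
lo        16436   0        0      0      0      0        0      0      0      0 LRU
EOF
)

# Columns: 1 Iface, 2 MTU, 3 Met, 4 RX-OK, 5 RX-ERR, 6 RX-DRP, 7 RX-OVR,
#          8 TX-OK, 9 TX-ERR, 10 TX-DRP, 11 TX-OVR, 12 Flg.
# Header lines are skipped by requiring a numeric MTU in column 2.
# Prints one line per interface with any non-zero error, drop or overrun
# counter, and nothing at all when every interface is clean.
iface_errors() {
    awk '$2 ~ /^[0-9]+$/ && ($5 + $6 + $7 + $9 + $10 + $11) > 0 {
             printf "%s rx-err=%d rx-drp=%d rx-ovr=%d tx-err=%d tx-drp=%d tx-ovr=%d\n",
                    $1, $5, $6, $7, $9, $10, $11 }'
}

# Exit 0 when all interfaces are clean, 1 otherwise, so it can gate an alert.
ifaces_clean() {
    [ -z "$(iface_errors)" ]
}

# Stand-alone run over the sample; on a live host use "netstat -i | iface_errors".
printf '%s\n' "$SAMPLE_NETSTAT_I" | iface_errors
```

The counters are cumulative since the interface came up, so for alerting it is more useful to compare two runs a minute apart than to look at the absolute value; an old, one-off burst of drops would otherwise trigger on every run.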

Production case

(5) Count connections in each state

[root@Mr_chen ~]# netstat -n | awk '/^tcp/{Mr_chen[$NF]++}END{for(i in Mr_chen)print i,Mr_chen[i]}'
TIME_WAIT 6163
FIN_WAIT1 42
FIN_WAIT2 1056
ESTABLISHED 4542
SYN_RECV 53
LAST_ACK 30
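The one-liner above is the counting idea in its shortest form. As an added example that is not from the original page, the script below wraps the same count in reusable shell functions, feeds them a constructed netstat -ant snippet embedded in the script (addresses and counts are made up, not captured output), and adds a per-peer breakdown for one state: when the TIME_WAIT or SYN_RECV totals jump, the next question is whether one remote address accounts for most of them.

```sh
#!/bin/sh
# Added example: count TCP connection states and the peers behind them.
# SAMPLE_NETSTAT is a constructed "netstat -ant" snippet, not real output.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 192.168.0.233:22            192.168.0.253:54737         ESTABLISHED
tcp        0      0 192.168.0.233:80            10.0.0.5:40001              ESTABLISHED
tcp        0      0 192.168.0.233:80            10.0.0.5:40002              ESTABLISHED
tcp        0      0 192.168.0.233:80            10.0.0.5:40003              SYN_RECV
tcp        0      0 192.168.0.233:80            10.0.0.9:40010              TIME_WAIT
tcp        0      0 192.168.0.233:80            10.0.0.9:40011              TIME_WAIT
tcp6       0      0 :::22                       :::*                        LISTEN
EOF
)

# Print "STATE count" for every state seen, busiest first.
# Only tcp/tcp6 lines carry a state column, so other lines are skipped.
count_states() {
    awk '/^tcp/ { n[$NF]++ }
         END { for (s in n) printf "%s %d\n", s, n[s] }' | sort -k2,2nr -k1,1
}

# Number of connections in one state, e.g. "state_count TIME_WAIT".
state_count() {
    awk -v st="$1" '/^tcp/ && $NF == st { c++ } END { print c + 0 }'
}

# Remote addresses holding connections in one state (default ESTABLISHED),
# busiest first. Column 5 is "addr:port"; only the text after the last ':'
# is dropped, so IPv6 peers keep their full address.
peers_in_state() {
    awk -v st="${1:-ESTABLISHED}" '/^tcp/ && $NF == st {
             peer = $5; sub(/:[^:]*$/, "", peer); n[peer]++ }
         END { for (p in n) printf "%s %d\n", p, n[p] }' | sort -k2,2nr -k1,1
}

# Stand-alone run over the constructed sample; on a live host replace the
# printf with "netstat -ant |".
printf '%s\n' "$SAMPLE_NETSTAT" | count_states
printf '%s\n' "$SAMPLE_NETSTAT" | peers_in_state SYN_RECV
```

The functions rely on the state being the last column, which is true for netstat -ant but not for netstat -antp, where the PID/Program name column comes last; run the count without -p and look up the owning process separately once a suspicious peer is known.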

2.3 ss: view network status

2.3.1 Command details

Function:

  • ss is a tool similar to netstat and intended to replace it. It shows network status information, including TCP and UDP connections and ports. Its advantages are that it shows more, and more detailed, connection state information, and that it is faster and more efficient than netstat.
  • If the system lacks the ss command it has to be installed; ss belongs to the iproute package, so the install command is yum -y install iproute

Options:

Option : Description (entries marked @ are the important ones)

  • -n : show IP addresses without DNS resolution @
  • -r : try to resolve numeric IP addresses and ports
  • -a : show all sockets @
  • -l : show all listening sockets @
  • -o : show timer information
  • -e : show detailed socket information
  • -m : show socket memory usage
  • -p : show the process using each socket @
  • -i : show internal TCP information
  • -s : show socket usage statistics
  • -4 : show only IPv4 sockets
  • -6 : show only IPv6 sockets
  • -0 : show only PACKET sockets
  • -t : show only TCP sockets @
  • -u : show only UDP sockets @
  • -d : show only DCCP sockets
  • -w : show only RAW sockets
  • -x : show only Unix sockets

2.3.2 Usage examples

(1) Common option combination one

[root@Mr_chen ~]# ss -an    # show all socket connections
State       Recv-Q Send-Q                        Local Address:Port                          Peer Address:Port 
LISTEN      0      128                                      :::22                                      :::*     
LISTEN      0      128                                       *:22                                       *:*     
ESTAB       0      64                            192.168.0.233:22                           192.168.0.253:50985 
[root@Mr_chen ~]# ss -an | column -t    # the output above looks messy in a document, so format it with column
State   Recv-Q  Send-Q  Local             Address:Port         Peer  Address:Port
LISTEN  0       128     :::22             :::*
LISTEN  0       128     *:22              *:*
ESTAB   0       64      192.168.0.233:22  192.168.0.253:50985

(2) Common option combination two

[root@Mr_chen ~]# ss -lntup | column -t # show all listening TCP and UDP connections
Netid  State   Recv-Q  Send-Q  Local  Address:Port  Peer                    Address:Port
tcp    LISTEN  0       128     :::22  :::*          users:(("sshd",879,4))
tcp    LISTEN  0       128     *:22   *:*           users:(("sshd",879,3))

(3) Show socket statistics

[root@Mr_chen ~]# ss -s # count the current established, closed, orphaned and waiting TCP sockets
Total: 282 (kernel 285)
TCP:   3 (estab 1, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 1

Transport Total     IP        IPv6
*     285       -         -        
RAW   0         0         0        
UDP   0         0         0        
TCP   3         2         1        
INET      3         2         1        
FRAG      0         0         0     

When a server carries a large number of socket connections, this command is the usual way to get a high-level count; most ss options behave like their netstat counterparts.

2.4 ping: test network connectivity between hosts

2.4.1 Command details

Function:

The ping command tests network connectivity between hosts. It uses the ICMP protocol to send echo requests; if the remote host's network stack is working, it answers them, which tells us the host is up.

Options:

Option : Description (entries marked @ are the important ones)

  • -c <count> : number of ICMP packets to send; without it, ping keeps sending indefinitely @
  • -i <interval> : interval between two consecutive packets, default 1s @
  • -n : do not look up hostnames; show IP addresses directly
  • -q : only show the opening line and the closing statistics; suppress the per-packet output
  • -s <packet size> : size of the data sent; default 56 bytes, which with the 8-byte ICMP header makes a 64-byte ICMP packet
  • -t <ttl> : set the time to live (TTL) of the packets sent
  • -w <deadline> : exit ping once the deadline has passed
  • -W <timeout> : how long to wait for a reply

2.4.2 Usage examples

(1) Test connectivity to a target host

[root@localhost ~]# ping www.baidu.com  # ping takes a domain name or IP directly and keeps printing results
PING www.a.shifen.com (61.135.169.121) 56(84) bytes of data.
# shows the pinged domain name and its IP address; 56 bytes of data are sent
64 bytes from 61.135.169.121: icmp_seq=1 ttl=57 time=10.1 ms
# 64 bytes received from the target host; icmp_seq is the sequence number of the reply, ttl is the packet's time to live, time is the latency
64 bytes from 61.135.169.121: icmp_seq=2 ttl=57 time=46.4 ms
64 bytes from 61.135.169.121: icmp_seq=3 ttl=57 time=62.5 ms
^C  # until Ctrl+C terminates it
--- www.a.shifen.com ping statistics ---    # the ping statistics
3 packets transmitted, 3 received, 0% packet loss, time 2632ms  # 3 packets sent, 3 received, 0% loss, 2632ms in total
rtt min/avg/max/mdev = 10.175/39.730/62.569/21.911 ms
# rtt is the round-trip time; min/avg/max/mdev ==> minimum/average/maximum/mean deviation

Extra knowledge:

1) ping reports a time that serves as the latency measure for judging the quality of the network between the source and target hosts.
2) ping's output includes a TTL value. TTL (Time To Live) is the lifetime of the ICMP packet on the network. Different operating systems send ICMP packets with different initial TTLs; common values are 32, 64, 128 and 255. The TTL reflects how many routers the packet can still pass through: each router decrements it by 1, and once it reaches 0 the router no longer forwards the packet.

(2) Examples combining different ping options

[root@Mr_chen ~]# ping -c 3 -i 3 -s 1024 -t 255 www.baidu.com
PING www.baidu.com (61.135.169.121) 1024(1052) bytes of data.
1032 bytes from 61.135.169.121: icmp_seq=1 ttl=57 time=5.29 ms
1032 bytes from 61.135.169.121: icmp_seq=2 ttl=57 time=4.79 ms
1032 bytes from 61.135.169.121: icmp_seq=3 ttl=57 time=5.50 ms

--- www.baidu.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 6014ms
rtt min/avg/max/mdev = 4.795/5.198/5.507/0.304 ms

Explanation of the command:

  • -c 3 : send 3 ICMP packets
  • -i 3 : 3s between packets
  • -s 1024 : 1024-byte data size
  • -t 255 : TTL of 255
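Because ping is usually run by hand, its statistics block is easy to read but awkward to script. As an added example that is not from the original page, the functions below parse that block from a constructed transcript (one of four replies is lost, so the numbers differ from the real runs above) and turn it into a pass/fail check with loss and latency thresholds; the missing-statistics case, which is what a host that never answers looks like, is reported separately.

```sh
#!/bin/sh
# Added example: turn ping output into a scriptable reachability check.
# SAMPLE_PING is a constructed transcript (reply 2 lost), not real output.
SAMPLE_PING=$(cat <<'EOF'
PING www.baidu.com (61.135.169.121) 56(84) bytes of data.
64 bytes from 61.135.169.121: icmp_seq=1 ttl=57 time=10.1 ms
64 bytes from 61.135.169.121: icmp_seq=3 ttl=57 time=62.5 ms
64 bytes from 61.135.169.121: icmp_seq=4 ttl=57 time=46.4 ms

--- www.baidu.com ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3005ms
rtt min/avg/max/mdev = 10.100/39.667/62.500/21.920 ms
EOF
)

# Packet loss percentage from the statistics block (empty if ping never got there).
ping_loss() {
    sed -n 's/.* \([0-9.]*\)% packet loss.*/\1/p'
}

# Average round-trip time in ms, taken from the "min/avg/max/mdev" line
# (the line is absent when no reply arrived at all).
ping_avg_rtt() {
    sed -n 's|^rtt min/avg/max/mdev = [0-9.]*/\([0-9.]*\)/.*|\1|p'
}

# Highest TTL seen in the replies; with the usual initial values (64, 128, 255)
# the gap to the next one above is roughly the number of hops to the target.
ping_reply_ttl() {
    sed -n 's/.* ttl=\([0-9]*\) .*/\1/p' | sort -n | tail -n 1
}

# ping_ok MAX_LOSS_PCT MAX_AVG_RTT_MS < ping-output
# Exit 0 if loss and average rtt are within limits, 1 if either is exceeded,
# 2 if the statistics are missing (no reply at all, or ping was killed early).
ping_ok() {
    max_loss=$1; max_rtt=$2
    out=$(cat)
    loss=$(printf '%s\n' "$out" | ping_loss)
    rtt=$(printf '%s\n' "$out" | ping_avg_rtt)
    [ -n "$loss" ] && [ -n "$rtt" ] || return 2
    awk -v l="$loss" -v r="$rtt" -v ml="$max_loss" -v mr="$max_rtt" \
        'BEGIN { exit !(l <= ml && r <= mr) }'
}

# Stand-alone run over the sample; on a live host use e.g.
#   ping -c 4 -W 2 HOST | ping_ok 0 100
printf 'loss=%s%% avg_rtt=%sms ttl=%s\n' \
    "$(printf '%s\n' "$SAMPLE_PING" | ping_loss)" \
    "$(printf '%s\n' "$SAMPLE_PING" | ping_avg_rtt)" \
    "$(printf '%s\n' "$SAMPLE_PING" | ping_reply_ttl)"
```

Always pair the check with -c and -W when scripting it: without a count ping never prints the statistics block, and without a timeout a silent host holds the script for the default wait on every probe.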

2.5 nmap: network exploration tool and security/port scanner

2.5.1 Command details

Function:

nmap, short for Network Mapper, is an open-source network exploration and security auditing tool designed to scan large networks quickly. It discovers which hosts are on a network, which services (application name and version) they offer, and the type and version of their operating system.
If the system lacks nmap, install it with the following command:
yum -y install nmap

Options:

Option : Description (entries marked @ are the important ones)

  • -sS : TCP SYN scan @
  • -sT : TCP connect scan
  • -sn : no port scan, only check whether hosts are up; the same as -sP in older versions @
  • -sU : scan UDP ports
  • -sV : probe service version information
  • -Pn : scan only, do not ping the hosts first
  • -PS : probe the target host with SYN packets. Port 80 by default; ports can be given as -PS22 or -PS22-25,80,113,1050,35000, with no space between PS and the port list
  • -PU : probe with UDP ping
  • -O : enable TCP/IP fingerprinting to identify the remote host's operating system
  • -v : verbose output during the scan @
  • -S : set the source IP address of the scan
  • -g port : set the source port of the scan
  • -oN : write the scan results to a file
  • -iL filename : read the scan targets from a file
  • -p <ports> : ports to scan: a single port, several separated by commas, or a range written with "-" @
  • -n : no DNS resolution, faster scanning @
  • --exclude : exclude the given hosts
  • --excludefile : exclude the hosts listed in a file

2.5.2 Usage examples

(1) View the ports currently open on a host

[root@Mr_chen ~]# nmap 192.168.0.1  # target host given directly; by default ports 1~1000 are scanned

Starting Nmap 5.51 ( http://nmap.org ) at 2018-02-28 08:23 EST
Nmap scan report for localhost (192.168.0.1)
Host is up (0.014s latency).        # the target host is up
Not shown: 999 closed ports         # 999 ports closed
PORT   STATE SERVICE
80/tcp open  http                   # port 80 open, http service
MAC Address: CC:B2:55:DF:3C:83 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds

(2) Scan specific ports on a host

[root@Mr_chen ~]# nmap -p 1024-65535 192.168.0.1    # -p specifies the port range

Starting Nmap 5.51 ( http://nmap.org ) at 2018-02-28 08:26 EST
Nmap scan report for localhost (192.168.0.1)
Host is up (0.039s latency).
Not shown: 64511 closed ports
PORT     STATE SERVICE
1780/tcp open  unknown
MAC Address: CC:B2:55:DF:3C:83 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 17.46 seconds

(3) Scan every IP on the LAN

[root@Mr_chen ~]# nmap 192.168.0.0/24   # scan the LAN using network/prefix notation

Starting Nmap 5.51 ( http://nmap.org ) at 2018-02-28 08:29 EST
Nmap scan report for localhost (192.168.0.1)
Host is up (0.0072s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: CC:B2:55:DF:3C:83 (Unknown)

Nmap scan report for localhost (192.168.0.129)
Host is up (0.092s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: F0:FE:6B:69:5B:1E (Unknown)

Nmap scan report for localhost (192.168.0.133)
Host is up (0.33s latency).
All 1000 scanned ports on localhost (192.168.0.133) are closed
MAC Address: BC:3D:85:FE:3F:DA (Unknown)

Nmap scan report for localhost (192.168.0.233)
Host is up (0.0000010s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for localhost (192.168.0.254)
Host is up (0.00016s latency).
Not shown: 992 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
902/tcp   open  iss-realsecure
912/tcp   open  apex-mesh
5678/tcp  open  rrac
10000/tcp open  snet-sensor-mgmt
MAC Address: 30:B4:9E:74:1B:3B (Unknown)

Nmap done: 256 IP addresses (5 hosts up) scanned in 19.27 seconds

[root@Mr_chen ~]# nmap -sn 192.168.0.0/24   # -sn skips the port scan

Starting Nmap 5.51 ( http://nmap.org ) at 2018-02-28 08:32 EST
Nmap scan report for localhost (192.168.0.1)
Host is up (0.0027s latency).
MAC Address: CC:B2:55:DF:3C:83 (Unknown)
Nmap scan report for localhost (192.168.0.233)
Host is up.
Nmap scan report for localhost (192.168.0.254)
Host is up (0.000071s latency).
MAC Address: 30:B4:9E:74:1B:3B (Unknown)
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.56 seconds

[root@Mr_chen ~]# nmap -sn 192.168.0.232-234    # scan using this address-range notation

Starting Nmap 5.51 ( http://nmap.org ) at 2018-02-28 08:34 EST
Nmap scan report for localhost (192.168.0.233)
Host is up.
Nmap done: 3 IP addresses (1 host up) scanned in 0.81 seconds

(4) Detect the target host's service and operating system versions

[root@Mr_chen ~]# nmap -O -sV 192.168.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2018-02-28 08:43 EST
Nmap scan report for localhost (192.168.0.1)
Host is up (0.0037s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Linksys wireless-G WAP http config (Name D-Link Wireless N Router DIR-600M)
MAC Address: CC:B2:55:DF:3C:83 (Unknown)
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.35 (likely embedded)
Network Distance: 1 hop
Service Info: Device: WAP

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.93 seconds

The output above contains not only the port numbers but also the service version numbers. On hosts with stricter security requirements it is best to hide service version numbers, so that attackers cannot exploit vulnerabilities specific to a service version.
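That advice applies to the hosts you operate, and the same scan output can tell you whether they expose anything they should not. As an added example that is not from the original page, the shell functions below audit a host's open ports against an expected baseline: they pull the open ports out of an nmap text report (a constructed report with made-up ports and addresses, in the same layout as the scans above) and list anything open that the baseline does not allow, so a scan of your own server becomes a drift check.

```sh
#!/bin/sh
# Added example: audit a host's open ports against an expected baseline.
# SAMPLE_NMAP is a constructed nmap text report; ports and addresses are made up.
SAMPLE_NMAP=$(cat <<'EOF'
Starting Nmap 5.51 ( http://nmap.org ) at 2018-02-28 08:43 EST
Nmap scan report for localhost (192.168.0.254)
Host is up (0.00016s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
443/tcp   open  https
5678/tcp  open  rrac
10000/tcp open  snet-sensor-mgmt
MAC Address: 30:B4:9E:74:1B:3B (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 2.93 seconds
EOF
)

# Print "port/proto service" for each port nmap reports with STATE exactly "open".
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# unexpected_ports PORT/PROTO ... < nmap-output
# Print open ports that are not in the allowlist; no output means the host
# exposes exactly what the baseline says it should.
unexpected_ports() {
    allow=" $* "
    open_ports | while read -r port svc; do
        case "$allow" in
            *" $port "*) ;;
            *) printf '%s %s\n' "$port" "$svc" ;;
        esac
    done
}

# Exit 0 when the host exposes nothing beyond the allowlist, 1 otherwise.
ports_match_baseline() {
    [ -z "$(unexpected_ports "$@")" ]
}

# Stand-alone run: the baseline for this host is ssh and https only.
# On a live host: nmap -oN scan.txt HOST && unexpected_ports 22/tcp 443/tcp < scan.txt
printf '%s\n' "$SAMPLE_NMAP" | unexpected_ports 22/tcp 443/tcp
```

Only lines whose STATE is exactly open are counted; nmap's filtered and open|filtered states are left out, so a firewall that silently drops probes is not reported as an unexpected service. With -sV the VERSION text follows the service name on the same line, which the parser ignores.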

2.6 tcpdump: capture network traffic

2.6.1 Command details

Function:

  • tcpdump is a packet capture and analysis tool. It captures the complete headers of packets travelling on the network so they can be analysed. It supports filters on network layer, protocol, host, port and so on, combined with and/or/not logic to narrow the output down to the useful information.
  • tcpdump first switches the NIC into promiscuous mode. Because it changes the interface's operating mode, tcpdump has to run as root.

Options:

Option : Description (entries marked @ are the important ones)

  • -A : print each packet in ASCII (without the link-layer header); convenient for reading captured web data
  • -c <count> : exit after the given number of packets has been received @
  • -e : include the link-layer header in each output line
  • -i <interface> : network interface to listen on @
  • -n : no DNS resolution, faster output @
  • -nn : do not convert protocol and port numbers to names @
  • -q : quick output; only the protocol summary of each packet, giving shorter lines @
  • -s <snaplen> : number of bytes to capture per packet; 68 by default, 0 picks a suitable length automatically
  • -t : no timestamp on each line
  • -tt : unformatted timestamp on each line
  • -ttt : time delta between this line and the previous one
  • -tttt : date in front of each line's timestamp
  • -ttttt : time delta between this line and the first one
  • -v : verbose output
  • -vv : more verbose than -v
  • -vvv : more verbose than -vv

2.6.2 Usage examples

(1) Run tcpdump with no arguments to listen on the network

[root@localhost ~]# tcpdump # by default tcpdump listens on the first network interface and shows every packet passing through it
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:12:45.464963 IP localhost.ssh > localhost.50832: Flags [P.], seq 898292388:898292596, ack 861396487, win 317, length 208
05:12:45.465055 IP localhost.50832 > localhost.ssh: Flags [.], ack 208, win 523, length 0
05:12:45.465215 IP localhost.57595 > localhost.domain: 4104+ PTR? 254.0.168.192.in-addr.arpa. (44)
05:12:45.467851 IP localhost.domain > localhost.57595: 4104 1/0/0 PTR localhost. (67)
05:12:45.467906 IP localhost.57067 > localhost.domain: 107+ PTR? 233.0.168.192.in-addr.arpa. (44)
05:12:45.469444 IP localhost.domain > localhost.57067: 107 1/0/0 PTR localhost. (67)
05:12:45.469504 IP localhost.34192 > localhost.domain: 2703+ PTR? 1.0.168.192.in-addr.arpa. (42)
05:12:45.621206 IP localhost.ssh > localhost.50832: Flags [P.], seq 3120:3280, ack 1, win 317, length 160
05:12:45.621258 IP localhost.50832 > localhost.ssh: Flags [.], ack 3280, win 524, length 0
05:12:45.636742 IP localhost.ssh > localhost.50832: Flags [P.], seq 3280:3536, ack 1, win 317, length 256
05:12:45.643843 IP localhost.50832 > localhost.ssh: Flags [P.], seq 1:65, ack 3536, win 523, length 64
05:12:45.643889 IP localhost.ssh > localhost.50832: Flags [P.], seq 3536:3696, ack 65, win 317, length 160
^C              # Ctrl+C stops tcpdump while it is running
29 packets captured     # the last three lines are the capture summary printed after Ctrl+C
32 packets received by filter
0 packets dropped by kernel

Without a filter expression, tcpdump produces a very large amount of output.

(2) Trim the output

[root@localhost ~]# tcpdump -q  # tcpdump's default output is verbose; use -q for a condensed view
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:33:01.438200 IP localhost.ssh > localhost.50832: tcp 208
05:33:01.479036 IP localhost.50832 > localhost.ssh: tcp 0
05:33:01.494539 IP localhost.ssh > localhost.50832: tcp 176
05:33:01.510460 IP localhost.ssh > localhost.50832: tcp 112
05:33:01.510907 IP localhost.50832 > localhost.ssh: tcp 0
05:33:01.525789 IP localhost.ssh > localhost.50832: tcp 176
05:33:01.541450 IP localhost.ssh > localhost.50832: tcp 112
05:33:01.541548 IP localhost.50832 > localhost.ssh: tcp 0
05:33:01.557049 IP localhost.ssh > localhost.50832: tcp 176
05:33:01.574173 IP localhost.ssh > localhost.50832: tcp 112
05:33:01.574486 IP localhost.50832 > localhost.ssh: tcp 0
05:33:01.583765 IP localhost.50832 > localhost.ssh: tcp 64
05:33:01.583857 IP localhost.ssh > localhost.50832: tcp 176
^C
24 packets captured
26 packets received by filter
0 packets dropped by kernel
[root@localhost ~]# tcpdump -c 5    # -c sets the number of packets to capture, so Ctrl+C is not needed
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:34:24.515192 IP localhost.ssh > localhost.50832: Flags [P.], seq 898300004:898300212, ack 861398503, win 317, length 208
05:34:24.515301 IP localhost.50832 > localhost.ssh: Flags [.], ack 208, win 519, length 0
05:34:24.515445 IP localhost.60389 > localhost.domain: 26412+ PTR? 254.0.168.192.in-addr.arpa. (44)
05:34:24.518180 IP localhost.domain > localhost.60389: 26412 1/0/0 PTR localhost. (67)
05:34:24.518247 IP localhost.38804 > localhost.domain: 7473+ PTR? 233.0.168.192.in-addr.arpa. (44)
5 packets captured
10 packets received by filter
0 packets dropped by kernel

(3) Capture packets on a specific NIC

[root@Mr_chen ~]# tcpdump -i eth0   # -i selects the NIC to listen on
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:46:06.865643 IP localhost.ssh > localhost.50832: Flags [P.], seq 898335828:898336036, ack 861403175, win 317, length 208
05:46:06.865721 IP localhost.50832 > localhost.ssh: Flags [.], ack 208, win 524, length 0
05:46:06.865876 IP localhost.37090 > localhost.domain: 16313+ PTR? 254.0.168.192.in-addr.arpa. (44)
^C
49 packets captured
52 packets received by filter
0 packets dropped by kernel

Explanation of the output:

  • 05:46:06.865643 : the current time, to the microsecond
  • IP localhost.ssh > localhost.50832 : data sent from host localhost's ssh port to localhost's port 50832; ">" shows the direction of the flow
  • Flags [P.] : the TCP flags; S is short for SYN, F (FIN), P (PUSH), R (RST), "." (none of these)
  • seq : sequence number of the data in the packet
  • ack : the next sequence number expected
  • win : size of the receive window
  • length : length of the data
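As an added example that is not from the original page, the functions below parse tcpdump -nn lines of the layout just described into per-flow packet counts, per-source payload bytes and per-source bare-SYN counts. The capture they run on is constructed (the 10.0.0.7 lines are invented), and the field positions assume the -nn form with numeric hosts and ports, as in the host and port captures further down this page.

```sh
#!/bin/sh
# Added example: summarise tcpdump -nn lines by flow and by source host.
# SAMPLE_TCPDUMP is a constructed capture; the 10.0.0.7 lines are made up.
SAMPLE_TCPDUMP=$(cat <<'EOF'
18:27:25.472624 IP 192.168.0.233.22 > 192.168.0.254.55962: Flags [P.], seq 1886385856:1886386064, ack 322195131, win 317, length 208
18:27:25.472764 IP 192.168.0.254.55962 > 192.168.0.233.22: Flags [.], ack 208, win 522, length 0
18:27:25.473731 IP 192.168.0.233.22 > 192.168.0.254.55962: Flags [P.], seq 208:496, ack 1, win 317, length 288
18:27:26.100001 IP 10.0.0.7.40001 > 192.168.0.233.22: Flags [S], seq 1, win 65535, length 0
18:27:26.100002 IP 10.0.0.7.40002 > 192.168.0.233.22: Flags [S], seq 1, win 65535, length 0
18:27:26.100003 IP 10.0.0.7.40003 > 192.168.0.233.22: Flags [S], seq 1, win 65535, length 0
18:27:26.200000 IP 192.168.0.233.22 > 10.0.0.7.40001: Flags [S.], seq 0, ack 2, win 29200, length 0
18:27:26.300000 ARP, Request who-has 192.168.0.111 tell 192.168.0.1, length 46
EOF
)

# Fields of an IP line: $1 time, $2 "IP"/"IP6", $3 src.port, $4 ">", $5 "dst.port:",
# $6 "Flags", $7 flags such as "[S],", then the seq/ack/win/length pairs.
# Non-IP lines (ARP here) are skipped by every function.

# Packets per directed flow "src.port > dst.port", busiest first.
flow_packets() {
    awk '$2 ~ /^IP6?$/ && $4 == ">" {
             dst = $5; sub(/:$/, "", dst); n[$3 " > " dst]++ }
         END { for (f in n) printf "%s %d\n", f, n[f] }' | sort -k4,4nr -k1,1
}

# Bare SYN packets ("[S]" with no ACK bit) per source host, busiest first.
# Many of these from one host, with the matching "[S.]" replies never getting
# their final ACK, is how half-open connections look on the wire.
syn_by_source() {
    awk '$2 ~ /^IP6?$/ && $6 == "Flags" && $7 == "[S]," {
             host = $3; sub(/\.[0-9]+$/, "", host); n[host]++ }
         END { for (h in n) printf "%s %d\n", h, n[h] }' | sort -k2,2nr -k1,1
}

# Payload bytes sent per source host, summed from each line's "length N" field.
bytes_by_source() {
    awk '$2 ~ /^IP6?$/ && $4 == ">" {
             host = $3; sub(/\.[0-9]+$/, "", host)
             for (i = 1; i < NF; i++) if ($i == "length") n[host] += $(i + 1) }
         END { for (h in n) printf "%s %d\n", h, n[h] }' | sort -k2,2nr -k1,1
}

# Stand-alone run over the sample; on a live host use e.g.
#   tcpdump -nn -c 1000 -i eth0 tcp | syn_by_source
printf '%s\n' "$SAMPLE_TCPDUMP" | syn_by_source
printf '%s\n' "$SAMPLE_TCPDUMP" | flow_packets
```

Seeing the bare-SYN count per source is the capture-side view of the SYN_RECV column in the netstat section: it shows at once whether the half-open connections come from one client or from general load.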

(4) Capture packets for a specific host

[root@Mr_chen ~]# tcpdump -n -c 5 host 192.168.0.254    # -n skips DNS resolution for faster output. The keyword for a host is host, followed directly by a hostname or IP address. This command captures every packet received or sent by 192.168.0.254
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:18:59.812585 IP 192.168.0.233.ssh > 192.168.0.254.50832: Flags [P.], seq 898389300:898389508, ack 861410071, win 317, length 208
06:18:59.812763 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 208, win 524, length 0
06:18:59.813478 IP 192.168.0.233.ssh > 192.168.0.254.50832: Flags [P.], seq 208:496, ack 1, win 317, length 288
06:18:59.814441 IP 192.168.0.233.ssh > 192.168.0.254.50832: Flags [P.], seq 496:672, ack 1, win 317, length 176
06:18:59.814534 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 672, win 522, length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel
[root@Mr_chen ~]# tcpdump -n -c 5 src host 192.168.0.254    # only packets sent by 192.168.0.254, i.e. with source address 192.168.0.254; the keyword is src (source)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:19:45.439633 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 898393156, win 522, length 0
06:19:45.511489 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 161, win 521, length 0
06:19:45.589521 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 321, win 520, length 0
06:19:45.667712 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 481, win 520, length 0
06:19:45.733979 IP 192.168.0.254.50832 > 192.168.0.233.ssh: Flags [.], ack 641, win 519, length 0
5 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@Mr_chen ~]# tcpdump -n -c 5 dst host 192.168.0.254    # only packets received by 192.168.0.254, i.e. with destination address 192.168.0.254; the keyword is dst (destination)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:21:33.783811 IP 192.168.0.233.ssh > 192.168.0.254.55962: Flags [P.], seq 1885784800:1885785008, ack 322191067, win 317, length 208
18:21:33.785709 IP 192.168.0.233.ssh > 192.168.0.254.55962: Flags [P.], seq 208:400, ack 1, win 317, length 192
18:21:33.786677 IP 192.168.0.233.ssh > 192.168.0.254.55962: Flags [P.], seq 400:576, ack 1, win 317, length 176
18:21:33.787676 IP 192.168.0.233.ssh > 192.168.0.254.55962: Flags [P.], seq 576:752, ack 1, win 317, length 176
18:21:33.788684 IP 192.168.0.233.ssh > 192.168.0.254.55962: Flags [P.], seq 752:928, ack 1, win 317, length 176
5 packets captured
5 packets received by filter
0 packets dropped by kernel

(5) Capturing packets on a specified port

[root@Mr_chen ~]# tcpdump -nn -c 5 port 22  #-nn: no DNS resolution and no translation of port numbers into service names; port selects the port to capture
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:27:25.472624 IP 192.168.0.233.22 > 192.168.0.254.55962: Flags [P.], seq 1886385856:1886386064, ack 322195131, win 317, length 208
18:27:25.472764 IP 192.168.0.254.55962 > 192.168.0.233.22: Flags [.], ack 208, win 522, length 0
18:27:25.473731 IP 192.168.0.233.22 > 192.168.0.254.55962: Flags [P.], seq 208:496, ack 1, win 317, length 288
18:27:25.474746 IP 192.168.0.233.22 > 192.168.0.254.55962: Flags [P.], seq 496:672, ack 1, win 317, length 176
18:27:25.474836 IP 192.168.0.254.55962 > 192.168.0.233.22: Flags [.], ack 672, win 520, length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel

(6) Capturing packets of a specified protocol

[root@Mr_chen ~]# tcpdump -n -c 5 arp   #capture ARP packets; the filter expression is simply arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:29:08.056959 ARP, Request who-has 192.168.0.111 tell 192.168.0.1, length 46
18:29:08.978765 ARP, Request who-has 192.168.0.111 tell 192.168.0.1, length 46
18:29:09.900334 ARP, Request who-has 192.168.0.111 tell 192.168.0.1, length 46
18:29:10.822093 ARP, Request who-has 192.168.0.111 tell 192.168.0.1, length 46
18:29:12.050836 ARP, Request who-has 192.168.0.111 tell 192.168.0.1, length 46
5 packets captured
5 packets received by filter
0 packets dropped by kernel
[root@Mr_chen ~]# tcpdump -n -c 5 icmp  #capture ICMP packets (to see output like the following, ping this host from another machine)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:30:55.576828 IP 192.168.0.254 > 192.168.0.233: ICMP echo request, id 1, seq 19956, length 40
18:30:55.576844 IP 192.168.0.233 > 192.168.0.254: ICMP echo reply, id 1, seq 19956, length 40
18:30:56.578427 IP 192.168.0.254 > 192.168.0.233: ICMP echo request, id 1, seq 19958, length 40
18:30:56.578445 IP 192.168.0.233 > 192.168.0.254: ICMP echo reply, id 1, seq 19958, length 40
18:30:57.582167 IP 192.168.0.254 > 192.168.0.233: ICMP echo request, id 1, seq 19960, length 40
5 packets captured
6 packets received by filter
0 packets dropped by kernel

Common protocol keywords include ip, arp, icmp, tcp and udp.

(7) Using tcpdump captures to walk through TCP/IP connection setup and teardown

1) The three phases of a normal TCP connection

  • TCP three-way handshake
  • Data transfer
  • TCP four-way close

2) TCP connection diagram

The TCP connection state machine is shown in the figure below.

[Figure: TCP connection state machine (screenshot not included)]

3) TCP flag bits

  • SYN (Synchronize Sequence Numbers): this flag is only meaningful during the three-way handshake that establishes a TCP connection; it marks a new connection request
  • ACK (Acknowledgement Number): acknowledges a TCP request and tells the peer that all data sent so far has been received successfully.
  • FIN (FINish): used to end a TCP session. The corresponding port still remains open, ready to receive the remaining data.

4) Capturing TCP traffic with tcpdump

[root@Mr_chen www]# tcpdump tcp port 80 or dst 192.168.0.114 -i eth0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
#Capture analysis: the three-way handshake
22:38:18.564320 ARP, Reply 192.168.0.233 is-at 00:0c:29:a8:ca:50, length 28 
#An ARP reply is sent to the target MAC address, telling the peer this host's MAC address
22:38:18.564418 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [S], seq 3675775834, win 14600, options [mss 1460,sackOK,TS val 4294710555 ecr 0,nop,wscale 6], length 0 
#The client at 192.168.0.114 connects from ephemeral port 52367 to the listening port 80 of this host, the server at 192.168.0.233. The client's initial sequence number is 3675775834, its window is 14600 bytes (the size of the TCP receive buffer, used for TCP congestion control), its mss is 1460 (the largest segment it can receive), and [S]=[SYN] (connection request flag)
22:38:18.564434 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [S.], seq 2909831439, ack 3675775835, win 14480, options [mss 1460,sackOK,TS val 15157720 ecr 4294710555,nop,wscale 6], length 0
#The server's response to the connection request, carrying the ack for the previous packet (the client's initial sequence number + 1, i.e. 3675775835, which is the sequence number the server expects to receive next; this is how TCP keeps the byte stream in order). The server's initial sequence number is 2909831439 and its mss is also 1460
22:38:18.564541 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 4294710556 ecr 15157720], length 0
#The client acknowledges once more and the three-way handshake is complete. "." means none of the SYN/FIN/PSH flags is set (only ACK)

The data transfer phase follows:

22:38:18.564654 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [P.], seq 1:169, ack 1, win 229, options [nop,nop,TS val 4294710557 ecr 15157720], length 168
#The client sends its request, 168 bytes long. [P]=[push] (data transfer flag)
22:38:18.564658 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [.], ack 169, win 243, options [nop,nop,TS val 15157720 ecr 4294710557], length 0  #The server replies to the client acknowledging the request and confirming the 168 bytes received so far
22:38:18.564707 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [P.], seq 1:237, ack 169, win 243, options [nop,nop,TS val 15157720 ecr 4294710557], length 236    #The server's reply, 236 bytes long
22:38:18.564755 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [P.], seq 237:258, ack 169, win 243, options [nop,nop,TS val 15157720 ecr 4294710557], length 21
22:38:18.564773 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [.], ack 237, win 245, options [nop,nop,TS val 4294710557 ecr 15157720], length 0
22:38:18.564818 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [.], ack 258, win 245, options [nop,nop,TS val 4294710557 ecr 15157720], length 0

The four-way close follows:

22:38:18.564946 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [F.], seq 169, ack 258, win 245, options [nop,nop,TS val 4294710557 ecr 15157720], length 0  
#The client sends a request to close the connection; F=FIN (disconnect flag)
22:38:18.564956 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [F.], seq 258, ack 170, win 243, options [nop,nop,TS val 15157720 ecr 4294710557], length 0
#The server acknowledges the client's close request and also sends its own FIN. (The acknowledgement and the server's FIN appear as two separate steps only when the server has not yet finished transmitting; if the server had already finished sending its data when the client requested the close, it replies directly with the FIN flag.)
22:38:18.565022 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [.], ack 259, win 245, options [nop,nop,TS val 4294710557 ecr 15157720], length 0
#The client acknowledges, and the four-way close is complete
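As an added example (not code from the original post), the following Python script parses tcpdump -n lines like those above, labels each record with the phase its flags identify (SYN for the handshake, PSH for data, FIN for the close, as listed in 3) and checks the numbering rule the SYN and FIN acknowledgements above follow. The sample capture is constructed from the lines above with the annotation comments removed.

```python
import re

# Constructed sample: the TCP records from the capture above, with the annotation
# comments and the two client-side pure ACKs removed; one tcpdump -n line each.
CAPTURE = """\
22:38:18.564418 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [S], seq 3675775834, win 14600, options [mss 1460,sackOK,TS val 4294710555 ecr 0,nop,wscale 6], length 0
22:38:18.564434 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [S.], seq 2909831439, ack 3675775835, win 14480, options [mss 1460,sackOK,TS val 15157720 ecr 4294710555,nop,wscale 6], length 0
22:38:18.564541 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 4294710556 ecr 15157720], length 0
22:38:18.564654 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [P.], seq 1:169, ack 1, win 229, options [nop,nop,TS val 4294710557 ecr 15157720], length 168
22:38:18.564658 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [.], ack 169, win 243, options [nop,nop,TS val 15157720 ecr 4294710557], length 0
22:38:18.564707 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [P.], seq 1:237, ack 169, win 243, options [nop,nop,TS val 15157720 ecr 4294710557], length 236
22:38:18.564755 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [P.], seq 237:258, ack 169, win 243, options [nop,nop,TS val 15157720 ecr 4294710557], length 21
22:38:18.564946 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [F.], seq 169, ack 258, win 245, options [nop,nop,TS val 4294710557 ecr 15157720], length 0
22:38:18.564956 IP 192.168.0.233.http > 192.168.0.114.52367: Flags [F.], seq 258, ack 170, win 243, options [nop,nop,TS val 15157720 ecr 4294710557], length 0
22:38:18.565022 IP 192.168.0.114.52367 > 192.168.0.233.http: Flags [.], ack 259, win 245, options [nop,nop,TS val 4294710557 ecr 15157720], length 0
"""

# One TCP line: time, endpoints, flags, optional seq[:end], optional ack, length.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?.*, length (?P<len>\d+)$")

def parse_capture(text):
    """Parsed TCP records of tcpdump -n text; ARP and summary lines are skipped."""
    out = []
    for m in map(LINE_RE.match, text.splitlines()):
        if m:
            out.append({k: int(v) if k in ("seq", "ack", "len") and v is not None else v
                        for k, v in m.groupdict().items()})
    return out

def label_phases(pkts):
    """Label each packet 'handshake', 'data' or 'teardown' (one connection, capture order)."""
    labels, state, step = [], "handshake", 0
    for p in pkts:
        if "F" in p["flags"]:      # the first FIN opens the four-way close
            state = "teardown"
        labels.append(state)
        if state == "handshake":
            step += 1
            if step == 3:          # SYN, SYN/ACK and the bare ACK seen: payload may follow
                state = "data"
    return labels

def check_acks(pkts):
    """SYN and FIN each consume one sequence number, so the peer must ack seq + 1."""
    syn, synack = [p for p in pkts if "S" in p["flags"]][:2]
    fin_c, fin_s = [p for p in pkts if "F" in p["flags"]][:2]
    return (synack["ack"] == syn["seq"] + 1 and fin_s["ack"] == fin_c["seq"] + 1
            and pkts[-1]["ack"] == fin_s["seq"] + 1)
```

The same functions run unchanged over the output of tcpdump -n for a single connection saved to a file; label_phases assumes the capture starts at the SYN.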

Tip:
tcpdump is a very powerful and handy command; please put in the effort to master it. Mastering it properly also requires a certain amount of networking knowledge.



Source: https://www.cnblogs.com/chensiqiqi/p/9163094.html


