Linux 网络工具

星辰

2020-11-16

342

人

人评论

人举报

[TOC]

# Linux 网络工具

##  netstat和lsof工具使用
工具安装
```
yum install net-tools -y
yum install isof -y
```

帮助
```
[root@node6 ~]# netstat --help
usage: netstat [-vWeenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
       netstat [-vWnNcaeol] [<Socket> ...]
       netstat { [-vWeenNac] -I[<Iface>] | [-veenNac] -i | [-cnNe] -M | -s [-6tuw] } [delay]

-r, --route              display routing table
        -I, --interfaces=<Iface> display interface table for <Iface>
        -i, --interfaces         display interface table
        -g, --groups             display multicast group memberships
        -s, --statistics         display networking statistics (like SNMP)
        -M, --masquerade         display masqueraded connections

-v, --verbose            be verbose
        -W, --wide               don't truncate IP addresses
        -n, --numeric            don't resolve names
        --numeric-hosts          don't resolve host names
        --numeric-ports          don't resolve port names
        --numeric-users          don't resolve user names
        -N, --symbolic           resolve hardware names
        -e, --extend             display other/more information
        -p, --programs           display PID/Program name for sockets
        -o, --timers             display timers
        -c, --continuous         continuous listing

-l, --listening          display listening server sockets
        -a, --all                display all sockets (default: connected)
        -F, --fib                display Forwarding Information Base (default)
        -C, --cache              display routing cache instead of FIB
        -Z, --context            display SELinux security context for sockets

<Socket>={-t|--tcp} {-u|--udp} {-U|--udplite} {-S|--sctp} {-w|--raw}
           {-x|--unix} --ax25 --ipx --netrom
  <AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet
  List of possible address families (which support routing):
    inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25) 
    netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP) 
    x25 (CCITT X.25)

```

### 参数讲解
* -t : 指明显示TCP端口
* -a : 显示所有socket(套接字)，包括正在监听的（LISTEN）
* -u : 显示UDP端口
* -l : 仅显示监听套接字(所谓套接字就是使应用程序能够读写与收发通讯协议(protocol)与资料的程序)
* -p : 显示进程标识符和程序名称，每一个套接字/端口都属于一个程序
* -n : 不进行DNS轮询，显示IP(可以加速操作)
* -i : 可以查看到发送接收的数据情况

**常用组合**
* netstat -ntlp 查看当前所有tcp端口
* netstat -ntulp |grep 80   //查看所有80端口使用情况
* netstat -an | grep 3306   //查看所有3306端口使用情况
* netstat  -lanp 查看一台服务器上面哪些服务及端口
* ps -ef |grep mysqld 查看一个服务有几个端口。比如要查看mysqld
* netstat -pnt |grep :3306 |wc 查看某一端口的连接客户端IP 比如3306端口
* netstat -anp |grep 3306 查看某一端口的连接客户端IP 比如3306端口

### netstat的替代工具 ss
ss 命令效率更高
优点：
* 访问量的大的机器，ss的显示速度更快
* 可以做一些统计
* 过滤条件比netstat更加丰富
* ss-s

```
ss -l 显示本地打开的所有端口
ss -pl 显示每个进程具体打开的socket
ss -t -a 显示所有tcp socket
ss -u -a 显示所有的UDP Socekt
ss -o state established '( dport = :smtp or sport = :smtp )' 显示所有已建立的SMTP连接
ss -o state established '( dport = :http or sport = :http )' 显示所有已建立的HTTP连接
ss -x src /tmp/.X11-unix/* 找出所有连接X服务器的进程
ss -s 列出当前socket详细信息:

# 查询远程处于连接状态的主机的ip地址，并且把它们查出来以后按最多到最小的顺序排序
如：查询连接我网站量最多的远程主机按倒序排序
[root@master1 ~]# ss -nt | sed -rn '/^ESTAB/s#.*[[:space:]]+([0-9.]+):[0-9]+.*#\1#p' | sort | uniq -c | sort -nr
    243 192.168.3.161
     20 127.0.0.1
      8 192.168.3.163
      8 172.25.0.2
      5 192.168.3.164
      4 192.168.3.173
      4 192.168.3.172
      4 192.168.3.171
      4 192.168.3.167
      4 192.168.3.166
      4 192.168.3.165
      4 192.168.3.162
      2 10.233.0.1
      1 192.168.3.40
      1 172.16.30.161
      1 10.233.0.3

```

### lsof
lsof的作用是列出当前系统打开文件(list open files)，不过通过-i参数也能查看端口的连接情况，-i后跟冒号端口可以查看指定端口信息，直接-i是系统当前所有打开的端口

```
[root@node5 home]# lsof --help
lsof: illegal option character: -
lsof: -e not followed by a file system path: "lp"
lsof 4.87
 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
 latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
 latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
 usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-f[gG]] [+|-e s]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [-Z [Z]] [--] [names]
Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.
  -?|-h list help          -a AND selections (OR)     -b avoid kernel blocks
  -c c  cmd c ^c /c/[bix]  +c w  COMMAND width (9)    +d s  dir s files
  -d s  select by FD set   +D D  dir D tree *SLOW?*   +|-e s  exempt s *RISKY*
  -i select IPv[46] files  -K list tasKs (threads)    -l list UID numbers
  -n no host names         -N select NFS files        -o list file offset
  -O no overhead *RISKY*   -P no port names           -R list paRent PID
  -s list file size        -t terse listing           -T disable TCP/TPI info
  -U select Unix socket    -v list version info       -V verbose search
  +|-w  Warnings (+)       -X skip TCP&UDP* files     -Z Z  context [Z]
  -- end option scan     
  +f|-f  +filesystem or -file names     +|-f[gG] flaGs 
  -F [f] select fields; -F? for help  
  +|-L [l] list (+) suppress (-) link counts < l (0 = all; default = 0)
                                        +m [m] use|create mount supplement
  +|-M   portMap registration (-)       -o o   o 0t offset digits (8)
  -p s   exclude(^)|select PIDs         -S [t] t second stat timeout (15)
  -T qs TCP/TPI Q,St (s) info
  -g [s] exclude(^)|select and print process group IDs
  -i i   select by IPv[46] address: [46][proto][@host|addr][:svc_list|port_list]
  +|-r [t[m<fmt>]] repeat every t seconds (15);  + until no files, - forever.
       An optional suffix to t is m<fmt>; m must separate t from <fmt> and
      <fmt> is an strftime(3) format for the marker line.
  -s p:s  exclude(^)|select protocol (p = TCP|UDP) states by name(s).
  -u s   exclude(^)|select login|UID set s
  -x [fl] cross over +d|+D File systems or symbolic Links
  names  select named files or files on named file systems
Anyone can list all files; /dev warnings disabled; kernel ID check disabled.

```

**比较**
```
# netstat无权限控制，lsof有权限控制，只能看到本用户
# losf能看到pid和用户，可以找到哪个进程占用了这个端口
netstat -an|grep 8080
lsof -i:8080

[root@node5 home]# lsof -i:30221
COMMAND     PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
kube-prox 23904 root  305u  IPv6 1415985520      0t0  TCP *:30221 (LISTEN)
[root@node5 home]# netstat -ntlp | grep 30221
tcp6       0      0 :::30221                :::*                    LISTEN      23904/kube-proxy
```

### 监控网络情况 netstat-i
```
Active UNIX domain sockets (w/o servers)
# 下面显示的是uninx套接字

# RX-OK 成功接收
# TX-OK 成功发送
# RX-DRP 抛弃的
# RX-OVR 负载
[root@node5 home]# netstat -i
Kernel Interface table
Iface             MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
cali0e2373a2e56  1500        0      0      0 0             0      0      0      0 BMRU

# 监控
watch -n1 netstat -i
监听指定网卡
watch netstat -I=ens33
或者
监听指定网卡
watch ifconfig -s ens33
```

**模拟流量攻击**
```
# -f 是指暴力ping，当目标主机性能不是很好时，很容易把目标主机的网卡资源耗尽，导致服务不可用
ping -s 65507 192.168.3.161 -f
# 上目标主机查看任务管理台网卡，可以看到流量疯长
```

## ip 命令推荐使用，替代ifconfig命令

### 帮助
```
[root@localhost ~]# ip
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
       ip [ -force ] -batch filename
where  OBJECT := { link | address | addrlabel | route | rule | neigh | ntable |
                   tunnel | tuntap | maddress | mroute | mrule | monitor | xfrm |
                   netns | l2tp | fou | macsec | tcp_metrics | token | netconf | ila |
                   vrf }
       OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |
                    -h[uman-readable] | -iec |
                    -f[amily] { inet | inet6 | ipx | dnet | mpls | bridge | link } |
                    -4 | -6 | -I | -D | -B | -0 |
                    -l[oops] { maximum-addr-flush-attempts } | -br[ief] |
                    -o[neline] | -t[imestamp] | -ts[hort] | -b[atch] [filename] |
                    -rc[vbuf] [size] | -n[etns] name | -a[ll] | -c[olor]}
```

* ip link 查看网卡二层信息  数据链路层 ip l
```
[root@localhost ~]#  ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:0c:29:b8:39:74 brd ff:ff:ff:ff:ff:ff
```

修改逻辑mac地址
```
vi /etc/sysconfig/network-scripts/ifcfg-ens33
# 添加最后一行
[root@localhost network-scripts]# cat /etc/sysconfig/network-scripts/ifcfg-ens33 
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=485a5544-cfb3-4c98-9012-8649af8bd5fb
DEVICE=ens33
ONBOOT=yes
# 注意MACADDR 前2位不能出现1,前两位为1的是广播地址，不能给网卡使用
MACADDR=00:0c:29:b8:39:66
# 重启网卡
[root@localhost network-scripts]# service network restart
# 重启完后发现远程不了了，但是宿主机可以登录，其ip link查看是已经修改了mac地址
```

* ip addr 查看网络层 或ip a

包含了链路层和网络层的信息
```
[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:b8:39:74 brd ff:ff:ff:ff:ff:ff
    inet 172.16.30.130/23 brd 172.16.31.255 scope global noprefixroute dynamic ens33
       valid_lft 7132sec preferred_lft 7132sec
    inet6 fe80::1836:5736:577f:d916/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
```

我们可以通过 ip addr 管理网卡的ip地址，可以个一块网卡添加多个ip地址，相关命令如下
```
[root@noteshare ~]# ip addr 
add      change   del      flush    help     replace  show

# 给网卡添加ip
[root@localhost ~]# ip addr add 172.16.30.131 dev ens33
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:b8:39:74 brd ff:ff:ff:ff:ff:ff
    inet 172.16.30.130/23 brd 172.16.31.255 scope global noprefixroute dynamic ens33
       valid_lft 7090sec preferred_lft 7090sec
    inet 172.16.30.131/32 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::1836:5736:577f:d916/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
[root@localhost ~]# ping 172.16.30.131
PING 172.16.30.131 (172.16.30.131) 56(84) bytes of data.
64 bytes from 172.16.30.131: icmp_seq=1 ttl=64 time=0.076 ms
64 bytes from 172.16.30.131: icmp_seq=2 ttl=64 time=0.057 ms
^C
--- 172.16.30.131 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.057/0.066/0.076/0.012 ms
# 这种方式加进去的ip 用ifconfig看不到
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.30.130  netmask 255.255.254.0  broadcast 172.16.31.255
        inet6 fe80::1836:5736:577f:d916  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b8:39:74  txqueuelen 1000  (Ethernet)
        RX packets 1473  bytes 105855 (103.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 122  bytes 17623 (17.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4  bytes 336 (336.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 336 (336.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

* 通过ifconfig给网卡添加别名

```
[root@localhost ~]# ifconfig ens33:2 2.2.2.2/24
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.30.130  netmask 255.255.254.0  broadcast 172.16.31.255
        inet6 fe80::1836:5736:577f:d916  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b8:39:74  txqueuelen 1000  (Ethernet)
        RX packets 2366  bytes 167350 (163.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 151  bytes 21661 (21.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 2.2.2.2  netmask 255.255.255.0  broadcast 2.2.2.255
        ether 00:0c:29:b8:39:74  txqueuelen 1000  (Ethernet)

[root@localhost ~]# ping 2.2.2.2
PING 2.2.2.2 (2.2.2.2) 56(84) bytes of data.
64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=0.079 ms
^C
--- 2.2.2.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.079/0.079/0.079/0.000 ms

```

* 通过ip addr add 给网卡添加别名

```
[root@localhost ~]# ip a a 4.4.4.4/24 dev ens33 label ens33:4
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.30.130  netmask 255.255.254.0  broadcast 172.16.31.255
        inet6 fe80::1836:5736:577f:d916  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b8:39:74  txqueuelen 1000  (Ethernet)
        RX packets 4060  bytes 302571 (295.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 335  bytes 47053 (45.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 2.2.2.2  netmask 255.255.255.0  broadcast 2.2.2.255
        ether 00:0c:29:b8:39:74  txqueuelen 1000  (Ethernet)

ens33:4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 4.4.4.4  netmask 255.255.255.0  broadcast 0.0.0.0
        ether 00:0c:29:b8:39:74  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 6  bytes 504 (504.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 504 (504.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```
> 我们可以通过以上方式给一个网卡添加多个地址，实际中也会存在这种情况，在一台机器上给出多个对外地址，分别对应不同的服务。在外看是多个ip，其实内部是一个服务器。

* scope link global host
	* global 全局的，不管从哪里进来都能访问
	* link 只有从指定链路进来的才能接收数据包，比如说一个电脑上绑定了ip1和ip2，一个请求想访问ip2，但是他是从ip1进来的，而ip1是link形式的，则访问不到ip2。
	* host 只能针对自己的电脑，也就是只有通过自己电脑发送过来的才行，从互联网发送过来的不接收。如127.0.0.1

* ip 命令的其他功能
	* 修改网卡名称 `先关闭网卡ip link set eth1 down && ip link set eht1 name haha && ip link set eth1 up`
	* 查路由  ip route

所有评论列表