ss and tcpdump
1. ss and netstat
ss stands for Socket Statistics, literally "socket statistics". Its output looks much like netstat's, but ss can show more, and more detailed, information about TCP and connection state. When a server has a very large number of sockets, both netstat and cat /proc/net/tcp become very slow.
ss uses tcp_diag in the TCP protocol stack. tcp_diag is a module for analysis and statistics that obtains the relevant data directly from the Linux kernel, which is why ss performs better than netstat. netstat is more common on CentOS 6, while CentOS 7 installs ss by default.
ss and netstat share most of their common parameters, such as a, n, p, l, t and u; these have the same meaning in both commands and are not explained here. A few more parameters are worth a look:
-x, --unix    show unix domain sockets; same as the -f option.
-n, --numeric    do not resolve service names, e.g. port "22" is not shown as "ssh".
-r, --resolve    resolve IP addresses to host names and port numbers to service names.
[root@k8s-master-01 ~]# netstat | head -5
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:43758 localhost:webcache ESTABLISHED
tcp 0 0 localhost:36670 localhost:webcache ESTABLISHED
tcp 0 0 k8s-master-01:49632 k8s-node-01:2379 ESTABLISHED
tcp 0 0 localhost:webcache localhost:46710 ESTABLISHED
tcp 0 0 k8s-master-01:55978 k8s-node-02:2379 ESTABLISHED
The command prints 6 columns; depending on what we need, some columns matter more than others.
Column 1: the protocol in use;
Column 4: local address:port;
Column 5: foreign address;
Column 6: state. In terms of output, ss and netstat are consistent, so netstat is used as the example here.
Comparing the parameters by their differences, together with the meaning of each column:
[root@k8s-master-01 ~]# ss -tl | head -3
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:10248 *:*
LISTEN 0 128 127.0.0.1:10251 *:*
LISTEN 0 128 173.26.1.75:sun-sr-https *:*
[root@k8s-master-01 ~]# ss -tnl | head -3
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:10248 *:*
LISTEN 0 128 127.0.0.1:10251 *:*
LISTEN 0 128 173.26.1.75:6443 *:*
[root@k8s-master-01 ~]# ss -trl | head -3
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 localhost:10248 *:*
LISTEN 0 128 localhost:10251 *:*
LISTEN 0 128 k8s-master-01:sun-sr-https *:*
[root@k8s-master-01 ~]# ss -tlp | head -3
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:10248 *:* users:(("kubelet",pid=22387,fd=26))
LISTEN 0 128 127.0.0.1:10251 *:* users:(("kube-scheduler",pid=32302,fd=6))
LISTEN 0 128 173.26.1.75:sun-sr-https *:* users:(("kube-apiserver",pid=10401,fd=7))
That is it for ss for now. Below are a few command lines for connection statistics (shown here with netstat); try them if you need them.
# List the IP addresses of TCP connections, sorted by count
[root@k8s-master-01 ~]# netstat -an|grep "ESTABLISHED"|awk -F "[ :]+" '{print $6}'|sort|uniq -c|sort -rn -k1
138 173.26.1.75
118 127.0.0.1
76 173.26.1.77
76 173.26.1.76
2 10.244.2.3
2 10.0.0.1
1 173.26.0.61
1 10.244.2.2
# Find the top 20 IPs by request count (often used to locate the source of an attack)
$ netstat -ant |awk '/:80/{split($5,ip,":");++A[ip[1]]}END{for(i in A) print A[i],i}' |sort -rn|head -n20
$ netstat -anlp|grep 80|grep tcp|awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -n20
[root@k8s-master-01 ~]# netstat -anlp|grep 80|grep tcp|awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -n20
222 127.0.0.1
36 173.26.1.75
10 173.26.1.77
9 173.26.1.76
3 0.0.0.0
2 10.244.2.3
1 10.0.0.1
1
# Find addresses with many TIME_WAIT connections
[root@k8s-master-01 ~]# netstat -n|grep TIME_WAIT|awk '{print $5}'|sort|uniq -c|sort -rn|head -n20
54 127.0.0.1:8080
5 10.244.2.4:44135
1 173.26.1.75:33544
1 173.26.1.75:33542
1 173.26.1.75:33520
1 10.244.2.3:8000
# Find addresses with many SYN connections
[root@k8s-master-01 ~]# netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more
# Count all connections on port 80
[root@k8s-master-01 ~]# netstat -nat|grep -i "80"|wc -l
284
# Sort connected IPs by number of connections
$ netstat -anp | egrep 'tcp|udp' | awk '{print $1" "$4}' | cut -d: -f1 | sort | uniq -c | sort -nr
$ netstat -ntu | awk '{print $1" "$4}' | cut -d: -f1 | sort | uniq -c | sort -nr
[root@k8s-master-01 ~]# netstat -anp | egrep 'tcp|udp' | awk '{print $1" "$4}' | cut -d: -f1 | sort | uniq -c | sort -nr
297 tcp 173.26.1.75
231 tcp 127.0.0.1
15 tcp6
12 tcp6 173.26.1.75
9 tcp 10.244.2.1
5 tcp 0.0.0.0
3 udp 0.0.0.0
2 udp6
2 tcp 10.0.0.1
[root@k8s-master-01 ~]# netstat -nat |awk '{print $NF}'|sort|uniq -c|sort -rn
426 ESTABLISHED
121 TIME_WAIT
29 LISTEN
1 State
1 established)
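As an added example (not part of the original note), the same per-state and per-peer counts done in Python over a constructed `netstat -an` sample. It splits each endpoint on the last colon so IPv6 entries survive (the blank-address and `tcp6` rows in the output above are where `awk -F:` loses them), and it matches the local port exactly instead of grepping for the substring "80":

```python
from collections import Counter

# Constructed sample in the `netstat -an` layout shown above (not taken
# from a real host); it includes IPv6 sockets and a session on port 8080.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 173.26.1.75:80          173.26.1.76:51234       ESTABLISHED
tcp        0      0 173.26.1.75:80          173.26.1.76:51235       ESTABLISHED
tcp        0      0 173.26.1.75:80          173.26.1.77:40001       TIME_WAIT
tcp        0      0 127.0.0.1:8080          127.0.0.1:43758         ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::ffff:173.26.1.75:80   ::ffff:173.26.0.61:5555 ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

def split_addr(endpoint):
    """Split 'addr:port' on the LAST colon so IPv6 addresses survive;
    `awk -F:` in the one-liners above cuts '::ffff:1.2.3.4:80' apart."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port

def parse(text):
    """Yield (proto, laddr, lport, paddr, pport, state) per socket line.
    Header lines are skipped; UDP lines have no state column and get '-'."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue
        laddr, lport = split_addr(f[3])
        paddr, pport = split_addr(f[4])
        state = f[5] if len(f) > 5 else "-"
        yield f[0], laddr, lport, paddr, pport, state

def count_states(text):
    """Like `netstat -nat | awk '{print $NF}' | sort | uniq -c`, without
    the stray 'State' and 'established)' header rows counted above."""
    return Counter(row[5] for row in parse(text))

def top_peers(text, local_port, state="ESTABLISHED"):
    """Peer IPs connected to exactly `local_port`, busiest first.
    `grep "80"` would also match 8080 or any port containing '80'."""
    peers = Counter(row[3] for row in parse(text)
                    if row[2] == local_port and row[5] == state)
    return peers.most_common()
```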
2. tcpdump
tcpdump is a tool that captures network packets and prints their contents. Its powerful features and flexible capture policies make it the tool of choice for network analysis and troubleshooting on UNIX-like systems.
tcpdump supports filtering by network layer, protocol, host, network or port, and provides the logical operators and, or and not to help you strip out irrelevant traffic.
Note that tcpdump only sees traffic that passes through the local host.
tcpdump command-line capture format:
# Common parameters:
-c: number of packets to capture.
-i interface: the interface tcpdump listens on. By default the first network interface is captured.
-n: show addresses numerically rather than as host names, i.e. -n disables host-name resolution.
-nn: in addition to -n, show ports as numbers rather than service names.
-P: whether to capture inbound or outbound packets. Possible values are "in", "out" and "inout"; the default is "inout".
-v: produce verbose output when parsing and printing.
-vv: more verbose than -v.
-vvv: more verbose than -vv.
expression:
a. type
host, net, port, portrange
b. direction (dir)
src, dst, src or dst, src and dst
c. protocol (proto)
tcp, udp, icmp; if no protocol is given, all possible protocols are matched.
Expression elements can be joined with the operators and/&&, or/|| and not/! to build complex conditions.
The mapping between common ports and their names can be found in /etc/services on a Linux system.
Also, repeated qualifiers can be omitted: "tcp dst port ftp or ftp-data or domain" means the same as "tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain"; both select packets whose protocol is tcp and whose destination port is ftp, ftp-data or domain (port 53).
Parentheses "()" change the precedence of an expression, but note that the shell interprets them, so they must be escaped with a backslash as "\(" and "\)" and, where necessary, enclosed in quotes.
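Added example, not from the original note: a small helper that spells out the elided-qualifier rule described above (libpcap applies this rule itself when it compiles a filter; the helper only makes the expanded form visible for review). It assumes the keyword list below and filters without parentheses, and prints symbolic operators as words:

```python
# Operators may be written as words or symbols; the compound direction
# qualifiers contain "or"/"and" themselves and must not be split on them.
OPERATORS = {"and": "and", "&&": "and", "or": "or", "||": "or"}
NEGATIONS = {"not", "!"}
COMPOUND = {"src or dst": "src_or_dst", "src and dst": "src_and_dst"}
# Assumption: the qualifiers listed in the note plus a few common ones.
KEYWORDS = {"host", "net", "port", "portrange", "src", "dst", "src_or_dst",
            "src_and_dst", "tcp", "udp", "icmp", "ip", "ip6", "arp", "ether"}

def expand(expr):
    """Return `expr` with elided qualifiers spelled out: a term that is a
    single bare value inherits the keywords of the nearest term to its
    left that ended in a value. Parentheses are not handled (assumption)."""
    text = expr
    for phrase, token in COMPOUND.items():
        text = text.replace(phrase, token)
    terms, ops, cur = [], [], []
    for tok in text.split():
        if tok in OPERATORS:
            terms.append(cur)
            ops.append(OPERATORS[tok])
            cur = []
        else:
            cur.append(tok)
    terms.append(cur)
    out, last_qual = [], []
    for term in terms:
        negated = bool(term) and term[0] in NEGATIONS
        body = term[1:] if negated else term
        if not body:
            raise ValueError("empty term in filter: %r" % expr)
        if len(body) == 1 and body[0] not in KEYWORDS:
            body = last_qual + body        # bare value: inherit keywords
        elif body[-1] not in KEYWORDS:
            last_qual = body[:-1]          # term ends in a value: remember its keywords
        out.append((["not"] if negated else []) + body)
    pieces = [" ".join(out[0])]
    for op, term in zip(ops, out[1:]):
        pieces.extend([op, " ".join(term)])
    result = " ".join(pieces)
    for phrase, token in COMPOUND.items():
        result = result.replace(token, phrase)
    return result
```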
Using tcpdump:
# Packets on a given network interface
[root@k8s-master-01 ~]# tcpdump -i eth0
# Watch packets of a given host
[root@k8s-master-01 ~]# tcpdump -i eth0 host k8s-node-01
# Print packets exchanged between this host and two nodes
[root@k8s-master-01 ~]# tcpdump -i eth0 host k8s-node-01 or k8s-node-02
# Print packets exchanged with node1, but not node2's packets
[root@k8s-master-01 ~]# tcpdump -i eth0 host k8s-node-01 and not k8s-node-02
15:38:27.138260 IP k8s-node-01.2379 > k8s-master-01.49876: Flags [.], ack 1, win 299, options [nop,nop,TS val 1069473752 ecr 1069464125], length 0
15:38:27.183478 IP k8s-node-01.36860 > k8s-master-01.sun-sr-https: Flags [P.], seq 460:506, ack 4141, win 18418, options [nop,nop,TS val 1069473798 ecr 1069478984], length 46
15:38:27.186340 IP k8s-master-01.sun-sr-https > k8s-node-01.36860: Flags [P.], seq 4141:4207, ack 506, win 1432, options [nop,nop,TS val 1069479184 ecr 1069473798], length 66
15:38:27.186426 IP k8s-master-01.sun-sr-https > k8s-node-01.36860: Flags [P.], seq 4207:4447, ack 506, win 1432, options [nop,nop,TS val 1069479184 ecr 1069473798], length 240
15:38:27.186584 IP k8s-node-01.36860 > k8s-master-01.sun-sr-https: Flags [.], ack 4447, win 18418, options [nop,nop,TS val 1069473801 ecr 1069479184], length 0
243 packets captured
243 packets received by filter
0 packets dropped by kernel
# In the packet exchange you can see that each packet carries a seq (sequence number) and an ack (acknowledgement number), and that the transmission is going through the second and third steps of the TCP three-way handshake.
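Added example (not code from the original note): parse the TCP lines tcpdump prints and track each connection's three-way handshake from its flags ([S], then [S.], then a pure [.] ACK), so that [P.] data segments like those in the capture above are labelled as data rather than as handshake steps. The sample capture is constructed in the same format; its host names, ports and numbers are invented:

```python
import re

# One tcpdump TCP line: timestamp, src.port > dst.port, flags, optional
# seq/ack (seq may be a range like 460:506) and the trailing length.
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?.*, length (?P<length>\d+)$"
)

# Constructed capture in the format printed above (not real traffic): a
# full handshake plus data, then a second connection whose SYN was missed.
SAMPLE = """\
16:00:01.000100 IP k8s-node-01.40000 > k8s-master-01.6443: Flags [S], seq 1000, win 29200, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
16:00:01.000200 IP k8s-master-01.6443 > k8s-node-01.40000: Flags [S.], seq 5000, ack 1001, win 28960, options [mss 1460,sackOK,TS val 2 ecr 1,nop,wscale 7], length 0
16:00:01.000300 IP k8s-node-01.40000 > k8s-master-01.6443: Flags [.], ack 1, win 229, options [nop,nop,TS val 3 ecr 2], length 0
16:00:01.000400 IP k8s-node-01.40000 > k8s-master-01.6443: Flags [P.], seq 1:47, ack 1, win 229, options [nop,nop,TS val 4 ecr 2], length 46
16:00:01.000500 IP k8s-master-01.6443 > k8s-node-01.40000: Flags [.], ack 47, win 227, options [nop,nop,TS val 5 ecr 4], length 0
16:00:01.000600 IP k8s-node-02.36860 > k8s-master-01.6443: Flags [P.], seq 460:506, ack 4141, win 18418, options [nop,nop,TS val 6 ecr 5], length 46
"""

def classify(text):
    """Label every TCP packet. A connection is the unordered endpoint pair;
    a handshake step needs the right flags AND the previous step on that
    connection, so a later pure ACK or a [P.] segment is not mislabelled."""
    stage, labels = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # IPv6, UDP, ICMP and summary lines
        conn = frozenset((m["src"], m["dst"]))
        flags, length, seen = m["flags"], int(m["length"]), stage.get(conn, 0)
        if flags == "S":
            label, seen = "handshake 1/3 SYN", 1
        elif flags == "S.":
            label = "handshake 2/3 SYN-ACK" if seen == 1 else "SYN-ACK, SYN not captured"
            seen = 2
        elif flags == "." and length == 0 and seen == 2:
            label, seen = "handshake 3/3 ACK", 3
        elif "F" in flags or "R" in flags:
            label = "teardown"
        elif length > 0:
            label = "data"                # the [P.] segments in the capture above
        else:
            label = "pure ACK"
        stage[conn] = seen
        labels.append((m["ts"], m["src"], m["dst"], flags, label))
    return labels

def completed_handshakes(text):
    """Number of connections whose full three-way handshake was captured."""
    return sum(1 for row in classify(text) if row[4] == "handshake 3/3 ACK")
```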
# Capture data sent from node-01 to this host
[root@k8s-master-01 ~]# tcpdump -i eth0 src host k8s-node-01
15:58:18.919204 IP k8s-node-01.59572 > k8s-master-01.sun-sr-https: Flags [.], ack 973, win 1424, options [nop,nop,TS val 1070665533 ecr 1070670905], length 0
15:58:18.919406 IP k8s-node-01.49522 > k8s-master-01.sun-sr-https: Flags [.], ack 973, win 1393, options [nop,nop,TS val 1070665533 ecr 1070670904], length 0
15:58:18.919636 IP k8s-node-01.36860 > k8s-master-01.sun-sr-https: Flags [.], ack 7692, win 18418, options [nop,nop,TS val 1070665534 ecr 1070670904], length 0
159 packets captured
263 packets received by filter
0 packets dropped by kernel
[root@k8s-master-01 ~]# tcpdump -i eth0 dst host k8s-node-01
26:00:40.786796 IP k8s-master-01.sun-sr-https > k8s-node-01.36860: Flags [P.], seq 3311:3551, ack 323, win 1432, options [nop,nop,TS val 1070812784 ecr 1070807398], length 240
26:00:40.801974 IP k8s-master-01.49596 > k8s-node-01.2379: Flags [.], ack 1118073436, win 296, options [nop,nop,TS val 1070812800 ecr 1070792376], length 0
26:00:40.841526 IP k8s-master-01.49800 > k8s-node-01.2379: Flags [.], ack 1004213034, win 657, options [nop,nop,TS val 1070812839 ecr 1070792472], length 0
67 packets captured
84 packets received by filter
0 packets dropped by kernel
# Watch packets of a given network, e.g. traffic between this host and the 173.26 network; "-c 3" captures only 3 packets
[root@k8s-master-01 ~]# tcpdump -i eth0 -c3 host 173.26
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
26:03:28.726019 IP k8s-master-01.2380 > k8s-node-02.34286: Flags [P.], seq 980059585:980059692, ack 2363754347, win 278, options [nop,nop,TS val 1070980714 ecr 1070977959], length 107
26:03:28.726269 IP k8s-node-02.34286 > k8s-master-01.2380: Flags [.], ack 107, win 1424, options [nop,nop,TS val 1070978011 ecr 1070980714], length 0
26:03:28.726409 IP k8s-node-02.2380 > k8s-master-01.55433: Flags [P.], seq 1277875825:1277875927, ack 4035557266, win 278, options [nop,nop,TS val 1070978011 ecr 1070980662], length 102
3 packets captured
33 packets received by filter
0 packets dropped by kernel
# Capture ping packets
[root@k8s-master-01 ~]# tcpdump -c 5 -nn -i eth0 icmp and src 173.26.1.65
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
# Capture packets sent to local port 22
[root@k8s-master-01 ~]# tcpdump -c 10 -nn -i eth0 tcp dst port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
# Decode packet data
[root@k8s-master-01 ~]# tcpdump -c 2 -q -XX -vvv -nn -i eth0 tcp dst port 21345
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
26:05:54.865520 IP (tos 0x0, ttl 63, id 43902, offset 0, flags [DF], proto TCP (6), length 40)
173.26.0.61.57618 > 173.26.1.75.21345: tcp 0
0x0000: 0050 5681 1018 085b 0ef4 cab4 0800 4500 .PV....[......E.
0x0010: 0028 ab7e 4000 3f06 36a9 ac10 003d ac10 .(.~@.?.6....=..
0x0020: 014b e112 5361 3bac 71fd 8eb0 e738 5010 .K..Sa;.q....8P.
0x0030: 01fc fc28 0000 0000 0000 0000 ...(........
26:05:54.918517 IP (tos 0x0, ttl 63, id 43903, offset 0, flags [DF], proto TCP (6), length 40)
173.26.0.61.57618 > 173.26.1.75.21345: tcp 0
0x0000: 0050 5681 1018 085b 0ef4 cab4 0800 4500 .PV....[......E.
0x0010: 0028 ab7f 4000 3f06 36a8 ac10 003d ac10 .(..@.?.6....=..
0x0020: 014b e112 5361 3bac 71fd 8eb0 e8fc 5010 .K..Sa;.q.....P.
0x0030: 01fa fa66 0000 0000 0000 0000 ...f........
2 packets captured
3 packets received by filter
0 packets dropped by kernel
Command-line capture:
# Sniff port 80 with tcpdump to see who accesses it most
[root@k8s-master-01 ~]# tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk '{print $2}' |awk -F"." '{print $1"."$2"."$3"."$4}'|sort | uniq -c | sort -nr
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
# Use tcpdump to watch all TCP port 80 traffic from 172.16.1.76.
[root@k8s-master-01 ~]# tcpdump -n tcp port 80 and src 172.16.1.76
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
# Watch ping packets on the interface with tcpdump
[root@k8s-master-01 ~]# tcpdump -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
I have not written much about these three commands, but anyone reading this note might first ask themselves whether the problem is weak fundamentals or limited knowledge, a lack of depth or a lack of sensitivity. The process is like a woman's lingerie: the exposed part is not the point, what is covered is what matters. I hope everyone gets something out of it.
That's all.