ss and dig
1. ss, short for socket state
ss shows the state of the sockets on the system. netstat can do the same, but the advantage of ss is that it stays fast when a large number of sockets are open, where netstat slows down. The real strength of ss is its filtering: we can filter by socket state, and also by port and IP address.
ss is faster than netstat because netstat walks every PID directory under /proc, while ss reads the statistics under /proc/net directly. ss therefore uses far less CPU and finishes far sooner than netstat.
Common options
- -h, --help        show help
- -V, --version     show the version number
- -t, --tcp         show TCP sockets
- -u, --udp         show UDP sockets
- -x, --unix        show Unix domain sockets (same as the -f option)
- -n, --numeric     do not resolve service names, e.g. port "22" is not shown as "ssh"
- -l, --listening   show only ports in the listening state
- -p, --processes   show the process that owns the listening port (needs sudo on Ubuntu)
- -a, --all         for TCP, include both listening ports and established connections
- -r, --resolve     resolve IP addresses to domain names and port numbers to service names
Common ss commands
- ss -l: show all locally open ports
- ss -pl: show which sockets each process has opened
- ss -t -a: show all TCP sockets
- ss -u -a: show all UDP sockets
- ss -o state established '( dport = :smtp or sport = :smtp )': show all established SMTP connections
- ss -o state established '( dport = :http or sport = :http )': show all established HTTP connections
- ss -x src /tmp/.X11-unix/*: find all processes connected to the X server
- ss -lp src :80: see what is using port 80
- ss -nlp | grep 22
First, STATE-FILTER. The filter conditions available for STATE-FILTER are:
1. All the TCP states, namely: established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listen and closing.
2. all: every state.
3. connected: every state except listen and closed.
4. synchronized: every connected state except syn-sent.
5. bucket
6. big
Next, ADDRESS-FILTER. ADDRESS-FILTER filters on ports and addresses, and its sub-expressions can be combined. The available sub-expressions are:
1. dst ADDRESS_PATTERN
2. src ADDRESS_PATTERN
3. dport RELOP PORT
4. sport RELOP PORT
5. autobound
Here ADDRESS_PATTERN matches an IP address and port in the form ip:port, where either part may be replaced by *. RELOP is one of <=, >= or ==.
Filtering ss by IP address
- ss src ADDRESS_PATTERN
- src: the source side of the connection
- ADDRESS_PATTERN: the address pattern to match
List connections from 120.33.31.1 on port 80:
ss src 120.33.31.1:http
ss src 120.33.31.1:8
ss src 192.168.40.132:80
Netid State Recv-Q Send-Q Local Address:Port   Peer Address:Port
tcp   ESTAB 0      0      192.168.40.132:http  192.168.40.1:60564
tcp   ESTAB 0      0      192.168.40.132:http  192.168.40.1:60557
tcp   ESTAB 0      0      192.168.40.132:http  192.168.40.1:60565
ss -lp src :80 (to see what is occupying port 80 on this machine)
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    *:http             *:*     users:(("nginx",pid=16662,fd=6),("nginx",pid=16661,fd=6),("nginx",pid=16660,fd=6),("nginx",pid=16659,fd=6))
tcp   LISTEN 0      128    :::http            :::*    users:(("nginx",pid=16662,fd=7),("nginx",pid=16661,fd=7),("nginx",pid=16660,fd=7),("nginx",pid=16659,fd=7))
ss state connected | tail -n 5
u_str ESTAB 0 0   * 37632                          * 37633
u_str ESTAB 0 0   /run/dbus/system_bus_socket 33940  * 33565
u_str ESTAB 0 0   * 49281                          * 49282
tcp   ESTAB 0 52  192.168.40.132:ssh               192.168.40.1:58372
v_str ESTAB 0 0   1232929879:1023                  0:976
Filtering ss by port
- ss dport OP PORT
- OP: the comparison operator
- PORT: the port to compare against
- dport: filters on the destination port; sport is its counterpart for the source port
The OP operators are as follows:
- <= or le : less than or equal to
- >= or ge : greater than or equal to
- == or eq : equal to
- != or ne : not equal to
- <  or lt : less than
- >  or gt : greater than
OP examples
ss sport = :http   (equivalently ss sport = :80)
ss dport = :http
ss dport \> :1024
ss sport \> :1024
ss sport \< :32000
ss sport eq :22
ss dport != :22
ss state connected sport = :http
ss \( sport = :http or sport = :https \)
ss -o state fin-wait-1 \( sport = :http or sport = :https \) dst 192.168.1/24
ss -s (show an overall summary of socket usage on the current system)
An excessively large number of created sockets indicates a problem with the system configuration.
Total: 585 (kernel 1020)
TCP:   9 (estab 1, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 0

Transport Total IP   IPv6
*         1020  -    -
RAW       1     0    1
UDP       5     3    2
TCP       9     5    4
INET      15    8    7
FRAG      0     0    0
ss -a -t (show the TCP sockets; ss -a -u shows the UDP sockets)
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:sunrpc            *:*
LISTEN 0      128    *:http              *:*
LISTEN 0      128    *:ssh               *:*
LISTEN 0      100    127.0.0.1:smtp      *:*
ESTAB  0      52     192.168.40.132:ssh  192.168.40.1:58372
LISTEN 0      128    :::sunrpc           :::*
LISTEN 0      128    :::http             :::*
LISTEN 0      128    :::ssh              :::*
LISTEN 0      100    ::1:smtp            :::*
ss -nlp (show every open port on the system together with the name of the process using it)
ss -nlp
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
nl    UNCONN 768    0      0:1110             *
nl    UNCONN 0      0      0:0                *
nl    UNCONN 4352   0      4:1440             *
nl    UNCONN 768    0      4:0                *
nl    UNCONN 0      0      6:1110             *
nl    UNCONN 0      0      6:0                *
nl    UNCONN 0      0      7:1                *
ss -nlp | grep 22 (find the application that occupies a given port)
ss -nlp | grep 22
tcp   LISTEN 0      128    *:22               *:*    users:(("sshd",pid=938,fd=3))
tcp   LISTEN 0      128    :::22              :::*   users:(("sshd",pid=938,fd=4))
ip -s link ls ens33 (show the traffic statistics of an interface)
# ip -s link ls ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 00:0c:29:ce:16:d0 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    8682628    6506     0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    99404      947      0       0       0       0
ss -tnl: view the ports the host is listening on
#ss -tnl
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:80               *:*
LISTEN 0      128    *:22               *:*
LISTEN 0      128    :::80              :::*
LISTEN 0      128    :::22              :::*
LISTEN 0      128    :::23              :::*
#ss -tl
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:http             *:*
LISTEN 0      128    *:ssh              *:*
LISTEN 0      128    :::http            :::*
LISTEN 0      128    :::ssh             :::*
LISTEN 0      128    :::telnet          :::*
View the name of the program listening on each port
ss -tlp
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:http             *:*     users:(("nginx",pid=1402,fd=6),("nginx",pid=1401,fd=6),("nginx",pid=1400,fd=6),("nginx",pid=1399,fd=6))
LISTEN 0      128    *:ssh              *:*     users:(("sshd",pid=938,fd=3))
LISTEN 0      128    :::http            :::*    users:(("nginx",pid=1402,fd=7),("nginx",pid=1401,fd=7),("nginx",pid=1400,fd=7),("nginx",pid=1399,fd=7))
LISTEN 0      128    :::ssh             :::*    users:(("sshd",pid=938,fd=4))
LISTEN 0      128    :::telnet          :::*    users:(("systemd",pid=1,fd=40))
Filter for one program: ss -tlp | grep xxx
ss -tlp | grep nginx
LISTEN 0      128    *:http             *:*     users:(("nginx",pid=1402,fd=6),("nginx",pid=1401,fd=6),("nginx",pid=1400,fd=6),("nginx",pid=1399,fd=6))
LISTEN 0      128    :::http            :::*    users:(("nginx",pid=1402,fd=7),("nginx",pid=1401,fd=7),("nginx",pid=1400,fd=7),("nginx",pid=1399,fd=7))
Show all IPv4 sockets in the listening state, with numeric ports:
ss -4n state listening
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   0      128    *:80               *:*
tcp   0      128    *:22               *:*
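The listener listings above are what you would audit on a host to spot a service that should not be exposed (the telnet listener owned by systemd is the kind of thing to catch). The following is an added example, not part of the original notes: a small POSIX sh/awk function that reads `ss -tlnp` output on stdin and prints every listener that is not on an allowlist of expected port:process pairs. The allowlist and the sample ss output are constructed for the example; the process names and pids are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original notes): audit listening TCP sockets
# from `ss -tlnp` output against an allowlist of expected port:process pairs.
# Sample output constructed to match the format shown on this page.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:80       0.0.0.0:*   users:(("nginx",pid=1402,fd=6),("nginx",pid=1401,fd=6))
LISTEN 0      128    0.0.0.0:22       0.0.0.0:*   users:(("sshd",pid=938,fd=3))
LISTEN 0      128    [::]:23          [::]:*      users:(("systemd",pid=1,fd=40))
LISTEN 0      128    127.0.0.1:6379   0.0.0.0:*   users:(("redis-server",pid=2211,fd=6))'

# Allowlist of "port:process" pairs expected on this host (hypothetical).
ALLOWED="80:nginx 22:sshd 6379:redis-server"

# audit_listeners: reads `ss -tlnp` output on stdin and prints one line
# "port process" per listener that is NOT in the allowlist; prints nothing
# when every listener is expected.
audit_listeners() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        # Local address is column 4; the port is whatever follows the last ":".
        port = $4; sub(/.*:/, "", port)
        # The owning process is the first quoted name inside users:((...)).
        proc = "?"
        if (match($0, /users:\(\("[^"]+"/)) {
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        }
        if (!((port ":" proc) in ok)) print port, proc
    }'
}

# Run against the constructed sample; in practice: ss -tlnp | audit_listeners
printf '%s\n' "$SAMPLE_SS" | audit_listeners
```

On the sample this reports only `23 systemd`, the telnet listener that is absent from the allowlist.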
2. dig
dig is a command-line tool for Unix-like systems that queries DNS for NS records, A records, MX records and related information.
NS record: name server record, which specifies which server is responsible for resolving the domain. It can be viewed with nslookup -qt=ns ezloo.com (a concrete domain).
A record: lists the IP address for a particular hostname, i.e. the mapping between an IP and a domain name. The A record can be viewed with nslookup -qt=a www.ezloo.com.
MX record: mail exchange record, which carries a preference value.
CNAME record: alias record, which lets you map several names onto the same machine.
AAAA record: a DNS record that resolves a domain name to an IPv6 address. A domain, or a subdomain, can be pointed at an IPv6 address this way.
# yum install bind-utils-9.11.4-16.P2.el7_8.3.x86_64   (install)
# dig www.isc.org
;; QUESTION SECTION:
;www.isc.org.                   IN      A

;; ANSWER SECTION:
www.isc.org.                    5       IN      CNAME   dualstack.osff2.map.fastly.net.
dualstack.osff2.map.fastly.net. 5       IN      A       151.101.230.217

;; Query time: 20 msec
;; SERVER: 192.168.40.2#53(192.168.40.2)
;; WHEN: 日 8月 16 19:38:48 CST 2020
;; MSG SIZE  rcvd: 89
# dig yahoo.com A +noall +answer   (filter the output down to the A records of yahoo.com; this must be the domain, not a hostname)
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.3 <<>> yahoo.com A +noall +answer
;; global options: +cmd
yahoo.com.              1509    IN      A       74.6.143.26
yahoo.com.              1509    IN      A       98.137.11.164
yahoo.com.              1509    IN      A       74.6.231.20
yahoo.com.              1509    IN      A       74.6.231.21
yahoo.com.              1509    IN      A       98.137.11.163
yahoo.com.              1509    IN      A       74.6.143.25
# nslookup -qt=a www.yahoo.com
*** Invalid option: qt=a
Server:         114.114.114.114
Address:        114.114.114.114#53

Non-authoritative answer:
www.yahoo.com   canonical name = new-fp-shed.wg1.b.yahoo.com.
Name:   new-fp-shed.wg1.b.yahoo.com
Address: 180.222.102.202
Name:   new-fp-shed.wg1.b.yahoo.com
Address: 180.222.102.201
Name:   new-fp-shed.wg1.b.yahoo.com
Address: 2406:2000:ec:c58::3000
Name:   new-fp-shed.wg1.b.yahoo.com
Address: 2406:2000:ec:c58::3001
# dig yahoo.com MX +noall +answer   (list the MX records of yahoo.com)
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.3 <<>> yahoo.com MX +noall +answer
;; global options: +cmd
yahoo.com.              33      IN      MX      1 mta7.am0.yahoodns.net.
yahoo.com.              33      IN      MX      1 mta5.am0.yahoodns.net.
yahoo.com.              33      IN      MX      1 mta6.am0.yahoodns.net.
# dig yahoo.com NS +noall +answer   (find the authoritative DNS servers of yahoo.com)
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.3 <<>> yahoo.com NS +noall +answer
;; global options: +cmd
yahoo.com.              70880   IN      NS      ns5.yahoo.com.
yahoo.com.              70880   IN      NS      ns4.yahoo.com.
yahoo.com.              70880   IN      NS      ns3.yahoo.com.
yahoo.com.              70880   IN      NS      ns2.yahoo.com.
yahoo.com.              70880   IN      NS      ns1.yahoo.com.
# dig www.isc.org AAAA +short
dualstack.osff2.map.fastly.net. 2a04:4e42:1a::729
# dig yahoo.com ANY +noall +answer   (query all of the record types above at once)
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.3 <<>> yahoo.com ANY +noall +answer
;; global options: +cmd
yahoo.com.              33      IN      AAAA    2001:4998:24:120d::1:0
yahoo.com.              33      IN      AAAA    2001:4998:124:1507::f001
yahoo.com.              33      IN      AAAA    2001:4998:124:1507::f000
yahoo.com.              33      IN      AAAA    2001:4998:24:120d::1:1
yahoo.com.              33      IN      AAAA    2001:4998:44:3507::8001
yahoo.com.              33      IN      AAAA    2001:4998:44:3507::8000
yahoo.com.              33      IN      TXT     "facebook-domain-verification=gysqrcd69g0ej34f4jfn0huivkym1p"
yahoo.com.              33      IN      TXT     "edb3bff2c0d64622a9b2250438277a59"
yahoo.com.              33      IN      TXT     "v=spf1 redirect=_spf.mail.yahoo.com"
yahoo.com.              33      IN      MX      1 mta5.am0.yahoodns.net.
yahoo.com.              33      IN      MX      1 mta7.am0.yahoodns.net.
yahoo.com.              33      IN      MX      1 mta6.am0.yahoodns.net.
yahoo.com.              33      IN      A       74.6.143.26
yahoo.com.              33      IN      A       74.6.231.21
yahoo.com.              33      IN      A       98.137.11.163
yahoo.com.              33      IN      A       74.6.231.20
# dig www.isc.org +short   (the +short option, for when you only need a quick answer)
204.152.184.88
# dig -x 74.6.143.26 +short   (-x does a reverse lookup: find the name for an IP)
media-router-fp74.prod.media.vip.bf1.yahoo.com.
# dig yahoo.com +nssearch   (query each authoritative name server of the domain for its SOA record, as listed further below; +trace is the option that follows resolution from the root servers)
SOA ns1.yahoo.com. hostmaster.yahoo-inc.com. 2020081505 3600 300 1814400 600 from server 202.165.97.53 in 85 ms.
SOA ns1.yahoo.com. hostmaster.yahoo-inc.com. 2020081505 3600 300 1814400 600 from server 98.138.11.157 in 223 ms.
SOA ns1.yahoo.com. hostmaster.yahoo-inc.com. 2020081505 3600 300 1814400 600 from server 68.142.255.16 in 252 ms.
SOA ns1.yahoo.com. hostmaster.yahoo-inc.com. 2020081505 3600 300 1814400 600 from server 68.180.131.16 in 254 ms.
SOA ns1.yahoo.com. hostmaster.yahoo-inc.com. 2020081505 3600 300 1814400 600 from server 27.123.42.42 in 364 ms.
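The `+noall +answer` output above is line-oriented, which makes it easy to post-process when checking a zone you operate, e.g. that the mail-related records (MX targets and an SPF policy in TXT) are published as intended. The following is an added example, not part of the original notes: POSIX sh/awk helpers that read an answer section on stdin and summarise it by record type, list the MX hosts in preference order, and extract the SPF record. The sample input is a constructed subset of the yahoo.com ANY answer shown above.

```shell
#!/bin/sh
# Added example (not from the original notes): post-process `dig ... +noall
# +answer` output. Sample answer lines constructed from the yahoo.com output
# on this page; in practice pipe real dig output into the functions.
SAMPLE_DIG='yahoo.com.  33 IN AAAA 2001:4998:24:120d::1:0
yahoo.com.  33 IN TXT "v=spf1 redirect=_spf.mail.yahoo.com"
yahoo.com.  33 IN TXT "edb3bff2c0d64622a9b2250438277a59"
yahoo.com.  33 IN MX 1 mta7.am0.yahoodns.net.
yahoo.com.  33 IN MX 1 mta5.am0.yahoodns.net.
yahoo.com.  33 IN A 74.6.143.26
yahoo.com.  33 IN A 74.6.231.21'

# rr_counts: prints "TYPE count" for each record type in the answer section.
# Field layout of a dig answer line: NAME TTL CLASS TYPE RDATA...
rr_counts() {
    awk '$3 == "IN" { c[$4]++ } END { for (t in c) print t, c[t] }' | LC_ALL=C sort
}

# mx_hosts: prints MX target hosts ordered by preference, then by name.
mx_hosts() {
    awk '$3 == "IN" && $4 == "MX" { print $5, $6 }' | sort -k1,1n -k2,2 | awk '{ print $2 }'
}

# spf_record: prints the SPF policy (the TXT record starting with v=spf1)
# with its quotes stripped, or "none" if the zone publishes no SPF record.
spf_record() {
    awk '$3 == "IN" && $4 == "TXT" {
        txt = $0
        sub(/^[^"]*"/, "", txt)   # drop everything up to the opening quote
        sub(/"[^"]*$/, "", txt)   # drop the closing quote
        if (txt ~ /^v=spf1/) { print txt; found = 1 }
    } END { if (!found) print "none" }'
}

# Run the helpers against the constructed sample.
printf '%s\n' "$SAMPLE_DIG" | rr_counts
printf '%s\n' "$SAMPLE_DIG" | mx_hosts
printf '%s\n' "$SAMPLE_DIG" | spf_record
```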
Some commonly used dig commands:
# dig, the most basic usage
dig @server qianlong.com
# view a zone transfer with dig
dig @server qianlong.com AXFR
dig @114.114.114.114 registry-1.docker.io

; <<>> DiG 9.10.6 <<>> @114.114.114.114 registry-1.docker.io
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22229
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;registry-1.docker.io.          IN      A

;; ANSWER SECTION:
registry-1.docker.io.   124     IN      A       34.205.13.154
registry-1.docker.io.   124     IN      A       3.216.34.172
registry-1.docker.io.   124     IN      A       44.205.64.79

;; Query time: 17 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Thu May 25 22:48:27 CST 2023
;; MSG SIZE  rcvd: 97
# view an incremental zone transfer with dig
dig @server qianlong.com IXFR=N
# reverse lookup with dig
dig -x 124.42.102.203 @server
# find the authoritative DNS servers of a domain
dig qianlong.com +nssearch
# trace a domain's resolution from the root servers
dig qianlong.com +trace
# see which F root DNS server instance you are reaching
dig +norec @F.ROOT-SERVERS.NET HOSTNAME.BIND CHAOS TXT
# view the BIND version number
dig @bind_dns_server CHAOS TXT version.bind
https://www.imooc.com/article/26972: a detailed guide to ss usage
https://www.cnblogs.com/machangwei-8/p/10353216.html