一、ss即socket state
查看系统中socket的状态的。也可以用netstat,ss好处是当我们打开的socket数量很多时,netstat就会变得慢了。ss的强大之处,大于可以设定过滤条件,我们可以根据socket的状态来进行过滤,也可通过端口与ip地址进行过滤。
常用选项
-h, --help 帮助
-V, --version 显示版本号
-t, --tcp 显示 TCP 协议的 sockets
-u, --udp 显示 UDP 协议的 sockets
-x, --unix 显示 unix domain sockets,与 -f 选项相同
-n, --numeric 不解析服务的名称,如 "22" 端口不会显示成 "ssh"
-l, --listening 只显示处于监听状态的端口
-p, --processes 显示监听端口的进程(Ubuntu 上需要 sudo)
-a, --all 对 TCP 协议来说,既包含监听的端口,也包含建立的连接
-r, --resolve 把 IP 解释为域名,把端口号解释为协议名称
也就是我们在命令格式里面看到的STATE-FILTER与ADDRESS-FILTER。
首先看看STATE-FILTER,STATE-FILTER可用的过滤条件有:
1. 所有的TCP状态,包含:established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listen and closing.
2. all,包含所有的状态。
3. connected,除了listen与closed的所有其它状态。
4. synchronized,除了syn-sent的所有connected的状态。
5. bucket
6. big
再看看ADDRESS-FILTER,ADDRESS-FILTER用于过滤端口与地址。而且可以进行表达式组合。可用的子表达式有:
1. dst ADDRESS_PATTERN
2. src ADDRESS_PATTERN
3. dport RELOP PORT
4. sport RELOP PORT
5. autobound
其中ADDRESS_PATTERN为ip地址与端口匹配,ip:port,可以用*代替。RELOP为<= >=或==。
如:
# ss src 192.168.40.132:80
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 192.168.40.132:http 192.168.40.1:60564
tcp ESTAB 0 0 192.168.40.132:http 192.168.40.1:60557
tcp ESTAB 0 0 192.168.40.132:http 192.168.40.1:60565
# ss -lp src :80 (想看当前机器的80端口被谁占用了)
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 *:http *:* users:(("nginx",pid=16662,fd=6),("nginx",pid=16661,fd=6),("nginx",pid=16660,fd=6),("nginx",pid=16659,fd=6))
tcp LISTEN 0 128 :::http :::* users:(("nginx",pid=16662,fd=7),("nginx",pid=16661,fd=7),("nginx",pid=16660,fd=7),("nginx",pid=16659,fd=7))
# ss state connected | tail -n 5
u_str ESTAB 0 0 * 37632 * 37633
u_str ESTAB 0 0 /run/dbus/system_bus_socket 33940 * 33565
u_str ESTAB 0 0 * 49281 * 49282
tcp ESTAB 0 52 192.168.40.132:ssh 192.168.40.1:58372
v_str ESTAB 0 0 1232929879:1023 0:976
# ss -s (显示当前系统的socket占用总体宏观情况)
当已创建的socket数过多时,已经说明系统配置存在问题。
Total: 585 (kernel 1020)
TCP: 9 (estab 1, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 0
Transport Total IP IPv6
* 1020 - -
RAW 1 0 1
UDP 5 3 2
TCP 9 5 4
INET 15 8 7
FRAG 0 0 0
# ss -a -t (显示tcp的socket情况 , ss -a -u显示udp的socket情况 )
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:sunrpc *:*
LISTEN 0 128 *:http *:*
LISTEN 0 128 *:ssh *:*
LISTEN 0 100 127.0.0.1:smtp *:*
ESTAB 0 52 192.168.40.132:ssh 192.168.40.1:58372
LISTEN 0 128 :::sunrpc :::*
LISTEN 0 128 :::http :::*
LISTEN 0 128 :::ssh :::*
LISTEN 0 100 ::1:smtp :::*
# ss -nlp (显示当前系统上所有打开的端口,以及使用该端口的进程名称)
ss -nlp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
nl UNCONN 768 0 0:1110 *
nl UNCONN 0 0 0:0 *
nl UNCONN 4352 0 4:1440 *
nl UNCONN 768 0 4:0 *
nl UNCONN 0 0 6:1110 *
nl UNCONN 0 0 6:0 *
nl UNCONN 0 0 7:1 *
# ss -nlp | grep 22 (找出占用了某个端口的应用程序 )
ss -nlp | grep 22
tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=938,fd=3))
tcp LISTEN 0 128 :::22 :::* users:(("sshd",pid=938,fd=4))
# ip -s link ls ens33 (显示每个端口的统计信息)
# ip -s link ls ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 00:0c:29:ce:16:d0 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
8682628 6506 0 0 0 0
TX: bytes packets errors dropped carrier collsns
99404 947 0 0 0 0
# ss -tnl 查看主机监听的端口
#ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 :::23 :::*
#ss -tl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:http *:*
LISTEN 0 128 *:ssh *:*
LISTEN 0 128 :::http :::*
LISTEN 0 128 :::ssh :::*
LISTEN 0 128 :::telnet :::*
查看监听端口的程序名称
ss -tlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:http *:* users:(("nginx",pid=1402,fd=6),("nginx",pid=1401,fd=6),("nginx",pid=1400,fd=6),("nginx",pid=1399,fd=6))
LISTEN 0 128 *:ssh *:* users:(("sshd",pid=938,fd=3))
LISTEN 0 128 :::http :::* users:(("nginx",pid=1402,fd=7),("nginx",pid=1401,fd=7),("nginx",pid=1400,fd=7),("nginx",pid=1399,fd=7))
LISTEN 0 128 :::ssh :::* users:(("sshd",pid=938,fd=4))
LISTEN 0 128 :::telnet :::* users:(("systemd",pid=1,fd=40))
过滤某一程序 ss -tlp | grep xxx
ss -tlp | grep nginx
LISTEN 0 128 *:http *:* users:(("nginx",pid=1402,fd=6),("nginx",pid=1401,fd=6),("nginx",pid=1400,fd=6),("nginx",pid=1399,fd=6))
LISTEN 0 128 :::http :::* users:(("nginx",pid=1402,fd=7),("nginx",pid=1401,fd=7),("nginx",pid=1400,fd=7),("nginx",pid=1399,fd=7))
显示所有状态为 Established 的 HTTP 连接:
ss -4n state listening
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp 0 128 *:80 *:*
tcp 0 128 *:22 *:*
二、dig
Dig是一个在类Unix命令行模式下查询DNS包括NS记录,A记录,MX记录等相关信息的工具。
NS记录:域名服务器记录,用来指定域名由哪台服务器来进行解析。可以使用 nslookup -qt=ns ezloo.com(一个具体的域名)来查看。
A记录:列出特定主机名的 IP 地址,即ip与域名的对应关系。可以通过 nslookup -qt=a www.ezloo.com 来查看A记录。
MX记录:邮件交换记录,有权重值
CANME记录:别名记录,它允许你将多个记录映射到同一台计算机上。
AAAA记录: (AAAA record)是用来将域名解析到IPv6地址的DNS记录。用户可以将一个域名解析到IPv6地址上,也可以将子域名解析到IPv6地址上。
# yum install bind-utils-9.11.4-16.P2.el7_8.3.x86_64 安装
# dig www.isc.org
;; QUESTION SECTION:
;www.isc.org. IN A
;; ANSWER SECTION:
www.isc.org. 5 IN CNAME dualstack.osff2.map.fastly.net.
dualstack.osff2.map.fastly.net. 5 IN A 151.101.230.217
;; Query time: 20 msec
;; SERVER: 192.168.40.2#53(192.168.40.2)
;; WHEN: 日 8月 16 19:38:48 CST 2020
;; MSG SIZE rcvd: 89
# dig yahoo.com A +noall +answer (过滤查找 雅虎:yahoo.com的A记录:(此处一定是域而不是主机)
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.3 <<>> yahoo.com A +noall +answer
;; global options: +cmd
yahoo.com. 1509 IN A 74.6.143.26
yahoo.com. 1509 IN A 98.137.11.164
yahoo.com. 1509 IN A 74.6.231.20
yahoo.com. 1509 IN A 74.6.231.21
yahoo.com. 1509 IN A 98.137.11.163
yahoo.com. 1509 IN A 74.6.143.25
# nslookup -qt=a www.yahoo.com
*** Invalid option: qt=a
Server: 114.114.114.114
Address: 114.114.114.114#53
Non-authoritative answer:
www.yahoo.com canonical name = new-fp-shed.wg1.b.yahoo.com.
Name: new-fp-shed.wg1.b.yahoo.com
Address: 180.222.102.202
Name: new-fp-shed.wg1.b.yahoo.com
Address: 180.222.102.201
Name: new-fp-shed.wg1.b.yahoo.com
Address: 2406:2000:ec:c58::3000
Name: new-fp-shed.wg1.b.yahoo.com
Address: 2406:2000:ec:c58::3001
# dig yahoo.com MX +noall +answer 查找yahoo.com MX记录的列表:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.3 <<>> yahoo.com MX +noall +answer
;; global options: +cmd
yahoo.com. 33 IN MX 1 mta7.am0.yahoodns.net.
yahoo.com. 33 IN MX 1 mta5.am0.yahoodns.net.
yahoo.com. 33 IN MX 1 mta6.am0.yahoodns.net.
# dig yahoo.com NS +noall +answer 查找yahoo.com的权威DNS
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.3 <<>> yahoo.com NS +noall +answer
;; global options: +cmd
yahoo.com. 70880 IN NS ns5.yahoo.com.
yahoo.com. 70880 IN NS ns4.yahoo.com.
yahoo.com. 70880 IN NS ns3.yahoo.com.
yahoo.com. 70880 IN NS ns2.yahoo.com.
yahoo.com. 70880 IN NS ns1.yahoo.com.
# dig www.isc.org AAAA +short
dualstack.osff2.map.fastly.net.
2a04:4e42:1a::729
# dig yahoo.com ANY +noall +answer 查询上面所有的记录:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.3 <<>> yahoo.com ANY +noall +answer
;; global options: +cmd
yahoo.com. 33 IN AAAA 2001:4998:24:120d::1:0
yahoo.com. 33 IN AAAA 2001:4998:124:1507::f001
yahoo.com. 33 IN AAAA 2001:4998:124:1507::f000
yahoo.com. 33 IN AAAA 2001:4998:24:120d::1:1
yahoo.com. 33 IN AAAA 2001:4998:44:3507::8001
yahoo.com. 33 IN AAAA 2001:4998:44:3507::8000
yahoo.com. 33 IN TXT "facebook-domain-verification=gysqrcd69g0ej34f4jfn0huivkym1p"
yahoo.com. 33 IN TXT "edb3bff2c0d64622a9b2250438277a59"
yahoo.com. 33 IN TXT "v=spf1 redirect=_spf.mail.yahoo.com"
yahoo.com. 33 IN MX 1 mta5.am0.yahoodns.net.
yahoo.com. 33 IN MX 1 mta7.am0.yahoodns.net.
yahoo.com. 33 IN MX 1 mta6.am0.yahoodns.net.
yahoo.com. 33 IN A 74.6.143.26
yahoo.com. 33 IN A 74.6.231.21
yahoo.com. 33 IN A 98.137.11.163
yahoo.com. 33 IN A 74.6.231.20
# dig www.isc.org +short 当需要一个快速回答时,+short选项
204.152.184.88
# dig -x 74.6.143.26 +short -x 根据ip查域名
media-router-fp74.prod.media.vip.bf1.yahoo.com.
# dig yahoo.com +nssearch 从根服务器开始追踪一个域名的解析过程
SOA ns1.yahoo.com. hostmaster.yahoo-inc.com. 2020081505 3600 300 1814400 600 from server 202.165.97.53 in 85 ms.
SOA ns1.yahoo.com. hostmaster.yahoo-inc.com. 2020081505 3600 300 1814400 600 from server 98.138.11.157 in 223 ms.
SOA ns1.yahoo.com. hostmaster.yahoo-inc.com. 2020081505 3600 300 1814400 600 from server 68.142.255.16 in 252 ms.
SOA ns1.yahoo.com. hostmaster.yahoo-inc.com. 2020081505 3600 300 1814400 600 from server 68.180.131.16 in 254 ms.
SOA ns1.yahoo.com. hostmaster.yahoo-inc.com. 2020081505 3600 300 1814400 600 from server 27.123.42.42 in 364 ms.
下面是 dig 的一些比较常用的命令: # dig 最基本的用法
dig @server qianlong.com
# 用 dig 查看 zone 数据传输
dig @server qianlong.com AXFR
# 用 dig 查看 zone 数据的增量传输
dig @server qianlong.com IXFR=N
# 用 dig 查看反向解析
dig -x 124.42.102.203 @server
# 查找一个域的授权 dns 服务器
dig qianlong.com +nssearch
# 从根服务器开始追踪一个域名的解析过程
dig qianlong.com +trace
# 查看你使用的是哪个 F root dns server
dig +norec @F.ROOT-SERVERS.NET HOSTNAME.BIND CHAOS TXT
# 查看 bind 的版本号
dig @bind_dns_server CHAOS TXT version.bind
https://www.imooc.com/article/26972 很详细的ss用法
https://www.cnblogs.com/machangwei-8/p/10353216.html