网络问题排查-服务端口

服务端口排查命令详解

nmap

示例

1. 检查IP 1-10000范围内所开端口情况

]# nmap 192.168.74.130
Starting Nmap 6.40 ( http://nmap.org ) at 2020-05-06 16:56 CST
Nmap scan report for 192.168.74.130
Host is up (0.000022s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 5.64 seconds

2. -vv详细输出

]# nmap -vv 192.168.74.130
Starting Nmap 6.40 ( http://nmap.org ) at 2020-05-06 16:58 CST
Initiating Parallel DNS resolution of 1 host. at 16:58
Completed Parallel DNS resolution of 1 host. at 16:59, 13.00s elapsed
Initiating SYN Stealth Scan at 16:59
Scanning 192.168.74.130 [1000 ports]
Discovered open port 22/tcp on 192.168.74.130
Completed SYN Stealth Scan at 16:59, 1.58s elapsed (1000 total ports)
Nmap scan report for 192.168.74.130
Host is up (0.000030s latency).
Scanned at 2020-05-06 16:59:06 CST for 2s
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 14.61 seconds
           Raw packets sent: 1061 (46.684KB) | Rcvd: 2123 (89.168KB)

3. 扫描20000-30000范围内的端口情况，不能大于65535

]# nmap -p20000-30000 192.168.74.130 
...
PORT      STATE SERVICE
20022/tcp open  unknown
...

4. 扫描指定端口情况

]# nmap -p22,25,8080 192.168.74.130
...
PORT   STATE  SERVICE
22/tcp open   ssh
25/tcp closed smtp
80/tcp closed http
...

5. 类似ping方式扫描

]# nmap -sP ip = ping ip 

6. 扫描一个网段下的ip

]# nmap -sP ip/24 

7. 路由跟踪 后面可以是域名或IP

]# nmap -traceroute www.baidu.com 
Starting Nmap 6.40 ( http://nmap.org ) at 2020-05-06 17:09 CST
Nmap scan report for www.baidu.com (61.135.169.125)
Host is up (0.023s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.121
Not shown: 997 filtered ports
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  open   https
6667/tcp closed irc

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   48.24 ms 192.168.74.2
2   43.83 ms 61.135.169.125

Nmap done: 1 IP address (1 host up) scanned in 18.57 seconds

8. 包含了1-1000端口ping扫描，操作系统扫描，脚本扫描，路由跟踪，服务探测

]# nmap -A ip 

ss

1. ss -tnlp #以数字格式显示tcp正在监听的连接
2. ss -o state fin-wait-1 '(sport=:http or sport=:https)'
3. ss src ip[:port]
4. ss dst ip[:port]

使用方法

ss [options] [filter]
      -t：tcp
      -u：udp
      -a：all
      -l：listen
      -p：process
      -s：列出当前socket详细信息
      -o state fin-wait-1 '(sport=:http or sport=:https)'
            established
            syn-sent
            syn-recv
            fin-wait-1
            fin-wait-2
            time-wait
            closed
            close-wait
            last-ack
            listen
            closing
            all：all of the above state
            connected：all the states except for listen and closed
            synchronized：all the connected states except for syn-sent
            bucket：show states, which are maintained as minisockets i,e time-wait and syn-recv
            big：opposite to bucket state

示例

1. 显示tcp所有连接

]# ss -atn

2. 显示状态为established的tcp连接

]# ss -t state established
Recv-Q Send-Q Local Address:Port                 Peer Address:Port                
0      0      192.168.74.130:ssh                  192.168.74.1:50978

3. 匹配本地地址和端口

]# ss src 192.168.74.130
Netid State      Recv-Q Send-Q        Local Address:Port                         Peer Address:Port
tcp   ESTAB      0      0            192.168.74.130:ssh                          192.168.74.1:50978

netstat

使用方法类似ss，但是速度较慢。ss比netstat快的主要原因是，netstat是遍历/proc下面每个PID目录，ss直接读/proc/net下面的统计信息。所以ss执行的时候消耗资源以及消耗的时间都比netstat少很多。
当服务器的socket连接数量非常大时（如上万个），无论是使用netstat命令还是直接cat /proc/net/tcp执行速度都会很慢，相比之下ss可以节省很多时间。ss快的秘诀在于，它利用了TCP协议栈中tcp_diag，这是一个用于分析统计的模块，可以获得Linux内核中的第一手信息。如果系统中没有tcp_diag，ss也可以正常运行，只是效率会变得稍微慢但仍然比netstat要快

telnet

1. 远程连接主机
2. 测试远程主机端口

示例：

1. 测试远程主机80端口

]# telnet 192.168.153.130 80