Preface
At my previous job I did network technical support for a cloud provider. These are the commands I used back then, written down so I don't forget them.
TCPdump
Capture to a file (-n: no name resolution; dst host: only packets going to that address):
```
sudo tcpdump -i eth0 -n dst host x.x.x.x -w output.pcap
```
Read a capture back with full detail (-nn: no host or port name resolution, -vv: verbose, -X: hex and ASCII dump, -S: absolute TCP sequence numbers):
```
tcpdump -nnvvXSr my_capture.pcap
```
Capturing packets with a particular TCP flag
The flags byte (tcp[13], aliased as tcp[tcpflags]) has these bit values:

| URG | ACK | PSH | RST | SYN | FIN |
|---|---|---|---|---|---|
| 32 | 16 | 8 | 4 | 2 | 1 |

Capture only SYN (0x02) and SYN-ACK (0x12 = 16 + 2). The parentheses matter: `and` binds tighter than `or`, so without them the filter becomes `(port 80 and SYN-ACK) or (SYN on any port)`:
```
sudo tcpdump -i any 'port 80 and (tcp[tcpflags] == 0x12 or tcp[tcpflags] == 0x02)'
```
Split a large capture into 10 MB files (-C is in millions of bytes; tcpdump appends a sequence number to each output file name):
```
tcpdump -r old_file -w new_files -C 10
```
Find HTTP requests that never got a response. This is a Wireshark display filter, not a tcpdump capture filter: open the pcap in Wireshark and paste it into the filter bar:
```
http.request.method == "GET" && !http.response_in
```
References:
- https://www.howtouselinux.com/post/tcpdump-capture-packets-with-tcp-flags
- https://www.jinnsblog.com/2020/09/linux-tcpdump-network-traffic-tutorial.html
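The tcp[tcpflags] byte that the filter above compares is byte 13 of the TCP header. As an added example (not part of the original post, and not tcpdump's own code), the script below builds a constructed 20-byte TCP header, pulls the flags byte out of it, decodes it with the bit values from the table, generates the equivalent tcpdump expression, and shows why an exact `==` compare misses ECN-negotiating SYNs (which carry CWR and ECE as well, 0xC2). All packet bytes are constructed inline; nothing is captured from a network.

```python
"""
Added example: TCP flag byte handling behind the `tcp[tcpflags]` filter.
build_tcp_header() constructs a header with no options; the bytes are made up.
"""
import struct

# Bit values from the table; dict order matches tcpdump's tcp-urg ... tcp-fin.
TCP_FLAGS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}


def flags_value(names):
    """Combine flag names into the value that tcp[tcpflags] is compared against."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name.upper()]
    return value


def decode_flags(flag_byte):
    """Names of the six table bits set in a tcp[13] byte (ECN bits have no name here)."""
    return [name for name, bit in TCP_FLAGS.items() if flag_byte & bit]


def tcp_flags_from_header(tcp_header):
    """Raw flags byte of a TCP header: byte 13, exactly what tcp[tcpflags] reads."""
    if len(tcp_header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    return tcp_header[13]


def exact_match(flag_byte, names):
    """What `tcp[tcpflags] == value` does: the whole byte must be equal."""
    return flag_byte == flags_value(names)


def masked_match(flag_byte, names):
    """`tcp[tcpflags] & 0x3f == value`: ignores the ECN bits CWR (0x80) and ECE (0x40)."""
    return (flag_byte & 0x3F) == flags_value(names)


def bpf_filter(flag_sets, port=None):
    """Build a tcpdump expression matching packets whose flags equal any of flag_sets."""
    clauses = ["tcp[tcpflags] == 0x%02x" % flags_value(s) for s in flag_sets]
    expr = "(" + " or ".join(clauses) + ")"
    return "port %d and %s" % (port, expr) if port else expr


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Constructed 20-byte TCP header, data offset 5, no options."""
    offset_flags = (5 << 12) | (flags & 0x1FF)   # high nibble: header length in 32-bit words
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, 65535, 0, 0)


if __name__ == "__main__":
    syn = build_tcp_header(40000, 80, flags_value(["SYN"]))
    synack = build_tcp_header(80, 40000, flags_value(["SYN", "ACK"]))
    for pkt in (syn, synack):
        byte = tcp_flags_from_header(pkt)
        print(hex(byte), decode_flags(byte))
    print(bpf_filter([["SYN"], ["SYN", "ACK"]], port=80))
    # An ECN-capable client sends SYN with CWR|ECE set: exact compare misses it.
    print(exact_match(0xC2, ["SYN"]), masked_match(0xC2, ["SYN"]))
```

If hosts on the segment negotiate ECN, prefer the masked form `tcp[tcpflags] & 0x3f == 0x02` in the tcpdump filter, otherwise those SYNs silently drop out of the capture.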
Netstat
Shows network status (legacy net-tools; ss below is the modern replacement).
- -s: protocol statistics
- -i: interface table
List the processes listening on this host (-n numeric, -t TCP, -u UDP, -p owning process, -l listening sockets only; -p only shows other users' processes when run as root):
```
sudo netstat -ntupl
```
View the IPv4 routing table (-f inet is the macOS/BSD syntax; on Linux use `netstat -nr -A inet`, or `ip route`):
```
netstat -nr -f inet
```
ss
Inspects sockets.
- -t: TCP sockets
- -s: summary statistics
- -b: show the BPF filter attached to each socket (timers such as keepalive and retransmit timeouts are shown with -o, not -b)
- -a: all sockets, including listening ones (without -a only established connections are shown)
- -4 / -6: IPv4 / IPv6 only
```
ss -at
ss -t4
```
dublin-traceroute
Paris-traceroute style tool. It keeps the probe 5-tuple fixed per path, so ECMP load balancers stop hashing successive probes onto different paths (which is what makes classic traceroute show inconsistent or looping hops), and it enumerates the multiple paths it finds.
Tracetcp
- A better traceroute for Windows: it uses TCP SYN probes, so it works through firewalls that drop ICMP and UDP.
Tracepath
Discovers the path MTU, probing with high-numbered UDP ports (no root needed, unlike traceroute's raw-socket modes).
```
tracepath 172.31.38.209
 1?: [LOCALHOST]                                         pmtu 9001
 1:  ip-172-31-38-209.ap-northeast-1.compute.internal   0.599ms reached
 1:  ip-172-31-38-209.ap-northeast-1.compute.internal   0.316ms reached
     Resume: pmtu 9001 hops 1 back 1
```
The 9001 here is the jumbo-frame MTU of an EC2 instance inside a VPC.
Ethtool
- -i: driver and firmware version of the interface
- -S: NIC statistics counters (uppercase; lowercase -s changes settings)
Without a flag it prints the link settings (speed, duplex, negotiated modes).
```
[ec2-user@ip-172-31-45-13 ~]$ ethtool -i eth0
driver: ena
version: 2.5.0g
firmware-version:
expansion-rom-version:
bus-info: 0000:00:05.0
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: yes
```
```
pi@pija:~ $ ethtool eth0
Settings for eth0:
    Supported ports: [ TP MII ]
    Supported link modes:   10baseT/Half 10baseT/Full
                            100baseT/Half 100baseT/Full
    Supported pause frame use: Symmetric Receive-only
    Supports auto-negotiation: Yes
    Supported FEC modes: Not reported
    Advertised link modes:  10baseT/Half 10baseT/Full
                            100baseT/Half 100baseT/Full
    Advertised pause frame use: No
    Advertised auto-negotiation: Yes
    Advertised FEC modes: Not reported
    Link partner advertised link modes:  10baseT/Half 10baseT/Full
                                         100baseT/Half 100baseT/Full
    Link partner advertised pause frame use: Symmetric
    Link partner advertised auto-negotiation: Yes
    Link partner advertised FEC modes: Not reported
    Speed: 100Mb/s
    Duplex: Full
    Port: Twisted Pair
    PHYAD: 1
    Transceiver: internal
    Auto-negotiation: on
    MDI-X: Unknown
Cannot get wake-on-lan settings: Operation not permitted
    Current message level: 0x00000007 (7)
                           drv probe link
    Link detected: yes
```
The "Cannot get wake-on-lan settings: Operation not permitted" line appears because ethtool was run as an unprivileged user; run it with sudo to see the WoL settings too.
Nmap
The classic subnet scanner.
```
nmap -F x.x.x.x           # fast scan: only the 100 most common ports
sudo nmap -sS -A x.x.x.x  # SYN scan plus OS/version detection, default scripts and traceroute; -sS needs root
```
Rustscan
Fast subnet scanner: it finds open ports quickly and hands them to nmap for the detailed scan.
Run directly:
```
rustscan -a x.x.x.x
```
Via Docker:
```
alias rustscan="docker run -it --rm --name rustscan rustscan/rustscan:1.10.0"
rustscan -a x.x.x.x
```
Whois
Look up domain registration data (registrant, expiry date, name servers):
```
whois jackkuo.org
```
Dig
- -t: record type to query
- +trace: iterative query starting from the root servers
- +short: terse output
- -4: query over IPv4
- +tcp: force TCP (dig retries over TCP by itself when a UDP answer comes back truncated, that is, too large for a single UDP datagram)
```
dig +trace jackkuo.org txt
```
Nslookup
```
nslookup jackkuo.org
```
Ping
- -4: IPv4
- -a: audible (beep on each reply)
```
ping -4a 1.1.1.1
```
Check the path MTU with ping. -M do sets the Don't Fragment bit (Linux syntax; on macOS use -D), and 1472 bytes of payload + 8 bytes ICMP header + 20 bytes IPv4 header = 1500. If the local interface MTU is smaller, ping reports "message too long"; if a router on the path cannot forward it, you get "Frag needed and DF set" or no reply at all. Lower -s until it works; the largest working value + 28 is the path MTU:
```
ping -s 1472 -M do x.x.x.x
```
Traceroute
- Can use UDP, ICMP or TCP probes (Linux traceroute: -U, -I, -T).
- "* * *" means that hop did not answer the probe.
- Windows tracert only supports ICMP probes; use tracetcp instead when ICMP is filtered.
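Stepping -s by hand gets tedious on paths with an unknown MTU, so here is an added example (not from the original post) that automates the ping -s / -M do procedure above. probe_ping() wraps the Linux ping syntax; find_path_mtu() binary-searches the largest DF-set payload that still gets a reply and takes the probe as a parameter, so the search can also be driven offline by the constructed fake_path() stand-in. The 576 lower bound is the minimum IPv4 MTU and 9001 the jumbo-frame upper bound used on this page's EC2 examples.

```python
"""
Added example: path MTU discovery by binary search over DF-set pings.
probe_ping() needs a reachable host; fake_path() is a constructed stand-in.
"""
import subprocess

IP_ICMP_OVERHEAD = 20 + 8   # IPv4 header + ICMP echo header: MTU = payload + 28


def probe_ping(host, payload, timeout=2):
    """True if one DF-set echo with `payload` bytes gets a reply (Linux ping flags)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do", "-s", str(payload), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def find_path_mtu(probe, lo=576, hi=9001):
    """Largest MTU in [lo, hi] whose payload passes `probe`, or None if even `lo` fails.

    `probe(payload)` returns True when an echo of that payload size gets through.
    Binary search needs about log2(hi - lo) probes instead of one per byte.
    """
    lo_payload, hi_payload = lo - IP_ICMP_OVERHEAD, hi - IP_ICMP_OVERHEAD
    if not probe(lo_payload):
        return None
    while lo_payload < hi_payload:
        mid = (lo_payload + hi_payload + 1) // 2   # round up so the loop always progresses
        if probe(mid):
            lo_payload = mid
        else:
            hi_payload = mid - 1
    return lo_payload + IP_ICMP_OVERHEAD


def fake_path(mtu):
    """Constructed stand-in for a path with the given MTU, for offline runs."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= mtu


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        host = sys.argv[1]
        print(find_path_mtu(lambda p: probe_ping(host, p)))
    else:
        print(find_path_mtu(fake_path(1500)))   # offline demo of a plain Ethernet path
```

Run it as `python3 pmtu.py x.x.x.x` against a real host; a path that silently blackholes ICMP "fragmentation needed" messages shows up as a result well below the local interface MTU.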
MTR
Shows per-hop latency and packet loss along the path.
"???" means that hop did not answer the probe.
Flags used below: -n no DNS lookups, -z show AS numbers, -r report mode, -w wide report, -c 60 send 60 cycles, -P the destination port.
- TCP probes (-T):
```
mtr -nzrwTP <TCP port> -c 60 <IP/domain>
```
- UDP probes (-u):
```
mtr -nzrwuP <UDP port> -c 60 <IP/domain>
```
Hping3
Crafts custom TCP (also UDP, ICMP and raw IP) packets; handy for testing firewall rules.
Nping
Nmap's packet generator; crafts custom TCP/UDP (and ICMP, ARP) packets.
Telnet
Tests a TCP connection.
Wrapping it in time shows how long a connect takes before it succeeds or times out:
```
time telnet www.google.com 80
```
Iperf
Throughput test. Server (default port 5001; iperf3 listens on 5201 and is not wire-compatible with iperf 2):
```
sudo iperf -s [-p 5001]
```
Client (40 parallel streams, report every second, run for 2 seconds):
```
iperf -c 172.31.30.41 --parallel 40 -i 1 -t 2
```
NC
Check whether a port is open (-z: just connect, send no data; -v: verbose):
```
nc -zv x.x.x.x port
```
Listen:
- -l: listen
- -k: keep listening after a client disconnects (accept multiple connections)
```
nc -kl <port>
```
cURL
Timing breakdown in a loop. Each time_* value is cumulative since the request started, so subtract neighbouring values to get per-phase durations. -k disables certificate verification: acceptable for a timing loop against a host you own, never for real traffic.
```
while true; do curl -w "%{remote_ip} time_namelookup: %{time_namelookup} tcp: %{time_connect} ssl:%{time_appconnect} start_transfer:%{time_starttransfer} total:%{time_total}\n" -sk -o /dev/null http://www.amazon.com; done
```
Pin a hostname to an address without editing /etc/hosts (useful for hitting one backend behind a load balancer; the Host header and TLS SNI still carry the real name):
```
curl http://www.example.com --resolve www.example.com:80:127.0.0.1
```
Dump the TLS session secrets so Wireshark can decrypt the capture:
```
SSLKEYLOGFILE=/tmp/key.log curl https://www.amazon.com -o /dev/null
```
Load the -w format from a file:
```
curl -w "@/Users/chunkuo/curl-breakdown.conf" -s -o /dev/null <url>
```
Or inline:
```
curl -w "\n DNS lookup : %{time_namelookup}\n Connect to server (TCP) : %{time_connect}\n Connect to server (HTTP/S) : %{time_appconnect}\n Time from start until transfer began: %{time_pretransfer}\n Time for redirection (if any) : %{time_redirect}\n Total time before transfer started : %{time_starttransfer}\n \n Total time : %{time_total}\n Size of download (bytes) : %{size_download}\n Average d/l speed (bytes/s) : %{speed_download}\n"
```
curl-breakdown.conf:
```
\n
DNS lookup : %{time_namelookup}\n
Connect to server (TCP) : %{time_connect}\n
Connect to server (HTTP/S) : %{time_appconnect}\n
Time from start until transfer began: %{time_pretransfer}\n
Time for redirection (if any) : %{time_redirect}\n
Total time before transfer started : %{time_starttransfer}\n
\n
Total time : %{time_total}\n
Size of download (bytes) : %{size_download}\n
Average d/l speed (bytes/s) : %{speed_download}\n
```
Only the HTTP status code:
```
curl -sko /dev/null -w "%{http_code}" <url>
```
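The -w formats above print cumulative checkpoints, and reading "is DNS slow or is the server slow?" off them means subtracting neighbours by hand. As an added example (not from the original post) the script below defines its own parse-friendly -w format, converts the cumulative values into per-phase durations, skips a phase that did not happen (time_appconnect is 0 on plain http://, which would otherwise show up as a negative TLS handshake), and names the slowest phase. SAMPLE_LINE is constructed, not captured from a real request; time_url() runs real curl if you have it.

```python
"""
Added example: per-phase breakdown of curl's cumulative -w timings.
CURL_FORMAT and SAMPLE_LINE are this example's own, not from the post.
"""
import re
import subprocess

# Cumulative checkpoints in the order curl reaches them.
PHASES = ["time_namelookup", "time_connect", "time_appconnect",
          "time_pretransfer", "time_starttransfer", "time_total"]

# Name of the interval that ENDS at each checkpoint.
INTERVAL = {
    "time_namelookup": "dns",
    "time_connect": "tcp_connect",
    "time_appconnect": "tls_handshake",
    "time_pretransfer": "request_prep",
    "time_starttransfer": "server_wait",   # time to first byte
    "time_total": "transfer",
}

# name=%{name} pairs; the trailing \n is interpreted by curl, not Python.
CURL_FORMAT = " ".join("%s=%%{%s}" % (p, p) for p in PHASES) + "\\n"

SAMPLE_LINE = ("time_namelookup=0.004 time_connect=0.020 time_appconnect=0.080 "
               "time_pretransfer=0.081 time_starttransfer=0.300 time_total=0.310")


def parse_timings(line):
    """Return {checkpoint: seconds} for every time_* field present in the line."""
    found = dict(re.findall(r"(time_[a-z]+)=([0-9]+(?:\.[0-9]+)?)", line))
    return {p: float(found[p]) for p in PHASES if p in found}


def phase_durations(cumulative):
    """Turn cumulative checkpoints into the time each phase actually took.

    A zero checkpoint means the phase did not happen, so it is skipped rather
    than producing a negative duration for the next phase.
    """
    durations, previous = {}, 0.0
    for phase in PHASES:
        value = cumulative.get(phase, 0.0)
        if value == 0.0:
            continue
        durations[INTERVAL[phase]] = round(value - previous, 6)
        previous = value
    return durations


def slowest_phase(durations):
    """Name of the longest phase, or None for an empty breakdown."""
    return max(durations, key=durations.get) if durations else None


def time_url(url, insecure=False):
    """Run curl with CURL_FORMAT against url and return its phase durations."""
    cmd = ["curl", "-s", "-o", "/dev/null", "-w", CURL_FORMAT, url]
    if insecure:
        cmd.insert(1, "-k")   # skips certificate checks: only for timing a host you own
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return phase_durations(parse_timings(out))


if __name__ == "__main__":
    breakdown = phase_durations(parse_timings(SAMPLE_LINE))
    print(breakdown, "slowest:", slowest_phase(breakdown))
```

In the constructed sample the 219 ms between pretransfer and starttransfer is the server thinking, so no amount of DNS or TLS tuning would help; that is the distinction the raw cumulative numbers hide.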
lsof
Which process has port 80 open:
```
sudo lsof -i:80
```
All network sockets, numeric (-P: no port names, -n: no host names; both make it much faster):
```
sudo lsof -i -P -n
```
openssl
Open a TLS connection and talk to the server by hand (-crlf turns Enter into CRLF so a typed HTTP request is well-formed):
```
openssl s_client -crlf -connect xxx.com:443
```
Fetch the certificate chain with SNI (needed for hosts on a shared IP; `echo |` closes stdin so the command returns instead of waiting for input):
```
DOMAIN="api.binance.com"; echo | openssl s_client -servername $DOMAIN -connect $DOMAIN:443
```
Check whether TLS session resumption works (-reconnect reconnects five more times with the same session; the later lines should say "Reused"):
```
openssl s_client -connect google.com:443 -reconnect 2>&1 | grep "New\|Reused"
```
DNS
hostnamectl shows the host's name and related machine settings (on systemd-resolved hosts, `resolvectl status` shows the resolvers actually in use).
- DNS caching daemons you may find on a host:
  - NSCD (Name Service Cache Daemon)
  - dnsmasq
  - unbound
  - lwresd
- RHEL DNS configuration files:
  - /etc/hosts: static hostname to IP address mappings
  - /etc/resolv.conf: name server addresses
  - /etc/nsswitch.conf: resolution order; for example
    hosts: files dns
    means consult /etc/hosts first, then the name servers from /etc/resolv.conf
  - /etc/sysconfig/network: system-wide network settings
Paping
Cross-platform TCP port testing, emulating the functionality of ping (port ping).
```
$ paping localhost -p 22
paping v1.5.5 - Copyright (c) 2011 Mike Lovell
Connecting to localhost on TCP 22:
Connected to 127.0.0.1: time=0.07ms protocol=TCP port=22
Connected to 127.0.0.1: time=0.08ms protocol=TCP port=22
^C
Connection statistics:
Attempted = 4, Connected = 4, Failed = 0 (0.00%)
Approximate connection times:
Minimum = 0.07ms, Maximum = 0.08ms, Average = 0.07ms
```
Webhook and email testing sites
IP info
SSL Key Logfile
```
export SSLKEYLOGFILE=/tmp/keys.txt
```
Firefox, Chrome and curl (built against OpenSSL 1.1.1 or later, or NSS) append each session's TLS secrets to this file; point Wireshark at it under Preferences > Protocols > TLS > (Pre)-Master-Secret log filename to decrypt the capture. The file decrypts every session it covers, so export the variable only for the process you are debugging and delete the file when you are done.
Suricata
Allow HTTP and HTTPS only to specific domains: only flows whose Host header or TLS SNI matches may continue past the first request; everything else is dropped, which leaves a record in the log. Suricata evaluates pass rules before drop rules regardless of their position in the file (default action order: pass, drop, reject, alert). sid 3 and 4 let the TCP handshake through so that Suricata gets to see the Host/SNI before it decides. dotprefix prepends "." to the buffer before the endswith comparison, so ".trip.com" matches trip.com and www.trip.com but not eviltrip.com. Note that sid 1 as written allows every .com host; narrow it to the domain you actually mean, as sid 2 does.
```
pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; dotprefix; content:".com"; endswith; msg:"Allowed HTTP domain"; sid:1; rev:1;)
pass tls $HOME_NET any <> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".trip.com"; endswith; msg:"Allowing trip.com HTTPS requests"; sid:2; rev:1;)
pass tcp $HOME_NET any <> $EXTERNAL_NET 80 (flow:not_established; sid:3; rev:1;)
pass tcp $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; sid:4; rev:1;)
pass ip 27.0.0.0/16 any <> any any (msg:"pass all traffic from/to 27.0.0.0/16"; sid:5; rev:1;)
drop http $HOME_NET any <> $EXTERNAL_NET any (msg:"Deny other HTTP domains"; sid:7; rev:1;)
drop tls $HOME_NET any <> $EXTERNAL_NET any (msg:"Deny other HTTPS domains"; sid:8; rev:1;)
```
The catch-all drop rules used to match on `content:!"a"` (drop when the Host/SNI does not contain the letter a), which leaves any domain that contains an "a" unblocked; a drop rule with no content match catches everything the pass rules did not claim.
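To check the match semantics without a Suricata install, here is an added example (not from the original post, and not Suricata's code) that models the allowlist above: rule_matches() reproduces `dotprefix` + `endswith` by prepending "." to the Host/SNI before the suffix test, and decide() applies the default action order so pass wins over drop whatever the rule order is. NAIVE_RULES is the tempting shortcut of `content:"trip.com"; endswith` without dotprefix, included to show that it lets eviltrip.com through. The rule table and the names fed to it are constructed for this demo.

```python
"""
Added example: a model of Suricata's dotprefix/endswith matching and pass-over-drop
action order for the allowlist rules on this page. Rules and names are constructed.
"""

# (action, app-layer protocol, suffix pattern or None for "matches every flow", dotprefix?)
RULES = [
    ("drop", "tls", None, False),          # sid 8, listed first on purpose
    ("pass", "tls", ".trip.com", True),    # sid 2
    ("pass", "http", ".com", True),        # sid 1: every .com host
    ("drop", "http", None, False),         # sid 7
]

# The shortcut without dotprefix: plain suffix match on "trip.com".
NAIVE_RULES = [
    ("pass", "tls", "trip.com", False),
    ("drop", "tls", None, False),
]

# Default action order: pass beats drop beats reject beats alert.
ACTION_ORDER = {"pass": 0, "drop": 1, "reject": 2, "alert": 3}


def rule_matches(rule, proto, name):
    """Does one rule fire for a flow with this app-layer protocol and Host/SNI value?"""
    _action, rule_proto, pattern, use_dotprefix = rule
    if rule_proto != proto:
        return False
    if pattern is None:
        return True
    buf = "." + name if use_dotprefix else name
    return buf.endswith(pattern)   # content is case-sensitive unless nocase is added


def decide(proto, name, rules=RULES):
    """Action Suricata takes: the highest-priority action among the rules that fired."""
    fired = [r for r in rules if rule_matches(r, proto, name)]
    if not fired:
        return "pass"   # no rule matched: the flow is not dropped
    return min(fired, key=lambda r: ACTION_ORDER[r[0]])[0]


if __name__ == "__main__":
    for sni in ["trip.com", "www.trip.com", "eviltrip.com", "example.net"]:
        print("%-14s dotprefix rules: %-5s naive rules: %s"
              % (sni, decide("tls", sni), decide("tls", sni, NAIVE_RULES)))
```

The same table also makes the breadth of sid 1 visible: decide("http", "evil.com") passes, because ".evil.com" ends with ".com".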
SAR
Per-interface traffic, sampled every second (-n DEV):
```
$ sar -n DEV 1
02:59:00 AM     IFACE   rxpck/s   txpck/s    rxkB/s    txkB/s   rxcmp/s   txcmp/s  rxmcst/s
02:59:00 AM      eth0      5.45      9.09      0.34      1.74      0.00      0.00      0.00
02:59:00 AM        lo      0.00      0.00      0.00      0.00      0.00      0.00      0.00
02:59:00 AM   docker0      0.00      0.00      0.00      0.00      0.00      0.00      0.00
02:59:00 AM      eth1      0.00      0.00      0.00      0.00      0.00      0.00      0.00
```
The error counters below come from `sar -n EDEV 1` (the error report), not from DEV:
- IFACE: interface name
- rxerr/s: bad packets received per second
- txerr/s: errors per second while transmitting
- coll/s: collisions per second while transmitting
- rxdrop/s: received packets dropped per second for lack of buffer space
- txdrop/s: transmitted packets dropped per second for lack of buffer space
- txcarr/s: carrier errors per second while transmitting
- rxfram/s: frame alignment errors per second on receive
- rxfifo/s: FIFO overrun errors per second on receive
- txfifo/s: FIFO overrun errors per second on transmit
Linux Networking Stack Tuning
Checking certificates
Print a certificate in text form:
```
openssl x509 -in ca.crt -noout -text
```
Confirm that a certificate and a private key belong together: both commands print the public key, and the two outputs must be identical (diff them, or compare their sha256 sums):
```
openssl x509 -noout -pubkey -in DUMMY_CERT_TEST.crt
openssl pkey -pubout -in DUMMY_CERT_TEST.key
```
Verify that the certificate chains up to the CA:
```
openssl verify -CAfile ca.crt DUMMY_CERT_TEST.crt
```
See which stage an application is stuck in (-T: time spent inside each syscall, -tt: timestamps with microseconds). Add -f as well when tracing curl, because its default threaded resolver does the DNS lookup in a separate thread:
```
strace -f -T -tt -o output.log curl https://google.com
```
iptables
Dump every rule in iptables-save syntax:
```
iptables -S
```
List each table with packet and byte counters (-v), numeric addresses and ports (-n), and rule numbers (--line-numbers) for use with -D and -I. A packet traverses the tables in the order raw, mangle, nat, filter, security:
```
iptables -t filter -nvL --line-numbers
iptables -t raw -nvL --line-numbers
iptables -t security -nvL --line-numbers
iptables -t mangle -nvL --line-numbers
iptables -t nat -nvL --line-numbers
ip6tables -t filter -nvL --line-numbers
```
`iptables -V` tells you whether the binary is the legacy backend or the nf_tables compatibility layer; on an nftables host, `nft list ruleset` shows the complete state, including rules that the iptables view does not cover.