How do I list all requests to a UDP socket?

I'm running some server daemons that communicate with a large number of clients over UDP. How can I find and list all active UDP "connections" talking to the server, to estimate the number of active clients connected to the server daemon? Apart from sniffing packets with tshark or tcpdump and looking at the source IPs of the UDP packets arriving at the server daemon (and yes, I know UDP is a connectionless, stateless protocol), I can't think of a simple way to do this.

UDP is a stateless protocol – so there is no state.

To see which UDP ports are being listened on:

    netstat -lnpu

On Linux, assuming iproute2 is installed, you can run the ss command to pull up UDP sockets, like so:

    ss -u

Or all UDP sockets, with the associated process:

    [root@kerberos ks]# ss -u -pa
    State      Recv-Q Send-Q Local Address:Port                    Peer Address:Port
    UNCONN     0      0      *:kerberos                            *:*     users:(("krb5kdc",1935,7))
    UNCONN     0      0      *:mdns                                *:*     users:(("avahi-daemon",1613,13))
    UNCONN     0      0      *:rquotad                             *:*     users:(("rpc.rquotad",1872,3))
    UNCONN     0      0      *:kerberos-iv                         *:*     users:(("krb5kdc",1935,6))
    UNCONN     0      0      *:sunrpc                              *:*     users:(("rpcbind",1569,6))
    UNCONN     0      0      *:ipp                                 *:*     users:(("cupsd",1687,9))
    UNCONN     0      0      192.168.15.100:ntp                    *:*     users:(("ntpd",1976,23))
    UNCONN     0      0      172.16.15.1:ntp                       *:*     users:(("ntpd",1976,22))
    UNCONN     0      0      127.0.0.1:ntp                         *:*     users:(("ntpd",1976,21))
    UNCONN     0      0      *:ntp                                 *:*     users:(("ntpd",1976,16))
    UNCONN     0      0      *:892                                 *:*     users:(("rpc.mountd",1888,7))
    UNCONN     0      0      *:896                                 *:*     users:(("rpcbind",1569,7))
    UNCONN     0      0      *:32769                               *:*
    UNCONN     0      0      *:nfs                                 *:*
    UNCONN     0      0      *:syslog                              *:*     users:(("rsyslogd",1506,1))
    UNCONN     0      0      *:42375                               *:*     users:(("avahi-daemon",1613,14))
    UNCONN     0      0      *:pftp                                *:*     users:(("rpc.statd",1643,8))
    UNCONN     0      0      *:snmp                                *:*     users:(("snmpd",1949,7))
    UNCONN     0      0      *:37802                               *:*     users:(("squid",2124,9))
    UNCONN     0      0      *:bootps                              *:*     users:(("dhcpd",1987,7))
    UNCONN     0      0      *:tftp                                *:*     users:(("xinetd",1968,6))
    UNCONN     0      0      *:971                                 *:*     users:(("rpc.statd",1643,5))
    UNCONN     0      0      *:kpasswd                             *:*     users:(("kadmind",1926,6))
    UNCONN     0      0      fe80::2e0:4cff:fe90:40eb:kerberos     :::*    users:(("krb5kdc",1935,11))
    UNCONN     0      0      fe80::226:2dff:fe47:309f:kerberos     :::*    users:(("krb5kdc",1935,9))
    UNCONN     0      0      fe80::2e0:4cff:fe90:40eb:kerberos-iv  :::*    users:(("krb5kdc",1935,10))
    UNCONN     0      0      fe80::226:2dff:fe47:309f:kerberos-iv  :::*    users:(("krb5kdc",1935,8))
    UNCONN     0      0      :::sunrpc                             :::*    users:(("rpcbind",1569,9))
    UNCONN     0      0      fe80::fc54:ff:feda:8094:ntp           :::*    users:(("ntpd",1976,26))
    UNCONN     0      0      fe80::fc54:ff:fe52:8f66:ntp           :::*    users:(("ntpd",1976,30))
    UNCONN     0      0      fe80::fc54:ff:feea:63a8:ntp           :::*    users:(("ntpd",1976,29))
    UNCONN     0      0      fe80::fc54:ff:fe16:15c3:ntp           :::*    users:(("ntpd",1976,28))
    UNCONN     0      0      fe80::fc54:ff:fe75:8012:ntp           :::*    users:(("ntpd",1976,27))
    UNCONN     0      0      fe80::fc54:ff:feb3:4da8:ntp           :::*    users:(("ntpd",1976,25))
    UNCONN     0      0      fe80::226:2dff:fe47:309f:ntp          :::*    users:(("ntpd",1976,20))
    UNCONN     0      0      fe80::2e0:4cff:fe90:40eb:ntp          :::*    users:(("ntpd",1976,19))
    UNCONN     0      0      ::1:ntp                               :::*    users:(("ntpd",1976,18))
    UNCONN     0      0      :::ntp                                :::*    users:(("ntpd",1976,17))
    UNCONN     0      0      :::892                                :::*    users:(("rpc.mountd",1888,9))
    UNCONN     0      0      :::896                                :::*    users:(("rpcbind",1569,10))
    UNCONN     0      0      :::32769                              :::*
    UNCONN     0      0      :::nfs                                :::*
    UNCONN     0      0      :::syslog                             :::*    users:(("rsyslogd",1506,2))
    UNCONN     0      0      :::pftp                               :::*    users:(("rpc.statd",1643,10))
    UNCONN     0      0      fe80::2e0:4cff:fe90:40eb:kpasswd      :::*    users:(("kadmind",1926,8))
    UNCONN     0      0      fe80::226:2dff:fe47:309f:kpasswd      :::*    users:(("kadmind",1926,7))
    UNCONN     0      0      :::59603                              :::*    users:(("squid",2124,8))

Here are other examples of how you can use ss, including getting connections per process.

http://www.cyberciti.biz/files/ss.html

You can use iptables to log every UDP connection:

    iptables -A INPUT -p udp -j LOG --log-prefix "udp connection: "

You may want to limit it to certain ports. Check the documentation here, or better, man iptables.

As others have said, UDP is connectionless, so state is not tracked in the standard places.

One method you can use is to set up some simple netfilter rules using the --state option. This forces netfilter to track state related to UDP. Once you have the rules set up, you can use a tool like conntrack to view the netfilter state table. Here, for example, is what my system looks like. You can see there are a few systems that regularly communicate on udp/1194 (OpenVPN).

    root@enterprise:# conntrack -L -p udp
    udp      17 173 src=192.168.32.1 dst=192.168.32.10 sport=41179 dport=1194 packets=2072 bytes=188058 src=192.168.32.10 dst=192.168.32.1 sport=1194 dport=41179 packets=2081 bytes=201185 [ASSURED] mark=0 secmark=0 use=1
    udp      17 175 src=192.168.32.26 dst=192.168.32.10 sport=57440 dport=1194 packets=806767 bytes=154637738 src=192.168.32.10 dst=192.168.32.26 sport=1194 dport=57440 packets=1265893 bytes=1588040830 [ASSURED] mark=0 secmark=0 use=1

Your netfilter rules can be as simple as this.

    /sbin/iptables -t filter -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -t filter -A FORWARD -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -t filter -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
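To turn the conntrack table into the client estimate the question asks for, here is an added shell example (not part of the answer above): it parses constructed sample lines in the `conntrack -L -p udp` format shown and counts distinct client source addresses per server port, optionally only for flows the kernel has marked [ASSURED]. The function name and the sample entries are assumptions made for this example.

```shell
#!/bin/sh
# Added example: count distinct UDP clients per server port from `conntrack -L -p udp`.
# The entries below are constructed to mirror the format shown above (not a real capture).
SAMPLE_CONNTRACK='udp      17 173 src=192.168.32.1 dst=192.168.32.10 sport=41179 dport=1194 packets=2072 bytes=188058 src=192.168.32.10 dst=192.168.32.1 sport=1194 dport=41179 packets=2081 bytes=201185 [ASSURED] mark=0 secmark=0 use=1
udp      17 175 src=192.168.32.26 dst=192.168.32.10 sport=57440 dport=1194 packets=806767 bytes=154637738 src=192.168.32.10 dst=192.168.32.26 sport=1194 dport=57440 packets=1265893 bytes=1588040830 [ASSURED] mark=0 secmark=0 use=1
udp      17 175 src=192.168.32.26 dst=192.168.32.10 sport=57441 dport=1194 packets=12 bytes=1090 src=192.168.32.10 dst=192.168.32.26 sport=1194 dport=57441 packets=11 bytes=980 [ASSURED] mark=0 secmark=0 use=1
udp      17 29 src=192.168.32.50 dst=192.168.32.10 sport=40001 dport=1194 packets=3 bytes=300 [UNREPLIED] src=192.168.32.10 dst=192.168.32.50 sport=1194 dport=40001 packets=0 bytes=0 mark=0 secmark=0 use=1
udp      17 20 src=192.168.32.7 dst=192.168.32.10 sport=5353 dport=53 packets=1 bytes=60 src=192.168.32.10 dst=192.168.32.7 sport=53 dport=5353 packets=1 bytes=90 mark=0 secmark=0 use=1'

# udp_clients_for_port PORT [assured]
# Reads conntrack output on stdin and prints the number of distinct client
# addresses whose original-direction flow targets PORT. Only the first src=
# and dport= on a line belong to the original (client -> server) direction;
# the second pair is the kernel's reply tuple. With "assured" as the second
# argument only flows that have seen traffic both ways ([ASSURED]) are counted,
# which leaves out one-shot probes and spoofed packets that never got a reply.
udp_clients_for_port() {
    awk -v port="$1" -v assured="$2" '
        $1 != "udp" { next }
        {
            src = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if (src == "" && $i ~ /^src=/)     src = substr($i, 5)
                if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            }
            if (dport != port) next
            if (assured == "assured" && $0 !~ /\[ASSURED\]/) next
            seen[src] = 1
        }
        END { n = 0; for (s in seen) n++; print n }'
}

# Demo on the constructed sample. On a live box the input would be:
#   conntrack -L -p udp 2>/dev/null | udp_clients_for_port 1194 assured
printf '%s\n' "$SAMPLE_CONNTRACK" | udp_clients_for_port 1194          # prints 3
printf '%s\n' "$SAMPLE_CONNTRACK" | udp_clients_for_port 1194 assured  # prints 2
```

Note that one client (192.168.32.26) has two flows to port 1194 but is counted once, and the [UNREPLIED] entry is dropped by the assured filter.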

Inspired by this answer, I found that the following ss syntax works for me:

    ss -u state CLOSE

…because a "listening" UDP socket is like a "closed" TCP socket.