For ordinary TCP and UDP there are concepts such as connections and listening ports, but ICMP has no such concept; different ICMP messages are distinguished only by their type (for example, ping is ICMP type 7). So how do you look this up?
Today a customer happened to ask about a packet-sending problem. Wireshark or tcpdump can show whether the machine is sending packets, but who is sending them? That is the question that actually needs answering. After some searching, I found that a system command can show it.
# netstat -4aeenp | grep -E 'Inode|raw'
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 1000 5882846 31818/ping
You can use netstat -4aeenp | grep -E 'Inode|raw' to query it. As you can see, it is a raw socket: neither the local nor the remote IP is shown, but the state shows 7, and the user, PID and program name are all displayed.
Reference:
icmp(7) - Linux manual page. Although the man page says the inode of this kind of socket is 0, in actual testing it did have an inode number, no longer 0.
# lsof -p 31818
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
Output information may be incomplete.
lsof: WARNING: can't stat() fuse file system /run/user/1000/doc
Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ping 31818 actionchen cwd DIR 0,4 0 5708305 /proc/31661/net
ping 31818 actionchen rtd DIR 259,5 4096 2 /
ping 31818 actionchen txt REG 259,5 65200 24904194 /usr/bin/ping
ping 31818 actionchen mem REG 259,5 6174592 24908827 /usr/lib/locale/locale-archive
ping 31818 actionchen mem REG 259,5 137424 25298970 /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.26.1
ping 31818 actionchen mem REG 259,5 1193016 25298974 /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.4
ping 31818 actionchen mem REG 259,5 1574952 25302401 /usr/lib/x86_64-linux-gnu/libunistring.so.2.1.0
ping 31818 actionchen mem REG 259,5 1824496 25299359 /usr/lib/x86_64-linux-gnu/libc-2.28.so
ping 31818 actionchen mem REG 259,5 1579448 25300351 /usr/lib/x86_64-linux-gnu/libm-2.28.so
ping 31818 actionchen mem REG 259,5 93000 25301771 /usr/lib/x86_64-linux-gnu/libresolv-2.28.so
ping 31818 actionchen mem REG 259,5 236952 25298962 /usr/lib/x86_64-linux-gnu/libnettle.so.6.5
ping 31818 actionchen mem REG 259,5 124848 25301607 /usr/lib/x86_64-linux-gnu/libidn2.so.0.3.4
ping 31818 actionchen mem REG 259,5 26864 25300888 /usr/lib/x86_64-linux-gnu/libcap.so.2.25
ping 31818 actionchen mem REG 259,5 26402 25310914 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
ping 31818 actionchen mem REG 259,5 165640 25299193 /usr/lib/x86_64-linux-gnu/ld-2.28.so
ping 31818 actionchen 0u CHR 136,1 0t0 4 /dev/pts/1
ping 31818 actionchen 1u CHR 136,1 0t0 4 /dev/pts/1
ping 31818 actionchen 2u CHR 136,1 0t0 4 /dev/pts/1
ping 31818 actionchen 3u raw 0t0 5882846 00000000:0001->00000000:0000 st=07
ping 31818 actionchen 4u raw6 0t0 5882848 00000000000000000000000000000000:003A->00000000000000000000000000000000:0000 st=07
ping 31818 actionchen 20u a_inode 0,13 0 9681 [eventpoll]
ping 31818 actionchen 22r FIFO 0,12 0t0 64222 pipe
ping 31818 actionchen 24w FIFO 0,12 0t0 64222 pipe
In fact, going the other way and using lsof to list the file handles of the ping process also shows it: the fifth line from the bottom shows a socket file whose inode is 5882846.
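Both netstat -p and lsof answer "which process owns this raw socket" by the same mechanism: the raw socket table in /proc/net/raw lists each socket's inode, and /proc/<pid>/fd/* symlinks of the form socket:[inode] tie that inode back to a process. The following script is an added example (not part of the original post or of netstat/lsof) that performs that join directly. It parses the /proc/net/raw layout, where for a raw socket the "port" half of local_address holds the IP protocol number the socket was opened with (0001 = ICMP), and resolves the owning PID and fd. The sample table and fd listing embedded below are constructed to mirror the post's figures (inode 5882846, uid 1000, state 07, PID 31818) and are not captured from a real host; read_fd_table() is the only function that touches the live /proc.

```python
import os
import re
import socket

# Constructed sample of /proc/net/raw, modelled on the netstat output in the post.
# Columns: sl local_address rem_address st tx_queue:rx_queue tr:tm->when retrnsmt uid timeout inode ...
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 5882846 2 0000000000000000 0
   1: 0100007F:0011 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234567 2 0000000000000000 0
"""

# Constructed sample of /proc/<pid>/fd symlink targets: {pid: {fd: target}}.
SAMPLE_FD_TABLE = {
    31818: {0: "/dev/pts/1", 1: "/dev/pts/1", 2: "/dev/pts/1", 3: "socket:[5882846]"},
    4242: {0: "/dev/null", 5: "socket:[1234567]"},
}

IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 58: "ipv6-icmp"}
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def hex_to_ipv4(h):
    # /proc/net/* stores IPv4 addresses as little-endian 32-bit hex
    return socket.inet_ntoa(bytes.fromhex(h)[::-1])


def parse_proc_net_raw(text):
    """Parse the /proc/net/raw table into dicts. For raw sockets the 'port'
    field of local_address is the IP protocol number, not a port."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_proto = fields[1].split(":")
        remote_ip, _ = fields[2].split(":")
        proto = int(local_proto, 16)
        sockets.append({
            "local": hex_to_ipv4(local_ip),
            "remote": hex_to_ipv4(remote_ip),
            "protocol": proto,
            "protocol_name": IP_PROTO_NAMES.get(proto, str(proto)),
            "state": int(fields[3], 16),   # 07 is the value seen in the post
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return sockets


def read_fd_table():
    """Walk the live /proc to build {pid: {fd: link target}}. Other users'
    processes need root to read; unreadable entries are skipped silently."""
    table = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        table[pid] = {}
        for fd in fds:
            try:
                table[pid][int(fd)] = os.readlink(f"{fd_dir}/{fd}")
            except OSError:
                pass
    return table


def owners_by_inode(fd_table):
    """Invert the fd table: socket inode -> list of (pid, fd) holding it.
    A socket can be held by several processes (fork, SCM_RIGHTS)."""
    owners = {}
    for pid, fds in fd_table.items():
        for fd, target in fds.items():
            m = SOCKET_LINK.match(target)
            if m:
                owners.setdefault(int(m.group(1)), []).append((pid, fd))
    return owners


def raw_socket_owners(proc_net_raw_text, fd_table):
    """Join the raw socket table with the fd table, which is what netstat -p
    and lsof do. Sockets with no visible owner get pid/fd of None."""
    owners = owners_by_inode(fd_table)
    rows = []
    for s in parse_proc_net_raw(proc_net_raw_text):
        for pid, fd in owners.get(s["inode"], [(None, None)]):
            rows.append({**s, "pid": pid, "fd": fd})
    return rows


if __name__ == "__main__":
    # Offline demonstration on the constructed samples. To run against a live
    # host, replace the two arguments with open("/proc/net/raw").read() and
    # read_fd_table() (as root, to see every process).
    for r in raw_socket_owners(SAMPLE_PROC_NET_RAW, SAMPLE_FD_TABLE):
        print(f"{r['protocol_name']:<10} {r['local']:>15} -> {r['remote']:<15} "
              f"st={r['state']:02x} uid={r['uid']} inode={r['inode']} "
              f"pid={r['pid']} fd={r['fd']}")
```

An owner of None means the socket's inode is not visible in any fd table you could read, which is exactly the case where netstat prints "-" in the PID/Program name column when run without root. One caveat a defender should keep in mind: on distributions that enable unprivileged ping via net.ipv4.ping_group_range, ping may open an ICMP datagram socket instead of a raw socket; that socket is listed in /proc/net/icmp (same column layout as above) rather than /proc/net/raw, but the inode-to-fd join works the same way.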