向东博客 专注WEB应用 构架之美 --- 构架之美，在于尽态极妍 | 应用之美，在于药到病除|赢在IT，Playin' with IT,Focus on Killer Application,Marketing Meets Technology.

netstat -lntp   #常用命令参数及解释如下：主要是看IP和TCP，以及程序的PID。
-l, --listening            display listening server sockets
-n, --numeric              don't resolve names
-t, tcp
-p, --program
   Show the PID and name of the program to which each socket belongs.


一）netstat常用查看端口参数之查看所有tcp/udp端口：
netstat -atlunp|grep 80
-a, --all    Show  both  listening  and  non-listening (for TCP this means established connections) sockets.    With the --interfaces option, show interfaces that are not marked -t, tcp -l, --listening            display listening server sockets -u, udp -n, --numeric              don't resolve names -p, --program    Show the PID and name of the program to which each socket belongs.

二）netstat常用查看端口参数之单独查看tcp/udp端口命令：
netstat -uln
-u, udp -l, --listening            display listening server sockets -n, --numeric              don't resolve names
Proto Recv-Q Send-Q Local Address               Foreign Address             State
udp        0      0 0.0.0.0:111                 0.0.0.0:*
udp        0      0 0.0.0.0:808                 0.0.0.0:*
udp        0      0 127.0.0.1:837               0.0.0.0:*
udp        0      0 0.0.0.0:17617               0.0.0.0:*
udp        0      0 0.0.0.0:2392                0.0.0.0:*



假如没有n，直接用netstat -tl，显示的是一些端口的程序名，如下：
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 *:5646                      *:*                         LISTEN
tcp        0      0 *:sunrpc                    *:*                         LISTEN
tcp        0      0 *:7824                      *:*                         LISTEN
tcp        0      0 *:webcache                  *:*                         LISTEN
tcp        0      0 *:ssh                       *:*                         LISTEN
tcp        0      0 *:5881                      *:*                         LISTEN

三）netstat常用查看端口参数之单独查看tcp端口命令：
netstat -tln
-t, tcp -l, --listening            display listening server sockets -n, --numeric              don't resolve names
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:34945               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:10050               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:32740               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:15770             0.0.0.0:*                   LISTEN

四）netstat本身也是通过读取系统中的/proc/net/tcp(6)文件来实现对当前网络状态的监控输出的
netstat本身也是通过读取系统中的/proc/net/tcp(6)文件来实现对当前网络状态的监控输出的。我们只要依样画葫芦对此文件进行 解析（主要是合并ipv4和ipv6的内容，然后从16进制转换成字符串形式的ip，端口），然后再比对一下，只要发现此socket的远程ip和端口和 php中的$_SERVER['REMOTE_ADDR']，$_SERVER['REMOTE_PORT']相匹配即可。具体实现如下：
<?php function find_socket(){ // Get tcp connection status from /proc $net = file_get_contents("/proc/net/tcp"); $net .= file_get_contents("/proc/net/tcp6");// Find fd from /proc $dir = dir("/proc/self/fd"); while (false !== ($e = $dir->read())) { // Find socket inode in /proc/self/fd. if (is_link("/proc/self/fd/".$e) && $e != "." && $e != ".."){ if(preg_match("/socket:[(d+)]/", @readlink("/proc/self/fd/".$e), $m1)){ // Match every socket inode in /proc/net/tcp & /proc/net/tcp6. // If it matchs this connection remote ip/remote port, bingo! We got it! if(preg_match("/.*${m1[1]}/", $net, $m2)){ preg_match_all("/(w{8}):(w{4})/", $m2[0], $m3); // decode ips $sipstring = $m3[1][0][6].$m3[1][0][7].$m3[1][0][4].$m3[1][0][5].$m3[1][0][2].$m3[1][0][3].$m3[1][0][0].$m3[1][0][1]; sscanf($sipstring, "%x", $siplong); $ripstring = $m3[1][1][6].$m3[1][1][7].$m3[1][1][4].$m3[1][1][5].$m3[1][1][2].$m3[1][1][3].$m3[1][1][0].$m3[1][1][1]; sscanf($ripstring, "%x", $riplong); $sip = long2ip($siplong); $rip = long2ip($riplong); // decode ports sscanf($m3[2][0], "%x", $sport); sscanf($m3[2][1], "%x", $rport); if ($rip == $_SERVER['REMOTE_ADDR'] && $rport == $_SERVER['REMOTE_PORT']){ $dir->close(); return $e; // That is our socket fd. } } } } } $dir->close(); return false; } ?>
摘录：http://www.4shell.org/archives/2064.html
参考：http://www.80sec.com/security-issue-on-linux-fd-inheritance.html

作者：jackxiang@向东博客 专注WEB应用 构架之美 --- 构架之美，在于尽态极妍 | 应用之美，在于药到病除
地址：http://jackxiang.com/post/9821/
版权所有。转载时必须以链接形式注明作者和原始出处及本声明！