我目前正在抓取netstat -n -A inetLinux 和netstat -n -f inetMac OSX 上的输出,以使用以下(Python 默认)正则表达式获取机器连接到的远程 IP 地址和端口的集合:
'(?:[0-9]+\.){3}[0-9]+[.:][0-9]+\s+((?:[0-9]+\.){3}[0-9]+)[.:]([0-9]+)'
这给了我组 1 中的远程 IP 和组 2 中的远程端口。
但是,这似乎不可移植或可维护(并且仅限于 IPv4 地址)。
获取活动远程 IP 列表是否有更好的选择?
嗯,总有 SNMP... 完整的 TCP 连接表位于.1.3.6.1.2.1.6.19(也称为 .iso.org.dod.internet.mgmt.mib-2.tcp.tcpConnectionTable),完整的 UDP 表位于 .1.3.6.1.2.1.7.7(也称为.iso.org.dod.internet.mgmt.mib-2.udp.udpEndpointTable)。
这是我本地 Linux 机器的示例:
$ snmpbulkwalk -v2c -c xxxx -m ALL 83.137.17.100 .iso.org.dod.internet.mgmt.mib-2.tcp.tcpConnectionTable
TCP-MIB::tcpConnectionState.ipv4."83.137.17.100".44463.ipv4."91.189.89.90".80 = INTEGER: timeWait(11)
TCP-MIB::tcpConnectionState.ipv4."83.137.17.100".44470.ipv4."91.189.89.90".80 = INTEGER: timeWait(11)
TCP-MIB::tcpConnectionState.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:89:11:64".80.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:55:f2:7b".51612 = INTEGER: timeWait(11)
TCP-MIB::tcpConnectionState.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:89:11:64".80.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:55:f2:7b".51622 = INTEGER: timeWait(11)
TCP-MIB::tcpConnectionState.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:89:11:64".80.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:55:f2:7b".51623 = INTEGER: timeWait(11)
TCP-MIB::tcpConnectionState.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:89:11:64".80.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:55:f2:7b".51624 = INTEGER: finWait2(7)
TCP-MIB::tcpConnectionState.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:89:11:64".80.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:f7:0a:da".59728 = INTEGER: timeWait(11)
TCP-MIB::tcpConnectionState.ipv6."20:01:40:38:00:00:00:16:00:00:00:00:00:00:00:16".22.ipv6."2a:00:86:40:00:01:00:00:54:f4:06:96:6c:48:aa:a9".49644 = INTEGER: established(5)
TCP-MIB::tcpConnectionProcess.ipv4."83.137.17.100".44463.ipv4."91.189.89.90".80 = Gauge32: 0
TCP-MIB::tcpConnectionProcess.ipv4."83.137.17.100".44470.ipv4."91.189.89.90".80 = Gauge32: 0
TCP-MIB::tcpConnectionProcess.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:89:11:64".80.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:55:f2:7b".51612 = Gauge32: 0
TCP-MIB::tcpConnectionProcess.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:89:11:64".80.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:55:f2:7b".51622 = Gauge32: 0
TCP-MIB::tcpConnectionProcess.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:89:11:64".80.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:55:f2:7b".51623 = Gauge32: 0
TCP-MIB::tcpConnectionProcess.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:89:11:64".80.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:55:f2:7b".51624 = Gauge32: 0
TCP-MIB::tcpConnectionProcess.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:89:11:64".80.ipv6."00:00:00:00:00:00:00:00:00:00:ff:ff:53:f7:0a:da".59728 = Gauge32: 0
TCP-MIB::tcpConnectionProcess.ipv6."20:01:40:38:00:00:00:16:00:00:00:00:00:00:00:16".22.ipv6."2a:00:86:40:00:01:00:00:54:f4:06:96:6c:48:aa:a9".49644 = Gauge32: 0
Net-SNMP 工具使输出更具可读性。以数字形式,第一行输出为:
1.3.6.1.2.1.6.19.1.7.1.4.83.137.17.100.44463.1.4.91.189.89.90.80 = INTEGER: 11
或者在完全展开的文本中:
.iso.org.dod.internet.mgmt.mib-2.tcp.tcpConnectionTable.tcpConnectionEntry.tcpConnectionState.ipv4."83.137.17.100".44463.ipv4."91.189.89.90".80
我不确定这是否比你现在做的更容易,但这是一种标准化的方式......
如果您不害怕 C 和 U*X 内部结构,您可以对 netstat 进行逆向工程。
看看这里https://unix.stackexchange.com/questions/21503/source-code-of-netstat