I can easily find out whether a socket belongs to user space: I just scan /proc/ to see which PID owns [the socket]. But if a TCP socket is opened in kernel space, there is no entry in /proc/ (because the kernel has no PID). I think it is unsafe to assume a socket was initiated by the kernel just because it cannot be found in /proc. I thought of the 7 undocumented columns at the end of /proc/net/tcp. Perhaps one of them could hint at the socket's origin? I can't decipher the kernel's source code to figure out what these 7 fields represent.
Can anyone help me?
Answer 1
Try netstat with additional parameters:
sudo netstat -wtpeav
The sudo is there to make sure you run it as root; otherwise it won't show everything.
The options are:
-w, --raw
Show raw sockets.
-t, --tcp
Show TCP protocol sockets.
-p, --program
Show the PID and name of the program to which each socket
belongs.
-e, --extend
Display additional information. Use this option twice for
maximum detail.
-a, --all
Show both listening and non-listening sockets. With the
--interfaces option, show interfaces that are not up
--verbose , -v
Tell the user what is going on by being verbose. Especially
print some useful information about unconfigured address
families.
Also, the columns at the end of /proc/net/tcp are documented in the kernel source tree in
Documentation/networking/proc_net_tcp.txt. The closing fields are:
1000 0 54165785 4 cd1e6040 25 4 27 3 -1
| | | | | | | | | |--> slow start size threshold,
| | | | | | | | | or -1 if the threshold
| | | | | | | | | is >= 0xFFFF
| | | | | | | | |----> sending congestion window
| | | | | | | |-------> (ack.quick<<1)|ack.pingpong
| | | | | | |---------> Predicted tick of soft clock
| | | | | | (delayed ACK control data)
| | | | | |------------> retransmit timeout
| | | | |------------------> location of socket in memory
| | | |-----------------------> socket reference count
| | |-----------------------------> inode
| |----------------------------------> unanswered 0-window probes
|---------------------------------------------> uid
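As an added example (not part of the original question or answer), here is a Python script that does what the question describes: it parses every column of /proc/net/tcp, including the trailing fields laid out above, maps socket inodes to PIDs by reading the socket:[inode] links under /proc/<pid>/fd, and reports the sockets that no process holds. The sample /proc/net/tcp text and the inode-to-PID map it runs against by default are constructed for illustration; pass --live as root to scan the real system instead.

```python
#!/usr/bin/env python3
"""Find TCP sockets that no user-space process owns.

Added example, not from the original post. SAMPLE_PROC_NET_TCP and
CONSTRUCTED_OWNERS are made up to let the script run offline.
"""
import os
import re
import sys

TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}

# Columns after "inode", in the order the kernel prints them for a full socket
# (see Documentation/networking/proc_net_tcp.txt).
TRAILING_FIELDS = ("refcount", "sk_addr", "rto", "ato", "qack", "cwnd", "ssthresh")

# Constructed sample: a listener owned by a process, an established socket with a
# valid inode but no owning fd, and a TIME_WAIT row (inode 0, short trailer).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 ffff9c1e40c0 100 0 0 10 0
   1: 0F02000A:0801 0A02000A:0801 01 00000000:00000000 02:00000ABC 00000000     0        0 67890 2 ffff9c1e4c00 200 40 28 10 -1
   2: 0F02000A:9A3E 0A02000A:01BB 06 00000000:00000000 03:00000514 00000000     0        0 0 3 ffff9c1e5040
"""
CONSTRUCTED_OWNERS = {12345: {842}}  # inode -> PIDs, as /proc/<pid>/fd would show


def _decode_addr(field):
    """'0100007F:0016' -> ('127.0.0.1', 22); IPv4 is in host (little-endian) byte order."""
    ip_hex, port_hex = field.split(":")
    return ".".join(str(o) for o in reversed(bytes.fromhex(ip_hex))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into one dict per row, keeping every trailing column present."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the header
        f = line.split()
        if len(f) < 10:
            continue  # truncated row
        entry = {
            "local": _decode_addr(f[1]),
            "remote": _decode_addr(f[2]),
            "state": TCP_STATES.get(int(f[3], 16), f[3]),
            "uid": int(f[7]),
            "probes_out": int(f[8]),  # the "timeout" column: unanswered 0-window probes
            "inode": int(f[9]),
        }
        # TIME_WAIT and SYN_RECV rows carry fewer trailing columns; zip stops early.
        for name, value in zip(TRAILING_FIELDS, f[10:]):
            entry[name] = value if name == "sk_addr" else int(value)
        entries.append(entry)
    return entries


def scan_socket_owners(proc="/proc"):
    """Map socket inode -> set of PIDs whose fds link to socket:[inode]. Run as root to see all."""
    owners, link_re = {}, re.compile(r"^socket:\[(\d+)\]$")
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process gone or not readable
        for fd in fds:
            try:
                m = link_re.match(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
            if m:
                owners.setdefault(int(m.group(1)), set()).add(int(pid))
    return owners


def classify(entries, owners):
    """Return (owned, unowned, no_inode). inode 0 marks TIME_WAIT/SYN_RECV mini-sockets,
    which have no struct sock at all; a non-zero inode that no fd points at is the
    pattern a kernel-created socket (or one in a process we may not read) shows."""
    owned, unowned, no_inode = [], [], []
    for e in entries:
        if e["inode"] == 0:
            no_inode.append(e)
        elif e["inode"] in owners:
            owned.append((e, sorted(owners[e["inode"]])))
        else:
            unowned.append(e)
    return owned, unowned, no_inode


def main():
    if "--live" in sys.argv:
        with open("/proc/net/tcp") as fh:
            entries, owners = parse_proc_net_tcp(fh.read()), scan_socket_owners()
    else:
        entries, owners = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), CONSTRUCTED_OWNERS
    owned, unowned, no_inode = classify(entries, owners)
    for e, pids in owned:
        print("owned   ", e["state"], e["local"], e["remote"], "pids", pids)
    for e in unowned:
        print("UNOWNED ", e["state"], e["local"], e["remote"], "inode", e["inode"])
    for e in no_inode:
        print("no-inode", e["state"], e["local"], e["remote"], "refcount", e.get("refcount"))


if __name__ == "__main__":
    main()
```

Two things the output makes visible that netstat hides behind a "-": the column count is not fixed, because TIME_WAIT and SYN_RECV rows are printed with only a refcount and a socket address after the inode, and those rows show inode 0 because there is no full socket behind them, so inode 0 must not be read as "kernel-initiated". A row with a real inode that no /proc/<pid>/fd link points at is the case the question is actually after, and it still needs root, since fds of other users' processes are unreadable otherwise.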