
A brief analysis of large numbers of dhclient messages in Linux logs

程序员文章站 2022-04-12 11:33:46

While inspecting a Linux server recently, I found large numbers of the messages below in its log (parts of the output have been sanitized). Address A (192.168.AAA.AAA) is a DNS server address, and address B (192.168.BBB.BBB) is a dynamically obtained IP address.

# Sanitized messages:

Jul 24 15:14:18 xxxxxx dhclient: DHCPREQUEST on eth0 to 192.168.AAA.AAA port 67 (xid=0x1ff3cda3)
Jul 24 15:14:18 xxxxxx dhclient: DHCPACK from 192.168.AAA.AAA (xid=0x1ff3cda3)
Jul 24 15:14:18 xxxxxx dhclient: bound to 192.168.BBB.BBB -- renewal in 863 seconds.
Jul 24 15:28:41 xxxxxx dhclient: DHCPREQUEST on eth0 to 192.168.AAA.AAA port 67 (xid=0x1ff3cda3)
Jul 24 15:28:41 xxxxxx dhclient: DHCPACK from 192.168.AAA.AAA (xid=0x1ff3cda3)
Jul 24 15:28:41 xxxxxx dhclient: bound to 192.168.BBB.BBB -- renewal in 681 seconds.
Jul 24 15:40:02 xxxxxx dhclient: DHCPREQUEST on eth0 to 192.168.AAA.AAA port 67 (xid=0x1ff3cda3)
Jul 24 15:40:02 xxxxxx dhclient: DHCPACK from 192.168.AAA.AAA (xid=0x1ff3cda3)
Jul 24 15:40:02 xxxxxx dhclient: bound to 192.168.BBB.BBB -- renewal in 763 seconds.

So what are DHCPREQUEST and DHCPACK? My first guess was that they relate to the server obtaining its IP address dynamically (DHCP). I then looked up the relevant material to verify this:

About DHCPREQUEST:

DHCP request (REQUEST): when a client PC receives an IP lease offer, it must tell all the other DHCP servers that it has accepted an offer. To do so, the client sends a DHCPREQUEST message containing the IP address of the server whose offer it accepted. When the other DHCP servers receive this message, they withdraw any lease they may have offered to that client and return the address they had reserved for it to the pool of available addresses, so that it can be assigned to another machine. Any number of DHCP servers may respond to a single lease request, but each client network card can accept only one offer.

About DHCPACK:

When the DHCP server receives the client's REQUEST message, it begins the final stage of the configuration process. This response stage consists of sending a DHCPACK packet to the client. The packet contains the lease duration and any other configuration information the client may have requested. At this point the TCP/IP configuration process is complete.

But wasn't this server configured with a static IP? Why would there be DHCP-related log entries? First I checked and confirmed that address A (192.168.AAA.AAA) is a DNS server address, as shown below:

[root@xxxx log]# more /etc/resolv.conf
; generated by /sbin/dhclient-script
search eel1.esquel.com
nameserver 192.168.aaa.aaa
nameserver 192.168.xxx.xxx

Then I looked at the server's IP address, as shown below:

[root@xxxxx log]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:AF:0F:87
          inet addr:192.168.BBB.BBB  Bcast:192.168.xxx.xxx  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1113647339 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5394185429 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:232836326224 (216.8 GiB)  TX bytes:7577117537336 (6.8 TiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:943142413 errors:0 dropped:0 overruns:0 frame:0
          TX packets:943142413 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:37841765933 (35.2 GiB)  TX bytes:37841765933 (35.2 GiB)

Checking further, I found that this network interface has two IP addresses bound to it, as shown below (192.168.CCC.CCC is the static IP address). Most surprisingly, the address ifconfig shows is the dynamic IP address, not the static IP address configured in ifcfg-eth0.

[root@xxxxx log]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:af:0f:87 brd ff:ff:ff:ff:ff:ff
    inet 192.168.BBB.BBB/24 brd 192.168.152.255 scope global eth0
    inet 192.168.CCC.CCC/24 brd 192.168.152.255 scope global secondary eth0

[root@xxx network-scripts]# more ifcfg-eth0
# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
HWADDR=00:0c:29:af:0f:87
NETMASK=255.255.255.0
IPADDR=192.168.CCC.CCC
GATEWAY=192.168.xxx.xxx
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes

My guess is that the local system administrator, for whatever reason, bound an extra address to the network card. I then ran a simple test on a test server: if the network is configured to obtain its IP address dynamically, messages of this kind appear as a matter of course.

Jul 20 13:01:49 db-server dhclient: bound to 10.20.57.24 -- renewal in 12333 seconds.
Jul 20 16:27:22 db-server dhclient: DHCPREQUEST on eth0 to 192.168.27.210 port 67 (xid=0x293091fd)
Jul 20 16:27:22 db-server dhclient: DHCPACK from 192.168.27.210 (xid=0x293091fd)
Jul 20 16:27:22 db-server dhclient: bound to 10.20.57.24 -- renewal in 11811 seconds.
Jul 20 19:44:12 db-server dhclient: DHCPREQUEST on eth0 to 192.168.27.210 port 67 (xid=0x293091fd)
Jul 20 19:44:13 db-server dhclient: DHCPACK from 192.168.27.210 (xid=0x293091fd)
Jul 20 19:44:13 db-server dhclient: bound to 10.20.57.24 -- renewal in 13245 seconds.
Jul 20 23:24:58 db-server dhclient: DHCPREQUEST on eth0 to 192.168.27.210 port 67 (xid=0x293091fd)
Jul 20 23:24:58 db-server dhclient: DHCPACK from 192.168.27.210 (xid=0x293091fd)
Jul 20 23:24:58 db-server dhclient: bound to 10.20.57.24 -- renewal in 13115 seconds.
Jul 21 03:03:32 db-server dhclient: DHCPREQUEST on eth0 to 192.168.27.210 port 67 (xid=0x293091fd)
Jul 21 03:03:33 db-server dhclient: DHCPACK from 192.168.27.210 (xid=0x293091fd)
Jul 21 03:03:33 db-server dhclient: bound to 10.20.57.24 -- renewal in 13533 seconds.

The test also showed that if the first address is the static IP address and the second (secondary) address is the dynamic one, the DHCPREQUEST and DHCPACK entries above do not appear in messages. But if the network card's first address is the dynamic one, DHCP-related entries do appear in messages.

[root@db-server network-scripts]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr B0:83:FE:55:32:E5
          inet addr:10.20.57.24  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:230 errors:0 dropped:0 overruns:0 frame:0
          TX packets:162 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:22435 (21.9 KiB)  TX bytes:20666 (20.1 KiB)
          Interrupt:233 Base address:0x4000
[root@db-server network-scripts]# more /etc/resolv.conf
; generated by /sbin/dhclient-script
search gfg1.esquel.com
nameserver 192.168.xxx.xxx
nameserver 192.168.xxx.xxx
[root@db-server network-sc

[root@db-server network-scripts]# ifconfig eth0:1 10.20.57.26 netmask 255.0.0.0

[root@db-server network-scripts]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether b0:83:fe:55:32:e5 brd ff:ff:ff:ff:ff:ff
    inet 10.20.57.24/8 brd 10.255.255.255 scope global eth0
    inet 10.20.57.26/8 brd 10.255.255.255 scope global secondary eth0:1
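The investigation above boils down to two checks: reading the DHCPREQUEST / DHCPACK / "bound to" triples out of the log, and comparing what dhclient actually leased against what ifcfg-eth0 says the interface should have (BOOTPROTO=none, IPADDR, and PEERDNS=yes, under which dhclient-script rewrites /etc/resolv.conf). The script below is an added example written for this post, not code from the original author: it correlates the REQUEST and ACK lines by their xid, attaches the following "bound to" line to that pair, and reports a static-configured interface that is nevertheless being leased, a bound address that differs from IPADDR, and a resolv.conf carrying the dhclient-script header. The SAMPLE_* inputs, hostnames and addresses are constructed placeholders.

```python
import re

# Constructed sample input: dhclient syslog lines in the same shape as the sanitized
# excerpt in the post, plus one unrelated line. Hostnames and addresses are placeholders.
SAMPLE_LOG = """\
Jul 24 15:14:18 host1 dhclient: DHCPREQUEST on eth0 to 192.168.1.10 port 67 (xid=0x1ff3cda3)
Jul 24 15:14:18 host1 dhclient: DHCPACK from 192.168.1.10 (xid=0x1ff3cda3)
Jul 24 15:14:18 host1 dhclient: bound to 192.168.1.57 -- renewal in 863 seconds.
Jul 24 15:28:41 host1 sshd[1234]: Accepted publickey for admin from 192.168.1.5 port 50022
Jul 24 15:28:41 host1 dhclient: DHCPREQUEST on eth0 to 192.168.1.10 port 67 (xid=0x1ff3cda3)
Jul 24 15:28:41 host1 dhclient: DHCPACK from 192.168.1.10 (xid=0x1ff3cda3)
Jul 24 15:28:41 host1 dhclient: bound to 192.168.1.57 -- renewal in 681 seconds.
"""

# Constructed ifcfg-eth0 using the same keys the post shows (values are hypothetical).
SAMPLE_IFCFG = """\
# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.1.200
PEERDNS=yes
"""

# Constructed resolv.conf carrying the header dhclient-script writes.
SAMPLE_RESOLV = """\
; generated by /sbin/dhclient-script
search example.internal
nameserver 192.168.1.10
"""

# dhclient logs REQUEST and ACK with a transaction id (xid); the "bound to" line has none.
REQUEST_RE = re.compile(r"dhclient(?:\[\d+\])?: DHCPREQUEST on (\S+) to (\S+) port \d+ \(xid=(0x[0-9a-f]+)\)")
ACK_RE = re.compile(r"dhclient(?:\[\d+\])?: DHCPACK from (\S+) \(xid=(0x[0-9a-f]+)\)")
BOUND_RE = re.compile(r"dhclient(?:\[\d+\])?: bound to (\S+) -- renewal in (\d+) seconds")


def parse_ifcfg(text):
    """Read KEY=value pairs from an ifcfg-* file, skipping comments and blank lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def parse_dhclient(text):
    """Group dhclient lines into lease events (REQUEST -> ACK -> bound).

    The ACK is matched to the REQUEST by xid; the following 'bound to' line is
    attached to that pair, since it carries no xid of its own."""
    events, pending = [], {}
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            iface, server, xid = m.groups()
            pending = {"iface": iface, "server": server, "xid": xid}
            continue
        m = ACK_RE.search(line)
        if m and pending.get("xid") == m.group(2):
            pending["ack_from"] = m.group(1)
            continue
        m = BOUND_RE.search(line)
        if m and "ack_from" in pending:
            pending["bound"], pending["renewal"] = m.group(1), int(m.group(2))
            events.append(pending)
            pending = {}
    return events


def resolv_conf_managed_by_dhclient(text):
    """True when /etc/resolv.conf starts with the header written by dhclient-script."""
    first = text.splitlines()[0].strip() if text.strip() else ""
    return first.startswith("; generated by") and "dhclient-script" in first


def audit(log_text, ifcfg_text, resolv_text):
    """Compare observed DHCP leases with the static configuration and report mismatches."""
    cfg = parse_ifcfg(ifcfg_text)
    events = [e for e in parse_dhclient(log_text) if e["iface"] == cfg.get("DEVICE")]
    findings = []
    # BOOTPROTO=none (or static) means no DHCP client should be leasing this interface.
    if events and cfg.get("BOOTPROTO", "").lower() in ("none", "static"):
        findings.append("dhclient_active_on_static_interface")
    # The lease handed out an address other than the one the ifcfg file asks for.
    if cfg.get("IPADDR") and any(e["bound"] != cfg["IPADDR"] for e in events):
        findings.append("bound_address_differs_from_ipaddr")
    # With PEERDNS=yes (the default), dhclient-script rewrites /etc/resolv.conf on each lease.
    if events and cfg.get("PEERDNS", "yes").lower() == "yes" and resolv_conf_managed_by_dhclient(resolv_text):
        findings.append("resolv_conf_rewritten_by_dhclient")
    return {
        "leases": len(events),
        "dhcp_servers": sorted({e["server"] for e in events}),
        "findings": findings,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, SAMPLE_IFCFG, SAMPLE_RESOLV))
```

Run against a real host, the three inputs would come from /var/log/messages, /etc/sysconfig/network-scripts/ifcfg-eth0 and /etc/resolv.conf; the dhcp_servers list is what you compare with the DHCP server you expect on that segment, which in the post's case turned out to be the same host listed as a nameserver.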

References:

https://zh.wikipedia.org/zh-hans/%e5%8a%a8%e6%80%81%e4%b8%bb%e6%9c%ba%e8%ae%be%e7%bd%ae%e5%8d%8f%e8%ae%ae