ngrep: strives to provide most of GNU grep's common features and apply them to the network layer. It is a packet-capture tool that lets you specify regular or hexadecimal expressions to match against the data payload of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6 and IGMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as common packet-sniffing tools such as tcpdump and snoop. (Jordan Ritter)
How is it used?
Example: basic packet capture
$ ngrep -d any port 25
$ ngrep -d any 'error' port syslog
$ ngrep -wi -d any 'user|pass' port 21
Example: debugging HTTP interactions
$ ngrep port 80
$ ngrep -W byline port 80
Example: working with pcap dump files (writing matches to a .dump file and reading them back)
$ ngrep -O /tmp/dns.dump -d any -T port domain
$ ngrep -w 'm' -I /tmp/dns.dump
$ ngrep -tD ns3 -I /tmp/dns.dump
$ ngrep -I /tmp/dns.dump port 80
Listen to all traffic except port 22 (i.e. everything that is not SSH), keeping only printable runs of at least 8 characters:
$ ngrep not port 22 | strings -n 8
Listen to traffic to or from a particular host:
$ ngrep host 192.168.0.103
Capture and display HTTP (TCP/80) traffic entering or leaving the eth0 interface whose payload begins with a GET or POST request:
$ ngrep -l -q -d eth0 -i "^GET |^POST " tcp and port 80
Capture and display HTTP (TCP/80) traffic entering or leaving the eth0 interface that contains the string "User-Agent":
$ ngrep -l -q -d eth0 -i "User-Agent: " tcp and port 80
Capture and display DNS (UDP/53) queries and responses entering or leaving the eth0 interface (an empty match expression matches every packet):
$ ngrep -l -q -d eth0 -i "" udp and port 53
Display SELECT statements sent to your MySQL server, together with their results:
$ ngrep -d eth0 -i 'select' port 3306
For example, run a query against the server that returns the following result:
$ mysql -B -e 'select * from foo;' sandbox
id	name	age
1	Bob	23
2	Alice	20
Then look at the network traffic with ngrep:
$ ngrep -d lo -wi "" port 3306
interface: lo (127.0.0.0/255.0.0.0)
filter: (ip or ip6) and ( port 3306 )
match: ((^\W)|(\W$)|(\W\W))
####
T 127.0.0.1:3306 -> 127.0.0.1:55741 [AP]
[... 5.5.43-0ubuntu0.14.04.1.....!!!#+N'v...................?wZ=bUblw5=t.mysql_native_password.
##
T 127.0.0.1:55741 -> 127.0.0.1:3306 [AP]
[...........!.......................sandusr...e....=_.P`..W...mQ.sandbox.mysql_native_password.
##
T 127.0.0.1:3306 -> 127.0.0.1:55741 [AP]
...........
#
T 127.0.0.1:55741 -> 127.0.0.1:3306 [AP]
!....select @@version_comment limit 1
#
T 127.0.0.1:3306 -> 127.0.0.1:55741 [AP]
.....'....def....@@version_comment..!.........................(Ubuntu).........
#
T 127.0.0.1:55741 -> 127.0.0.1:3306 [AP]
.....select * from foo
#
T 127.0.0.1:3306 -> 127.0.0.1:55741 [AP]
.....'....def.sandbox.foo.foo.id.id.?.......B...+....def.sandbox.foo.foo.name.name.!...........)....def.sandbox.foo.foo.age.age.?.................."......1.Bob.23.....2.Alice.20.......".
#
T 127.0.0.1:55741 -> 127.0.0.1:3306 [AP]
.....
###
Note that the login handshake, the query text and the result rows all travel in the clear on an unencrypted MySQL connection, which is exactly why they show up here.
Listen to all syslog traffic that contains the word "error" (note: ngrep knows how to translate service names into port numbers, using the entries in /etc/services):
$ ngrep -d any "error" port syslog
Watching a specific flow
# Start `ngrep`:
$ ngrep -t '^(GET|POST|HEAD) ' 'dst host 67.207.152.20 and tcp and dst port 80'
# Then send a header request to a specific URL:
$ curl -I xtof.ch
interface: wlan0 (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( dst host 67.207.152.20 and tcp and dst port 80 )
match: ^(GET|POST|HEAD)
###
T 2015/06/11 12:05:09.321783 192.168.1.15:34116 -> 67.207.152.20:80 [AP]
HEAD / HTTP/1.1..User-Agent: curl/7.35.0..Host: xtof.ch..Accept: */*....
###
Or, with each line of the payload printed on its own line (-W byline), so the HTTP headers stay readable:
$ ngrep -t '^(GET|POST|HEAD) ' 'dst host 67.207.152.20 and tcp and dst port 80' -W byline
interface: wlan0 (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( dst host 67.207.152.20 and tcp and dst port 80 )
match: ^(GET|POST|HEAD)
###
T 2015/06/11 12:11:07.697041 192.168.1.15:34153 -> 67.207.152.20:80 [AP]
HEAD / HTTP/1.1.
User-Agent: curl/7.35.0.
Host: xtof.ch.
Accept: */*.
.
###
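The byline output is easy to post-process, which is what makes ngrep handy for quick monitoring. As an added example (not part of the original post or of ngrep itself), the Python below parses the "-t -W byline" output format shown above into one record per matched packet and pulls the HTTP method, path and headers out of each; the only input is a constructed sample embedded in the code, and it assumes ngrep was run with -t so every packet header carries a timestamp.

```python
import re
from datetime import datetime

# Constructed sample in the format ngrep prints with "-t -W byline"; "." stands
# for a non-printable byte, here the CR ending each HTTP line.
SAMPLE = """interface: wlan0 (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( dst host 67.207.152.20 and tcp and dst port 80 )
match: ^(GET|POST|HEAD)
###
T 2015/06/11 12:11:07.697041 192.168.1.15:34153 -> 67.207.152.20:80 [AP]
HEAD / HTTP/1.1.
User-Agent: curl/7.35.0.
Host: xtof.ch.
Accept: */*.
.
###
"""

HEADER_RE = re.compile(
    r"^(?P<proto>[TUI]) (?P<ts>\S+ \S+) (?P<src>\S+) -> (?P<dst>\S+) \[(?P<flags>[^\]]*)\]$"
)

def parse_ngrep(text):
    """Split ngrep -t -W byline output into one record per matched packet."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.groupdict()
            current["ts"] = datetime.strptime(current["ts"], "%Y/%m/%d %H:%M:%S.%f")
            current["payload"] = []
            records.append(current)
        elif line and set(line) == {"#"}:
            current = None  # a run of "#" marks packets that matched only the BPF filter
        elif current is not None:
            current["payload"].append(line[:-1] if line.endswith(".") else line)
    return records

def http_request(rec):
    """Return (method, path, headers) from the HTTP request in one record."""
    lines = rec["payload"]
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:  # the lone "." was the CR of the blank line ending the headers
            break
        name, _, value = line.partition(": ")
        headers[name.lower()] = value
    return method, path, headers
```

The same records can be fed to a detection rule (for example, alerting on an unexpected Host header or User-Agent) without touching ngrep's own match expression.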
