轻量级的数据包匹配和显示工具-Ngrep
2012-11-19 14:19:18 
阿炯
ngrep是grep(在文本中搜索字符串的工具)的网络版,其力求更多的grep特征,用于搜寻指定的数据包。正由于安装ngrep需用到libpcap库,所以支持大量的操作系统和网络协议。能识别TCP、UDP和ICMP包,理解bpf的过滤机制。其官方介绍如下:ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
ngrep has traditionally been used to debug plaintext protocol interactions such as HTTP, SMTP, FTP, etc., to identify and analyze anomalous network communications such as those between worms, viruses and/or zombies, and to store, read and reprocess pcap dump files while looking for specific data patterns. On the other hand, it can be used to do the more mundane plaintext credential collection as with HTTP Basic Authentication, FTP or POP3 authentication, and so forth. Like all useful tools, it can be used for good and bad.
对于分析流经网卡的数据包,一般情况下就用ngrep来处理了。Ngrep可以让你像类似grep处理文件的方式来处理网络封包。
使用方法
usage: ngrep <-LhNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num> <-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols> <-P char> <-F file> <match expression> <bpf filter>
-h is help/usage
-V is version information
-q is be quiet (don't print packet reception hash marks)静默模式,如果没有此开关,未匹配的数据包都以“#”显示
-e is show empty packets 显示空数据包
-i is ignore case 忽略大小写
-v is invert match 反转匹配
-R is don't do privilege revocation logic
-x is print in alternate hexdump format 以16进制格式显示
-X is interpret match expression as hexadecimal 以16进制格式匹配
-w is word-regex (expression must match as a word) 整字匹配
-p is don't go into promiscuous mode 不使用混杂模式
-l is make stdout line buffered
-D is replay pcap_dumps with their recorded time intervals
-t is print timestamp every time a packet is matched在每个匹配的包之前显示时间戳
-T is print delta timestamp every time a packet is matched显示上一个匹配的数据包之间的时间间隔
-M is don't do multi-line match (do single-line match instead)仅进行单行匹配
-I is read packet stream from pcap format file pcap_dump 从文件中读取数据进行匹配
-O is dump matched packets in pcap format to pcap_dump 将匹配的数据保存到文件
-n is look at only num packets 仅捕获指定数目的数据包进行查看
-A is dump num packets after a match匹配到数据包后Dump随后的指定数目的数据包
-s is set the bpf caplen
-S is set the limitlen on matched packets
-W is set the dump format (normal, byline, single, none) 设置显示格式byline将解析包中的换行符
-c is force the column width to the specified size 强制显示列的宽度
-P is set the non-printable display char to what is specified
-F is read the bpf filter from the specified file 使用文件中定义的bpf(Berkeley Packet Filter)
-N is show sub protocol number 显示由IANA定义的子协议号
-d is use specified device (index) instead of the pcap default 使用哪个网卡,可以用-L选项查询
-L is show the winpcap device list index 查询网卡接口
针对Web流量,你几乎总是想要加上-W byline选项,这会保留换行符,而-q选项可以抑制某些非匹配数据包而产生的输出。下面是一个抓取所有包含有GET或POST请求数据包的例子: # ngrep -q -W byline "^(GET|POST) .*"
你也可以传入附加的报文过滤选项,比如限制匹配的报文只针对某个特定的主机,IP或端口。这里我们把所有流经Google的流量做一个过滤,只针对80端口且报文中包含“search”。
# ngrep –q –W byline “search” host www.google.com and port 80
可以用ngrep来匹配特定的数据包:
$ngrep '' udp /*匹配udp包*/
$ngrep '' icmp/*匹配icmp包*/
$ngrep '' port 53 /*显示所有的dns请求*/
$ngrep '../'/*监听远程主机的'../'请求*/
$ngrep -d rl0 port 80/*服务器端http数据*/
$ngrep -d rl0 'error' port syslog/**/
$ngrep -wi -d rl0 'user|pass' port 21/*关注端口21上的user和pass*/
下面是一些常用的参数:
ngrep -v '' port 23
显示除telnet的数据包,-v意为反转。
ngrep -d eth0 ''
在redhat上显示所有的数据包,-d 指定硬件接口。
ngrep下载地址:http://ngrep.sourceforge.net/
libpcap下载地址:http://www.tcpdump.org/