The Linux packet-capture tool ngrep explained

1. Requirement

On the server side, capture the packets exchanged between two clients (117.136.x.x and 202.104.x.x) and the server (10.135.x.x) in order to understand the whole interaction. The traffic uses both HTTP and WebSocket.


2. Solving it with ngrep

$ ngrep -q -d eth0 -W byline host 10.135.x.x and \(117.136.x.x or 202.104.x.x\) and \(port 80 or port 8089 or port 11211 or port 3478\)

Two points about the BPF filter. The bare addresses inside the first pair of parentheses inherit the preceding host keyword, so "host 10.135.x.x and \(117.136.x.x or 202.104.x.x\)" is standard BPF, the same idiom the tcpdump manual shows as "host helios and \( hot or ace \)". The port list must be parenthesised too: in BPF "and" binds tighter than "or", so "... and port 80 or port 8089 or port 11211 or port 3478" is read as "(host ... and port 80) or port 8089 or port 11211 or port 3478", and packets on ports 8089, 11211 and 3478 from any host at all would be captured, not only those involving the two clients. The parentheses are backslash-escaped so the shell does not interpret them.

3. Results

Each packet header line gives the protocol (T for TCP), the two endpoints and the TCP flags ([AP] is ACK and PSH). With -W byline ngrep breaks the output at every line feed in the payload and prints every other non-printable byte as a dot, which is why each header line ends in a dot (its carriage return) and the empty line that terminates the HTTP headers shows up as a lone dot.

# The client sends a request to the server over HTTP
T 202.104.x.x:57171 -> 10.135.x.x:80 [AP]
POST /join/123 HTTP/1.1.
origin: https://appr.tc.
Content-Type: text/plain; charset=utf-8.
Content-Length: 0.
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1; M3s Build/LMY47I).
Host: 123.207.x.x.
Connection: Keep-Alive.
Accept-Encoding: gzip.
----------------------------------------------------------
# The server's response to the client
T 10.135.x.x:80 -> 202.104.x.x:57171 [AP]
HTTP/1.1 200 OK.
Server: nginx/1.11.4.
Date: Thu, 22 Sep 2016 13:02:47 GMT.
Content-Type: text/html; charset=utf-8.
Content-Length: 955.
Connection: keep-alive.
Cache-Control: no-cache.
.
{"params": {"is_initiator": "true", "room_link": "http://127.0.0.1:8080/r/123", "ice_server_transports": ""
....
}
----------------------------------------------------------
# The client and server upgrade the connection to WebSocket
T 202.104.x.x:40872 -> 10.135.x.x:8089 [AP]
GET /ws HTTP/1.1.
Host: 123.207.x.x.
Upgrade: WebSocket.
Connection: Upgrade.
Sec-WebSocket-Key: iTSZU6BzEryaMzTJa/TYhg==.
Origin: https://www.google.com.
Sec-WebSocket-Version: 13.
.
----------------------------------------------------------
T 10.135.x.x:8089 -> 202.104.x.x:40872 [AP]
HTTP/1.1 101 Switching Protocols.
Upgrade: websocket.
Connection: Upgrade.
Sec-WebSocket-Accept: y9YTmUd9ujuhcHz1dCIjl3gyevY=.
.
----------------------------------------------------------
T 202.104.x.x:40872 -> 10.135.x.x:8089 [AP]
..!$..Z..vE..9SA.rRP.i...iNK.rE..9...9...wHA.oH@.!...*...-...
----------------------------------------------------------
# WebSocket is not encrypted here (ws:// on port 8089, not wss://), but RFC 6455 requires every frame the client sends to be masked with a random 32-bit key, and each frame starts with a binary header, so ngrep shows the client's data as unprintable bytes.
# Frames sent by the server are never masked, so text frames in the server-to-client direction remain readable in this output.

Because of the masking, WebSocket traffic is much less direct to read than HTTP. An online WebSocket test client is the easiest way to watch each step of the flow; otherwise the client frames have to be unmasked from the captured bytes.
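As an added example (not code from the original post or from ngrep), the Python below decodes RFC 6455 frames the way a capture tool sees them: it parses the frame header, unmasks a client frame, renders the raw bytes the way ngrep prints them (non-printable bytes as dots), and recomputes the Sec-WebSocket-Accept value for the Sec-WebSocket-Key from the handshake above. Both sample frames are constructed; the masked one is the "Hello" example from RFC 6455 section 5.7, and the dot rendering only approximates ngrep's display rule.

```python
"""Decode RFC 6455 WebSocket frames the way a capture tool sees them.

Added example, not code from the original post or from ngrep. The frames
below are constructed; the masked one is the "Hello" example from RFC 6455
section 5.7. ngrep_view() only approximates ngrep's display rule.
"""
import base64
import hashlib

# Fixed GUID every WebSocket server appends to the client key (RFC 6455 section 1.3).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def ws_accept(key: str) -> str:
    """Sec-WebSocket-Accept a server must return for a given Sec-WebSocket-Key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_frame(payload: bytes, mask: bytes = b"", opcode: int = 0x1) -> bytes:
    """Encode one unfragmented frame; pass a 4-byte mask for client-to-server frames."""
    if mask and len(mask) != 4:
        raise ValueError("masking key must be exactly 4 bytes")
    mask_bit = 0x80 if mask else 0x00
    n = len(payload)
    head = bytes([0x80 | opcode])  # FIN set, RSV bits clear
    if n < 126:
        head += bytes([mask_bit | n])
    elif n < 1 << 16:
        head += bytes([mask_bit | 126]) + n.to_bytes(2, "big")
    else:
        head += bytes([mask_bit | 127]) + n.to_bytes(8, "big")
    if not mask:
        return head + payload
    return head + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(payload))


def parse_frame(data: bytes) -> dict:
    """Decode one frame from raw bytes, unmasking the payload if the MASK bit is set."""
    if len(data) < 2:
        raise ValueError("frame shorter than the 2-byte header")
    b0, b1 = data[0], data[1]
    fin, opcode, masked = bool(b0 & 0x80), b0 & 0x0F, bool(b1 & 0x80)
    length, pos = b1 & 0x7F, 2
    if length == 126:          # 16-bit extended length follows
        length, pos = int.from_bytes(data[2:4], "big"), 4
    elif length == 127:        # 64-bit extended length follows
        length, pos = int.from_bytes(data[2:10], "big"), 10
    mask = b""
    if masked:
        mask, pos = data[pos:pos + 4], pos + 4
    payload = data[pos:pos + length]
    if len(payload) != length:
        raise ValueError("truncated frame: header announces %d payload bytes" % length)
    if masked:
        payload = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return {"fin": fin, "opcode": opcode, "masked": masked, "payload": payload}


def ngrep_view(data: bytes) -> str:
    """Approximate ngrep's rendering: printable ASCII kept, every other byte shown as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


# Constructed samples: a client frame carrying "Hello" (RFC 6455 section 5.7)
# and the same text as an unmasked frame, as a server would send it.
CLIENT_FRAME = bytes.fromhex("81 85 37 fa 21 3d 7f 9f 4d 51 58")
SERVER_FRAME = bytes.fromhex("81 05 48 65 6c 6c 6f")

if __name__ == "__main__":
    for name, frame in (("client->server", CLIENT_FRAME), ("server->client", SERVER_FRAME)):
        f = parse_frame(frame)
        print("%s: ngrep shows %r, decoded masked=%s payload=%r"
              % (name, ngrep_view(frame), f["masked"], f["payload"]))
    # Sec-WebSocket-Key / Sec-WebSocket-Accept pair from the handshake captured above.
    captured_key = "iTSZU6BzEryaMzTJa/TYhg=="
    captured_accept = "y9YTmUd9ujuhcHz1dCIjl3gyevY="
    print("captured handshake accept matches key:", ws_accept(captured_key) == captured_accept)
```

The client frame renders as "..7.!=..MQX", the same kind of noise as the port 8089 payload above, while parse_frame() recovers the text "Hello"; the server frame is readable even before decoding because servers never mask. The accept check is worth keeping in a capture-analysis toolkit: a 101 response whose accept value does not derive from the client's key points at a proxy or server that is not doing the handshake properly.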


4. ngrep in detail

ngrep is built on libpcap, which is why it runs on many operating systems and link types. It recognizes TCP, UDP and ICMP packets and accepts the same BPF filter syntax as tcpdump.

Selected parts of man ngrep, with comments:

NAME
   ngrep - network grep

SYNOPSIS
   ngrep  <-hNXViwqpevxlDtTRM>  <-IO  pcap_dump > < -n num > < -d dev > < -A num > < -s snaplen > < -S limitlen > < -W normal|byline|single|none > < -c cols > < -P char > < -F file > < match expression > < bpf filter >

OPTIONS
   -h     Display help/usage information.  (Self-explanatory.)

   # Show the sub-protocol number (the IANA-assigned IP protocol number) next to the one-character identifier.
   -N     Show sub-protocol number along with single-character identifier (useful when observing raw or unknown protocols).

   # Interpret the match expression as a string of hex bytes instead of a regex.  This changes what is matched, not how packets are printed (hex output is -x).
   -X     Treat the match expression as a hexadecimal string.  See the explanation of match expression below.

   # Ignore case when matching the regex.  It does not filter anything out; inverting the match is -v.
   -i     Ignore case for the regex expression.

   # Match the regex only as a whole word.
   -w     Match the regex expression as a word.

   # Quiet: print only packet headers and payloads, nothing else.
   -q     Be quiet; don't output any information other than packet headers and their payloads (if relevant).

   # Show empty packets.
   -e     Show empty packets.  Normally empty packets are discarded because they have no payload to search.  If specified, empty packets will be shown,
          regardless of the specified regex expression.

   # Invert the match.
   -v     Invert the match; only display packets that don't match.

   # Dump the payload as hex alongside the ASCII rendering.
   -x     Dump packet contents as hexadecimal as well as ASCII.

   # Listen on a specific interface.
   -d dev By default ngrep will select a default interface to listen on.  Use this option to force ngrep to listen on interface dev.

   # Set the dump format.  byline honours the line feeds in the payload, which is what makes the HTTP in section 3 readable.
   -W normal|byline|single|none
          Set the dump format.

 The match expression is not where hosts and ports go: it is the pattern ngrep searches for in each packet's payload, either an extended regular expression or, with -X, a hex byte string. Hosts and ports belong to the BPF filter that follows it. The match expression may be omitted, as in the command in section 2, in which case every packet that passes the BPF filter is printed.
 match expression
          A  match  expression is either an extended regular expression, or if the -X option is specified, a string signifying a hexadecimal value.  An extended regular expression follows the rules as implemented by the GNU regex library.  Hexadecimal expressions can optionally be preceded by '0x'.  E.g., 'DEADBEEF', '0xDEADBEEF'.
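The following Python is an added example, not ngrep's own code: it re-implements the man page's rules for how the match expression is applied (plain regex, -X hex string with optional 0x prefix, -i, -w, -v) and runs them over two constructed payloads modelled on the HTTP request and WebSocket upgrade captured in section 3. The word-boundary handling for -w is an approximation of ngrep's behaviour.

```python
"""How ngrep's match expression is applied to a payload.

Added example, not ngrep's code: a small re-implementation of the -X, -i,
-w and -v semantics from the man page, run over constructed payloads
modelled on the capture in section 3.
"""
import re


def compile_match(expr: str, hexmode: bool = False, ignore_case: bool = False,
                  word: bool = False):
    """Turn a match expression into a pattern over raw payload bytes.

    -X: expr is a hex string (optional 0x prefix) matched literally as bytes.
    -i: case-insensitive regex.
    -w: the regex must match as a whole word (approximated with \\b).
    """
    if hexmode:
        digits = expr[2:] if expr.lower().startswith("0x") else expr
        return re.compile(re.escape(bytes.fromhex(digits)))
    pattern = expr.encode("latin-1")
    if word:
        pattern = rb"\b" + pattern + rb"\b"
    return re.compile(pattern, re.IGNORECASE if ignore_case else 0)


def ngrep_selects(payload: bytes, expr: str, hexmode: bool = False,
                  ignore_case: bool = False, word: bool = False,
                  invert: bool = False) -> bool:
    """Would ngrep print this packet for the given match expression and flags?"""
    hit = compile_match(expr, hexmode, ignore_case, word).search(payload) is not None
    return hit != invert  # -v flips the decision


# Constructed payloads modelled on the capture in section 3 (addresses dropped).
HTTP_POST = (b"POST /join/123 HTTP/1.1\r\nOrigin: https://appr.tc\r\n"
             b"User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1)\r\n\r\n")
WS_UPGRADE = (b"GET /ws HTTP/1.1\r\nUpgrade: WebSocket\r\nConnection: Upgrade\r\n"
              b"Sec-WebSocket-Version: 13\r\n\r\n")
SAMPLES = {"HTTP_POST": HTTP_POST, "WS_UPGRADE": WS_UPGRADE}


def which_match(expr: str, **flags) -> list:
    """Names of the sample payloads ngrep would print for expr under the given flags."""
    return [name for name, payload in SAMPLES.items() if ngrep_selects(payload, expr, **flags)]


if __name__ == "__main__":
    print("websocket          ->", which_match("websocket"))                    # case matters
    print("-i websocket       ->", which_match("websocket", ignore_case=True))
    print("Socket             ->", which_match("Socket"))                       # substring of WebSocket
    print("-w Socket          ->", which_match("Socket", word=True))            # no longer a whole word
    print("-X 0x504f5354      ->", which_match("0x504f5354", hexmode=True))     # the bytes of POST
    print("-v Upgrade         ->", which_match("Upgrade", invert=True))
```

The -X case is the one the flag descriptions above most often get wrong: 0x504f5354 is not an output format, it is the byte sequence "POST" that ngrep looks for in the payload, which is how you search for non-text protocols such as the masked WebSocket frames on port 8089.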


Allowable primitives are
   dst host host
          True if the IP destination field of the packet is host, which may be either an address or a name.

   src host host
          True if the IP source field of the packet is host.

   host host
          True if either the IP source or destination of the packet is host.  Any of the above host expressions can be prepended with the keywords ip, arp, or rarp, as in: ip host host, which is equivalent to:

.... and the port and net primitives work the same way as host.

5. Closing remarks

Open question: how are tools like ngrep and tcpdump actually implemented? I will add this once I have worked it out.

TODO: a comparison of tcpdump and ngrep.
