ngrep - Network Packet Analyzer for Linux


Ngrep (network grep) is a simple but powerful network packet analyzer. It is grep applied to the network layer: it matches traffic passing over a network interface. It lets you specify an extended regular expression or a hexadecimal expression to match against the data payloads of packets (the actual information or message carried in the transmitted data, not the automatically generated metadata such as protocol headers).

The tool understands a range of protocols, including IPv4/6, TCP, UDP, ICMPv4/6 and IGMP, as well as raw captures, on a number of interface types. It operates in the same way as the tcpdump packet sniffing tool and uses the same BPF filter syntax.

The ngrep package is available from the default system repositories of the mainstream Linux distributions and can be installed with the distribution's package manager, as shown.

$ sudo apt install ngrep
$ sudo yum install ngrep
$ sudo dnf install ngrep

Once ngrep is installed, you can start analyzing traffic on your Linux network using the following examples. Capturing packets requires root (or CAP_NET_RAW), hence the sudo in every command.

1. The following command matches ICMP packets with a non-empty payload on the default interface. Open another terminal and ping another (remote) machine. The -q flag tells ngrep to be quiet, printing nothing except packet headers and their payloads. The first argument, '.', is the match expression (a regular expression matching any byte); the second, 'icmp', is a BPF filter in tcpdump syntax. Because 'icmp' covers both directions, the output shows the echo requests (type:code 8:0) and the replies (0:0).

$ sudo ngrep -q '.' 'icmp'

interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( icmp ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: .

I 192.168.0.104 -> 192.168.0.103 8:0
  ]...~oG[....j....................... !"#$%&'()*+,-./01234567

I 192.168.0.103 -> 192.168.0.104 0:0
  ]...~oG[....j....................... !"#$%&'()*+,-./01234567

I 192.168.0.104 -> 192.168.0.103 8:0
  ]....oG[............................ !"#$%&'()*+,-./01234567

I 192.168.0.103 -> 192.168.0.104 0:0
  ]....oG[............................ !"#$%&'()*+,-./01234567

Press Ctrl + C to stop it.

2. To match only traffic to or from a particular host, for example 'google.com', run the following command, then try to access the site from a browser. The BPF primitive 'host' matches packets in either direction, and the name is resolved to its address(es) when the filter is compiled. Note that the traffic captured below is HTTPS (port 443): the payload is TLS ciphertext, so a match expression more specific than '.' would find nothing meaningful in it.

$ sudo ngrep -q '.' 'host google.com'

interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( host google.com ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: .

T 172.217.160.174:443 -> 192.168.0.103:54008 [AP]
  ..................;.(...RZr..$....s=..l.Q+R.U..4..g.j..I,.l..:{y.a,....C{5>[email

T 172.217.160.174:443 -> 192.168.0.103:54008 [AP]
  .............l.......!,0hJ....0.%F..!...l|.........PL..X...t..T.2DC..... ..y...~Y;[email

3. If you are browsing the web, run the following command to monitor which files your browser is requesting. Only plaintext HTTP can be watched this way; with HTTPS the request line is encrypted. No BPF filter is given here, so the regular expression is tested against every packet on the interface; adding a filter such as 'port 80' would reduce the work considerably.

$ sudo ngrep -q '^GET .* HTTP/1.[01]'

interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ((ip || ip6) || (vlan && (ip || ip6)))
match: ^GET .* HTTP/1.[01]

T 192.168.0.104:43040 -> 172.217.160.174:80 [AP]
  GET / HTTP/1.1..Host: google.com..User-Agent: Links (2.13; Linux 4.17.6-1.el7.elrepo.x86_64 x86_64; 
  GNU C 4.8.5; text)..Accept: */*..Accept-Language: en,*;q=0.1..Accept-
  Encoding: gzip, deflate, bzip2..Accept-Charset: us-ascii,ISO-8859-1,ISO-8859-2,ISO-8859-3,ISO-8859-4,
  ISO-8859-5,ISO-8859-6,ISO-8859-7,ISO-8859-8,ISO-8859-9,ISO-8859-10,I
  SO-8859-13,ISO-8859-14,ISO-8859-15,ISO-8859-16,windows-1250,windows-1251,windows-1252,windows-1256,
  windows-1257,cp437,cp737,cp850,cp852,cp866,x-cp866-u,x-mac,x-mac-ce,x-
  kam-cs,koi8-r,koi8-u,koi8-ru,TCVN-5712,VISCII,utf-8..Connection: keep-alive....

4. To see all activity crossing source or destination port 25 (SMTP), run the following command. With no match expression, every packet that passes the BPF filter and carries a payload is shown (empty packets such as bare SYN/ACK segments are skipped unless you add -e).

$ sudo ngrep port 25

5. To monitor any network-based syslog traffic for occurrences of the word "error", use the following command. The -d any option captures on all interfaces rather than only the default one.

$ sudo ngrep -d any 'error' port 514

Importantly, the BPF filter accepts the service names stored in /etc/services (on Unix-like systems such as Linux) in place of port numbers. The following command is therefore equivalent to the one above.

$ sudo ngrep -d any 'error' port syslog

6. You can also run ngrep against an HTTP server (port 80). With no match expression it shows every packet with a payload on that port, in both directions, as shown. The '#' characters in this (older-version) output are printed by ngrep for each packet it receives from the filter; the -q flag suppresses them.

$ sudo ngrep port 80

interface: eth0 (64.90.164.72/255.255.255.252)
filter: ip and ( port 80 )
####
T 67.169.59.38:42167 -> 64.90.164.74:80 [AP]
  GET / HTTP/1.1..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i
  686) Opera 7.21  [en]..Host: www.darkridge.com..Accept: text/html, applicat
  ion/xml;q=0.9, application/xhtml+xml;q=0.9, image/png, image/jpeg, image/gi
  f, image/x-xbitmap, */*;q=0.1..Accept-Charset: iso-8859-1, utf-8, utf-16, *
  ;q=0.1..Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0..Cookie: SQ
  MSESSID=5272f9ae21c07eca4dfd75f9a3cda22e..Cookie2: $Version=1..Connection:
  Keep-Alive, TE..TE: deflate, gzip, chunked, identity, trailers....
##

As you can see in the output above, the HTTP headers are shown in their full gory detail, with the CR/LF bytes rendered as dots, and the capture already includes a session cookie (SQMSESSID) sent in the clear, which is exactly what anyone else on the path could harvest from plaintext HTTP. The single run-on block is hard to read, so let's see what happens when you apply the -W byline mode, which starts a new output line at each newline in the payload.

$ sudo ngrep -W byline port 80

interface: eth0 (64.90.164.72/255.255.255.252)
filter: ip and ( port 80 )
####
T 67.169.59.38:42177 -> 64.90.164.74:80 [AP]
GET / HTTP/1.1.
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i686) Opera ...
Host: www.darkridge.com.
Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9 ...
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1.
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0.
Cookie: SQMSESSID=5272f9ae21c07eca4dfd75f9a3cda22e.
Cookie2: $Version=1.
Cache-Control: no-cache.
Connection: Keep-Alive, TE.
TE: deflate, gzip, chunked, identity, trailers.

7. To print a timestamp in the form YYYY/MM/DD HH:MM:SS.UUUUUU each time a packet is matched, use the -t flag.

$ sudo ngrep -t -W byline port 80

interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( port 80 ) and ((ip || ip6) || (vlan && (ip || ip6)))
####
T 2018/07/12 16:33:19.348084 192.168.0.104:43048 -> 172.217.160.174:80 [AP]
GET / HTTP/1.1.
Host: google.com.
User-Agent: Links (2.13; Linux 4.17.6-1.el7.elrepo.x86_64 x86_64; GNU C 4.8.5; text).
Accept: */*.
Accept-Language: en,*;q=0.1.
Accept-Encoding: gzip, deflate, bzip2.
Accept-Charset: us-ascii,ISO-8859-1,ISO-8859-2,ISO-8859-3,ISO-8859-4,ISO-8859-5,utf-8.
Connection: keep-alive.
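The byline output in examples 3, 6 and 7 is readable, but on a busy link you still want a one-line summary per HTTP message and a clear flag when a cookie or credential went over the wire unencrypted. The following POSIX shell/awk filter is an added example written for this page; it is not part of the original article or of ngrep. It reads `ngrep -t -W byline port 80` output on stdin (the format of example 7; without -t the timestamp column is shown as "-"), prints one line per request or response, and names any Cookie, Set-Cookie, Authorization or Proxy-Authorization header it saw. The capture returned by `sample_capture` is constructed for this example, modeled on the listing above with made-up addresses, cookie and credential values.

```shell
#!/bin/sh
# Added example (not part of the original article or of ngrep itself):
# turn `ngrep -t -W byline port 80` output into one line per HTTP message
# and flag credential-bearing headers that were visible in cleartext.

# Parse ngrep byline output on stdin. Prints, per request/response:
#   <timestamp|-> <src> -> <dst> <method|RESPONSE> <host|-> <path|status> <flagged headers|->
summarize_ngrep() {
    awk '
    function flush() {
        if (inpkt && method != "") {
            printf "%s %s -> %s %s %s %s %s\n", ts, src, dst, method, host, path, (flags == "" ? "-" : flags)
        }
        inpkt = 0; method = ""; host = "-"; path = "-"; flags = ""
    }
    {
        line = $0
        sub(/^#+/, "", line)      # without -q, ngrep prints a "#" per packet received
        if (line == "") next
        # Packet header: "T [YYYY/MM/DD HH:MM:SS.UUUUUU] src -> dst [tcpflags]"
        # (T = TCP, U = UDP, I = ICMP, as in the listings above)
        if (line ~ /^[TUI] /) {
            flush()
            inpkt = 1; ts = "-"
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "->") { src = f[i-1]; dst = f[i+1] }
            if (f[2] ~ /^[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/) ts = f[2] " " f[3]  # only with -t
            next
        }
        if (!inpkt) next
        sub(/\.$/, "", line)      # byline mode renders the CR before each LF as "."
        if (line ~ /^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) /) {
            split(line, r, " "); method = r[1]; path = r[2]; next
        }
        if (line ~ /^HTTP\/1\.[01] [0-9][0-9][0-9]/) {
            split(line, r, " "); method = "RESPONSE"; path = r[2]; next
        }
        if (line ~ /^[Hh]ost: /) { host = substr(line, 7); next }
        # Anything carried in these headers was readable by everyone on the path.
        if (line ~ /^(Cookie|Set-Cookie|Authorization|Proxy-Authorization): /) {
            split(line, h, ":"); flags = (flags == "" ? h[1] : flags "," h[1])
        }
    }
    END { flush() }'
}

# Count messages on which at least one credential-bearing header was seen.
credential_exposures() {
    summarize_ngrep | awk '$NF != "-" { n++ } END { print n + 0 }'
}

# Constructed sample capture in the format of example 7 above (addresses,
# cookie and credential values are made up for this example).
sample_capture() {
    cat <<'EOF'
interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( port 80 ) and ((ip || ip6) || (vlan && (ip || ip6)))
####
T 2018/07/12 16:33:19.348084 192.168.0.104:43048 -> 172.217.160.174:80 [AP]
GET / HTTP/1.1.
Host: google.com.
User-Agent: Links (2.13; Linux x86_64; text).
Cookie: SQMSESSID=5272f9ae21c07eca4dfd75f9a3cda22e.
Connection: keep-alive.

##
T 2018/07/12 16:33:19.402311 172.217.160.174:80 -> 192.168.0.104:43048 [AP]
HTTP/1.1 200 OK.
Content-Type: text/html.
Set-Cookie: NID=0123456789abcdef; Path=/; HttpOnly.
Content-Length: 0.

#
T 2018/07/12 16:33:25.110000 192.168.0.104:43052 -> 192.0.2.10:80 [AP]
POST /api/login HTTP/1.1.
Host: intranet.example.
Authorization: Basic YWxpY2U6aHVudGVyMg==.
Content-Length: 0.

T 2018/07/12 16:33:30.000000 192.168.0.104:43060 -> 192.0.2.10:80 [AP]
GET /favicon.ico HTTP/1.1.
Host: intranet.example.
Accept: */*.
EOF
}

# Live use: sudo ngrep -q -t -W byline port 80 | summarize_ngrep
sample_capture | summarize_ngrep
echo "messages exposing credentials: $(sample_capture | credential_exposures)"
```

For live traffic, pipe `sudo ngrep -q -t -W byline port 80` into `summarize_ngrep` (the -q matters: the "#" progress marks would otherwise be interleaved with the header lines). The same filter works on a saved capture replayed with ngrep's -I option. The flagged-header list is the point: every line that does not end in "-" is a session cookie or credential that any host on the path could have read just as easily as ngrep did.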

8. To avoid putting the monitored interface into promiscuous mode (in which it intercepts and reads every packet arriving on the wire, not only those addressed to it), add the -p flag. You then see only traffic to, from or through the host itself.

$ sudo ngrep -p -W byline port 80

9. Another useful option is -N, for when you are observing raw or unknown protocols. It tells ngrep to show the sub-protocol number along with the single-character protocol identifier.

$ sudo ngrep -N -W byline

For more information, see the ngrep man page.

$ man ngrep

ngrep GitHub repository: https://github.com/jpr5/ngrep

That's all! Ngrep (network grep) is a network packet analyzer that understands BPF filter logic in the same way tcpdump does. We would like to hear your thoughts about ngrep in the comments section.