ngrep - Network Packet Analyzer for Linux
Ngrep (network grep) is a simple but powerful network packet analyzer. It is a grep-like tool applied to the network layer: it matches traffic passing over a network interface. It lets you specify an extended regular expression or a hexadecimal expression to match against the data payloads of packets (the actual information or message in the transmitted data, not the automatically generated metadata).
This tool works with several types of protocols, including IPv4/6, TCP, UDP, ICMPv4/6 and IGMP, as well as Raw, on a number of interfaces. It operates in the same way as the tcpdump packet-sniffing tool.
The ngrep package is available for installation from the default system repositories of mainstream Linux distributions using the package management tool, as shown.
$ sudo apt install ngrep
$ sudo yum install ngrep
$ sudo dnf install ngrep
After installing ngrep, you can start analyzing traffic on your Linux network using the following examples.
1. The following command will help you match all ping requests on the default working interface. You will need to open another terminal and try to ping another remote machine. The -q flag tells ngrep to work quietly, printing nothing except packet headers and their payloads.
$ sudo ngrep -q '.' 'icmp'

interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( icmp ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: .

I 192.168.0.104 -> 192.168.0.103 8:0
  ]...~oG[....j....................... !"#$%&'()*+,-./01234567

I 192.168.0.103 -> 192.168.0.104 0:0
  ]...~oG[....j....................... !"#$%&'()*+,-./01234567

I 192.168.0.104 -> 192.168.0.103 8:0
  ]....oG[............................ !"#$%&'()*+,-./01234567

I 192.168.0.103 -> 192.168.0.104 0:0
  ]....oG[............................ !"#$%&'()*+,-./01234567
You can press Ctrl + C to terminate it.
2. To match only traffic going to a particular destination site, for example 'google.com', run the following command, then try to access it from a browser.
$ sudo ngrep -q '.' 'host google.com'

interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( host google.com ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: .

T 172.217.160.174:443 -> 192.168.0.103:54008 [AP]
  ..................;.(...RZr..$....s=..l.Q+R.U..4..g.j..I,.l..:{y.a,....C{5>

T 172.217.160.174:443 -> 192.168.0.103:54008 [AP]
  .............l.......!,0hJ....0.%F..!...l|.........PL..X...t..T.2DC..... ..y...~Y;
3. If you are browsing the web, run the following command to monitor which files your browser is requesting:
$ sudo ngrep -q '^GET .* HTTP/1.[01]'

interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ((ip || ip6) || (vlan && (ip || ip6)))
match: ^GET .* HTTP/1.[01]

T 192.168.0.104:43040 -> 172.217.160.174:80 [AP]
  GET / HTTP/1.1..Host: google.com..User-Agent: Links (2.13; Linux 4.17.6-1.el7.elrepo.x86_64 x86_64; GNU C 4.8.5; text)..Accept: */*..Accept-Language: en,*;q=0.1..Accept-Encoding: gzip, deflate, bzip2..Accept-Charset: us-ascii,ISO-8859-1,ISO-8859-2,ISO-8859-3,ISO-8859-4,ISO-8859-5,ISO-8859-6,ISO-8859-7,ISO-8859-8,ISO-8859-9,ISO-8859-10,ISO-8859-13,ISO-8859-14,ISO-8859-15,ISO-8859-16,windows-1250,windows-1251,windows-1252,windows-1256,windows-1257,cp437,cp737,cp850,cp852,cp866,x-cp866-u,x-mac,x-mac-ce,x-kam-cs,koi8-r,koi8-u,koi8-ru,TCVN-5712,VISCII,utf-8..Connection: keep-alive....
4. To view all activity crossing source or destination port 25 (SMTP), run the following command.
$ sudo ngrep port 25
5. To monitor any network-based syslog traffic for occurrences of the word 'error', use the following command.
$ sudo ngrep -d any 'error' port 514
Importantly, this tool can convert the service port names stored in /etc/services (on Unix-like systems such as Linux) into port numbers. This command is equivalent to the command above.
$ sudo ngrep -d any 'error' port syslog
6. You can also run ngrep against an HTTP server (port 80); it will match all requests to the destination host, as shown.
$ sudo ngrep port 80

interface: eth0 (64.90.164.72/255.255.255.252)
filter: ip and ( port 80 )
####
T 67.169.59.38:42167 -> 64.90.164.74:80 [AP]
  GET / HTTP/1.1..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i686) Opera 7.21 [en]..Host: www.darkridge.com..Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1..Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1..Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0..Cookie: SQMSESSID=5272f9ae21c07eca4dfd75f9a3cda22e..Cookie2: $Version=1..Connection: Keep-Alive, TE..TE: deflate, gzip, chunked, identity, trailers....
##
As you can see in the output above, all the transmitted HTTP headers are shown in their gory detail. That is hard to read, so let us see what happens when you apply the -W byline mode.
$ sudo ngrep -W byline port 80

interface: eth0 (64.90.164.72/255.255.255.252)
filter: ip and ( port 80 )
####
T 67.169.59.38:42177 -> 64.90.164.74:80 [AP]
GET / HTTP/1.1.
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i686) Opera ...
Host: www.darkridge.com.
Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9 ...
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1.
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0.
Cookie: SQMSESSID=5272f9ae21c07eca4dfd75f9a3cda22e.
Cookie2: $Version=1.
Cache-Control: no-cache.
Connection: Keep-Alive, TE.
TE: deflate, gzip, chunked, identity, trailers.
7. To print a timestamp in the form YYYY/MM/DD HH:MM:SS.UUUUUU every time a packet is matched, use the -t flag.
$ sudo ngrep -t -W byline port 80

interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( port 80 ) and ((ip || ip6) || (vlan && (ip || ip6)))
####
T 2018/07/12 16:33:19.348084 192.168.0.104:43048 -> 172.217.160.174:80 [AP]
GET / HTTP/1.1.
Host: google.com.
User-Agent: Links (2.13; Linux 4.17.6-1.el7.elrepo.x86_64 x86_64; GNU C 4.8.5; text).
Accept: */*.
Accept-Language: en,*;q=0.1.
Accept-Encoding: gzip, deflate, bzip2.
Accept-Charset: us-ascii,ISO-8859-1,ISO-8859-2,ISO-8859-3,ISO-8859-4,ISO-8859-5,utf-8.
Connection: keep-alive.
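Byline output is one header line per packet followed by one line per protocol line, which makes it easy to post-process. The Python script below is an added example, not part of the original article or of ngrep: it parses a constructed sample in the format of the `ngrep -t -W byline port 80` output above and reports session cookies that crossed the wire in cleartext, the kind of exposure a capture like this makes visible. The function names and the sample hosts and cookie values are hypothetical.

```python
import re
# Hypothetical parser for `ngrep -t -W byline` output (not part of ngrep itself).
HEADER = re.compile(r"^(?P<proto>[TUI]) (?:(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) )?"
                    r"(?P<src>\S+) -> (?P<dst>\S+)(?: (?P<info>.*))?$")
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")

# Constructed sample laid out like the port-80 capture above (host and cookie are made up).
SAMPLE = """interface: enp0s3 (192.168.0.0/255.255.255.0)
####
T 2018/07/12 16:33:19.348084 192.168.0.104:43048 -> 172.217.160.174:80 [AP]
GET / HTTP/1.1.
Host: example.test.
Cookie: SESSID=constructed0001; theme=dark.
.
##
T 2018/07/12 16:33:19.401200 172.217.160.174:80 -> 192.168.0.104:43048 [AP]
HTTP/1.1 200 OK.
"""

def parse_ngrep_byline(text):
    """Return one dict per matched packet: header fields plus its payload lines."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = dict(m.groupdict(), payload=[])
            records.append(current)
        elif current is not None and line and set(line) != {"#"}:  # skip banner, #### marks
            # byline mode breaks at LF and prints the preceding CR as '.', so strip it
            current["payload"].append(line[:-1] if line.endswith(".") else line)
    return records

def http_request(rec):
    """Return (method, path, headers) if the payload opens with an HTTP request line."""
    m = REQUEST_LINE.match(rec["payload"][0]) if rec["payload"] else None
    headers = {}
    for name, sep, value in (h.partition(":") for h in rec["payload"][1:]):
        if sep:  # a line without ':' is the blank header terminator or body data
            headers[name.strip().lower()] = value.strip()
    return (m["method"], m["path"], headers) if m else None

def cleartext_cookie_findings(text):
    """Report (timestamp, client, host, cookie names) for cookies sent over plain HTTP."""
    findings = []
    for rec in parse_ngrep_byline(text):
        req = http_request(rec)
        if req and "cookie" in req[2]:
            names = [c.split("=", 1)[0].strip() for c in req[2]["cookie"].split(";")]
            findings.append((rec["ts"], rec["src"], req[2].get("host", "?"), names))
    return findings
```

The same functions work on a live capture if you read the text from standard input and pipe `sudo ngrep -t -W byline port 80` into the script.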
8. To avoid putting the monitored interface into promiscuous mode (where it intercepts and reads every network packet that arrives), add the -p flag.
$ sudo ngrep -p -W byline port 80
9. Another important option is -N, which is useful when you are observing raw or unknown protocols. It tells ngrep to show the sub-protocol number together with a single-character identifier.
$ sudo ngrep -N -W byline
For more information, see the ngrep man page.
$ man ngrep
ngrep Github repository: https://github.com/jpr5/ngrep
That's all! Ngrep (network grep) is a network packet analyzer that understands BPF filter logic in the same way as tcpdump. We would like to hear your thoughts about ngrep in the comments section.