Installation
yum install -y ngrep
Help information
# ngrep -help
usage: ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
             <-s snaplen> <-S limitlen> <-W normal|byline|single|none>
             <-c cols> <-P char> <-F file>
             <match expression> <bpf filter>
   -h  is help/usage
   -V  is version information
   -q  is be quiet (don't print packet reception hash marks)
   -e  is show empty packets
   -i  is ignore case
   -v  is invert match
   -R  is don't do privilege revocation logic
   -x  is print in alternate hexdump format
   -X  is interpret match expression as hexadecimal
   -w  is word-regex (expression must match as a word)
   -p  is don't go into promiscuous mode
   -l  is make stdout line buffered
   -D  is replay pcap_dumps with their recorded time intervals
   -t  is print timestamp every time a packet is matched
   -T  is print delta timestamp every time a packet is matched
         specify twice for delta from first match
   -M  is don't do multi-line match (do single-line match instead)
   -I  is read packet stream from pcap format file pcap_dump
   -O  is dump matched packets in pcap format to pcap_dump
   -n  is look at only num packets
   -A  is dump num packets after a match
   -s  is set the bpf caplen
   -S  is set the limitlen on matched packets
   -W  is set the dump format (normal, byline, single, none)
   -c  is force the column width to the specified size
   -P  is set the non-printable display char to what is specified
   -F  is read the bpf filter from the specified file
   -N  is show sub protocol number
   -d  is use specified device instead of the pcap default
# ngrep -q GET -d eth1 port 80
# ngrep -q POST -d eth1 port 80
# ngrep -q /news/111.html -d eth1 port 80
# ngrep -q User-Agent -d eth1 port 80
# ngrep -q Safari -d eth1 port 80

# ngrep -q HELO -d enp2s0 port 25
interface: enp2s0 (173.254.223.0/255.255.255.192)
filter: ( port 25 ) and (ip or ip6)
match: HELO

T 47.90.44.87:39023 -> 173.254.223.53:25 [AP]
  HELO localhost..

T 47.90.44.87:39024 -> 173.254.223.53:25 [AP]
  HELO localhost..

T 47.90.44.87:39025 -> 173.254.223.53:25 [AP]
  HELO localhost..
-d is use specified device instead of the pcap default
# ngrep -d eth0
# ngrep -d enp2s0
[root@netkiller ~]# ngrep -d any -qt -W byline . port 5060 | grep 'sip:6000@sip.aigcsst.cn' -B 4 -A 9
U 2025/04/06 00:44:56.929467 112.97.211.57:33689 -> 192.168.0.71:5060 #7648
REGISTER sip:sip.aigcsst.cn SIP/2.0.
v: SIP/2.0/UDP 172.16.0.10:5060;branch=z9hG4bK-d7afde6a.
f: BG7NYT <sip:6000@sip.aigcsst.cn>;tag=caa95e5e7bbd3850o0.
t: BG7NYT <sip:6000@sip.aigcsst.cn>.
i: 149a4a56-4d447c9e@172.16.0.10.
CSeq: 44812 REGISTER.
Max-Forwards: 70.
Authorization: Digest username="6000",realm="sip.aigcsst.cn",nonce="Z/FfNGfxXggslcTmDFiODs1eASlSzxGl",uri="sip:sip.aigcsst.cn",algorithm=MD5,response="65963da9fec4ee95ad103a459a14fc9a".
m: BG7NYT <sip:6000@172.16.0.10:5060>;expires=3600.
User-Agent: Linksys/PAP2T-5.1.6(LS).
l: 0.
Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, REFER.
k: x-sipura, replaces.
--
U 2025/04/06 00:44:56.932533 192.168.0.71:5060 -> 112.97.211.57:33689 #7649
SIP/2.0 200 OK.
v: SIP/2.0/UDP 172.16.0.10:5060;branch=z9hG4bK-d7afde6a;rport=33689;received=112.97.211.57.
f: BG7NYT <sip:6000@sip.aigcsst.cn>;tag=caa95e5e7bbd3850o0.
t: BG7NYT <sip:6000@sip.aigcsst.cn>;tag=19db6516a6b774c682ff0634f6a75b73.9d6b9329.
i: 149a4a56-4d447c9e@172.16.0.10.
CSeq: 44812 REGISTER.
Contact: <sip:6000@172.16.0.10:5060>;expires=3600;received="sip:112.97.211.57:33689".
Server: kamailio (6.0.1 (x86_64/linux)).
Content-Length: 0.
.

U 2025/04/06 00:44:57.686890 192.168.0.71:5060 -> 112.97.211.57:33689 #7650
--
U 2025/04/06 00:45:11.841369 112.97.211.57:33689 -> 192.168.0.71:5060 #7658
NOTIFY sip:sip.aigcsst.cn SIP/2.0.
v: SIP/2.0/UDP 172.16.0.10:5060;branch=z9hG4bK-5a73dd90.
f: BG7NYT <sip:6000@sip.aigcsst.cn>;tag=caa95e5e7bbd3850o0.
t: <sip:sip.aigcsst.cn>.
i: a9c72d16-16def8f8@172.16.0.10.
CSeq: 1 NOTIFY.
Max-Forwards: 70.
o: keep-alive.
User-Agent: Linksys/PAP2T-5.1.6(LS).
l: 0.
.

U 2025/04/06 00:45:11.841559 192.168.0.71:5060 -> 112.97.211.57:33689 #7659
SIP/2.0 407 Proxy Authentication Required.
v: SIP/2.0/UDP 172.16.0.10:5060;branch=z9hG4bK-5a73dd90;rport=33689;received=112.97.211.57.
f: BG7NYT <sip:6000@sip.aigcsst.cn>;tag=caa95e5e7bbd3850o0.
t: <sip:sip.aigcsst.cn>;tag=19db6516a6b774c682ff0634f6a75b73.852b8afb.
i: a9c72d16-16def8f8@172.16.0.10.
CSeq: 1 NOTIFY.
Proxy-Authenticate: Digest realm="sip.aigcsst.cn", nonce="Z/FfQ2fxXhf24xMVhdUVZ3A0nz7MVhSw", algorithm=MD5.
Server: kamailio (6.0.1 (x86_64/linux)).
Content-Length: 0.
.
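Piping `ngrep -qt -W byline` through grep, as above, is fine for a quick look, but once you want to pair a REGISTER with its 200 OK or count 401/407 challenges per client you need the output parsed into records. The following Python script is an added example, not code from the original column or from the ngrep project: it parses ngrep's per-packet header lines (the same `U`/`T` lines the HTTP and SMTP greps earlier on the page produce), expands SIP compact header names, and derives two defender-side summaries from a constructed sample capture. The sample uses RFC 5737 documentation addresses, the realm `sip.example.test` and placeholder nonce/response values; none of it is a real trace.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Per-packet header line printed by `ngrep -qt` (no timestamp without -t), e.g.
#   U 2025/04/06 00:44:56.929467 203.0.113.10:33689 -> 192.0.2.71:5060 #7648
#   T 203.0.113.10:39023 -> 192.0.2.53:25 [AP]
PKT_RE = re.compile(
    r"^(?P<proto>[TU]) (?:(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) )?"
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)"
    r"(?: \[(?P<flags>[A-Z]+)\])?(?: #(?P<num>\d+))?$")
# SIP compact header names (RFC 3261 section 7.3.3) -> long form.
COMPACT = {"v": "Via", "f": "From", "t": "To", "i": "Call-ID", "m": "Contact",
           "l": "Content-Length", "k": "Supported", "o": "Event", "c": "Content-Type"}

@dataclass
class Packet:
    proto: str
    ts: Optional[str]
    src: str  # "host:port"
    dst: str  # "host:port"
    start_line: str = ""
    headers: dict = field(default_factory=dict)

    def is_request(self) -> bool:
        return not self.start_line.startswith("SIP/2.0 ")

    def method(self) -> str:  # "REGISTER sip:x SIP/2.0" -> "REGISTER"; "SIP/2.0 407 .." -> "407"
        parts = self.start_line.split(" ", 2)
        return parts[0] if self.is_request() else parts[1]

def parse_ngrep(text: str) -> list:
    """Parse `ngrep -qt -W byline` output, optionally filtered through grep -A/-B."""
    packets, cur = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "--":  # grep context separator
            cur = None
            continue
        m = PKT_RE.match(line)
        if m:
            cur = Packet(m["proto"], m["ts"], f"{m['src']}:{m['sport']}", f"{m['dst']}:{m['dport']}")
            packets.append(cur)
            continue
        if cur is None:
            continue
        # byline mode shows the CR of each CRLF as a trailing "."; a lone "." (or an
        # empty line) is the blank line ending the SIP header block, so stop there.
        body = line[:-1] if line.endswith(".") else line
        if not body:
            cur = None
        elif not cur.start_line:
            cur.start_line = body
        elif ":" in body:
            name, value = body.split(":", 1)
            cur.headers[COMPACT.get(name.strip(), name.strip())] = value.strip()
    return packets

def auth_challenges_by_client(packets: list) -> Counter:
    """Count 401/407 challenges per client host; a spike from one host is the usual sign of a guessing run."""
    c = Counter()
    for p in packets:
        if not p.is_request() and p.method() in ("401", "407"):
            c[p.dst.rsplit(":", 1)[0]] += 1
    return c

def successful_registrations(packets: list) -> list:
    """Pair each REGISTER with its 200 OK on (Call-ID, CSeq); return (user, client host:port, Contact)."""
    pending, done = {}, []
    for p in packets:
        key = (p.headers.get("Call-ID", ""), p.headers.get("CSeq", ""))
        if p.is_request() and p.method() == "REGISTER":
            pending[key] = p
        elif not p.is_request() and p.method() == "200" and key in pending:
            req = pending.pop(key)
            m = re.search(r"sip:([^@>]+)@", req.headers.get("From", ""))
            done.append((m.group(1) if m else "?", req.src, p.headers.get("Contact", "")))
    return done

# Constructed sample in the shape of the capture above (RFC 5737 addresses, placeholder values); not a real trace.
SAMPLE = """\
U 2025/04/06 00:44:56.929467 203.0.113.10:33689 -> 192.0.2.71:5060 #7648
REGISTER sip:sip.example.test SIP/2.0.
f: Alice <sip:6000@sip.example.test>;tag=caa95e5e.
i: 149a4a56-4d447c9e@172.16.0.10.
CSeq: 44812 REGISTER.
Authorization: Digest username="6000",realm="sip.example.test",nonce="NONCE-PLACEHOLDER",response="RESPONSE-PLACEHOLDER".
.
U 2025/04/06 00:44:56.932533 192.0.2.71:5060 -> 203.0.113.10:33689 #7649
SIP/2.0 200 OK.
i: 149a4a56-4d447c9e@172.16.0.10.
CSeq: 44812 REGISTER.
Contact: <sip:6000@172.16.0.10:5060>;expires=3600.
.
U 2025/04/06 00:45:11.841559 192.0.2.71:5060 -> 203.0.113.10:33689 #7659
SIP/2.0 407 Proxy Authentication Required.
Proxy-Authenticate: Digest realm="sip.example.test", nonce="NONCE-PLACEHOLDER", algorithm=MD5.
.
"""

if __name__ == "__main__":
    pkts = parse_ngrep(SAMPLE)
    print("registered:", successful_registrations(pkts))
    print("challenges:", dict(auth_challenges_by_client(pkts)))
```

To use it on live traffic, replace `SAMPLE` with the text of `ngrep -d any -qt -W byline . port 5060` (run with the privileges the page's examples assume); the parser keys on the `U`/`T` header line and the trailing `.` that byline mode prints for each CR, so it also works on output that has been narrowed with `grep -A/-B`, whose `--` separators it skips. Pairing on (Call-ID, CSeq) rather than on the peer address is what makes the registration summary robust when the client sits behind NAT, as in the capture above, where the Via address (172.16.0.10) differs from the source that Kamailio reports in `received=`.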