The Linux packet capture tool ngrep explained




2. Solving it with ngrep

# In libpcap filters "and" and "or" have equal precedence and associate left to right,
# so the port list must be parenthesised or every packet on 8089/11211/3478 from any host is captured.
$ ngrep -q -d eth0 -W byline host 10.135.x.x and \(117.136.x.x or 202.104.x.x\) and \(port 80 or port 8089 or port 11211 or port 3478\)


# The client sends a request to the server over HTTP
T 202.104.x.x:57171 -> 10.135.x.x:80 [AP]
POST /join/123 HTTP/1.1.
origin: https://appr.tc.
Content-Type: text/plain; charset=utf-8.
Content-Length: 0.
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1; M3s Build/LMY47I).
Host: 123.207.x.x
Connection: Keep-Alive.
Accept-Encoding: gzip.
T 10.135.x.x:80 -> 202.104.x.x:57171 [AP]
HTTP/1.1 200 OK.
Server: nginx/1.11.4.
Date: Thu, 22 Sep 2016 13:02:47 GMT.
Content-Type: text/html; charset=utf-8.
Content-Length: 955.
Connection: keep-alive.
Cache-Control: no-cache.
{"params": {"is_initiator": "true", "room_link": "", "ice_server_transports": ""
T 202.104.x.x:40872 -> 10.135.x.x:8089 [AP]
GET /ws HTTP/1.1.
Host: 123.207.x.x.
Upgrade: WebSocket.
Connection: Upgrade.
Sec-WebSocket-Key: iTSZU6BzEryaMzTJa/TYhg==.
Origin: https://www.google.com.
Sec-WebSocket-Version: 13.
T 10.135.x.x:8089 -> 202.104.x.x:40872 [AP]
HTTP/1.1 101 Switching Protocols.
Upgrade: websocket.
Connection: Upgrade.
Sec-WebSocket-Accept: y9YTmUd9ujuhcHz1dCIjl3gyevY=.
T 202.104.x.x:40872 -> 10.135.x.x:8089 [AP]
# WebSocket frames are not transmitted in plaintext, so only binary data is visible from here on

Because WebSocket data is not plaintext it is far less readable than HTTP; an online WebSocket test page is recommended, where every step of the exchange can be seen clearly.
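The capture above is easier to read once it is reduced to one line per packet. The following parser is an added example, not code from the post or from ngrep: it consumes text in the `-q -W byline` layout shown above (a `T src -> dst [flags]` header followed by payload lines, with the CR byte rendered as a trailing `.`), recognises HTTP request lines, response status lines and the `Upgrade: websocket` handshake, and reports anything else as a non-HTTP payload. The embedded sample is constructed to mirror the post's exchange; its addresses and ports are placeholders.

```python
import re
from dataclasses import dataclass, field

# ngrep packet header line, e.g. "T 10.0.0.1:57171 -> 10.0.0.2:80 [AP]"
HEADER_RE = re.compile(r'^([TUI]) (\S+) -> (\S+) \[([A-Z]*)\]$')
REQUEST_RE = re.compile(r'^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/\d\.\d$')
RESPONSE_RE = re.compile(r'^HTTP/\d\.\d (\d{3})')


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    flags: str
    lines: list = field(default_factory=list)


def parse_ngrep(text):
    """Group ngrep -W byline output into Packet objects.

    -W byline prints each payload line on its own line and renders the
    non-printable CR before the line break as a trailing '.', which we strip.
    """
    packets = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            packets.append(Packet(*m.groups()))
        elif packets and raw:
            packets[-1].lines.append(raw[:-1] if raw.endswith('.') else raw)
    return packets


def summarize(pkt):
    """One line per packet: endpoints plus the HTTP event it carries."""
    first = pkt.lines[0] if pkt.lines else ''
    if (m := REQUEST_RE.match(first)):
        kind = f'request {m.group(1)} {m.group(2)}'
    elif (m := RESPONSE_RE.match(first)):
        kind = f'response {m.group(1)}'
    else:
        # Masked WebSocket frames and other binary data show up here.
        kind = f'non-HTTP payload ({len(pkt.lines)} line(s))'
    # The Upgrade header marks the HTTP -> WebSocket switch on this connection.
    if any(line.lower().startswith('upgrade: websocket') for line in pkt.lines):
        kind += ' [websocket upgrade]'
    return f'{pkt.src} -> {pkt.dst}: {kind}'


def summarize_capture(text):
    return [summarize(p) for p in parse_ngrep(text)]


# Constructed sample in the -q -W byline layout (placeholder addresses).
SAMPLE_CAPTURE = """\
T 203.0.113.7:57171 -> 198.51.100.5:80 [AP]
POST /join/123 HTTP/1.1.
Content-Type: text/plain; charset=utf-8.
Content-Length: 0.
Host: 198.51.100.5.
Connection: Keep-Alive.
T 198.51.100.5:80 -> 203.0.113.7:57171 [AP]
HTTP/1.1 200 OK.
Server: nginx.
Content-Type: text/html; charset=utf-8.
Content-Length: 955.
T 203.0.113.7:40872 -> 198.51.100.5:8089 [AP]
GET /ws HTTP/1.1.
Host: 198.51.100.5.
Upgrade: WebSocket.
Connection: Upgrade.
Sec-WebSocket-Version: 13.
T 198.51.100.5:8089 -> 203.0.113.7:40872 [AP]
HTTP/1.1 101 Switching Protocols.
Upgrade: websocket.
Connection: Upgrade.
T 203.0.113.7:40872 -> 198.51.100.5:8089 [AP]
..@.z.k.7...
"""

if __name__ == '__main__':
    for line in summarize_capture(SAMPLE_CAPTURE):
        print(line)
```

In practice the input comes from a pipe, `ngrep -q -W byline ... | python3 summarize.py`, with the script reading `sys.stdin` instead of the constructed sample; the parser only depends on the header and trailing-dot conventions of `-W byline`.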

4. ngrep in detail

ngrep is built on the libpcap library, which is why it supports a large number of operating systems and network protocols. It recognizes TCP, UDP and ICMP packets and understands BPF filters.

Below is a partial translation of man ngrep.

   ngrep - network grep

   ngrep  <-hNXViwqpevxlDtTRM>  <-IO  pcap_dump > < -n num > < -d dev > < -A num > < -s snaplen > < -S limitlen > < -W normal|byline|single|none > < -c cols > < -P char > < -F file > < match expression > < bpf filter >

   -h     Display help/usage information. (no explanation needed)

   -N     Show sub-protocol number along with single-character identifier (useful when observing raw or unknown protocols).

   -X     Treat the match expression as a hexadecimal string.  See the explanation of match expression below.

   -i     Ignore case for the regex expression.

   -w     Match the regex expression as a word.

   # Outputs only the protocol header and body.
   -q     Be quiet; don’t output any information other than packet headers and their payloads (if relevant).

   -e     Show empty packets.  Normally empty packets are discarded because they have no payload to search.  If specified, empty packets will be shown,
          regardless of the specified regex expression.

   -v     Invert the match; only display packets that don’t match.

   -x     Dump packet contents as hexadecimal as well as ASCII.

   -d dev By default ngrep will select a default interface to listen on.  Use this option to force ngrep to listen on interface dev.

   -W normal|byline|single|none
          Set the dump format.

 The match expression seems to be where things like source host, destination host and port are specified.
 match expression
          A  match  expression is either an extended regular expression, or if the -X option is specified, a string signifying a hexadecimal value.  An extended regular expression follows the rules as implemented by the GNU regex library.  Hexadecimal expressions can optionally be preceded by ‘0x’.  E.g., ‘DEADBEEF’, ‘0xDEADBEEF’.

 bpf filter
   Allowable primitives are
   dst host host
          True if the IP destination field of the packet is host, which may be either an address or a name.

   src host host
          True if the IP source field of the packet is host.

   host host
          True if either the IP source or destination of the packet is host.  Any of the above host expressions can be prepended with the keywords, ip,arp, or rarp as in:ip host host which is equivalent to:

....there are also port and net, which work the same way as host.
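To make the man page options above concrete, here is an added example that models how ngrep decides whether a payload matches; it is not ngrep's own source. It reproduces the match-expression rules quoted above: an extended regular expression by default, a hexadecimal byte string with -X (with an optional 0x prefix), case-insensitive with -i, whole-word with -w, inverted with -v, empty packets dropped unless -e is given, and the -W byline rendering in which non-printable bytes become '.'. The payloads are constructed samples.

```python
import re


def build_matcher(expression, hex_mode=False, ignore_case=False,
                  word=False, invert=False):
    """Return a predicate over raw payload bytes mirroring -X, -i, -w and -v."""
    if hex_mode:
        # -X: the expression is a hex string, optionally prefixed with 0x
        digits = expression[2:] if expression.lower().startswith('0x') else expression
        if len(digits) % 2 or not re.fullmatch(r'[0-9a-fA-F]+', digits):
            raise ValueError(f'not a hexadecimal string: {expression!r}')
        pattern = re.escape(bytes.fromhex(digits))   # literal byte sequence
    else:
        pattern = expression.encode('latin-1')        # regex applied to raw bytes
    if word:
        pattern = rb'\b' + pattern + rb'\b'           # -w: match as a whole word
    compiled = re.compile(pattern, re.IGNORECASE if ignore_case else 0)

    def matches(payload):
        hit = compiled.search(payload) is not None
        return hit != invert                          # -v flips the result
    return matches


def grep_payloads(payloads, matcher, show_empty=False):
    """Select payloads the way ngrep does: empty ones are discarded because
    there is nothing to search, unless -e (show_empty) is set, in which case
    they are shown regardless of the expression."""
    selected = []
    for payload in payloads:
        if not payload:
            if show_empty:
                selected.append(payload)
            continue
        if matcher(payload):
            selected.append(payload)
    return selected


def render_byline(payload):
    """Approximate -W byline: printable ASCII as-is, LF as a line break,
    everything else (including the CR of CRLF) as '.'."""
    out = []
    for b in payload:
        if b == 0x0A:
            out.append('\n')
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append('.')
    return ''.join(out)


# Constructed sample payloads: an HTTP request, a response, an empty
# ACK-only segment, a binary frame and a short form body.
PAYLOADS = [
    b'GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n',
    b'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n',
    b'',
    b'\xde\xad\xbe\xef\x00\x01',
    b'password=hunter2',
]

if __name__ == '__main__':
    for payload in grep_payloads(PAYLOADS, build_matcher('http', ignore_case=True)):
        print(render_byline(payload))
```

The hex path is the one to use for protocols with no printable signature: `build_matcher('0xDEADBEEF', hex_mode=True)` finds the binary frame that a textual regex would never see, which is the same reason one reaches for `ngrep -X` on WebSocket or other framed traffic.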



TODO: a comparison of tcpdump and ngrep.
