2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to use the ngrep command in Linux. The editor considers it very practical and shares it here as a reference; follow along to have a look.
ngrep, a common Linux command, is the network version of grep: it brings as many of grep's features as possible to searching for specified data packets.
ngrep is a convenient packet matching and display tool.
Additional note: because ngrep is built on the libpcap library, it supports a large number of operating systems and network protocols. It can identify TCP, UDP and ICMP packets and understands the BPF filtering mechanism.
Installing ngrep. ngrep download address: http://ngrep.sourceforge.net/; libpcap download address: http://www.tcpdump.org/. First install libpcap completely with yum install libpcap. Note that an incomplete libpcap installation will sometimes affect the use of ngrep.
If yum cannot be installed, install libpcap with the following steps:
wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz
tar -zxf libpcap-1.3.0.tar.gz
cd libpcap-1.3.0
./configure
make && make install
The installation of ngrep is the same configure/make/make install trilogy.
Note: if configure reports "please wipe out all unused pcap installations", add the following option:
./configure --with-pcap-includes=/usr/local/include/pcap
After installation, type ngrep to verify that the installation succeeded.
Syntax: ngrep [options]
-e  show empty packets
-i  ignore case
-v  invert match
-R  don't do privilege revocation logic
-x  display in hexadecimal format
-X  match in hexadecimal format
-w  whole-word match
-p  do not use promiscuous mode
-l  make stdout line buffered
-D  replay pcap dumps with their recorded time intervals
-t  display a timestamp before each matched packet
-T  show the time interval since the last matched packet
-M  match only on a single line
-I  read packets from a file for matching
-O  save matched packets to a file
-n  capture only the specified number of packets
-A  dump the specified number of packets after a match
-W  set the display format; -W byline parses the newline characters in the packet
-s  set the bpf caplen
-S  set the limitlen on matched packets
-c  force the width of the column
-P  set the character used to display non-printable bytes
-F  read the bpf (Berkeley Packet Filter) from the specified file
-N  show the sub-protocol number (as defined by IANA)
-d  specify which network card to use; the -L option lists them
-L  list the network card interfaces
Examples. Capture the request and response on the cloudian:18080 port. -W byline parses the newline characters in the packet; without it all the data in the packet runs together and is hard to read. -d lo monitors the local (loopback) network card:
ngrep -W byline -d lo port 18080
Capture the request and response on the amazon:80 port. -d eth0 monitors the external network card:
ngrep -W byline -d eth0 port 80
Use -d any to capture on all network cards:
ngrep '[a-zA-Z]' -t -W byline -d any tcp port 18080
Capture the string .flv, for example to find the download address of the .flv file behind a web Flash video:
ngrep -d 3 -N -q \.flv
interface: \Device\TNT_40_1_{670F6B50-0A13-4BAB-9D9E-994A833F5BA9} (10.132.0.0/255.255.192.0)
match: \.flv
Then open a video page:
T(6) 10.132.34.23:24860 -> 61.142.208.154:80 [AP]
GET /f59.c31.56.com/flvdownload/12/19/ggyg7741@56.com_56flv_zhajm_11955697397.flv HTTP/1.1..Accept: */*..Referer: http://www.56.com/flashApp/v_player_site.swf..x-flash-version: 9..deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)..Host: f59.r.56.com..Connection: Keep-Alive..Cookie: whistoryview=23423759-23635627-23423344-23171935-23058374-23081156-23207350-22395727; geoip=.; wl_all_s=y....
OK, the address has been found. It is http://f59.c31.56.com/flvdownload/12/19/ggyg7741@56.com_56flv_zhajm_11955697397.flv.
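Reading the download address out of that dump by eye is fine for one packet, but when triaging a larger capture it helps to parse ngrep's output programmatically. The following parser is an added example written for this article, not code from ngrep or from the original author. It handles both output formats shown here: the normal format, where each packet's header line is followed by the payload with CR and LF rendered as ".." and long payloads wrapped across lines, and the -W byline format, where ngrep breaks at every LF and the CR is left as a trailing ".". The header line format (optional "(6)" sub-protocol number from -N, optional timestamp from -t, "src:port -> dst:port [flags]") follows the dumps above; the sample dumps, hosts and paths in the code are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in ngrep's normal dump format (CR LF shown as "..").
SAMPLE_NORMAL = """\
T(6) 10.0.2.15:24860 -> 192.0.2.10:80 [AP]
GET /video/clip1.flv HTTP/1.1..Accept: */*..Host: media.example.com..Connection: Keep-Alive....
T(6) 192.0.2.10:80 -> 10.0.2.15:24860 [AP]
HTTP/1.1 200 OK..Content-Type: video/x-flv..Content-Length: 12345....
"""

# Constructed sample in -t -W byline format (one header per line, CR as trailing ".").
SAMPLE_BYLINE = """\
T 2024-01-15 10:00:00.123456 10.0.2.15:26365 -> 192.0.2.20:80 [AP]
GET /aa.flv HTTP/1.1.
Accept: */*.
Host: www.example.net.
Connection: Keep-Alive.
.
"""

# Header line: proto, optional "(subproto)" from -N, optional timestamp from -t,
# then "src:port -> dst:port" and optional TCP flags in brackets.
HEADER_RE = re.compile(
    r"^(?P<proto>[TUI])(?:\((?P<subproto>\d+)\))?"
    r"(?:\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+))?"
    r"\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\s+\[(?P<flags>[A-Z]+)\])?\s*$"
)

REQUEST_RE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS)\s+(\S+)\s+HTTP/\d\.\d$")


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    timestamp: Optional[str]
    payload_lines: List[str] = field(default_factory=list)


def parse_ngrep(text: str) -> List[Packet]:
    """Split ngrep output into packets: a header line starts a packet, the
    lines that follow are its printable payload. '#' lines (non-matching
    packets) and blank separators are skipped."""
    packets: List[Packet] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            packets.append(Packet(m["proto"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]),
                                  m["flags"] or "", m["ts"]))
        elif line.startswith("#") or not line.strip():
            continue
        elif packets:
            packets[-1].payload_lines.append(line)
    return packets


def http_lines(pkt: Packet, fmt: str) -> List[str]:
    """Turn the printable payload into HTTP header lines.
    byline: ngrep already split at LF, so only strip the CR rendered as '.'.
    normal: lines are just display wrapping, so rejoin and split on '..' (CR LF)."""
    if fmt == "byline":
        return [l[:-1] if l.endswith(".") else l for l in pkt.payload_lines]
    raw = "".join(pkt.payload_lines)
    return [part for part in raw.split("..") if part]


def extract_urls(text: str, fmt: str = "normal") -> List[Dict[str, str]]:
    """Reconstruct the requested URL (Host header + request path) for every
    HTTP request packet in an ngrep dump, as the article does by hand."""
    found: List[Dict[str, str]] = []
    for pkt in parse_ngrep(text):
        lines = http_lines(pkt, fmt)
        if not lines:
            continue
        req = REQUEST_RE.match(lines[0])
        if not req:            # responses and non-HTTP payloads are ignored
            continue
        headers: Dict[str, str] = {}
        for l in lines[1:]:
            k, sep, v = l.partition(":")
            if sep:
                headers[k.strip().lower()] = v.strip()
        host = headers.get("host", pkt.dst)   # fall back to the destination IP
        found.append({"client": f"{pkt.src}:{pkt.sport}",
                      "method": req.group(1),
                      "url": f"http://{host}{req.group(2)}"})
    return found


if __name__ == "__main__":
    for hit in extract_urls(SAMPLE_NORMAL) + extract_urls(SAMPLE_BYLINE, "byline"):
        print(hit["client"], hit["method"], hit["url"])
```

Feed it a saved dump (ngrep ... > capture.txt, then extract_urls(open("capture.txt").read(), "byline")) and it lists every plaintext request with its client address. The same ease of recovery is the defender's takeaway from the dumps above: anything an operator can pull out with ngrep on a shared segment, including the session cookies visible in the captured headers, is equally visible to anyone else on that segment, which is the case for moving such traffic to TLS and for limiting who may run packet captures on production interfaces.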
With the -W byline parameter added, the newline characters in the packet are parsed:
T(6) 2007-11-25 15:56:12.192619 10.132.34.23:26365 -> 59.151.21.101:80 [AP]
GET /aa.flv HTTP/1.1.
Accept: */*.
Accept-Language: zh-cn.
UA-CPU: x86.
Accept-Encoding: gzip, deflate.
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30).
Host: www.google.cn.
Connection: Keep-Alive.
Cookie: PREF=id=a0b2932c336477e9:TB=4:NW=1:TM=1187877372:LM=1187956074:S=Y1FzndprT3vFo7ac; SID=DQAAAHcAAABJCEXeOVLHu2rIfb5BfKP3GG9PbhJDEkXsLTV8y0f_lvSd2Y46Q0FPt83CnEs9rxA1xBDM9mLR8-ckWeScyOQA8PyYnX5u5OjFvjfRbDg_FDZfwxhRzqS9KPZv26pjnsUxs0FDM1xpJ5AgDn38pXtlCdkksJ0MurcbiIWoA61oHWmg; NID=7=AvJxn5B6YOLLxoYz4LLzhIbNsQUQiulRS6UJGxdBniQBmXm99y7L-NBNORN82N3unmZSGHFPfePVHnLK2MjYjglyXZhU9x7ETXNBnY3NurNijHDhJ7Kyi7E53UBOcv4V.
Thank you for reading! This is the end of the article on "how to use the ngrep command in Linux". I hope the above content is of some help to you and lets you learn more. If you think the article is good, share it so more people can see it!