2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article introduces the usage of the string search command ngrep on Linux: how to install it, what each of its options does, and a worked capture example. ngrep is a grep-like tool that matches regular expressions against the payload of packets read from a network interface or a pcap file, which makes it a quick way to check what is crossing the wire in cleartext.
Install ngrep
Download address
The code is as follows:
git clone git://git.code.sf.net/p/ngrep/code ngrep-code
Enter the directory and build
The code is as follows:
cd ngrep-code
./configure --with-pcap-includes=/usr/local/include/pcap
make
make install
Options
-h: help/usage
-V: version information
-q: be quiet (don't print packet reception hash marks). Silent mode; without this switch, each unmatched packet is displayed as "#"
-e: show empty packets
-i: ignore case
-v: invert match (print the packets that do not match)
-R: don't do privilege revocation logic
-x: print in alternate hexdump format (displays the payload in hexadecimal)
-X: interpret match expression as hexadecimal
-w: word-regex (expression must match as a word), i.e. whole-word matching
-p: don't go into promiscuous mode
-l: make stdout line buffered
-D: replay pcap_dumps with their recorded time intervals
-t: print timestamp every time a packet is matched (a timestamp before each matching packet)
-T: print delta timestamp every time a packet is matched (the time elapsed since the previous matching packet)
-M: don't do multi-line match (do single-line match instead)
-I pcap_dump: read packet stream from pcap format file; reads the data to match from the file instead of an interface
-O pcap_dump: dump matched packets in pcap format to pcap_dump; saves the matching data to a file
-n num: look at only num packets (capture only the specified number of packets)
-A num: dump num packets after a match (also dumps the specified number of packets following a match)
-s snaplen: set the bpf caplen
-S limitlen: set the limitlen on matched packets
-W normal|byline|single|none: set the dump format; byline parses the newline characters in the packet
-c cols: force the column width to the specified size
-P char: set the non-printable display char to what is specified
-F file: read the bpf filter from the specified file (bpf is the Berkeley Packet Filter)
-N: show sub protocol number (the sub-protocol number defined by IANA)
-d dev: use specified device (index) instead of the pcap default
Application examples:
Capture all POST requests (with the -W byline parameter, newline characters in the packet are parsed, so the payload is printed line by line):
The code is as follows:
ranger@ranger:~$ sudo ngrep -q -W byline "(POST).*"
Interface: eth0 (192.168.122.0/255.255.254.0)
Match: (POST).*
T 192.168.122.74:46048 -> 140.207.228.58:80 [A]
POST /Hotel/OTA_HotelSearch.asmx?wsdl HTTP/1.1.
Content-Type: text/xml; charset=UTF-8.
SOAPAction: http://ctrip.com/Request.
Accept-Encoding: gzip, deflate.
Content-Length: 1330.
Accept: */*.
Accept-Language: zh-cn.
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0).
UA-CPU: x86.
Accept-Encoding: gzip, deflate.
Connection: close.
Host: openapi.ctrip.com.
.
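As an added example (not code from the original article): a small Python parser for the -W byline output format shown above, which groups the printed lines back into packets and flags POST bodies that carry a password-style form field, the kind of cleartext credential leak a capture like this is usually run to find. The sample input is constructed from the capture above plus an invented intranet login; the " #N" packet counter accepted by the header regex is assumed from newer ngrep versions, and output produced with -t timestamps is not handled.

```python
import re
# Constructed sample of `ngrep -q -W byline` output: the first packet is adapted
# from the capture shown above, the second is a made-up intranet login.
SAMPLE = """\
T 192.168.122.74:46048 -> 140.207.228.58:80 [A]
POST /Hotel/OTA_HotelSearch.asmx?wsdl HTTP/1.1.
Host: openapi.ctrip.com.
.
<soap:Envelope/>

T 10.0.0.5:51000 -> 10.0.0.9:8080 [AP] #7
POST /login HTTP/1.1.
Host: intranet.example.
.
user=alice&password=hunter2
"""

# Packet header as ngrep prints it; newer versions append a " #N" counter (assumed).
HEADER = re.compile(r"^[TU] (\S+):(\d+) -> (\S+):(\d+)(?: \[(\w*)\])?(?: #\d+)?$")
CRED_KEYS = re.compile(r"(?:^|&)(?:pass(?:word|wd)?|pwd|token|secret)=", re.I)

def parse_ngrep_byline(text):
    """Group byline output into packets; the trailing '.' on each line is ngrep's
    rendering of the CR, so the lone '.' ending the HTTP headers becomes ''."""
    packets = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            packets.append({"src": m[1], "sport": int(m[2]), "dst": m[3],
                            "dport": int(m[4]), "flags": m[5] or "", "lines": []})
        elif packets and line != "#":  # '#' marks an unmatched packet without -q
            packets[-1]["lines"].append(line[:-1] if line.endswith(".") else line)
    return packets

def request_summary(pkt):
    """Return (method, path, host) if the payload starts with an HTTP request line."""
    parts = pkt["lines"][0].split() if pkt["lines"] else []
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = next((l.split(":", 1)[1].strip() for l in pkt["lines"] if l.lower().startswith("host:")), "")
    return parts[0], parts[1], host

def cleartext_credential_posts(text):
    """Flag POST bodies with a credential-looking form field (a secret sent unencrypted)."""
    hits = []
    for pkt in parse_ngrep_byline(text):
        s, lines = request_summary(pkt), pkt["lines"]
        body = lines[lines.index("") + 1:] if "" in lines else []
        if s and s[0] == "POST" and any(CRED_KEYS.search(b) for b in body):
            hits.append((pkt["src"], f'{pkt["dst"]}:{pkt["dport"]}', s[2], s[1]))
    return hits
```

Feed it the saved output of a capture (for example `ngrep -q -W byline "(POST).*" > capture.txt`) and call cleartext_credential_posts on the file contents; each hit is a host that should be moved to TLS.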