ngrep 是grep(在文本中搜索字符串的工具)的网络版,他力求更多的grep特征,用于搜寻指定的数据包。正由于安装ngrep需用到libpcap库, 所以支持大量的操作系统和网络协议。能识别TCP、UDP和ICMP包,理解bpf的过滤机制。

语法

 
1
2
3
ngrep <-LhNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
                        <-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
                        <-P char> <-F file> <match expression> <bpf filter>

选项

 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
-h     is help/usage
-V    is version information
-q    is be quiet (don't print packet reception hash marks)静默模式,如果没有此开关,未匹配的数据包都以“#”显示
-e    is show empty packets 显示空数据包
-i     is ignore case 忽略大小写
-v    is invert match 反转匹配
-R   is don't do privilege revocation logic
-x    is print in alternate hexdump format 以16进制格式显示
-X   is interpret match expression as hexadecimal 以16进制格式匹配
-w   is word-regex (expression must match as a word) 整字匹配
-p   is don't go into promiscuous mode 不使用混杂模式
-l     is make stdout line buffered
-D   is replay pcap_dumps with their recorded time intervals
-t     is print timestamp every time a packet is matched在每个匹配的包之前显示时间戳
-T    is print delta timestamp every time a packet is matched显示上一个匹配的数据包之间的时间间隔
-M   is don't do multi-line match (do single-line match instead)仅进行单行匹配
-I     is read packet stream from pcap format file pcap_dump 从文件中读取数据进行匹配
-O   is dump matched packets in pcap format to pcap_dump 将匹配的数据保存到文件
-n    is look at only num packets 仅捕获指定数目的数据包进行查看
-A   is dump num packets after a match匹配到数据包后Dump随后的指定数目的数据包
-s    is set the bpf caplen
-S   is set the limitlen on matched packets
-W  is set the dump format (normal, byline, single, none) 设置显示格式byline将解析包中的换行符
-c    is force the column width to the specified size 强制显示列的宽度
-P   is set the non-printable display char to what is specified
-F   is read the bpf filter from the specified file 使用文件中定义的bpf(Berkeley Packet Filter)
-N   is show sub protocol number 显示由IANA定义的子协议号
-d   is use specified device (index) instead of the pcap default

Allowable primitives are:
dst host host
True if the IP destination field of the packet is host, which may be either an address or a name.

src host host
True if the IP source field of the packet is host.

host host
True if either the IP source or destination of the packet is host. Any of the above host expressions can be prepended with the
keywords, ip, arp, or rarp as in:
ip host host
which is equivalent to:

ether dst ehost
True if the ethernet destination address is ehost. Ehost may be either a name from /etc/ethers or a number (see ethers(3N) for
numeric format).

ether src ehost
True if the ethernet source address is ehost.

ether host ehost
True if either the ethernet source or destination address is ehost.

gateway host
True if the packet used host as a gateway. I.e., the ethernet source or destination address was host but neither the IP source
nor the IP destination was host. Host must be a name and must be found in both /etc/hosts and /etc/ethers. (An equivalent
expression is
ether host ehost and not host host
which can be used with either names or numbers for host / ehost.)

dst net net
True if the IP destination address of the packet has a network number of net. Net may be either a name from /etc/networks or a
network number (see networks(4) for details).

src net net
True if the IP source address of the packet has a network number of net.

net net
True if either the IP source or destination address of the packet has a network number of net.

net net mask mask
True if the IP address matches net with the specific netmask. May be qualified with src or dst.

net net/len
True if the IP address matches net a netmask len bits wide. May be qualified with src or dst.

dst port port
True if the packet is ip/tcp or ip/udp and has a destination port value of port. The port can be a number or a name used in
/etc/services (see tcp(4P) and udp(4P)). If a name is used, both the port number and protocol are checked. If a number or
ambiguous name is used, only the port number is checked (e.g., dst port 513 will print both tcp/login traffic and udp/who traf-
fic, and port domain will print both tcp/domain and udp/domain traffic).
src port port
True if the packet has a source port value of port.

port port
True if either the source or destination port of the packet is port. Any of the above port expressions can be prepended with
the keywords, tcp or udp, as in:
tcp src port port
which matches only tcp packets whose source port is port.

less length
True if the packet has a length less than or equal to length. This is equivalent to:
len <= length.

greater length
True if the packet has a length greater than or equal to length. This is equivalent to:
len >= length.

ip proto protocol
True if the packet is an ip packet (see ip(4P)) of protocol type protocol. Protocol can be a number or one of the names tcp,
udp or icmp. Note that the identifiers tcp and udp are also keywords and must be escaped via backslash (\), which is \\ in the
C-shell.

ip broadcast
True if the packet is an IP broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions, and looks
up the local subnet mask.

ip multicast
True if the packet is an IP multicast packet.

ip Abbreviation for:
ether proto ip

tcp, udp, icmp
Abbreviations for:
ip proto p
where p is one of the above protocols.

实例

抓本机eth0 与192.168.1.9的通信信息,并且以行来打印出来

 
1
#ngrep -d eth0 -W byline host 192.168.1.9

抓本机与192.168.1.8的通信端口为80(本机)的信息

 
1
# ngrep -W byline host 192.168.1.8 and port 80

抓本机与192.168.1.8和192.168.1.9的通信,并且本地端口为80

 
1
#ngrep -W byline host 192.168.1.8 or host 192.168.1.9 port 80

抓udp包

 
1
#ngrep host 192.168.1.8 udp

统计请求头长度

 
1
# ngrep -W byline 'GET /' 'tcp and dst port 80' -d eth1 | awk -v RS="#+" -v FS="\n" '{ print length() }'

查询一下大于 1K 的请求头

 
1
# ngrep -W byline 'GET /' 'tcp and dst port 80' -d eth1 |  awk -v RS="#+" -v FS="\n" 'length() > 1000'

ngrep命令用法的更多相关文章

  1. systemctl命令用法详解

    systemctl命令用法详解系统环境:Fedora 16binpath:/bin/systemctlpackage:systemd-units systemctl enable httpd.serv ...

  2. cpio命令用法

    [转自]流浪妖精のSKY    http://www.cnitblog.com/flutist1225/articles/18974.html cpio命令用法 cpio命令     利用cpio 可 ...

  3. shutdown命令用法

    首先我们先创建一个txt文件,添加shutdown -r -f -t 0 ,文件点击另存为,选择所有类型,保存格式为“重启.bat”文件. 说明:shutdown命令用法: /r         关闭 ...

  4. linux中comm命令用法

    linux系统中comm命令用法详解 linux系统下的comm命令是一个非常实用的文件对比命令. comm命令功能:   选择或拒绝两个已排序的文件的公共的行. comm命令语法:comm [-12 ...

  5. Ubuntu kill命令用法详解

    转自:Ubuntu kill命令用法详解 1. kill   作用:根据进程号杀死进程   用法: kill [信号代码] 进程ID   root@fcola:/# ps -ef | grep sen ...

  6. install 命令用法详解

    install 命令用法详解 http://man.linuxde.net/install install命令的作用是安装或升级软件或备份数据,它的使用权限是所有用户.install命令和cp命令类似 ...

  7. which、whereis、locate、find 命令用法

    which.whereis.locate.find 命令用法   大部分转自http://312788172.iteye.com/blog/730280,有修改 我们经常在linux要查找某个文件,但 ...

  8. sed命令用法详解

    sed命令用法 sed是一种流编辑器,它是文本处理中非常有用的工具,能够完美的配合正则表达式使用,功能不同凡响.处理时,把当前处理的行存储在临时缓冲区中,称为『模式空间』(pattern space) ...

  9. linux的strace命令用法

    strace命令用法 调用:strace [ -dffhiqrtttTvxx ] [ -acolumn ] [ -eexpr ] …[ -ofile ] [ -ppid ] … [ -sstrsize ...

随机推荐

  1. js便签笔记(6)——jQuery中的ready()事件为何需要那么多代码?

    前言: ready()事件的应用,是大家再熟悉不过的了,学jQuery的第一步,最最常见的代码: jQuery(document).ready(function () { }); jQuery(fun ...

  2. SSM整合(2): spring 与 mybatis 整合

    在进行完spring与springmvc整合之后, 继续 spring与mybatis的整合. 既然是操作数据库, 那必然不能缺少了连接属性 一. db.properties jdbc.driver= ...

  3. Nhibernate + MySQL 类型映射

    用SQLyog工具创建表 然后用自动映射工具NHibernate Mapping Generator对表做自动映射,得到 这个是可视化界面,后面有对应的代码. using System; using ...

  4. 每天一个linux命令(目录)

    转:http://www.cnblogs.com/peida/archive/2012/12/05/2803591.html 开始详细系统的学习linux常用命令,坚持每天一个命令,所以这个系列为每天 ...

  5. Python制作回合制手游外挂简单教程(上)

    引入: 每次玩回合制游戏的时候,反反复复的日常任务让人不胜其烦 玩问道的时候,我们希望能够自动刷道,玩梦幻希望能自动做师门.捉鬼等等 说明: 该外挂只能模拟鼠标键盘操作,并不能修改游戏数据 我这里使用 ...

  6. laravel 数据验证

    laravel 数据验证 在保存数据之前进行数据验证 类需要继承 Controller 然后用  $this->validate( $request , ['title' => 'requ ...

  7. zuul超时及重试配置

    配置实例 ##timeout config hystrix: command: default: execution: timeout: enabled: true isolation: thread ...

  8. MVC应用程序播放FLV视频,部分视图可多地方重复引用

    网页上播放Falsh之外,还有一种格式就是FLV的视频,也是最常见的.Insus.NET再想在MVC应用程序实现这功能. 实现这个功能,需要从网上下载一个叫vcastr22.swf.如果在网上找不到, ...

  9. javascript学习之路之元素获取和设置属性

    收拾心情,学习学习js!总结下自己的学习所得! 现有的有三种方法可以获取元素的节点,分别是通过元素ID,通过标签名和类名来获取的 1.GetElmentById:将返回一个与那个有给定ID属性的值的元 ...

  10. Hibernate里面如何使用DetachedCriteriaCriteria 实现多条件分页查询

    WEB层: // 获取分页的请求参数 String start = request.getParameter("start"); String page = request.get ...