ngrep 是grep(在文本中搜索字符串的工具)的网络版,他力求更多的grep特征,用于搜寻指定的数据包。正由于安装ngrep需用到libpcap库, 所以支持大量的操作系统和网络协议。能识别TCP、UDP和ICMP包,理解bpf的过滤机制。

语法

 
1
2
3
ngrep <-LhNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
                        <-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
                        <-P char> <-F file> <match expression> <bpf filter>

选项

 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
-h     is help/usage
-V    is version information
-q    is be quiet (don't print packet reception hash marks)静默模式,如果没有此开关,未匹配的数据包都以“#”显示
-e    is show empty packets 显示空数据包
-i     is ignore case 忽略大小写
-v    is invert match 反转匹配
-R   is don't do privilege revocation logic
-x    is print in alternate hexdump format 以16进制格式显示
-X   is interpret match expression as hexadecimal 以16进制格式匹配
-w   is word-regex (expression must match as a word) 整字匹配
-p   is don't go into promiscuous mode 不使用混杂模式
-l     is make stdout line buffered
-D   is replay pcap_dumps with their recorded time intervals
-t     is print timestamp every time a packet is matched在每个匹配的包之前显示时间戳
-T    is print delta timestamp every time a packet is matched显示上一个匹配的数据包之间的时间间隔
-M   is don't do multi-line match (do single-line match instead)仅进行单行匹配
-I     is read packet stream from pcap format file pcap_dump 从文件中读取数据进行匹配
-O   is dump matched packets in pcap format to pcap_dump 将匹配的数据保存到文件
-n    is look at only num packets 仅捕获指定数目的数据包进行查看
-A   is dump num packets after a match匹配到数据包后Dump随后的指定数目的数据包
-s    is set the bpf caplen
-S   is set the limitlen on matched packets
-W  is set the dump format (normal, byline, single, none) 设置显示格式byline将解析包中的换行符
-c    is force the column width to the specified size 强制显示列的宽度
-P   is set the non-printable display char to what is specified
-F   is read the bpf filter from the specified file 使用文件中定义的bpf(Berkeley Packet Filter)
-N   is show sub protocol number 显示由IANA定义的子协议号
-d   is use specified device (index) instead of the pcap default

Allowable primitives are:
dst host host
True if the IP destination field of the packet is host, which may be either an address or a name.

src host host
True if the IP source field of the packet is host.

host host
True if either the IP source or destination of the packet is host. Any of the above host expressions can be prepended with the
keywords, ip, arp, or rarp as in:
ip host host
which is equivalent to:

ether dst ehost
True if the ethernet destination address is ehost. Ehost may be either a name from /etc/ethers or a number (see ethers(3N) for
numeric format).

ether src ehost
True if the ethernet source address is ehost.

ether host ehost
True if either the ethernet source or destination address is ehost.

gateway host
True if the packet used host as a gateway. I.e., the ethernet source or destination address was host but neither the IP source
nor the IP destination was host. Host must be a name and must be found in both /etc/hosts and /etc/ethers. (An equivalent
expression is
ether host ehost and not host host
which can be used with either names or numbers for host / ehost.)

dst net net
True if the IP destination address of the packet has a network number of net. Net may be either a name from /etc/networks or a
network number (see networks(4) for details).

src net net
True if the IP source address of the packet has a network number of net.

net net
True if either the IP source or destination address of the packet has a network number of net.

net net mask mask
True if the IP address matches net with the specific netmask. May be qualified with src or dst.

net net/len
True if the IP address matches net a netmask len bits wide. May be qualified with src or dst.

dst port port
True if the packet is ip/tcp or ip/udp and has a destination port value of port. The port can be a number or a name used in
/etc/services (see tcp(4P) and udp(4P)). If a name is used, both the port number and protocol are checked. If a number or
ambiguous name is used, only the port number is checked (e.g., dst port 513 will print both tcp/login traffic and udp/who traf-
fic, and port domain will print both tcp/domain and udp/domain traffic).
src port port
True if the packet has a source port value of port.

port port
True if either the source or destination port of the packet is port. Any of the above port expressions can be prepended with
the keywords, tcp or udp, as in:
tcp src port port
which matches only tcp packets whose source port is port.

less length
True if the packet has a length less than or equal to length. This is equivalent to:
len <= length.

greater length
True if the packet has a length greater than or equal to length. This is equivalent to:
len >= length.

ip proto protocol
True if the packet is an ip packet (see ip(4P)) of protocol type protocol. Protocol can be a number or one of the names tcp,
udp or icmp. Note that the identifiers tcp and udp are also keywords and must be escaped via backslash (\), which is \\ in the
C-shell.

ip broadcast
True if the packet is an IP broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions, and looks
up the local subnet mask.

ip multicast
True if the packet is an IP multicast packet.

ip Abbreviation for:
ether proto ip

tcp, udp, icmp
Abbreviations for:
ip proto p
where p is one of the above protocols.

实例

抓本机eth0 与192.168.1.9的通信信息,并且以行来打印出来

 
1
#ngrep -d eth0 -W byline host 192.168.1.9

抓本机与192.168.1.8的通信端口为80(本机)的信息

 
1
# ngrep -W byline host 192.168.1.8 and port 80

抓本机与192.168.1.8和192.168.1.9的通信,并且本地端口为80

 
1
#ngrep -W byline host 192.168.1.8 or host 192.168.1.9 port 80

抓udp包

 
1
#ngrep host 192.168.1.8 udp

统计请求头长度

 
1
# ngrep -W byline 'GET /' 'tcp and dst port 80' -d eth1 | awk -v RS="#+" -v FS="\n" '{ print length() }'

查询一下大于 1K 的请求头

 
1
# ngrep -W byline 'GET /' 'tcp and dst port 80' -d eth1 |  awk -v RS="#+" -v FS="\n" 'length() > 1000'

ngrep命令用法的更多相关文章

  1. systemctl命令用法详解

    systemctl命令用法详解系统环境:Fedora 16binpath:/bin/systemctlpackage:systemd-units systemctl enable httpd.serv ...

  2. cpio命令用法

    [转自]流浪妖精のSKY    http://www.cnitblog.com/flutist1225/articles/18974.html cpio命令用法 cpio命令     利用cpio 可 ...

  3. shutdown命令用法

    首先我们先创建一个txt文件,添加shutdown -r -f -t 0 ,文件点击另存为,选择所有类型,保存格式为“重启.bat”文件. 说明:shutdown命令用法: /r         关闭 ...

  4. linux中comm命令用法

    linux系统中comm命令用法详解 linux系统下的comm命令是一个非常实用的文件对比命令. comm命令功能:   选择或拒绝两个已排序的文件的公共的行. comm命令语法:comm [-12 ...

  5. Ubuntu kill命令用法详解

    转自:Ubuntu kill命令用法详解 1. kill   作用:根据进程号杀死进程   用法: kill [信号代码] 进程ID   root@fcola:/# ps -ef | grep sen ...

  6. install 命令用法详解

    install 命令用法详解 http://man.linuxde.net/install install命令的作用是安装或升级软件或备份数据,它的使用权限是所有用户.install命令和cp命令类似 ...

  7. which、whereis、locate、find 命令用法

    which.whereis.locate.find 命令用法   大部分转自http://312788172.iteye.com/blog/730280,有修改 我们经常在linux要查找某个文件,但 ...

  8. sed命令用法详解

    sed命令用法 sed是一种流编辑器,它是文本处理中非常有用的工具,能够完美的配合正则表达式使用,功能不同凡响.处理时,把当前处理的行存储在临时缓冲区中,称为『模式空间』(pattern space) ...

  9. linux的strace命令用法

    strace命令用法 调用:strace [ -dffhiqrtttTvxx ] [ -acolumn ] [ -eexpr ] …[ -ofile ] [ -ppid ] … [ -sstrsize ...

随机推荐

  1. js拦截全局ajax请求

    你是否有过下面的需求:需要给所有ajax请求添加统一签名.需要统计某个接口被请求的次数.需要限制http请求的方法必须为get或post.需要分析别人网络协议等等,那么如何做?想想,如果能够拦截所有a ...

  2. Linux 技巧:让进程在后台可靠运行的几种方法(转)

    我们经常会碰到这样的问题,用 telnet/ssh 登录了远程的 Linux 服务器,运行了一些耗时较长的任务, 结果却由于网络的不稳定导致任务中途失败.如何让命令提交后不受本地关闭终端窗口/网络断开 ...

  3. 编写无Java脚本的JSP页面

    在上一章中总结了Web开发中应用MVC架构模式,将Servlet 用做控制器,JSP作为视图,JavaBean作为模型,实现业务流程控制,页面逻辑和业务逻辑的分离.然而,使用前面的技术实现MVC,并不 ...

  4. Javascript权威指南阅读笔记--第3章类型、值和变量(1)

    之前一直有个想法,好好读完JS权威指南,便于自己对于JS有个较为全面的了解.毕竟本人非计算机专业出生,虽然做着相关行业的工作,但总觉得对于基础的掌握并没有相关专业学者扎实,正好因为辞职待业等原因,还是 ...

  5. webpack4 自学笔记二(typescript的配置)

    全部的代码及笔记都可以在我的github上查看, 唤醒star: https://github.com/Jasonwang911/webpackStudyInit/tree/master/typesc ...

  6. git使用总结(包含git commit message 和 changelog 工具的介绍)

    [git的配置] 1.配置用户名和邮箱: 分为全局配置和局部配置 --system 系统配置  --global 全局配置    --local 局部配置 Git读取时:优先从local>glo ...

  7. multimap多重映照容器(常用的方法总结)

    multimap和map的不同之处在于前者允许重复键值的元素出现. /*关于C++STL中mulitmap的学习,与map不同的是,multimap允许插入重复键值的元素*/ #include < ...

  8. 使用Spring JPA中Page、Pageable接口和Sort类完成分页排序

    显示时,有三个参数,前两个必填,第几页,一页多少个size,第三个参数默认可以不填. 但是发现这个方法已经过时了,通过查看它的源码发现,新方法为静态方法PageRequest of(page,size ...

  9. Cannot find module 'socket.io'

    That's all. Then I try to use socket.io with this line: var io = require('socket.io').listen(app); A ...

  10. [日常] Go语言圣经--结构体,JSON习题

    Go语言圣经-结构体 1.结构体是一种聚合的数据类型,是由零个或多个任意类型的值聚合成的实体 2.通常一行对应一个结构体成员,成员的名字在前类型在后,不过如果相邻的成员类型如果相同的话可以被合并到一行 ...