
ngrep command usage

Date: 2017/2/27 15:47:21   Editor: Linux教程

ngrep is the network version of grep (the tool for searching strings in text): it aims to offer as many of grep's features as possible, applied to searching for the packets you specify. Because ngrep is built on the libpcap library, it supports a large number of operating systems and network protocols. It recognises TCP, UDP and ICMP packets and understands bpf filter syntax.

Syntax

ngrep <-LhNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
                        <-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
                        <-P char> <-F file> <match expression> <bpf filter>

Options

-h    is help/usage
-V    is version information
-q    is be quiet (don't print packet reception hash marks). Quiet mode: without this switch, every packet that does not match is shown as "#".
-e    is show empty packets
-i    is ignore case
-v    is invert match
-R    is don't do privilege revocation logic
-x    is print in alternate hexdump format (show the payload as hex)
-X    is interpret match expression as hexadecimal (match against hex)
-w    is word-regex (expression must match as a word)
-p    is don't go into promiscuous mode
-l    is make stdout line buffered
-D    is replay pcap_dumps with their recorded time intervals
-t    is print timestamp every time a packet is matched (shown before each matched packet)
-T    is print delta timestamp every time a packet is matched (the interval since the previous matched packet)
-M    is don't do multi-line match (do single-line match instead)
-I    is read packet stream from pcap format file pcap_dump (match against data read from a file)
-O    is dump matched packets in pcap format to pcap_dump (save the matched data to a file)
-n    is look at only num packets (capture only the given number of packets)
-A    is dump num packets after a match (after a match, also dump the following num packets)
-s    is set the bpf caplen
-S    is set the limitlen on matched packets
-W    is set the dump format (normal, byline, single, none); byline honours the newlines inside the packet
-c    is force the column width to the specified size
-P    is set the non-printable display char to what is specified
-F    is read the bpf filter from the specified file (a bpf, Berkeley Packet Filter, expression defined in a file)
-N    is show sub protocol number (the sub-protocol number as defined by IANA)
-d    is use specified device (index) instead of the pcap default

Allowable primitives are:

dst host host
True if the IP destination field of the packet is host, which may be either an address or a name.

src host host
True if the IP source field of the packet is host.

host host
True if either the IP source or destination of the packet is host. Any of the above host expressions can be prepended with the keywords ip, arp, or rarp as in:
ip host host
which is equivalent to:
ether proto \ip and host host

ether dst ehost
True if the ethernet destination address is ehost. Ehost may be either a name from /etc/ethers or a number (see ethers(3N) for numeric format).

ether src ehost
True if the ethernet source address is ehost.

ether host ehost
True if either the ethernet source or destination address is ehost.

gateway host
True if the packet used host as a gateway. I.e., the ethernet source or destination address was host but neither the IP source nor the IP destination was host. Host must be a name and must be found in both /etc/hosts and /etc/ethers. (An equivalent expression is
ether host ehost and not host host
which can be used with either names or numbers for host / ehost.)

dst net net
True if the IP destination address of the packet has a network number of net. Net may be either a name from /etc/networks or a network number (see networks(4) for details).

src net net
True if the IP source address of the packet has a network number of net.

net net
True if either the IP source or destination address of the packet has a network number of net.

net net mask mask
True if the IP address matches net with the specific netmask. May be qualified with src or dst.

net net/len
True if the IP address matches net with a netmask len bits wide. May be qualified with src or dst.

dst port port
True if the packet is ip/tcp or ip/udp and has a destination port value of port. The port can be a number or a name used in /etc/services (see tcp(4P) and udp(4P)). If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked (e.g., dst port 513 will print both tcp/login traffic and udp/who traffic, and port domain will print both tcp/domain and udp/domain traffic).

src port port
True if the packet has a source port value of port.

port port
True if either the source or destination port of the packet is port. Any of the above port expressions can be prepended with the keywords tcp or udp, as in:
tcp src port port
which matches only tcp packets whose source port is port.

less length
True if the packet has a length less than or equal to length. This is equivalent to:
len <= length.

greater length
True if the packet has a length greater than or equal to length. This is equivalent to:
len >= length.

ip proto protocol
True if the packet is an ip packet (see ip(4P)) of protocol type protocol. Protocol can be a number or one of the names tcp, udp or icmp. Note that the identifiers tcp and udp are also keywords and must be escaped via backslash (\), which is \\ in the C-shell.

ip broadcast
True if the packet is an IP broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions, and looks up the local subnet mask.

ip multicast
True if the packet is an IP multicast packet.

ip
Abbreviation for:
ether proto ip

tcp, udp, icmp
Abbreviations for:
ip proto p
where p is one of the above protocols.

Examples

Capture the traffic between the local eth0 and 192.168.1.9, printing it line by line

# ngrep -d eth0 -W byline host 192.168.1.9

Capture the traffic between the local host and 192.168.1.8 where the port is 80 (on the local host)

# ngrep -W byline host 192.168.1.8 and port 80

Capture the traffic between the local host and 192.168.1.8 and 192.168.1.9, with local port 80. bpf primitives must be joined with an explicit and/or, and the parentheses (quoted so the shell passes them through) make the port condition apply to both hosts:

# ngrep -W byline '(host 192.168.1.8 or host 192.168.1.9) and port 80'

Capture udp packets

# ngrep host 192.168.1.8 and udp

Count the length of each request header

# ngrep -W byline 'GET /' 'tcp and dst port 80' -d eth1 | awk -v RS="#+" -v FS="\n" '{ print length() }'

Find the request headers larger than 1K

# ngrep -W byline 'GET /' 'tcp and dst port 80' -d eth1 |  awk -v RS="#+" -v FS="\n" 'length() > 1000'
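As an added example (not code from the original post), the post-processing that the two awk pipelines above perform, reimplemented in Python over a constructed snippet of `ngrep -W byline` output so the length check runs offline. The addresses, ports and the oversized cookie are made up; the parser counts only the payload, whereas the awk version counts the whole record including the header line.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of `ngrep -W byline 'GET /' 'tcp and dst port 80'` output:
# a run of '#' per packet, then a header line ("T src -> dst [flags]") and the payload
# with CR shown as '.' and LF honoured. The 1100-byte cookie is the oversized case.
SAMPLE = """interface: eth1 (192.168.1.0/255.255.255.0)
match: GET /
###
T 192.168.1.8:52344 -> 192.168.1.9:80 [AP]
GET / HTTP/1.1.
Host: 192.168.1.9.
.

#
T 192.168.1.8:52346 -> 192.168.1.9:80 [AP]
GET /index.html HTTP/1.1.
Host: 192.168.1.9.
Cookie: session=""" + "A" * 1100 + """.
.

##
"""

# One ngrep header line: protocol letter, src, dst, TCP flags in brackets.
HEADER_RE = re.compile(r"^([TUI]) (\S+) -> (\S+) \[(\w*)\]$")
Packet = namedtuple("Packet", "proto src dst payload")

def parse_byline(text):
    """Split ngrep -W byline output into per-packet records, using the same
    delimiter as the page's awk -v RS="#+": runs of '#' separate packets.
    The banner before the first '#' and empty chunks have no header and are skipped."""
    packets = []
    for chunk in re.split(r"#+", text):
        lines = chunk.strip("\n").split("\n")
        m = HEADER_RE.match(lines[0])
        if not m:
            continue
        packets.append(Packet(m.group(1), m.group(2), m.group(3), "\n".join(lines[1:])))
    return packets

def request_lengths(text):
    """Payload length per matched packet (the awk '{ print length() }' step)."""
    return [len(p.payload) for p in parse_byline(text)]

def oversized(text, limit=1000):
    """Packets whose payload exceeds limit (the awk 'length() > 1000' filter)."""
    return [p for p in parse_byline(text) if len(p.payload) > limit]
```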
Original: http://www.ttlsa.com/linux-command/ngrep-command-usage/