详解Linux系统中字符串搜索命令ngrep的用法

OStack程序员社区-中国程序员成长平台 › 门户 › 系统›Linux

原作者: [db:作者] 来自: [db:来源] 收藏邀请

ngrep 是grep的网络版，他力求更多的grep特征，用于搜寻指定的数据包。由于安装ngrep需用到ibpcap库，所以支持大量的操作系统和网络协议，能识别TCP、UDP和ICMP包。

安装ngrep
下载地址

复制代码

代码如下:

git clone git://git.code.sf.net/p/ngrep/code ngrep-code

进入目录

复制代码

代码如下:

cd ngrep-code
./configure --with-pcap-includes=/usr/local/include/pcap
make
make install

选项

-h     is help/usage
-V    is version information
-q    is be quiet (don't print packet reception hash marks)静默模式，如果没有此开关，未匹配的数据包都以“#”显示
-e    is show empty packets 显示空数据包
-i     is ignore case 忽略大小写
-v    is invert match 反转匹配
-R   is don't do privilege revocation logic
-x    is print in alternate hexdump format 以16进制格式显示
-X   is interpret match expression as hexadecimal 以16进制格式匹配
-w   is word-regex (expression must match as a word) 整字匹配
-p   is don't go into promiscuous mode 不使用混杂模式
-l     is make stdout line buffered
-D   is replay pcap_dumps with their recorded time intervals
-t     is print timestamp every time a packet is matched在每个匹配的包之前显示时间戳
-T    is print delta timestamp every time a packet is matched显示上一个匹配的数据包之间的时间间隔
-M   is don't do multi-line match (do single-line match instead)仅进行单行匹配
-I     is read packet stream from pcap format file pcap_dump 从文件中读取数据进行匹配
-O   is dump matched packets in pcap format to pcap_dump 将匹配的数据保存到文件
-n    is look at only num packets 仅捕获指定数目的数据包进行查看
-A   is dump num packets after a match匹配到数据包后Dump随后的指定数目的数据包
-s    is set the bpf caplen
-S   is set the limitlen on matched packets
-W is set the dump format (normal, byline, single, none) 设置显示格式byline将解析包中的换行符
-c    is force the column width to the specified size 强制显示列的宽度
-P   is set the non-printable display char to what is specified
-F   is read the bpf filter from the specified file 使用文件中定义的bpf(Berkeley Packet Filter)
-N   is show sub protocol number 显示由IANA定义的子协议号
-d   is use specified device (index) instead of the pcap default

应用举例：

捕获所有post请求(加个-W byline 参数后,将解析包中的换行符)：

复制代码

代码如下:

ranger@ranger:~$ sudo ngrep -q -W byline "(POST).*"
interface: eth0 (192.168.122.0/255.255.254.0)
match: (POST).*

T 192.168.122.74:46048 -> 140.207.228.58:80 [A]
POST /Hotel/OTA_HotelSearch.asmx?wsdl HTTP/1.1.
Content-Type: text/xml; charset=UTF-8.
SOAPAction: http://ctrip.com/Request.
Accept-Encoding: gzip, deflate.
Content-Length: 1330.
Accept: */*.
Accept-Language: zh-cn.
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0).
UA-CPU: x86.
Accept-Encoding: gzip, deflate.
Connection: close.
Host: openapi.ctrip.com.
.
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <Request xmlns="http://ctrip.com/"> <requestXML><Request>
<Header AllianceID="***" SID="***" TimeStamp="1393554304685" RequestType="OTA_HotelSearch" Signature="B166CDF5422A6DA5BA81A08036E938E7"/>
<HotelRequest>
<RequestBody xmlns:ns="http://www.opentravel.org/OTA/2003/05" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<ns:OTA_HotelSearchRQ Version="1.0" PrimaryLangID="zh"
xsi:schemaLocation="http://www.opentravel.org/OTA/2003/05 OTA_HotelSearchRQ.xsd"