root@glz:~# ngrep -h
usage: ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
             <-s snaplen> <-S limitlen> <-W normal|byline|single|none>
             <-c cols> <-P char> <-F file> <match expression> <bpf filter>
   -h  is help/usage  #打印帮助
   -V  is version information  #显示版本
   -q  is be quiet (don't print packet reception hash marks)  #只输出匹配的数据包
   -e  is show empty packets  #空包也显示
   -i  is ignore case  #不区分大小写匹配
   -v  is invert match  #反向匹配,即只显示不匹配的数据包
   -R  is don't do privilege revocation logic  #不执行降权逻辑,即保持以当前(root)权限运行
   -x  is print in alternate hexdump format  #用十六进制输出,和-W不能同时指定
   -X  is interpret match expression as hexadecimal  #用十六进制表示正则表达式
   -w  is word-regex (expression must match as a word)
   -p  is don't go into promiscuous mode  #不使用混杂模式
   -l  is make stdout line buffered
   -D  is replay pcap_dumps with their recorded time intervals
   -t  is print timestamp every time a packet is matched  #在输出数据包之前,先输出当前时间
   -T  is print delta timestamp every time a packet is matched  #是否输出数据包的间隔时间
   -M  is don't do multi-line match (do single-line match instead)  #单行匹配
   -I  is read packet stream from pcap format file pcap_dump
   -O  is dump matched packets in pcap format to pcap_dump
   -n  is look at only num packets
   -A  is dump num packets after a match  #在匹配之后再输出num个数据包
   -s  is set the bpf caplen
   -S  is set the limitlen on matched packets  #在匹配时只搜索前面若干个字符
   -W  is set the dump format (normal, byline, single, none)  #输出方式,byline比较有用,分行显示
   -c  is force the column width to the specified size
   -P  is set the non-printable display char to what is specified
   -F  is read the bpf filter from the specified file
   -N  is show sub protocol number
   -d  is use specified device instead of the pcap default  #使用哪一个网卡,可以用ifconfig查看当前有哪些
   -K  is kill matching TCP connections
下面是一些抓包命令
# Example ngrep captures. Each call prints only matching packets (-q) on the
# named interface (-d); the trailing words are the BPF filter.

# Traffic on the loopback interface (127.0.0.1) to/from port 3306, shown as a
# hex dump (-x).
ngrep -x -q -d lo port 3306

# HTTP GET and POST requests on eth0: the regex matches lines starting with
# "GET " or "POST "; -l makes stdout line-buffered so output appears promptly.
ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80

# UDP packets on port 53 (DNS) on eth0; the empty match expression means every
# packet passing the BPF filter is shown.
ngrep -l -q -d eth0 "" udp and port 53