ngrep - A Network Packet Analyzer for Linux


Ngrep (network grep) is a simple but powerful network packet analyzer. It is a grep-like tool applied at the network layer: it matches traffic passing over a network interface. It lets you specify an extended regular expression or a hexadecimal expression to match against the data payloads of packets (the actual information or message carried in the transmitted data, not the automatically generated metadata).

This tool works with a variety of protocols, including IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw, across a number of interfaces. It operates in the same fashion as the tcpdump packet sniffing tool.

The ngrep package is available for installation from the default system repositories of the major Linux distributions using your distribution's package management tool, as shown.

$ sudo apt install ngrep
$ sudo yum install ngrep
$ sudo dnf install ngrep

After installing ngrep, you can start analyzing traffic on your Linux network using the following examples.

1. The following command will help you match all ping requests on the default working interface. You need to open another terminal and try to ping another remote machine. The -q flag tells ngrep to work quietly, printing nothing other than packet headers and their payloads.

$ sudo ngrep -q '.' 'icmp'

interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( icmp ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: .

I 192.168.0.104 -> 192.168.0.103 8:0
  ]...~oG[....j....................... !"#$%&'()*+,-./01234567

I 192.168.0.103 -> 192.168.0.104 0:0
  ]...~oG[....j....................... !"#$%&'()*+,-./01234567

I 192.168.0.104 -> 192.168.0.103 8:0
  ]....oG[............................ !"#$%&'()*+,-./01234567

I 192.168.0.103 -> 192.168.0.104 0:0
  ]....oG[............................ !"#$%&'()*+,-./01234567

You can press Ctrl + C to terminate it.

2. To match only traffic going to a particular destination site, for example ‘google.com’, run the following command, then try to access it from a browser.

$ sudo ngrep -q '.' 'host google.com'

interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( host google.com ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: .

T 172.217.160.174:443 -> 192.168.0.103:54008 [AP]
  ..................;.(...RZr..$....s=..l.Q+R.U..4..g.j..I,.l..:{y.a,....C{5>[email

T 172.217.160.174:443 -> 192.168.0.103:54008 [AP]
  .............l.......!,0hJ....0.%F..!...l|.........PL..X...t..T.2DC..... ..y...~Y;[email

3. If you are browsing the web, run the following command to monitor which files your browser is requesting.

$ sudo ngrep -q '^GET .* HTTP/1.[01]'

interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ((ip || ip6) || (vlan && (ip || ip6)))
match: ^GET .* HTTP/1.[01]

T 192.168.0.104:43040 -> 172.217.160.174:80 [AP]
  GET / HTTP/1.1..Host: google.com..User-Agent: Links (2.13; Linux 4.17.6-1.el7.elrepo.x86_64 x86_64; 
  GNU C 4.8.5; text)..Accept: */*..Accept-Language: en,*;q=0.1..Accept-
  Encoding: gzip, deflate, bzip2..Accept-Charset: us-ascii,ISO-8859-1,ISO-8859-2,ISO-8859-3,ISO-8859-4,
  ISO-8859-5,ISO-8859-6,ISO-8859-7,ISO-8859-8,ISO-8859-9,ISO-8859-10,I
  SO-8859-13,ISO-8859-14,ISO-8859-15,ISO-8859-16,windows-1250,windows-1251,windows-1252,windows-1256,
  windows-1257,cp437,cp737,cp850,cp852,cp866,x-cp866-u,x-mac,x-mac-ce,x-
  kam-cs,koi8-r,koi8-u,koi8-ru,TCVN-5712,VISCII,utf-8..Connection: keep-alive....
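The match expression is a regular expression applied to each packet's payload: item 1 above uses '.' and item 3 uses '^GET .* HTTP/1.[01]'. The following Python script is an added example, not code from the article or from the ngrep project. It emulates ngrep's match step on a handful of constructed payloads so that an expression can be tried against saved sample data before it is run on a live interface. It assumes that Python's re module on bytes, with '.' allowed to match newline bytes and '^' anchored to the start of the payload, is a close enough stand-in for the regex library ngrep was built against; the hex_expr and icase parameters are this example's way of mirroring ngrep's -X (treat the expression as hexadecimal) and -i (ignore case) flags. The sample payloads, including the deliberately malformed HTTP/1x1 request line, are constructed.

```python
import re
from typing import Dict, List

# Constructed sample payloads, modelled on the article's listings; none of
# these bytes were captured from a real network.
PAYLOADS: Dict[str, bytes] = {
    "get_11": b"GET / HTTP/1.1\r\nHost: google.com\r\nUser-Agent: Links (2.13)\r\n\r\n",
    "get_10": b"GET /index.html HTTP/1.0\r\nHost: www.darkridge.com\r\n\r\n",
    "post_11": b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n\r\nuser=a&pass=b",
    "odd_version": b"GET / HTTP/1x1\r\n\r\n",            # contrived: not valid HTTP
    "tls_hello": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",  # TLS record header + ClientHello start
    "icmp_echo": b"]...~oG[....j.... !\"#$%&'()*+,-./01234567",     # ping payload as in item 1
    "empty": b"",                                        # e.g. a bare TCP ACK with no data
}


def ngrep_match(expr: str, payload: bytes, hex_expr: bool = False, icase: bool = False) -> bool:
    """Emulate the match step ngrep applies to one packet payload.

    hex_expr mirrors ngrep's -X (the expression is a string of hex bytes looked
    for anywhere in the payload); icase mirrors -i.  Assumption: Python's re on
    bytes, with '.' matching newline bytes (re.DOTALL) and '^' anchored at the
    start of the payload, approximates ngrep's own regex library.
    """
    if hex_expr:
        needle = bytes.fromhex(expr.replace(" ", ""))
        return needle in payload
    flags = re.DOTALL | (re.IGNORECASE if icase else 0)
    return re.search(expr.encode("latin-1"), payload, flags) is not None


def match_names(expr: str, hex_expr: bool = False, icase: bool = False) -> List[str]:
    """Names of the sample payloads the expression would select, in table order."""
    return [name for name, data in PAYLOADS.items()
            if ngrep_match(expr, data, hex_expr, icase)]


if __name__ == "__main__":
    checks = [
        (".", False, False),                       # item 1: any payload with at least one byte
        ("^GET .* HTTP/1.[01]", False, False),     # item 3: the article's pattern
        (r"^GET \S+ HTTP/1\.[01]", False, False),  # tightened: escaped dot, no greedy .*
        ("host: google", False, True),             # -i style case-insensitive match
        ("16 03 01", True, False),                 # -X style: TLS record header bytes
    ]
    for expr, hx, ic in checks:
        print(f"{expr!r:30} hex={hx!s:5} icase={ic!s:5} -> {match_names(expr, hx, ic)}")
```

Running it prints which sample payloads each expression selects. A bare '.' selects every packet that carries at least one payload byte, which is why item 1 pairs it with the icmp BPF filter rather than relying on the regex to pick out pings. The unescaped dot in the article's HTTP/1.[01] matches any byte, so the contrived HTTP/1x1 payload is accepted as well; the tightened form with an escaped dot drops it, which matters when a match expression is meant to feed an alert rather than a quick look at traffic.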

4. To see all activity crossing source or destination port 25 (SMTP), run the following command.

$ sudo ngrep port 25

5. To monitor any network-based syslog traffic for the occurrence of the word error, use the following command.

$ sudo ngrep -d any 'error' port 514

Importantly, this tool can convert service port names stored in /etc/services (on Unix-like systems such as Linux) to port numbers. This command is equivalent to the one above.

$ sudo ngrep -d any 'error' port syslog

6. You can also run ngrep against an HTTP server (port 80); it will match all requests to the destination host, as shown.

$ sudo ngrep port 80

interface: eth0 (64.90.164.72/255.255.255.252)
filter: ip and ( port 80 )
####
T 67.169.59.38:42167 -> 64.90.164.74:80 [AP]
  GET / HTTP/1.1..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i
  686) Opera 7.21  [en]..Host: www.darkridge.com..Accept: text/html, applicat
  ion/xml;q=0.9, application/xhtml+xml;q=0.9, image/png, image/jpeg, image/gi
  f, image/x-xbitmap, */*;q=0.1..Accept-Charset: iso-8859-1, utf-8, utf-16, *
  ;q=0.1..Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0..Cookie: SQ
  MSESSID=5272f9ae21c07eca4dfd75f9a3cda22e..Cookie2: $Version=1..Connection:
  Keep-Alive, TE..TE: deflate, gzip, chunked, identity, trailers....
##

As you can see in the above output, the HTTP headers are displayed in their gory detail. That is hard to read, so let's see what happens when you use the -W byline mode.

$ sudo ngrep -W byline port 80

interface: eth0 (64.90.164.72/255.255.255.252)
filter: ip and ( port 80 )
####
T 67.169.59.38:42177 -> 64.90.164.74:80 [AP]
GET / HTTP/1.1.
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i686) Opera ...
Host: www.darkridge.com.
Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9 ...
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1.
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0.
Cookie: SQMSESSID=5272f9ae21c07eca4dfd75f9a3cda22e.
Cookie2: $Version=1.
Cache-Control: no-cache.
Connection: Keep-Alive, TE.
TE: deflate, gzip, chunked, identity, trailers.

7. To print a timestamp in the form YYYY/MM/DD HH:MM:SS.UUUUUU every time a packet is matched, use the -t flag.

$ sudo ngrep -t -W byline port 80

interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( port 80 ) and ((ip || ip6) || (vlan && (ip || ip6)))
####
T 2018/07/12 16:33:19.348084 192.168.0.104:43048 -> 172.217.160.174:80 [AP]
GET / HTTP/1.1.
Host: google.com.
User-Agent: Links (2.13; Linux 4.17.6-1.el7.elrepo.x86_64 x86_64; GNU C 4.8.5; text).
Accept: */*.
Accept-Language: en,*;q=0.1.
Accept-Encoding: gzip, deflate, bzip2.
Accept-Charset: us-ascii,ISO-8859-1,ISO-8859-2,ISO-8859-3,ISO-8859-4,ISO-8859-5,utf-8.
Connection: keep-alive.
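Byline mode turns each matched packet into a header line (protocol letter, optional timestamp, source, "->", destination, then TCP flags in brackets) followed by one line per payload line, with the trailing carriage return shown as a dot. The Python script below is an added example, not code from the article or from the ngrep project. It parses constructed ngrep -t -W byline port 80 output modelled on the listings in items 6 and 7 into records, extracts the HTTP request line and headers, and reports requests that sent a Cookie header over plain HTTP, which is the cleartext session-token exposure the SQMSESSID cookie in item 6 illustrates. The sample output, addresses, host names and session id are constructed for the example; the header regex also accepts the ICMP lines from item 1, where the trailing field is type:code rather than TCP flags.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of `ngrep -t -W byline port 80` output, modelled on the
# article's listings.  Addresses, hosts and the session id are made up.
SAMPLE_OUTPUT = """\
interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( port 80 ) and ((ip || ip6) || (vlan && (ip || ip6)))
####
T 2018/07/12 16:33:19.348084 192.168.0.104:43048 -> 172.217.160.174:80 [AP]
GET / HTTP/1.1.
Host: google.com.
User-Agent: Links (2.13; Linux x86_64; text).
Connection: keep-alive.
.
##
T 2018/07/12 16:33:21.001200 192.168.0.104:43050 -> 203.0.113.10:80 [AP]
GET /login HTTP/1.1.
Host: intranet.example.
Cookie: SQMSESSID=0123456789abcdef0123456789abcdef.
Connection: keep-alive.
.
#
T 2018/07/12 16:33:21.004731 203.0.113.10:80 -> 192.168.0.104:43050 [AP]
HTTP/1.1 200 OK.
Content-Type: text/html.
.
"""

# Header line: proto letter, optional -t timestamp, src -> dst, then either
# TCP flags like "[AP]" or, for ICMP, "type:code" such as "8:0".
HEADER_RE = re.compile(
    r"^(?P<proto>[TUI])\s+"
    r"(?:(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+)?"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+(?P<tail>\S.*))?$"
)
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$")


@dataclass
class Packet:
    proto: str
    timestamp: Optional[str]
    src: str
    dst: str
    tail: str                      # "[AP]" TCP flags, or ICMP "type:code"
    payload: List[str] = field(default_factory=list)


@dataclass
class HttpRequest:
    timestamp: Optional[str]
    src: str
    dst: str
    method: str
    target: str
    headers: Dict[str, str]        # header names lower-cased


def parse_ngrep(text: str) -> List[Packet]:
    """Turn byline-mode ngrep output into Packet records."""
    packets: List[Packet] = []
    current: Optional[Packet] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("interface:", "filter:", "match:")):
            continue                   # start-up banner lines
        if line.startswith("#"):       # each '#' is a packet seen but not matched
            current = None
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Packet(m["proto"], m["ts"], m["src"], m["dst"], m["tail"] or "")
            packets.append(current)
            continue
        if current is not None:
            # byline mode prints '\n' as a line break and '\r' as '.', so drop that '.'
            text_line = line[:-1] if line.endswith(".") else line
            if text_line:
                current.payload.append(text_line)
    return packets


def http_requests(packets: List[Packet]) -> List[HttpRequest]:
    """Packets whose payload starts with an HTTP request line (responses are skipped)."""
    reqs: List[HttpRequest] = []
    for p in packets:
        if p.proto != "T" or not p.payload:
            continue
        m = REQUEST_RE.match(p.payload[0])
        if not m:
            continue
        headers: Dict[str, str] = {}
        for h in p.payload[1:]:
            name, sep, value = h.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        reqs.append(HttpRequest(p.timestamp, p.src, p.dst, m["method"], m["target"], headers))
    return reqs


def cleartext_cookie_findings(reqs: List[HttpRequest]) -> List[tuple]:
    """Requests that sent a Cookie over plain HTTP: a session token anyone on the path can read."""
    out = []
    for r in reqs:
        cookie = r.headers.get("cookie")
        if cookie:
            names = [c.split("=", 1)[0].strip() for c in cookie.split(";")]
            out.append((r.timestamp, r.src, r.headers.get("host", r.dst), names))
    return out


if __name__ == "__main__":
    packets = parse_ngrep(SAMPLE_OUTPUT)
    print(f"{len(packets)} matched packets")
    reqs = http_requests(packets)
    for r in reqs:
        print(f"{r.timestamp} {r.src} -> {r.headers.get('host', r.dst)} {r.method} {r.target}")
    for ts, src, host, names in cleartext_cookie_findings(reqs):
        print(f"ALERT {ts} {src} sent cookie(s) {names} to {host} over cleartext HTTP")
```

The script keeps only the cookie names, not their values, so the report itself does not become a second copy of the session token. The same parser can be pointed at a saved ngrep run (for instance output redirected to a file from a capture window) to answer which internal hosts are still sending authenticated sessions over port 80.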

8. To avoid putting the monitored interface into promiscuous mode (where it intercepts and reads in full every network packet that arrives), add the -p flag.

$ sudo ngrep -p -W byline port 80

9. Another useful option is -N, which is helpful if you are observing raw or unknown protocols. It tells ngrep to show the sub-protocol number along with the single-character identifier.

$ sudo ngrep -N -W byline

For more information, see the ngrep man page.

$ man ngrep

ngrep GitHub repository: https://github.com/jpr5/ngrep

That's all! Ngrep (network grep) is a network packet analyzer that understands BPF filter logic in the same fashion as tcpdump. We would like to hear your thoughts about ngrep in the comments section.