ngrep - Network Packet Analyzer for Linux


Ngrep (network grep) is a simple but powerful network packet analyzer. It is a grep-like tool applied to the network layer: it matches traffic passing over a network interface. It lets you specify an extended regular or hexadecimal expression to match against the data payload (the actual information or message in the transmitted data, not the automatically generated metadata) of packets.

This tool works with a variety of protocols, including IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw, across a number of interfaces. It operates in the same way as the tcpdump packet sniffing tool.

The ngrep package is available to install from the default system repositories of mainstream Linux distributions using your package management tool, as shown.

$ sudo apt install ngrep
$ sudo yum install ngrep
$ sudo dnf install ngrep

After installing ngrep, you can start analyzing traffic on your Linux network using the following examples.

1. The following command will help you match all ping requests on the default working interface. You need to open another terminal and try to ping a remote machine. The -q flag tells ngrep to work quietly, that is, not to output any information other than packet headers and their payloads.

$ sudo ngrep -q '.' 'icmp'

interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( icmp ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: .

I 192.168.0.104 -> 192.168.0.103 8:0
  ]...~oG[....j....................... !"#$%&'()*+,-./01234567

I 192.168.0.103 -> 192.168.0.104 0:0
  ]...~oG[....j....................... !"#$%&'()*+,-./01234567

I 192.168.0.104 -> 192.168.0.103 8:0
  ]....oG[............................ !"#$%&'()*+,-./01234567

I 192.168.0.103 -> 192.168.0.104 0:0
  ]....oG[............................ !"#$%&'()*+,-./01234567

You can press Ctrl + C to terminate.

2. To match only traffic going to or coming from a particular site, for example 'google.com', run the following command, then try to access the site from a web browser.

$ sudo ngrep -q '.' 'host google.com'

interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( host google.com ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: .

T 172.217.160.174:443 -> 192.168.0.103:54008 [AP]
  ..................;.(...RZr..$....s=..l.Q+R.U..4..g.j..I,.l..:{y.a,....C{5>[email

T 172.217.160.174:443 -> 192.168.0.103:54008 [AP]
  .............l.......!,0hJ....0.%F..!...l|.........PL..X...t..T.2DC..... ..y...~Y;[email

3. If you are browsing the web, run the following command to monitor which files your browser is requesting:

$ sudo ngrep -q '^GET .* HTTP/1.[01]'

interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ((ip || ip6) || (vlan && (ip || ip6)))
match: ^GET .* HTTP/1.[01]

T 192.168.0.104:43040 -> 172.217.160.174:80 [AP]
  GET / HTTP/1.1..Host: google.com..User-Agent: Links (2.13; Linux 4.17.6-1.el7.elrepo.x86_64 x86_64; 
  GNU C 4.8.5; text)..Accept: */*..Accept-Language: en,*;q=0.1..Accept-
  Encoding: gzip, deflate, bzip2..Accept-Charset: us-ascii,ISO-8859-1,ISO-8859-2,ISO-8859-3,ISO-8859-4,
  ISO-8859-5,ISO-8859-6,ISO-8859-7,ISO-8859-8,ISO-8859-9,ISO-8859-10,I
  SO-8859-13,ISO-8859-14,ISO-8859-15,ISO-8859-16,windows-1250,windows-1251,windows-1252,windows-1256,
  windows-1257,cp437,cp737,cp850,cp852,cp866,x-cp866-u,x-mac,x-mac-ce,x-
  kam-cs,koi8-r,koi8-u,koi8-ru,TCVN-5712,VISCII,utf-8..Connection: keep-alive.... 

4. To see all activity crossing source or destination port 25 (SMTP), run the following command.

$ sudo ngrep port 25

5. To monitor any network-based syslog traffic for occurrences of the word "error", use the following command.

$ sudo ngrep -d any 'error' port 514

Importantly, this tool can translate the service names stored in /etc/services (on Unix-like systems such as Linux) into port numbers. The following command is equivalent to the one above.

$ sudo ngrep -d any 'error' port syslog

6. You can also run ngrep on an HTTP server (port 80); it will match all requests to the specified host, as shown.

$ sudo ngrep port 80

interface: eth0 (64.90.164.72/255.255.255.252)
filter: ip and ( port 80 )
####
T 67.169.59.38:42167 -> 64.90.164.74:80 [AP]
  GET / HTTP/1.1..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i
  686) Opera 7.21  [en]..Host: www.darkridge.com..Accept: text/html, applicat
  ion/xml;q=0.9, application/xhtml+xml;q=0.9, image/png, image/jpeg, image/gi
  f, image/x-xbitmap, */*;q=0.1..Accept-Charset: iso-8859-1, utf-8, utf-16, *
  ;q=0.1..Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0..Cookie: SQ
  MSESSID=5272f9ae21c07eca4dfd75f9a3cda22e..Cookie2: $Version=1..Connection:
  Keep-Alive, TE..TE: deflate, gzip, chunked, identity, trailers....
##

As you can see in the output above, all HTTP transmissions are displayed in full detail. They are hard to analyze in this form, though, so let's look at what happens when you use the -W byline mode.

$ sudo ngrep -W byline port 80

interface: eth0 (64.90.164.72/255.255.255.252)
filter: ip and ( port 80 )
####
T 67.169.59.38:42177 -> 64.90.164.74:80 [AP]
GET / HTTP/1.1.
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i686) Opera ...
Host: www.darkridge.com.
Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9 ...
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1.
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0.
Cookie: SQMSESSID=5272f9ae21c07eca4dfd75f9a3cda22e.
Cookie2: $Version=1.
Cache-Control: no-cache.
Connection: Keep-Alive, TE.
TE: deflate, gzip, chunked, identity, trailers.
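To make concrete what ngrep is doing in examples 3, 5 and 6 above (a BPF-style port filter, a regular expression applied to the packet payload, the default one-line rendering versus -W byline, and the service-name lookup from /etc/services), here is a small Python model written for this page. It is not ngrep's own code, and it runs over a few constructed packets embedded in the script rather than live traffic; `SAMPLE_PACKETS`, `ngrep_like`, `render_byline`, `resolve_port` and the other names are this example's own.

```python
import re
import socket

# Constructed sample "packets" for this example: (protocol letter as ngrep prints
# it, source endpoint, destination endpoint, raw payload). Not captured traffic.
SAMPLE_PACKETS = [
    ("T", "192.168.0.104:43048", "172.217.160.174:80",
     b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Links (2.13)\r\n"
     b"Connection: keep-alive\r\n\r\n"),
    ("T", "172.217.160.174:80", "192.168.0.104:43048",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    ("U", "192.168.0.50:40000", "192.168.0.10:514",
     b"<11>Jul 12 16:33:19 host sshd[123]: error: PAM: Authentication failure"),
    ("U", "192.168.0.50:40001", "192.168.0.10:514",
     b"<14>Jul 12 16:33:20 host cron[45]: (root) CMD (run-parts)"),
]


def resolve_port(spec):
    """Accept a port number or an /etc/services name ('syslog' -> 514),
    the way ngrep's 'port' filter keyword does."""
    return int(spec) if spec.isdigit() else socket.getservbyname(spec)


def port_of(endpoint):
    return int(endpoint.rsplit(":", 1)[1])


def port_filter(pkt, port):
    """Mimic the BPF expression 'port N': either endpoint is on that port."""
    _, src, dst, _ = pkt
    return port_of(src) == port or port_of(dst) == port


def render_default(payload):
    """ngrep's default view: every non-printable byte becomes '.', all on one
    line, so CRLF shows up as '..' between HTTP header lines."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)


def render_byline(payload):
    """ngrep -W byline: keep LF as a line break so headers read naturally;
    the CR before it is still shown as a trailing '.'."""
    return "".join(
        "\n" if b == 0x0A else (chr(b) if 32 <= b < 127 else ".")
        for b in payload
    )


def ngrep_like(packets, pattern, port=None, ignore_case=False):
    """Return (header, byline-rendered payload) for each packet that passes the
    port filter and whose payload matches the regex, mirroring ngrep's report."""
    flags = re.IGNORECASE if ignore_case else 0
    rx = re.compile(pattern.encode("ascii"), flags)
    hits = []
    for pkt in packets:
        if port is not None and not port_filter(pkt, port):
            continue
        proto, src, dst, payload = pkt
        if rx.search(payload):
            hits.append((f"{proto} {src} -> {dst}", render_byline(payload)))
    return hits


if __name__ == "__main__":
    # Equivalent of: ngrep -q -W byline '^GET .* HTTP/1.[01]' port 80
    for header, body in ngrep_like(SAMPLE_PACKETS, r"^GET .* HTTP/1.[01]", port=80):
        print(header)
        print(body)
    # Equivalent of: ngrep -d any 'error' port syslog  (name resolved via /etc/services)
    for header, body in ngrep_like(SAMPLE_PACKETS, "error", port=resolve_port("syslog")):
        print(header)
        print(body)
```

The two rendering functions show why example 6 is hard to read and example 6's -W byline variant is not: the same bytes are shown, but only the byline form turns LF into a real line break. The `resolve_port("syslog")` call in the demo needs an /etc/services file to succeed, just as ngrep's `port syslog` does.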

7. To print a timestamp in the form YYYY/MM/DD HH:MM:SS.UUUUUU whenever a packet is matched, use the -t flag.

$ sudo ngrep -t -W byline port 80

interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( port 80 ) and ((ip || ip6) || (vlan && (ip || ip6)))
####
T 2018/07/12 16:33:19.348084 192.168.0.104:43048 -> 172.217.160.174:80 [AP]
GET / HTTP/1.1.
Host: google.com.
User-Agent: Links (2.13; Linux 4.17.6-1.el7.elrepo.x86_64 x86_64; GNU C 4.8.5; text).
Accept: */*.
Accept-Language: en,*;q=0.1.
Accept-Encoding: gzip, deflate, bzip2.
Accept-Charset: us-ascii,ISO-8859-1,ISO-8859-2,ISO-8859-3,ISO-8859-4,ISO-8859-5,utf-8.
Connection: keep-alive.

8. To avoid putting the interface into promiscuous mode (where it intercepts and reads every network packet that arrives, whether or not it is addressed to this host), add the -p flag.

$ sudo ngrep -p -W byline port 80

9. Another important option is -N, which is useful if you are observing raw or unknown protocols. It tells ngrep to show the sub-protocol number along with the single-character identifier.

$ sudo ngrep -N -W byline

For more information, see the ngrep man page.

$ man ngrep

ngrep GitHub repository: https://github.com/jpr5/ngrep

That's all! Ngrep (network grep) is a network packet analyzer that understands BPF filter logic in the same way as tcpdump. We would like to hear your thoughts about ngrep in the comments section.