
String search in network traffic

By Huzeyfe ONAL | May 2, 2007

Ngrep is a UNIX tool for searching for a given character string in traffic as it flows, or in network traffic previously recorded with tools such as tcpdump or Wireshark.

Put simply, you pass as parameters which interface to listen on, which protocols to look at (a BPF filter, as with tcpdump) and the character string you want to find (a regular expression), and it prints the packets in which that string occurs to the screen. It is an especially useful tool for forensic analysis of network traffic; the example below shows how plainly a cleartext FTP login stands out.


# ngrep -d rl0 root tcp port 21
interface: rl0 (10.1.1.0/255.255.255.0)
filter: (ip or ip6) and ( tcp port 21 )
match: root
######
T 10.1.1.6:52247 -> 10.1.1.10:21 [AP]
USER root..
#
T 10.1.1.10:21 -> 10.1.1.6:52247 [AP]
530 User root access denied…

Output like the above. Each hash mark is one packet received on the interface, matching or not; only the matching packets are printed in full (the -q flag listed below suppresses the hash marks).
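To make clear what ngrep is doing with the `tcp port 21` filter and the `root` match above, here is an added example (written for this page, not ngrep's own code) that re-implements the idea in plain Python: read a pcap, apply a port filter, and run a regular expression over each TCP payload, printing a `T src:port -> dst:port [AP]` header in ngrep's style. The capture it searches is constructed in-line from the FTP exchange shown above plus one unrelated HTTP request, so the script runs offline; the frame builder, the sample addresses and the `ngrep_like` function name are all assumptions of this example.

```python
"""ngrep-style payload search over a pcap file.

Added example: a small re-implementation of what ngrep does (apply a port
filter, then run a regular expression over each TCP payload). It is not
ngrep's own code. The capture below is constructed in-line so the script
runs offline; it mimics the FTP exchange shown on the page.
"""
import re
import struct


def _tcp_frame(src, dst, sport, dport, payload, flags=0x18):
    """Build an Ethernet/IPv4/TCP frame (checksums left at zero; not verified here)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    eth_hdr = b"\x00" * 12 + b"\x08\x00"          # EtherType 0x0800 = IPv4
    return eth_hdr + ip_hdr + tcp_hdr + payload


def _pcap(frames):
    """Wrap frames in a classic little-endian pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1178064000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample capture: the FTP login from the page plus an unrelated
# HTTP request that also contains "root", to show the port filter at work.
SAMPLE_PCAP = _pcap([
    _tcp_frame("10.1.1.6", "10.1.1.10", 52247, 21, b"USER root\r\n"),
    _tcp_frame("10.1.1.10", "10.1.1.6", 21, 52247, b"530 User root access denied.\r\n"),
    _tcp_frame("10.1.1.6", "10.1.1.10", 52248, 80, b"GET /root.txt HTTP/1.0\r\n\r\n"),
])


def read_pcap(data):
    """Yield raw frames from an in-memory classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return (src, sport, dst, dport, flags, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", frame, 16)
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    flags = frame[tcp + 13]
    return src, sport, dst, dport, flags, frame[tcp + data_off:14 + total_len]


def flag_str(flags):
    """Render TCP flags in ngrep's bracket style, e.g. [AP] for ACK+PSH."""
    return "".join(n for n, bit in (("A", 0x10), ("S", 0x02), ("R", 0x04),
                                    ("F", 0x01), ("U", 0x20), ("P", 0x08)) if flags & bit)


def ngrep_like(pcap_bytes, pattern, port=None, ignore_case=False):
    """Return [(header, payload)] for packets whose TCP payload matches pattern.

    port mimics the BPF 'tcp port N' filter; ignore_case mimics ngrep -i.
    """
    rx = re.compile(pattern.encode(), re.IGNORECASE if ignore_case else 0)
    hits = []
    for frame in read_pcap(pcap_bytes):
        pkt = decode_tcp(frame)
        if pkt is None:
            continue
        src, sport, dst, dport, flags, payload = pkt
        if port is not None and port not in (sport, dport):
            continue
        if rx.search(payload):
            hits.append((f"T {src}:{sport} -> {dst}:{dport} [{flag_str(flags)}]", payload))
    return hits


if __name__ == "__main__":
    # Same query as the page: match "root" on tcp port 21.
    for header, payload in ngrep_like(SAMPLE_PCAP, "root", port=21):
        print(header)
        print(payload.decode("ascii", "replace").replace("\r\n", ".."))
```

Run it and the two FTP packets come out with the same headers as the ngrep output above, while the HTTP request that also carries "root" is dropped by the port filter; drop the `port` argument and it shows up too. The real ngrep reads its filter with libpcap's BPF compiler rather than a hand-written port check, and also handles UDP, ICMP and IPv6, which this illustration does not.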
# ngrep -h
usage: ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
<-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
<-P char> <-F file>
-h is help/usage
-V is version information
-q is be quiet (don’t print packet reception hash marks)
-e is show empty packets
-i is ignore case
-v is invert match
-R is don’t do privilege revocation logic
-x is print in alternate hexdump format
-X is interpret match expression as hexadecimal
-w is word-regex (expression must match as a word)
-p is don’t go into promiscuous mode
-l is make stdout line buffered
-D is replay pcap_dumps with their recorded time intervals
-t is print timestamp every time a packet is matched
-T is print delta timestamp every time a packet is matched
-M is don’t do multi-line match (do single-line match instead)
-I is read packet stream from pcap format file pcap_dump
-O is dump matched packets in pcap format to pcap_dump
-n is look at only num packets
-A is dump num packets after a match
-s is set the bpf caplen
-S is set the limitlen on matched packets
-W is set the dump format (normal, byline, single, none)
-c is force the column width to the specified size
-P is set the non-printable display char to what is specified
-F is read the bpf filter from the specified file
-N is show sub protocol number
-d is use specified device instead of the pcap default

Topics: Network Tools

One Response to “String search in network traffic”

  1. Ngrep ile Ag Trafigi Analizi | Complexity is the Enemy of Security… Says:
    November 27th, 2008 at 9:19 pm

    [...] I had mentioned Ngrep by name here, but gave no detail beyond what it does. Today, while updating the training notes [...]
