String search in network traffic

Ngrep is a UNIX tool for searching for a specific character string either in live traffic or in network traffic recorded with tools such as tcpdump or Wireshark.

You simply pass the interface, the protocols and the string you want to find as parameters, and it prints the packets in which that string occurs. It is a particularly useful tool for forensic analysis of network traffic.


# ngrep -d rl0 root tcp port 21
interface: rl0 (10.1.1.0/255.255.255.0)
filter: (ip or ip6) and ( tcp port 21 )
match: root
######
T 10.1.1.6:52247 -> 10.1.1.10:21 [AP]
USER root..
#
T 10.1.1.10:21 -> 10.1.1.6:52247 [AP]
530 User root access denied...

Output like this is produced for every packet that matches.
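As an added example, not code from the original post or from ngrep itself: a small Python script that does what the ngrep command above does on a saved capture. It parses a classic libpcap file, keeps only TCP segments on port 21 and reports those whose payload contains the search string, so cleartext credentials in a capture can be spotted without the tool installed. The capture is constructed inline (the FTP exchange shown above plus an unrelated HTTP request that the port filter must drop); the function names are my own.

```python
from __future__ import annotations
import struct

# Constructed sample traffic: minimal Ethernet/IPv4/TCP frames, checksums left at zero.
def build_packet(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"                      # zero MACs, EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)  # PSH+ACK
    return eth + ip + tcp + payload

# Wrap frames in a classic little-endian libpcap file (magic 0xa1b2c3d4, link type 1 = Ethernet).
def build_pcap(frames: list[bytes]) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

# The ngrep-like part: walk the capture, keep TCP segments on `port`, report payloads
# containing `pattern`. Returns one (src, sport, dst, dport, payload) tuple per hit.
def ngrep_like(pcap: bytes, pattern: bytes, port: int) -> list[tuple[str, int, str, int, bytes]]:
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # detect file byte order from magic
    hits, off = [], 24                                          # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":                         # only IPv4 frames
            continue
        ip = frame[14:14 + (frame[14] & 0x0F) * 4]              # IHL gives the header length
        if ip[9] != 6:                                          # protocol 6 = TCP
            continue
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        tcp = frame[14 + len(ip):]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]                      # data offset skips TCP options
        if port in (sport, dport) and pattern in payload:
            hits.append((src, sport, dst, dport, payload))
    return hits

# Constructed capture: the FTP exchange from the post plus an HTTP request the port filter must drop.
SAMPLE_PCAP = build_pcap([
    build_packet("10.1.1.6", 52247, "10.1.1.10", 21, b"USER root\r\n"),
    build_packet("10.1.1.10", 21, "10.1.1.6", 52247, b"530 User root access denied\r\n"),
    build_packet("10.1.1.6", 52248, "10.1.1.10", 80, b"GET /root HTTP/1.0\r\n"),
])

if __name__ == "__main__":
    for src, sp, dst, dp, data in ngrep_like(SAMPLE_PCAP, b"root", 21):
        print(f"T {src}:{sp} -> {dst}:{dp} [AP]", data)
```

Point `ngrep_like` at the bytes of a real tcpdump capture to run the same search over it; only the classic pcap format is handled, not pcapng.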
# ngrep -h
usage: ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
<-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
<-P char> <-F file>
-h is help/usage
-V is version information
-q is be quiet (don't print packet reception hash marks)
-e is show empty packets
-i is ignore case
-v is invert match
-R is don't do privilege revocation logic
-x is print in alternate hexdump format
-X is interpret match expression as hexadecimal
-w is word-regex (expression must match as a word)
-p is don't go into promiscuous mode
-l is make stdout line buffered
-D is replay pcap_dumps with their recorded time intervals
-t is print timestamp every time a packet is matched
-T is print delta timestamp every time a packet is matched
-M is don't do multi-line match (do single-line match instead)
-I is read packet stream from pcap format file pcap_dump
-O is dump matched packets in pcap format to pcap_dump
-n is look at only num packets
-A is dump num packets after a match
-s is set the bpf caplen
-S is set the limitlen on matched packets
-W is set the dump format (normal, byline, single, none)
-c is force the column width to the specified size
-P is set the non-printable display char to what is specified
-F is read the bpf filter from the specified file
-N is show sub protocol number
-d is use specified device instead of the pcap default
