ngrep
Notes on ngrep, a tool you can use when you want to capture packets based on the text content they carry.

Installing ngrep

[root@colinux ~]# yum install ngrep
fedora 100% |=========================| 2.1 kB 00:00
updates 100% |=========================| 2.3 kB 00:00
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package ngrep.i386 0:1.45-1.fc7 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
ngrep i386 1.45-1.fc7 fedora 28 k

Transaction Summary
=============================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)

Total download size: 28 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): ngrep-1.45-1.fc7.i 100% |=========================| 28 kB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: ngrep ######################### [1/1]

Installed: ngrep.i386 0:1.45-1.fc7
Complete!

ngrep

The command does not seem to be on the PATH, so add it if necessary.

[root@colinux ~]# ngrep
bash: ngrep: command not found
[root@colinux ~]#

[root@colinux etc]# whereis ngrep
ngrep: /usr/sbin/ngrep /usr/share/man/man8/ngrep.8.gz
[root@colinux etc]#

[root@colinux etc]# vi /etc/profile.d/sbin.sh
if ! echo ${PATH} | /bin/grep -q /usr/sbin ; then
        PATH=/usr/sbin:${PATH}
fi

[root@colinux etc]# chmod 644 /etc/profile.d/sbin.sh

Now that it is on the PATH, look at the help output to check the command options.
(screenshot: ngrep help output)

First, check access to MySQL on port 3306 with the following command.
ngrep -W byline -q port 3306
(screenshot: ngrep session check)

If the traffic is not encrypted, the SQL statements that were executed and the returned data are plainly visible.
(screenshot: show tables details)

You can see the same thing with tcpdump, but since ngrep greps by default it may be easier to use.

Installing from the tarball
Download

[aws_user@192.168.11.36 tmp]$ wget 'http://sourceforge.jp/frs/g_redir.php?m=jaist&f=%2Fngrep%2Fngrep%2F1.45%2Fngrep-1.45.tar.bz2'
[aws_user@192.168.11.36 tmp]$ ls -l
total 13992
-rw-rw-r-- 1 aws_user aws_user 10363484 Nov  1 09:03 clustrix-common-v4.0-526.x86_64.rpm
-rw-rw-r-- 1 aws_user aws_user  3402668 Nov  1 09:03 clustrix-devnode-v4.0-8097.x86_64.rpm
-rw-rw-r-- 1 aws_user aws_user      234 Aug  8 18:55 fizzbuzz.c
-rwxrwxr-x 1 aws_user aws_user     5229 Aug  8 18:55 fizzbuzz.out
-rwxr-xr-x 1 aws_user aws_user      214 Aug  8 18:29 fizzbuzz.pl
-rw-rw-r-- 1 aws_user aws_user    18645 Aug 17 11:55 index.html
-rw-rw-r-- 1 aws_user aws_user    19142 Nov 12 15:23 index.html.1
-rw-rw-r-- 1 aws_user aws_user   463361 Nov 28  2006 ngrep-1.45.tar.bz2
-rw-rw-r-- 1 aws_user aws_user     3354 Nov  1 09:08 README.txt
drwxrwxr-x 2 aws_user aws_user     4096 Aug 10 08:25 wget
[aws_user@192.168.11.36 tmp]$ tar xvf ngrep-1.45.tar.bz2
ngrep-1.45/
ngrep-1.45/win32/
ngrep-1.45/win32/ngrep.sln
ngrep-1.45/win32/ngrep.vcproj
ngrep-1.45/win32/support/
ngrep-1.45/win32/support/getopt.c
ngrep-1.45/win32/support/getopt.h
ngrep-1.45/win32/support/inet_ntop.c
ngrep-1.45/win32/support/inet_ntop.h

... (omitted)

ngrep-1.45/pcre-5.0/libpcre.def
ngrep-1.45/pcre-5.0/libpcreposix.def
ngrep-1.45/pcre-5.0/RunTest.in
ngrep-1.45/pcre-5.0/configure
ngrep-1.45/pcre-5.0/install-sh
ngrep-1.45/pcre-5.0/mkinstalldirs
ngrep-1.45/pcre-5.0/config.guess
ngrep-1.45/pcre-5.0/config.sub
ngrep-1.45/pcre-5.0/ltmain.sh
[aws_user@192.168.11.36 tmp]$ ls -l
total 13996
-rw-rw-r-- 1 aws_user aws_user 10363484 Nov  1 09:03 clustrix-common-v4.0-526.x86_64.rpm
-rw-rw-r-- 1 aws_user aws_user  3402668 Nov  1 09:03 clustrix-devnode-v4.0-8097.x86_64.rpm
-rw-rw-r-- 1 aws_user aws_user      234 Aug  8 18:55 fizzbuzz.c
-rwxrwxr-x 1 aws_user aws_user     5229 Aug  8 18:55 fizzbuzz.out
-rwxr-xr-x 1 aws_user aws_user      214 Aug  8 18:29 fizzbuzz.pl
-rw-rw-r-- 1 aws_user aws_user    18645 Aug 17 11:55 index.html
-rw-rw-r-- 1 aws_user aws_user    19142 Nov 12 15:23 index.html.1
drwxr-xr-x 7 aws_user aws_user     4096 Nov 28  2006 ngrep-1.45
-rw-rw-r-- 1 aws_user aws_user   463361 Nov 28  2006 ngrep-1.45.tar.bz2
-rw-rw-r-- 1 aws_user aws_user     3354 Nov  1 09:08 README.txt
drwxrwxr-x 2 aws_user aws_user     4096 Aug 10 08:25 wget
[aws_user@192.168.11.36 tmp]$ cd ngrep-1.45
[aws_user@192.168.11.36 ngrep-1.45]$ ls -l
total 340
-rw-r--r-- 1 aws_user aws_user  44208 Oct 18  2006 config.guess
-rw-r--r-- 1 aws_user aws_user    854 Nov 28  2006 config.h.in
-rw-r--r-- 1 aws_user aws_user  32560 Oct 18  2006 config.sub
-rwxr-xr-x 1 aws_user aws_user 155425 Nov 15  2006 configure
-rw-r--r-- 1 aws_user aws_user   9916 Nov 15  2006 configure.in
drwxr-xr-x 2 aws_user aws_user   4096 Nov 28  2006 doc
-rwxr-xr-x 1 aws_user aws_user   5598 Sep 26  2004 install-sh
-rw-r--r-- 1 aws_user aws_user   1840 Nov 16  2006 LICENSE.txt
-rw-r--r-- 1 aws_user aws_user   2986 Nov 28  2006 Makefile.in
-rw-r--r-- 1 aws_user aws_user  15480 Nov 28  2006 ngrep.8
-rw-r--r-- 1 aws_user aws_user  36033 Nov 28  2006 ngrep.c
-rw-r--r-- 1 aws_user aws_user   2700 Nov 28  2006 ngrep.h
drwxr-xr-x 2 aws_user aws_user   4096 Nov 15  2006 pcre-5.0
drwxr-xr-x 4 aws_user aws_user   4096 Nov 28  2006 regex-0.12
drwxr-xr-x 2 aws_user aws_user   4096 Sep 26  2004 scripts
drwxr-xr-x 3 aws_user aws_user   4096 Nov 16  2006 win32

From configure through install

[aws_user@192.168.11.36 ngrep-1.45]$ ./configure

Configuring System ...

checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
checking for gcc... gcc
checking for gcc option to accept ISO C89... none needed

... (omitted)

configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
[aws_user@192.168.11.36 ngrep-1.45]$ make
make  -C regex-0.12 regex.o
make[1]: Entering directory `/home/aws_user/tmp/ngrep-1.45/regex-0.12'
gcc -g  -DSTDC_HEADERS=1 -DHAVE_STRING_H=1 -DHAVE_ALLOCA_H=1 -DHAVE_ALLOCA=1  -I. -I. -c regex.c
make[1]: Leaving directory `/home/aws_user/tmp/ngrep-1.45/regex-0.12'
gcc -g -O2 -DLINUX -DHAVE_CONFIG_H  -D_BSD_SOURCE=1 -D__FAVOR_BSD=1  -I. -I/usr/include  -g -c ngrep.c
gcc -g -O2 -DLINUX -DHAVE_CONFIG_H  -D_BSD_SOURCE=1 -D__FAVOR_BSD=1  -L/usr/lib -s -o ngrep ngrep.o  regex-0.12/regex.o -lpcap
[aws_user@192.168.11.36 ngrep-1.45]$ sudo -s
[sudo] password for aws_user:
[root@192.168.11.36 ngrep-1.45]# make install
./install-sh -c -m 0755 ngrep  //usr/local/bin/ngrep
./install-sh -c -m 0644 ngrep.8 //usr/local/share/man/man8/ngrep.8
[root@192.168.11.36 ngrep-1.45]# 

Try running it.

[root@192.168.11.36 ngrep-1.45]# ngrep -W byline -q port 80
interface: eth0 (192.168.11.0/255.255.255.0)
filter: (ip) and ( port 80 )

T 192.168.11.101:12814 -> 192.168.11.36:80 [AP]
GET /nagios/ HTTP/1.1.
Via: 1.1 TMG03.
Accept-Encoding:gzip.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3.
Host: 192.168.11.36.
Keep-Alive: 115.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8.
Accept-Language: ja,en-us;q=0.7,en;q=0.3.
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7.
Connection: Keep-Alive.
.


T 192.168.11.36:80 -> 192.168.11.101:12814 [AP]
HTTP/1.1 401 Authorization Required.
Date: Mon, 12 Nov 2012 06:59:18 GMT.
Server: Apache.
WWW-Authenticate: Basic realm="Nagios Access".
Content-Length: 401.
Connection: close.
Content-Type: text/html; charset=iso-8859-1.
.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>


T 192.168.11.101:13132 -> 192.168.11.36:80 [AP]
GET /favicon.ico HTTP/1.1.
Via: 1.1 TMG03.
Accept-Encoding:gzip.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3.
Host: 192.168.11.36.
Keep-Alive: 115.
Accept: image/png,image/*;q=0.8,*/*;q=0.5.
Accept-Language: ja,en-us;q=0.7,en;q=0.3.
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7.
Connection: Keep-Alive.
.


T 192.168.11.36:80 -> 192.168.11.101:13132 [AP]
HTTP/1.1 404 Not Found.
Date: Mon, 12 Nov 2012 06:59:22 GMT.
Server: Apache.
Content-Length: 209.
Connection: close.
Content-Type: text/html; charset=iso-8859-1.
.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /favicon.ico was not found on this server.</p>
</body></html>

[root@192.168.11.36 ngrep-1.45]#
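Captures like the one above make it easy to inventory what is crossing the wire unencrypted. As an added example (not code from the original post or from the ngrep project), the following Python parses ngrep's -W byline output, where every newline in the payload is printed as ".", and flags HTTP Basic authentication exchanged over the unencrypted ports the post captured; the sample capture is constructed, and the Authorization line is a made-up credential.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in ngrep's "-W byline" layout (not the page's own capture): byline
# mode prints every newline in the payload as "." followed by a line break.
SAMPLE = """\
T 192.168.11.101:12814 -> 192.168.11.36:80 [AP]
GET /nagios/ HTTP/1.1.
Authorization: Basic dXNlcjpwYXNz.
.

T 192.168.11.36:80 -> 192.168.11.101:12814 [AP]
HTTP/1.1 401 Authorization Required.
WWW-Authenticate: Basic realm="Nagios Access".
.
"""
HEADER = re.compile(r"^[TUI] (\S+):(\d+) -> (\S+):(\d+) \[\w*\]$")

@dataclass
class Packet:
    src: str                  # "ip:port" as ngrep prints it
    dst: str
    ports: set
    lines: list = field(default_factory=list)

def parse_byline(text):
    """Split ngrep -W byline output into packets, stripping the "." ngrep appends per line."""
    packets, cur = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            cur = Packet(f"{m[1]}:{m[2]}", f"{m[3]}:{m[4]}", {int(m[2]), int(m[4])})
            packets.append(cur)
        elif cur is not None and raw:   # truly blank lines only separate packets
            cur.lines.append(raw[:-1] if raw.endswith(".") else raw)
    return packets

CLEARTEXT_PORTS = {80, 3306}   # the unencrypted services the post captures
def cleartext_auth_findings(packets):
    """Return (src, dst, header) for HTTP Basic auth exchanged on an unencrypted port."""
    findings = []
    for p in packets:
        if p.ports.isdisjoint(CLEARTEXT_PORTS):
            continue
        for line in p.lines:
            name, _, value = line.partition(":")
            key, val = name.strip().lower(), value.strip().lower()
            if key in ("authorization", "www-authenticate") and val.startswith("basic"):
                findings.append((p.src, p.dst, key))
    return findings
```

Feed it a saved run of `ngrep -W byline -q port 80` and each finding names a client or server that should be moved behind TLS.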

