ngrep
Notes on ngrep, which is handy when you want to capture packets based on the text data they carry (for example, matching a string inside the payload).
Installing ngrep
[root@colinux ~]# yum install ngrep
fedora                    100% |=========================| 2.1 kB    00:00
updates                   100% |=========================| 2.3 kB    00:00
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package ngrep.i386 0:1.45-1.fc7 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 ngrep                   i386       1.45-1.fc7       fedora             28 k

Transaction Summary
=============================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 28 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): ngrep-1.45-1.fc7.i 100% |=========================|  28 kB    00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: ngrep                        ######################### [1/1]

Installed: ngrep.i386 0:1.45-1.fc7
Complete!
The binary lives in /usr/sbin, which is not on a normal user's PATH, so add it to the PATH if you need it.
[root@colinux ~]# ngrep
bash: ngrep: command not found
[root@colinux ~]#
[root@colinux etc]# whereis ngrep
ngrep: /usr/sbin/ngrep /usr/share/man/man8/ngrep.8.gz
[root@colinux etc]#
[root@colinux etc]# vi /etc/profile.d/sbin.sh
if ! echo ${PATH} | /bin/grep -q /usr/sbin ; then
    PATH=/usr/sbin:${PATH}
fi
[root@colinux etc]# chmod 644 /etc/profile.d/sbin.sh
First, watch the traffic to the MySQL port (3306) with the following command.
ngrep -W byline -q port 3306
If the connection is not encrypted, the executed SQL statements and the returned data are plainly visible.
You can see the same thing with tcpdump and the like, but since ngrep greps the payload by default it may be easier to use.
Installing from the tarball
Download
[aws_user@192.168.11.36 tmp]$ wget 'http://sourceforge.jp/frs/g_redir.php?m=jaist&f=%2Fngrep%2Fngrep%2F1.45%2Fngrep-1.45.tar.bz2'
[aws_user@192.168.11.36 tmp]$ ls -l
total 13992
-rw-rw-r-- 1 aws_user aws_user 10363484 Nov 1 09:03 clustrix-common-v4.0-526.x86_64.rpm
-rw-rw-r-- 1 aws_user aws_user 3402668 Nov 1 09:03 clustrix-devnode-v4.0-8097.x86_64.rpm
-rw-rw-r-- 1 aws_user aws_user 234 Aug 8 18:55 fizzbuzz.c
-rwxrwxr-x 1 aws_user aws_user 5229 Aug 8 18:55 fizzbuzz.out
-rwxr-xr-x 1 aws_user aws_user 214 Aug 8 18:29 fizzbuzz.pl
-rw-rw-r-- 1 aws_user aws_user 18645 Aug 17 11:55 index.html
-rw-rw-r-- 1 aws_user aws_user 19142 Nov 12 15:23 index.html.1
-rw-rw-r-- 1 aws_user aws_user 463361 Nov 28 2006 ngrep-1.45.tar.bz2
-rw-rw-r-- 1 aws_user aws_user 3354 Nov 1 09:08 README.txt
drwxrwxr-x 2 aws_user aws_user 4096 Aug 10 08:25 wget
[aws_user@192.168.11.36 tmp]$ tar xvf ngrep-1.45.tar.bz2
ngrep-1.45/
ngrep-1.45/win32/
ngrep-1.45/win32/ngrep.sln
ngrep-1.45/win32/ngrep.vcproj
ngrep-1.45/win32/support/
ngrep-1.45/win32/support/getopt.c
ngrep-1.45/win32/support/getopt.h
ngrep-1.45/win32/support/inet_ntop.c
ngrep-1.45/win32/support/inet_ntop.h
... (omitted)
ngrep-1.45/pcre-5.0/libpcre.def
ngrep-1.45/pcre-5.0/libpcreposix.def
ngrep-1.45/pcre-5.0/RunTest.in
ngrep-1.45/pcre-5.0/configure
ngrep-1.45/pcre-5.0/install-sh
ngrep-1.45/pcre-5.0/mkinstalldirs
ngrep-1.45/pcre-5.0/config.guess
ngrep-1.45/pcre-5.0/config.sub
ngrep-1.45/pcre-5.0/ltmain.sh
[aws_user@192.168.11.36 tmp]$ ls -l
total 13996
-rw-rw-r-- 1 aws_user aws_user 10363484 Nov 1 09:03 clustrix-common-v4.0-526.x86_64.rpm
-rw-rw-r-- 1 aws_user aws_user 3402668 Nov 1 09:03 clustrix-devnode-v4.0-8097.x86_64.rpm
-rw-rw-r-- 1 aws_user aws_user 234 Aug 8 18:55 fizzbuzz.c
-rwxrwxr-x 1 aws_user aws_user 5229 Aug 8 18:55 fizzbuzz.out
-rwxr-xr-x 1 aws_user aws_user 214 Aug 8 18:29 fizzbuzz.pl
-rw-rw-r-- 1 aws_user aws_user 18645 Aug 17 11:55 index.html
-rw-rw-r-- 1 aws_user aws_user 19142 Nov 12 15:23 index.html.1
drwxr-xr-x 7 aws_user aws_user 4096 Nov 28 2006 ngrep-1.45
-rw-rw-r-- 1 aws_user aws_user 463361 Nov 28 2006 ngrep-1.45.tar.bz2
-rw-rw-r-- 1 aws_user aws_user 3354 Nov 1 09:08 README.txt
drwxrwxr-x 2 aws_user aws_user 4096 Aug 10 08:25 wget
[aws_user@192.168.11.36 tmp]$ cd ngrep-1.45
[aws_user@192.168.11.36 ngrep-1.45]$ ls -l
total 340
-rw-r--r-- 1 aws_user aws_user 44208 Oct 18 2006 config.guess
-rw-r--r-- 1 aws_user aws_user 854 Nov 28 2006 config.h.in
-rw-r--r-- 1 aws_user aws_user 32560 Oct 18 2006 config.sub
-rwxr-xr-x 1 aws_user aws_user 155425 Nov 15 2006 configure
-rw-r--r-- 1 aws_user aws_user 9916 Nov 15 2006 configure.in
drwxr-xr-x 2 aws_user aws_user 4096 Nov 28 2006 doc
-rwxr-xr-x 1 aws_user aws_user 5598 Sep 26 2004 install-sh
-rw-r--r-- 1 aws_user aws_user 1840 Nov 16 2006 LICENSE.txt
-rw-r--r-- 1 aws_user aws_user 2986 Nov 28 2006 Makefile.in
-rw-r--r-- 1 aws_user aws_user 15480 Nov 28 2006 ngrep.8
-rw-r--r-- 1 aws_user aws_user 36033 Nov 28 2006 ngrep.c
-rw-r--r-- 1 aws_user aws_user 2700 Nov 28 2006 ngrep.h
drwxr-xr-x 2 aws_user aws_user 4096 Nov 15 2006 pcre-5.0
drwxr-xr-x 4 aws_user aws_user 4096 Nov 28 2006 regex-0.12
drwxr-xr-x 2 aws_user aws_user 4096 Sep 26 2004 scripts
drwxr-xr-x 3 aws_user aws_user 4096 Nov 16 2006 win32
From configure through install
[aws_user@192.168.11.36 ngrep-1.45]$ ./configure
Configuring System ...
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
checking for gcc... gcc
checking for gcc option to accept ISO C89... none needed
... (omitted)
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
[aws_user@192.168.11.36 ngrep-1.45]$ make
make -C regex-0.12 regex.o
make[1]: Entering directory `/home/aws_user/tmp/ngrep-1.45/regex-0.12'
gcc -g -DSTDC_HEADERS=1 -DHAVE_STRING_H=1 -DHAVE_ALLOCA_H=1 -DHAVE_ALLOCA=1 -I. -I. -c regex.c
make[1]: Leaving directory `/home/aws_user/tmp/ngrep-1.45/regex-0.12'
gcc -g -O2 -DLINUX -DHAVE_CONFIG_H -D_BSD_SOURCE=1 -D__FAVOR_BSD=1 -I. -I/usr/include -g -c ngrep.c
gcc -g -O2 -DLINUX -DHAVE_CONFIG_H -D_BSD_SOURCE=1 -D__FAVOR_BSD=1 -L/usr/lib -s -o ngrep ngrep.o regex-0.12/regex.o -lpcap
[aws_user@192.168.11.36 ngrep-1.45]$ sudo -s
[sudo] password for aws_user:
[root@192.168.11.36 ngrep-1.45]# make install
./install-sh -c -m 0755 ngrep //usr/local/bin/ngrep
./install-sh -c -m 0644 ngrep.8 //usr/local/share/man/man8/ngrep.8
[root@192.168.11.36 ngrep-1.45]#
Try running it against port 80.
[root@192.168.11.36 ngrep-1.45]# ngrep -W byline -q port 80
interface: eth0 (192.168.11.0/255.255.255.0)
filter: (ip) and ( port 80 )

T 192.168.11.101:12814 -> 192.168.11.36:80 [AP]
GET /nagios/ HTTP/1.1.
Via: 1.1 TMG03.
Accept-Encoding:gzip.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3.
Host: 192.168.11.36.
Keep-Alive: 115.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8.
Accept-Language: ja,en-us;q=0.7,en;q=0.3.
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7.
Connection: Keep-Alive.
.

T 192.168.11.36:80 -> 192.168.11.101:12814 [AP]
HTTP/1.1 401 Authorization Required.
Date: Mon, 12 Nov 2012 06:59:18 GMT.
Server: Apache.
WWW-Authenticate: Basic realm="Nagios Access".
Content-Length: 401.
Connection: close.
Content-Type: text/html; charset=iso-8859-1.
.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p>
</body></html>

T 192.168.11.101:13132 -> 192.168.11.36:80 [AP]
GET /favicon.ico HTTP/1.1.
Via: 1.1 TMG03.
Accept-Encoding:gzip.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3.
Host: 192.168.11.36.
Keep-Alive: 115.
Accept: image/png,image/*;q=0.8,*/*;q=0.5.
Accept-Language: ja,en-us;q=0.7,en;q=0.3.
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7.
Connection: Keep-Alive.
.

T 192.168.11.36:80 -> 192.168.11.101:13132 [AP]
HTTP/1.1 404 Not Found.
Date: Mon, 12 Nov 2012 06:59:22 GMT.
Server: Apache.
Content-Length: 209.
Connection: close.
Content-Type: text/html; charset=iso-8859-1.
.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /favicon.ico was not found on this server.</p>
</body></html>
[root@192.168.11.36 ngrep-1.45]#
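The capture above is also the defender's lesson: on unencrypted HTTP (and unencrypted MySQL on port 3306) every header, body and credential is readable to anyone on the path, and the Basic credential the browser sends after that 401 is only base64, not encryption. As an added example (not code from the page or from the ngrep project), the following Python parses ngrep -W byline output into packets and reports which request lines and which Basic-auth account names crossed the wire in cleartext, without ever reporting the password. It assumes ngrep renders each CR as "." as in the page's output; the sample packets and the credential value are constructed.

```python
import base64
import re

# Constructed sample shaped like "ngrep -W byline -q port 80" output (not the page's
# capture): a header "T src -> dst [flags]", then one payload line per protocol line;
# ngrep shows each CR as "." and the blank header terminator as a lone ".".
SAMPLE = """\
T 192.168.11.101:12814 -> 192.168.11.36:80 [AP]
GET /nagios/ HTTP/1.1.
Host: 192.168.11.36.
Authorization: Basic bmFnaW9zYWRtaW46cGFzc3dvcmQ=.
.
T 192.168.11.36:80 -> 192.168.11.101:12814 [AP]
HTTP/1.1 200 OK.
.
T 192.168.11.101:13132 -> 192.168.11.36:80 [AP]
GET /favicon.ico HTTP/1.1.
Host: 192.168.11.36.
.
"""

HEADER = re.compile(r"^([TUI]) (\S+) -> (\S+) \[(\w*)\]$")
REQUEST = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")

def parse_ngrep(text: str) -> list:
    """Group ngrep -W byline output into packets, one dict per header line."""
    packets = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            packets.append(dict(zip(("proto", "src", "dst", "flags"), m.groups()), lines=[]))
        elif packets:
            packets[-1]["lines"].append(line[:-1] if line.endswith(".") else line)  # strip CR marker
    return packets

def cleartext_findings(packets: list) -> list:
    """Request lines readable on the wire, plus the account name of any Basic credential."""
    findings = []
    for p in packets:
        if not p["lines"] or not (m := REQUEST.match(p["lines"][0])):
            continue
        f = {"src": p["src"], "dst": p["dst"], "method": m.group(1),
             "path": m.group(2), "basic_user": None}
        for hdr in p["lines"][1:]:
            name, _, value = hdr.partition(":")
            if name.lower() == "authorization" and value.strip().lower().startswith("basic "):
                creds = base64.b64decode(value.strip().split(None, 1)[1]).decode("utf-8", "replace")
                f["basic_user"] = creds.split(":", 1)[0]  # never report the password part
        findings.append(f)
    return findings
```

Feed it real output with `ngrep -W byline -q port 80 | python3 -c 'import sys, thisfile; ...'` or a saved capture; the same parser works for the port 3306 case, only the request-line regex would change.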
Reference sites
Capturing packets and grepping them with ngrep
ngrep: capturing communication contents in an easy-to-read form
Easy packet capture with Network Grep
bash environment settings