First Look at the ngrep Packet Capture Tool


Background

Debugging HTTP requests on Linux/macOS is a very common need, and you often have to work out whether the problem is on the client side or the server side.

That is when you need a packet capture tool.

Common packet capture tools include wireshark, tcpflow and the like.

Is there a more convenient tool for capturing HTTP requests?

On the recommendation of our ops colleagues, there really is one: ngrep.

Installation

Installing on macOS

brew install ngrep

Installing on Linux

wget http://rpmfind.net/linux/dag/redhat/el6/en/x86_64/dag/RPMS/ngrep-1.45-2.el6.rf.x86_64.rpm
rpm -ivh ngrep-1.45-2.el6.rf.x86_64.rpm

or

wget "https://rpmfind.net/linux/epel/7/x86_64/Packages/n/ngrep-1.47-0.1.a39256b.el7.x86_64.rpm"
rpm -ivh ngrep-1.47-0.1.a39256b.el7.x86_64.rpm

Basic usage

Capturing packets on port 80

Capture command: ngrep port 80

Simulate a request

[note@abeffect ~]$ curl -s "www.hacpai.com"
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.13.12</center>
</body>
</html>

Capture result:

####
T 30.30.140.17:54351 -> 118.31.188.179:80 [AP]
  GET / HTTP/1.1..Host: www.hacpai.com..User-Agent: curl/7.54.0..Accept: */*....
##
T 118.31.188.179:80 -> 30.30.140.17:54351 [AP]
  HTTP/1.1 301 Moved Permanently..Server: nginx/1.13.12..Date: Tue, 24 Jul 2018 02:45:35 GMT..Content-Type: text/html..Content-Length: 186..Connection: keep-alive..Location: https://hacpai.com/....<html>..<head><title>301 Moved Perma
  nently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.13.12</center>..</body>..</html>..

As you can see, the packets were captured, but the content is not displayed in full.

Showing line breaks

For the content to be displayed in full, all that is really needed is to render the line breaks (in the default output every non-printable byte, including the CR LF pair ending each header line, is shown as a ".", which is why the headers run together).

ngrep -Wbyline port 80

Result

#####
T 30.30.140.17:55286 -> 118.31.188.179:80 [AP]
GET / HTTP/1.1.
Host: www.hacpai.com.
User-Agent: curl/7.54.0.
Accept: */*.
.

##
T 118.31.188.179:80 -> 30.30.140.17:55286 [AP]
HTTP/1.1 301 Moved Permanently.
Server: nginx/1.13.12.
Date: Tue, 24 Jul 2018 03:04:13 GMT.
Content-Type: text/html.
Content-Length: 186.
Connection: keep-alive.
Location: https://hacpai.com/.
.
<html>.
<head><title>301 Moved Permanently</title></head>.
<body bgcolor="white">.
<center><h1>301 Moved Permanently</h1></center>.
<hr><center>nginx/1.13.12</center>.
</body>.
</html>.

Regex support

There are really too many packets; how do we capture only the hacpai ones? Give ngrep a regular expression to match, together with the -q option:

ngrep -Wbyline -q hacpai port 80
ngrep -Wbyline 'GET /' port 80

Result

T 30.30.140.17:55294 -> 118.31.188.179:80 [AP]
GET / HTTP/1.1.
Host: www.hacpai.com.
User-Agent: curl/7.54.0.
Accept: */*.
.


T 118.31.188.179:80 -> 30.30.140.17:55294 [AP]
HTTP/1.1 301 Moved Permanently.
Server: nginx/1.13.12.
Date: Tue, 24 Jul 2018 03:04:45 GMT.
Content-Type: text/html.
Content-Length: 186.
Connection: keep-alive.
Location: https://hacpai.com/.
.
<html>.
<head><title>301 Moved Permanently</title></head>.
<body bgcolor="white">.
<center><h1>301 Moved Permanently</h1></center>.
<hr><center>nginx/1.13.12</center>.
</body>.
</html>.
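The byline output shown in the two sections above is easy to post-process. The following parser, added here as an example and not part of the original post or of ngrep itself, splits `ngrep -W byline -q` output into HTTP messages (dropping the trailing "." that stands for the invisible "\r") and then lists plaintext requests that were answered with a 3xx redirect, a quick way to see which clients still start on port 80 before being bounced to HTTPS. It assumes the default banner format (no -t timestamps) and uses a constructed sample trimmed from the capture above.

```python
import re

PKT_HDR = re.compile(r"^[TU] (\S+) -> (\S+) \[[A-Z]*\]$")  # "T src -> dst [AP]"

def parse_byline(text):
    """Split `ngrep -W byline` output into dicts: src, dst, start, headers.
    byline prints '\\n' as a line break, but '\\r' still shows as '.', so every
    header line ends with a stray '.' that is dropped here."""
    msgs, cur, in_hdr = [], None, False
    for raw in text.splitlines():
        m = PKT_HDR.match(raw)
        if m:                                   # banner: start a new message
            cur = {"src": m[1], "dst": m[2], "start": "", "headers": {}}
            msgs.append(cur)
            in_hdr = False
        elif cur is not None and not raw.startswith("#"):   # '#' = progress mark
            line = raw[:-1] if raw.endswith(".") else raw   # '.' stands for '\r'
            if not cur["start"]:
                if line:
                    cur["start"], in_hdr = line, True
            elif in_hdr and line == "":         # empty line ends the headers
                in_hdr = False
            elif in_hdr and ":" in line:
                name, _, value = line.partition(":")
                cur["headers"][name.strip().lower()] = value.strip()
    return [m for m in msgs if m["start"]]

def http_redirects(msgs):
    # (client, requested Host, Location) for plaintext requests answered with 3xx
    hits, last_req = [], {}
    for m in msgs:
        parts = m["start"].split()
        if not parts[0].startswith("HTTP/"):    # a request: remember it per flow
            last_req[(m["dst"], m["src"])] = m
        elif len(parts) > 1 and parts[1][:1] == "3" and "location" in m["headers"]:
            req = last_req.get((m["src"], m["dst"]))
            host = req["headers"].get("host", "?") if req else "?"
            hits.append((m["dst"], host, m["headers"]["location"]))
    return hits

SAMPLE = """\
T 30.30.140.17:55294 -> 118.31.188.179:80 [AP]
GET / HTTP/1.1.
Host: www.hacpai.com.
.
T 118.31.188.179:80 -> 30.30.140.17:55294 [AP]
HTTP/1.1 301 Moved Permanently.
Location: https://hacpai.com/.
.
<html>.
"""  # constructed sample in the format of the capture above (trimmed)
```

Feeding a real capture is a matter of `ngrep -W byline -q 'HTTP/' port 80 | python3 -c '...'` reading stdin instead of SAMPLE.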

Hex display

What if you need to debug the exact bytes of a packet and want to see them in hex?

ngrep -x -q hacpai port 80

Result

T 30.30.140.17:55588 -> 118.31.188.179:80 [AP]
 47 45 54 20 2f 20 48 54  54 50 2f 31 2e 31 0d 0a    GET / HTTP/1.1..
 48 6f 73 74 3a 20 77 77  77 2e 68 61 63 70 61 69    Host: www.hacpai
  2e 63 6f 6d 0d 0a 55 73   65 72 2d 41 67 65 6e 74   .com..User-Agent
  3a 20 63 75 72 6c 2f 37   2e 35 34 2e 30 0d 0a 41   : curl/7.54.0..A
 63 63 65 70 74 3a 20 2a    2f 2a 0d 0a 0d 0a          ccept: */*....

T 118.31.188.179:80 -> 30.30.140.17:55588 [AP]
 48 54 54 50 2f 31 2e 31  20 33 30 31 20 4d 6f 76   HTTP/1.1 301 Mov
 65 64 20 50 65 72 6d 61   6e 65 6e 74 6c 79 0d 0a    ed Permanently..
 53 65 72 76 65 72 3a 20   6e 67 69 6e 78 2f 31 2e    Server: nginx/1.
 31 33 2e 31 32 0d 0a 44  61 74 65 3a 20 54 75 65    13.12..Date: Tue
  2c 20 32 34 20 4a 75 6c   20 32 30 31 38 20 30 33    , 24 Jul 2018 03
  3a 32 30 3a 34 38 20 47    4d 54 0d 0a 43 6f 6e 74   :20:48 GMT..Cont
 65 6e 74 2d 54 79 70 65    3a 20 74 65 78 74 2f 68   ent-Type: text/h
 74 6d 6c 0d 0a 43 6f 6e   74 65 6e 74 2d 4c 65 6e    tml..Content-Len
 67 74 68 3a 20 31 38 36    0d 0a 43 6f 6e 6e 65 63    gth: 186..Connec
 74 69 6f 6e 3a 20 6b 65  65 70 2d 61 6c 69 76 65   tion: keep-alive
  0d 0a 4c 6f 63 61 74 69    6f 6e 3a 20 68 74 74 70   ..Location: http
 73 3a 2f 2f 68 61 63 70   61 69 2e 63 6f 6d 2f 0d    s://hacpai.com/.
  0a 0d 0a 3c 68 74 6d 6c    3e 0d 0a 3c 68 65 61 64    ...<html>..<head
  3e 3c 74 69 74 6c 65 3e   33 30 31 20 4d 6f 76 65    ><title>301 Move
 64 20 50 65 72 6d 61 6e   65 6e 74 6c 79 3c 2f 74   d Permanently</t
 69 74 6c 65 3e 3c 2f 68  65 61 64 3e 0d 0a 3c 62   itle></head>..<b
  6f 64 79 20 62 67 63 6f    6c 6f 72 3d 22 77 68 69    ody bgcolor="whi
 74 65 22 3e 0d 0a 3c 63  65 6e 74 65 72 3e 3c 68   te">..<center><h
 31 3e 33 30 31 20 4d 6f   76 65 64 20 50 65 72 6d    1>301 Moved Perm
 61 6e 65 6e 74 6c 79 3c    2f 68 31 3e 3c 2f 63 65    anently</h1></ce
  6e 74 65 72 3e 0d 0a 3c   68 72 3e 3c 63 65 6e 74   nter>..<hr><cent
 65 72 3e 6e 67 69 6e 78   2f 31 2e 31 33 2e 31 32    er>nginx/1.13.12
  3c 2f 63 65 6e 74 65 72   3e 0d 0a 3c 2f 62 6f 64   </center>..</bod
 79 3e 0d 0a 3c 2f 68 74    6d 6c 3e 0d 0a             y>..</html>..

Full documentation

Please consult the manual on your own.
