Linux tcpdump and ngrep
Latest revision as of 16:55, 10 June 2021
= tcpdump =
== Filter a host ==
<source lang="bash">
sudo tcpdump -q -i any host 97.22.22.22
</source>
== Expressions and/or logical operators ==
<source lang="bash">
tcpdump -qn -i any -p -e "(dst port 9443 or \
                           dst port 22 or \
                           dst port 8672) and \
                          (src net 10.34.96.128/25 or \
                           src net 10.34.97.128/25 or \
                           src net 10.34.98.128/25)"
tcpdump -qn -i any -p -e "dst port 22 and (src net 10.34.96.128/25 or src net 10.34.97.128/25 or net 10.34.98.128/25)"
# -q less verbose, -n no DNS resolution, -e print the link-level (MAC) header on each line
# -p (--no-promiscuous-mode) Don't put the interface into promiscuous mode
# note: a bare "net 10.34.98.128/25" (no src/dst qualifier) matches that subnet in either direction
</source>
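The grouping above is easy to get wrong when typed by hand, because in pcap filter syntax <code>and</code> binds more tightly than <code>or</code>. As an added example (not part of the original page), the shell helpers below generate the parenthesised filter from plain port and subnet lists and, where tcpdump is installed, compile it offline with <code>tcpdump -r ... -d</code> against an empty pcap header, which checks the syntax without root or a live interface. The function names (<code>join_or</code>, <code>build_filter</code>, <code>check_filter</code>) are this example's own.

```shell
# Added example (not from the original page): build the grouped tcpdump
# filter from port and subnet lists, and syntax-check it offline.
# join_or, build_filter and check_filter are this example's own names.

# join_or <qualifier> <item>... -> "(qualifier a or qualifier b ...)"
join_or() {
    local qualifier=$1 out="" item
    shift
    for item in "$@"; do
        if [ -z "$out" ]; then
            out="$qualifier $item"
        else
            out="$out or $qualifier $item"
        fi
    done
    printf '(%s)' "$out"
}

# build_filter "<dst ports>" "<src nets>" -> BPF filter expression.
# Both groups are parenthesised: 'and' binds more tightly than 'or',
# so "a or b and c" would mean "a or (b and c)".
build_filter() {
    local ports nets
    ports=$(join_or "dst port" $1)   # $1 unquoted: split on spaces on purpose
    nets=$(join_or "src net" $2)
    printf '%s and %s' "$ports" "$nets"
}

# check_filter <expr>: compile the expression with 'tcpdump -d' against an
# empty pcap (24-byte global header, link type Ethernet). Reading a file
# needs no root and no interface, so this can run on a build box.
# Returns 0 if the filter compiles; also returns 0 (skip) when tcpdump is absent.
check_filter() {
    local pcap rc
    command -v tcpdump >/dev/null 2>&1 || { echo "tcpdump not found, skipping" >&2; return 0; }
    pcap=$(mktemp) || return 1
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$pcap"
    tcpdump -r "$pcap" -d "$1" >/dev/null 2>&1 && rc=0 || rc=1
    rm -f "$pcap"
    return $rc
}

# Usage:
#   f=$(build_filter "9443 22 8672" "10.34.96.128/25 10.34.97.128/25 10.34.98.128/25")
#   check_filter "$f" && sudo tcpdump -qn -i any -p "$f"
```

Running <code>check_filter</code> before the live capture catches typos such as an unbalanced parenthesis or a misspelled qualifier at the point where they are cheap to fix, instead of after the capture has silently matched nothing.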
= ngrep =
''ngrep'' is a network packet analyzer tool. It is a grep-like tool applied to the network layer: it matches traffic passing over a network interface, using ''tcpdump''-like argument syntax. It supports IPv4/6, TCP, UDP, ICMPv4/6, IGMP as well as Raw.
Install
<source lang="bash">
sudo apt install ngrep
sudo yum install ngrep
sudo dnf install ngrep
</source>
Examples
<source lang="bash">
sudo ngrep -q '.' 'icmp' # match all ping requests on the default working interface
</source>
Left terminal: ''ngrep'' capturing; right terminal: the ''ping'' that generated the matched ICMP echo requests (8:0) and replies (0:0).
<source lang="bash">
piotr@ubuntu:~/git$ sudo ngrep -q '.' 'icmp'
interface: ens33 (192.168.30.0/255.255.255.0)
filter: (ip or ip6) and ( icmp )
match: .

I 192.168.30.136 -> 212.77.98.9 8:0
  ......w[....`....................... !"#$%&'()*+,-./01234567

I 212.77.98.9 -> 192.168.30.136 0:0
  ......w[....`....................... !"#$%&'()*+,-./01234567

I 192.168.30.136 -> 212.77.98.9 8:0
  ......w[............................ !"#$%&'()*+,-./01234567

I 212.77.98.9 -> 192.168.30.136 0:0
  ......w[............................ !"#$%&'()*+,-./01234567
</source>
<source lang="bash">
piotr@ubuntu:~/git$ ping wp.pl -c 2
PING wp.pl (212.77.98.9) 56(84) bytes of data.
64 bytes from www.wp.pl (212.77.98.9): icmp_seq=1 ttl=128 time=73.4 ms
64 bytes from www.wp.pl (212.77.98.9): icmp_seq=2 ttl=128 time=88.7 ms

--- wp.pl ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 73.417/81.107/88.798/7.695 ms
piotr@ubuntu:~/git$
</source>
<source lang="bash">
sudo ngrep -q '.' 'host google.com' # match only traffic to or from a particular host
sudo ngrep -q '^GET .* HTTP/1.[01]' # monitor which files your browser is requesting
sudo ngrep port 25 # port 25 as source or destination
sudo ngrep -d any 'error' port 514 # monitor any network-based syslog traffic for the occurrence of the word 'error'
sudo ngrep port 80 # match all requests to the destination host
sudo ngrep -W byline port 80 # match all requests to the destination host - prettier format
sudo ngrep -t -W byline port 80 # print a timestamp when every packet is matched
# -p don't put the interface into promiscuous mode
# -N show sub-protocol number along with single-character identifier (useful when observing raw or unknown protocols)
</source>
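The syslog example above prints every matching packet, which is fine to watch by eye but not to act on. As an added example (not part of the original page), the script below turns the <code>-t -W byline</code> output into a per-sender count of error messages, which is the shape a defender wants when deciding which host is flooding the syslog collector. <code>sample_ngrep_output</code> is a constructed stand-in for the live <code>ngrep</code> stream (the header line format, protocol letter, timestamp, then <code>src -> dst</code>, follows what <code>-t</code> prints; the syslog lines are made up), and <code>count_errors_by_source</code> is this example's own name.

```shell
# Added example (not from the original page): count syslog-over-UDP
# "error" messages per sending host from ngrep's '-t -W byline' output.
# sample_ngrep_output() is a constructed stand-in for the live pipeline;
# both function names are this example's own.

# Constructed sample of what `sudo ngrep -d any -t -W byline -q '.' port 514`
# prints: one header line per packet (proto, date, time, src -> dst), then the
# payload, then a blank line. The '.' pattern matches every packet so that
# the error selection below is done by the script, not by ngrep.
sample_ngrep_output() {
    cat <<'EOF'
U 2021/06/10 16:55:01.123456 10.34.96.130:45123 -> 10.34.96.5:514
<11>Jun 10 16:55:01 web01 sshd[2201]: error: PAM: Authentication failure for root from 192.0.2.10

U 2021/06/10 16:55:02.200001 10.34.97.140:45124 -> 10.34.96.5:514
<30>Jun 10 16:55:02 db01 systemd[1]: Started Daily apt download activities.

U 2021/06/10 16:55:03.300002 10.34.98.150:45125 -> 10.34.96.5:514
<27>Jun 10 16:55:03 nas01 kernel: [1234.5678] blk_update_request: I/O error, dev sdb, sector 2048

U 2021/06/10 16:55:04.400003 10.34.96.130:45126 -> 10.34.96.5:514
<11>Jun 10 16:55:04 web01 sshd[2203]: error: kex_exchange_identification: Connection closed by remote host
EOF
}

# count_errors_by_source: read ngrep output on stdin, print "<src-ip> <count>"
# sorted by address. A header line is recognised by its single-letter
# protocol field and the "->" token; the port is stripped from the source.
# Payload lines are attributed to the most recent header's source.
count_errors_by_source() {
    awk '
        $1 ~ /^[TUI]$/ && $5 == "->" { src = $4; sub(/:[0-9]+$/, "", src); next }
        src != "" && tolower($0) ~ /error/ { count[src]++ }
        END { for (s in count) print s, count[s] }
    ' | sort
}

# Live usage (the capture needs root):
#   sudo ngrep -d any -t -W byline -q '.' port 514 | count_errors_by_source
# Offline check against the constructed sample:
#   sample_ngrep_output | count_errors_by_source
```

The same function works unchanged on a stream already narrowed with <code>ngrep ... 'error' port 514</code>; the awk match then simply confirms what ngrep selected. For TCP syslog (port 514 or 6514 over TLS, where the payload is not readable this way) the header line carries a trailing flag field such as <code>[AP]</code>, which the field test above tolerates because it only inspects the first five fields.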
= [https://github.com/iovisor/bcc BCC] Linux-ish DTrace =
BCC is a toolkit for creating efficient kernel tracing and manipulation programs, and includes several useful tools and examples. It makes use of extended BPF (Berkeley Packet Filter), also known as eBPF, a feature first added to Linux 3.15. Much of what BCC uses requires Linux 4.1 and above.
[https://github.com/iovisor/bcc/blob/master/INSTALL.md Install]
<source lang="bash">
# Amazon Linux 2
sudo amazon-linux-extras enable BCC
sudo yum install kernel-devel-$(uname -r)
sudo yum install bcc
# Tools listing
https://github.com/iovisor/bcc/tree/master/tools
</source>