• 2007-05-23

    Network packet capture tool---ipgrab - [GNU]

    ipgrab is a libpcap-based network packet capture tool written by Mike Borella. Because it is small and cleanly structured, it is well suited to reading and studying. ipgrab implements basic packet capture and supports BPF filtering, so it can also perform a certain amount of capture-time analysis.

       Basic usage:

        ipgrab [-blmnPprTtwx] [-c|--count n] [-h|--help] [-i|--interface if] [BPF expr]
    The BPF expression is a string of terms that is acceptable to the Berkeley Packet Filter.
    For more details on the BPF expression grammar, see the tcpdump manual page.
    • -a. Don’t display application layer data.
    • -b. Turn off buffering of standard output (stdout) so that all displaying occurs as soon
    as possible. Useful when IPgrab output is being re-directed to a file.
    • -c n / --count n. Terminate after reading and displaying the first n packets.
    • -C proto / --CCP proto. Assume a particular CCP protocol, such as MPPC. MPPC
    is the only one supported today.
    • -d. Dump extra padding in packets. For example, according to an IP header, the
    packet ends at a certain point, but the link layer may have padded it beyond that.
    This option displays the padding. Not valid in minimal mode.
    • -h / --help. Display usage screen with a brief description of the command line options.
    • -i if / --interface if. Makes IPgrab listen to packets on interface if. If this option
    is not used, the default interface will be assumed.
    • -l. Don’t display link layer headers. The following protocols are considered to be link
    layer: ARP, CHAP, Ethernet, IPCP, LCP, LLC, Loopback, PPP, PPPoE, Raw, Slip.
    • -m. Minimal mode output.
    • -n. Don’t display network layer headers. The following protocols are considered to be
    network layer: AH, ESP, GRE, ICMP, ICMPv6, IGMP, IP, IPv6, IPX, IPXRIP.
    • -P. Initiate a dynamic port mapping. This option must be followed by a string of the
    form ‘<protocol>=<port>’, such as ‘rtp=6569’.
    • -p. Dump packet payloads beyond what IPgrab parses. In other words, if IPgrab
    doesn’t parse a particular application, this option will dump the application data in
    hex and text format.
    • -r. Read packets from a file, rather than an interface. The file should be created in
    "raw" format, such as with ‘-w’ option.
    • -T. Don’t display timestamps in minimal mode.
    • -t. Don’t display transport layer headers. The following protocols are considered to
    be transport layer: SPX, TCP, UDP.
    • -v. Display version number then quit.
    • -w. Write the raw packets to a file, rather than the screen. The packets will not be
    parsed. The file can be read with the ‘-r’ option.
    • -x. Hex dump mode. After processing each layer, dump out the contents of that layer
    in hex and text. Only valid in main mode.

     In general you need to understand the relevant BPF rules, since they make targeted capture much easier. The data captured by ipgrab is normally displayed in the following format:

    ----------------------------------------------------------------
                            Ethernet header (961445334.490653)
    ----------------------------------------------------------------
    Hardware source:        00:10:4b:96:1d:a8
    Hardware destination:   08:00:02:25:29:77
    Protocol:               0x800 (IP)
    Length:                 68
    ----------------------------------------------------------------
                            IP Header
    ----------------------------------------------------------------
    Version:                4
    Header length:          5
    TOS:                    0x10
    Total length:           54
    Identification:         6795
    Fragmentation offset:   0
    Unused bit:             0
    Don't fragment bit:     1
    More fragments bit:     0
    Time to live:           64
    Protocol:               6 (TCP)
    Header checksum:        37890
    Source address:         149.112.60.156
    Destination address:    149.112.36.168
    ----------------------------------------------------------------
                            TCP Header
    ----------------------------------------------------------------
    Source port:            2692 (unknown)
    Destination port:       23 (telnet)
    Sequence number:        2876130028
    Acknowledgement number: 3994633468
    Header length:          8
    Unused:                 0
    Flags:                  PA
    Window size:            32120
    Checksum:               58743
    Urgent:                 0
    Option:                 1 (no op)
    Option:                 1 (no op)
    Option:                 8 (timestamp)
      Length:               10
      Timestamp value:      181028495
      Timestamp reply:      44432019
    ----------------------------------------------------------------
    ....other data
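Once a capture is in this layered text format it is easy to post-process. The Python parser below is an added example, not part of ipgrab or of this post: it splits the ruled output into one record per layer header, collects repeated keys such as the TCP "Option:" lines into a list, and flags a session whose destination port is telnet (cleartext), as in the capture above. The sample text is a constructed, trimmed copy of that capture.

```python
import re
# Constructed sample: the ipgrab capture shown above, trimmed to three layers and a few fields.
SAMPLE = """\
----------------------------------------------------------------
                        Ethernet header (961445334.490653)
----------------------------------------------------------------
Hardware source:        00:10:4b:96:1d:a8
Protocol:               0x800 (IP)
----------------------------------------------------------------
                        IP Header
----------------------------------------------------------------
Protocol:               6 (TCP)
Source address:         149.112.60.156
Destination address:    149.112.36.168
----------------------------------------------------------------
                        TCP Header
----------------------------------------------------------------
Destination port:       23 (telnet)
Option:                 1 (no op)
Option:                 8 (timestamp)
  Timestamp value:      181028495
"""

RULE = re.compile(r"^-{10,}$")                                   # separator line
TITLE = re.compile(r"^\s*(?P<name>.+?)(?: \((?P<ts>[\d.]+)\))?\s*$")  # "IP Header" / "Ethernet header (ts)"

def parse_ipgrab(text: str) -> list[dict]:
    """Split ipgrab's ruled output into one dict per layer: name, timestamp, fields."""
    layers, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        # A layer starts with a rule line, a title line, then another rule line.
        if RULE.match(lines[i]) and i + 2 < len(lines) and RULE.match(lines[i + 2]):
            m = TITLE.match(lines[i + 1])
            layers.append({"layer": m["name"], "timestamp": m["ts"], "fields": {}})
            i += 3
            continue
        if layers and ":" in lines[i]:
            key, _, value = lines[i].partition(":")  # first colon only: MAC addresses keep theirs
            fields, key, value = layers[-1]["fields"], key.strip(), value.strip()
            # Repeated keys (e.g. several "Option:" lines) accumulate into a list.
            fields[key] = value if key not in fields else (fields[key] if isinstance(fields[key], list) else [fields[key]]) + [value]
        i += 1
    return layers

def cleartext_telnet(layers: list[dict]) -> bool:
    # True when the TCP layer's destination port is 23 (telnet), i.e. a cleartext login session.
    tcp = next((l for l in layers if l["layer"] == "TCP Header"), None)
    return tcp is not None and tcp["fields"].get("Destination port", "").split(" ")[0] == "23"
```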