Thursday, November 20, 2014

A few sniffers for watching network packets

Wireshark is the well-known one and needs no introduction,
but it is a fairly heavyweight tool. The ones below are lighter.
Note that everything here except smartsniff looks only at port 80, i.e. plaintext HTTP;
HTTPS on port 443 is not decoded by any of them.

smartsniff
  1. for windows
  2. shows every packet

httpnetworksniffer
  1. for windows
  2. port 80 only (HTTP)

websitesniffer
  1. for windows
  2. also port 80 only, and it keeps per-domain counts, which makes it a good tool for finding out which domain is receiving a large number of connections

Ngrep + Perl : http://ssorc.tw/?p=1025
  1. perl wrapped around ngrep (a tcpdump-style grep for network traffic); the script is below
  2. the raw output, however, is not very easy to read
#!/usr/bin/perl
# Wrap ngrep and print one line per plaintext HTTP request sent to port 80:
#   (--) src:port -> dst:port => METHOD http://host/path
use strict;
use warnings;

my $limit = shift || 5000;   # ngrep -n: stop after this many matched packets
$| = 1;                      # unbuffered STDOUT so lines appear as they are seen

# -W single puts each match on one line with CR/LF rendered as "..".
# The pattern is anchored so a "GET" inside a body is not taken for a request,
# and the list-form open keeps the arguments away from the shell.
open(my $ngrep, '-|', '/usr/bin/ngrep', '-q', '-W', 'single', "-n$limit",
     '^(POST|GET) ', 'tcp', 'and', 'dst', 'port', '80')
    or die "cannot run ngrep: $!";

while (my $line = <$ngrep>) {
    chomp $line;
    next unless $line =~ /^T /;            # skip ngrep's banner lines

    # "T src:port -> dst:port [AP] payload" -> endpoints and payload
    my ($where, $payload) = $line =~ /^T (.*?) \[[A-Z]*\] (.*)$/;
    next unless defined $payload;

    my (%req, $method);
    foreach my $field (split /\.\./, $payload) {
        last if $field eq '';              # blank line ends the headers
        if ($field =~ /^(GET|POST) (\S+) HTTP\//) {
            ($method, $req{action}) = ($1, $2);
        } elsif ($field =~ /^Host: *(\S+)/i) {
            $req{host} = $1;
        }
    }
    next unless defined $method;           # no request line in this packet
    print "(--) $where => $method http://" . ($req{host} // '') . $req{action} . "\n";
}
close $ngrep;
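The Perl script above only lists requests; websitesniffer's useful extra is the per-domain count. The following Python is an added example, not code from the original post or from any of the tools named here: it parses the same `ngrep -W single` line format (assuming ngrep was started as `ngrep -q -W single '^(GET|POST) ' tcp and dst port 80`) and tallies requests per Host. The sample output embedded in it is constructed, not a real capture; the fallback to the destination IP for clients that send no Host header is this example's own choice.

```python
"""Count plaintext HTTP requests per host from ngrep -W single output.

Added example for this post (not the original Perl script). It assumes ngrep
was run as  ngrep -q -W single '^(GET|POST) ' tcp and dst port 80  so that
every matched packet is one line, 'T src -> dst [flags] payload', with the
payload's CR/LF shown as dots.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in ngrep -W single format (not a real capture). The last
# line is the kind of mid-payload "GET" hit an unanchored pattern would produce.
SAMPLE = """\
interface: eth0 (192.0.2.0/255.255.255.0)
filter: ( tcp and dst port 80 ) and (ip || ip6)
match: ^(GET|POST)
####
T 192.0.2.10:51234 -> 198.51.100.7:80 [AP] GET /index.html HTTP/1.1..Host: www.example.com..User-Agent: curl/7.68.0..Accept: */*....
T 192.0.2.10:51235 -> 198.51.100.7:80 [AP] GET /style.css HTTP/1.1..Host: www.example.com..Accept: text/css....
T 192.0.2.11:40012 -> 203.0.113.5:80 [AP] POST /login HTTP/1.1..Host: api.example.net..Content-Type: application/x-www-form-urlencoded..Content-Length: 23....user=alice&pass=hunter2
T 192.0.2.10:51236 -> 198.51.100.7:80 [AP] GET /favicon.ico HTTP/1.0....
T 192.0.2.12:33333 -> 198.51.100.9:80 [AP] ..binary..GET..noise..
"""

MATCH_LINE = re.compile(r"^T (\S+) -> (\S+) \[([A-Z]*)\] (.*)$")
REQUEST_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/\d\.\d$")


@dataclass
class Request:
    src: str
    dst: str
    method: str
    path: str
    host: str  # Host header, or the destination IP when the client sent none

    def url(self) -> str:
        return f"http://{self.host}{self.path}"


def parse_line(line: str) -> Optional[Request]:
    """Return a Request for one ngrep match line, or None for banner lines,
    '#' progress marks, and payloads that do not start with a request line."""
    m = MATCH_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    src, dst, _flags, payload = m.groups()
    fields = payload.split("..")  # ".." is CR LF, so "...." is the blank line
    req = REQUEST_LINE.match(fields[0])
    if not req:
        return None  # "GET" somewhere in a body, not an HTTP request line
    method, path = req.groups()
    host = ""
    for field in fields[1:]:
        if field == "":
            break  # end of headers; anything after is the body
        name, sep, value = field.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    if not host:  # HTTP/1.0 clients may omit Host; fall back to the server IP
        host = dst.rsplit(":", 1)[0]
    return Request(src, dst, method, path, host)


def parse_output(text: str) -> List[Request]:
    parsed = (parse_line(line) for line in text.splitlines())
    return [r for r in parsed if r is not None]


def count_by_host(requests: List[Request]) -> Counter:
    """Requests per host; Counter.most_common() gives the busiest first."""
    return Counter(r.host for r in requests)


def report(text: str) -> str:
    """The per-request lines the Perl script prints, then a per-host tally."""
    requests = parse_output(text)
    out = [f"(--) {r.src} -> {r.dst} => {r.method} {r.url()}" for r in requests]
    out += ["", "requests per host:"]
    out += [f"{n:6d}  {host}" for host, n in count_by_host(requests).most_common()]
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: ngrep -q -W single '^(GET|POST) ' tcp and dst port 80 | python3 this.py
    # With no piped input it runs on the constructed sample above.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(report(text))
```

Like every tool on this page it only sees port 80, so a busy HTTPS site never appears in the tally; the `..binary..GET..noise..` line shows why the ngrep pattern should be anchored to the start of the payload, otherwise body bytes that happen to contain GET are reported as requests, which is part of what made the raw output hard to read.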

http://ssorc.tw/3427
