justniffer: the great traffic-capture method


This article briefly introduces justniffer, a handy traffic-capture tool that can both sniff traffic live and analyse packet captures offline. Compared with the well-known capture tool Wireshark, justniffer is simpler to use and has less impact on the network. Faced with massive traffic, we frequently need to pick the malicious requests out of it in order to block them, so I am recording some basic justniffer usage here for future reference.

Install

sudo add-apt-repository ppa:oreste-notelli/ppa
sudo apt-get update
sudo apt-get install justniffer

Usage

Basic commands

justniffer -i eth5 -u -l "%request.header.host %request.method %request.url %response.grep(\r\n\r\n(.*)) %request.grep(\r\n\r\n(.*))"

Key parameters

  • -i specifies the network interface to listen on
  • -l specifies the log output format
  • -u replaces unprintable characters with a dot (.)

Log format

  • %request.header.host #Host header of the request
  • %request.method #Request method (GET, POST, ...)
  • %request.url #Request URL
  • %request.grep(\r\n\r\n(.*)) #Request body (everything after the blank line that ends the headers)
  • %response.grep(\r\n\r\n(.*)) #Response body, captured the same way

Post Processing

Generally speaking, after capturing traffic we need to save it locally and then look for patterns in it. But how do we save it, and how do we extract the key content afterwards? Here is a small method.

Grab the traffic to the file

You can use the following command to capture the specified fields of each request/response and append them to a file:

justniffer -i eth5 -u -l "%request.header.host NMASKnmask %request.method NMASKnmask %request.url NMASKnmask %response.grep(\r\n\r\n(.*)) NMASKnmask %request.grep(\r\n\r\n(.*))" | awk -F nmask '$1 !~ /^-/ && $2 ~ /(GET|POST).*/ {print$2,$1,$3,$4,$5}' >> /log/20170927.log 2>&1

Description: this command extracts the host, method, url, response_body and request_body of each flow (note: the awk filter keeps only GET and POST requests, and drops lines whose first field starts with "-", which is what justniffer prints for a missing value) and appends them to /log/20170927.log. Run it for a period of time, for example one hour; when you stop the process you have an hour of traffic information.

Processing log files

Open /log/20170927.log and you will see that each line has the following format:

GET NMASK www.baidu.com NMASK /test.html NMASK response_body={"result":"123"} NMASK request_body={"get":"123"}

Note: each line of the file holds the information of one flow, split into five parts separated by NMASK (a special marker string which you can customize). You can then write a Python script that walks through the log file and uses split("NMASK") to get the fields of every flow.
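The following script is an added example (it is not part of the original post) that does the splitting described above. The field order and the NMASK separator follow the sample line shown in this post; the "response_body=" / "request_body=" prefixes are assumed to be optional and are stripped when present. The sample log content is constructed and includes a stray stderr line (the capture command redirects 2>&1 into the same file) and a truncated record, both of which a parser has to skip rather than crash on. parse_log accepts any iterable of lines, so it works on an open file as well as on a pipe.

```python
"""Parse justniffer log lines of the form produced by the awk pipeline in the post.

Added example, not part of the original post. Field order and the NMASK
separator follow the post's sample line; the body prefixes are assumed optional.
"""
from collections import Counter

SEP = "NMASK"  # separator chosen in the -l format string (customizable)
FIELDS = ("method", "host", "url", "response_body", "request_body")

# Constructed sample log: two normal records, one stderr line that ended up in
# the file because of 2>&1, and one record with a missing field.
SAMPLE_LOG = """\
GET NMASK www.baidu.com NMASK /test.html NMASK response_body={"result":"123"} NMASK request_body={"get":"123"}
POST NMASK www.baidu.com NMASK /login NMASK response_body={"ok":true} NMASK request_body=user=a&pass=b
justniffer: some warning written to stderr
GET NMASK www.baidu.com NMASK /favicon.ico NMASK
"""


def parse_record(line):
    """Split one log line into a dict, or return None if it is not a 5-field record."""
    parts = [p.strip() for p in line.rstrip("\r\n").split(SEP)]
    if len(parts) != len(FIELDS):
        return None  # stderr noise, truncated record, or a different separator
    rec = dict(zip(FIELDS, parts))
    for key in ("response_body", "request_body"):
        prefix = key + "="
        if rec[key].startswith(prefix):
            rec[key] = rec[key][len(prefix):]
    return rec


def parse_log(lines):
    """Yield parsed records from any iterable of lines (an open file or a pipe)."""
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            yield rec


def count_requests(records):
    """Count (method, host, url) tuples: a first cut at spotting noisy paths."""
    return Counter((r["method"], r["host"], r["url"]) for r in records)


def find_requests(records, needle):
    """Return records whose URL or request body contains `needle` (case-insensitive)."""
    needle = needle.lower()
    return [r for r in records
            if needle in r["url"].lower() or needle in r["request_body"].lower()]


if __name__ == "__main__":
    records = list(parse_log(SAMPLE_LOG.splitlines(True)))
    for key, n in count_requests(records).most_common():
        print(n, *key)
    # Example use: locate requests that carry a cleartext password parameter.
    for r in find_requests(records, "pass="):
        print("credential-looking body in", r["method"], r["url"])
```

To run it over a real capture, replace SAMPLE_LOG.splitlines(True) with an open file object for /log/20170927.log (or the stdout of the subprocess shown later in the post); parse_log streams line by line, so the file size does not matter.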

For more configuration options and command-line parameters, see: http://www.jianshu.com/p/02021de8f82e

Using justniffer from Python

This needs the subprocess module:

import subprocess

# Same capture pipeline as the shell command above. The \\r\\n escapes are kept
# literal so that justniffer, not Python, interprets them, exactly as in the bash version.
cmd = ("justniffer -i eth0 -u -l '%request.header.host nmask %request.method nmask "
       "%request.url nmask %response.grep(\\r\\n\\r\\n(.*))' "
       "| awk -F nmask '$1 !~ /^-/ {print}'")
popen = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
while True:
    line = popen.stdout.readline()  # one traffic record per line
    if not line:                    # empty bytes: justniffer has exited
        break
    print(line)  # replace with your own function that handles the traffic

Article title: justniffer: the great traffic-capture method

Author: nmask

Published: 2017-09-27 11:09

Last updated: 2019-07-11 17:07

Original link: https://thief.one/2017/09/27/1/en/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Please keep the original link and author when reposting.
