This article briefly introduces justniffer, a handy traffic-capture tool that can sniff traffic live and also analyze packet captures offline. Compared with the packet-capture tool Wireshark, justniffer is simpler to use and puts less load on the network. Faced with large volumes of traffic, we often need to pick the malicious requests out of it in order to block them, so I am recording some basic justniffer usage here for later reference.
- `-i` specifies the network interface to listen on
- `-l` specifies the log output format
- `-u` replaces unprintable characters with `.`
- `%request.header.host` # the Host header of the request
- `%request.method` # the request method
- `%request.url` # the request URL
- `%request.grep(\r\n\r\n(.*))` # the request body (everything after the blank line that ends the headers)
Generally speaking, after capturing the traffic we need to save it locally and then analyze it for patterns. But how do we save it, and how do we extract the key content afterwards? Here is a small method.
You can use the following command to fetch a chosen set of fields from the traffic and save them to a file:
Description: this command obtains the host, method, url, response_body, and request_body of each flow (note: only GET and POST requests are captured here) and saves them to the file /log/20170927.log. We can let the command run for a period of time, such as one hour, and when we stop the process we have collected an hour of traffic information.
Open the /log/20170927.log file; each line we see has the following format:
Note: each line of the file holds the information of one flow, divided into five fields, and the fields are separated by NMASK (a special marker string; you can choose your own). We can then write a Python script that walks through the log file and uses split("NMASK") to get the fields of every flow.
For more configuration information and command parameters, please refer to: http://www.jianshu.com/p/02021de8f82e
The script needs the subprocess module:
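As an added example (this is not the original article's script), the following Python code does both things described above: it starts justniffer from Python with the subprocess module for a fixed capture window, and it parses the NMASK-separated log that the capture writes. The justniffer `-l` format string, the field order (host, method, url, response_body, request_body), the use of `%response.body` and `%request.body`, and the sample log lines are all assumptions made for this example; the page does not show its own command or log lines.

```python
"""Added example: drive justniffer from Python and parse its NMASK-separated log.

Assumptions (not stated on the page): the justniffer binary is on PATH, the
-l format below is the one used for the capture, and each line carries the
five fields host, method, url, response_body, request_body in that order.
"""
import subprocess
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

SEPARATOR = "NMASK"                 # the page's field separator (customizable)
ALLOWED_METHODS = {"GET", "POST"}   # the page only keeps GET and POST flows

# Assumed log format: the page's keywords plus %response.body / %request.body.
# With -u, newlines inside bodies become dots, so one flow stays on one line.
LOG_FORMAT = SEPARATOR.join([
    "%request.header.host", "%request.method", "%request.url",
    "%response.body", "%request.body",
])


def build_justniffer_command(interface: str) -> List[str]:
    """Return the argv list used to launch justniffer on `interface`."""
    return ["justniffer", "-i", interface, "-u", "-l", LOG_FORMAT]


def capture(interface: str, logfile: str, seconds: int) -> int:
    """Run justniffer for `seconds` seconds, appending its output to logfile.

    justniffer needs root or CAP_NET_RAW to open the interface. The process is
    terminated when the timeout expires; its exit status is returned.
    """
    with open(logfile, "ab") as out:
        proc = subprocess.Popen(build_justniffer_command(interface), stdout=out)
        try:
            proc.wait(timeout=seconds)
        except subprocess.TimeoutExpired:
            proc.terminate()
            proc.wait()
    return proc.returncode


@dataclass
class Flow:
    host: str
    method: str
    url: str
    response_body: str
    request_body: str


def parse_line(line: str) -> Optional[Flow]:
    """Split one log line into a Flow.

    Returns None for lines that do not have exactly five fields (a truncated
    write, stray program output) and for methods other than GET/POST. The
    split is capped at four separators so a request body that happens to
    contain the separator string is kept whole rather than shifting fields.
    """
    parts = line.rstrip("\r\n").split(SEPARATOR, 4)
    if len(parts) != 5:
        return None
    flow = Flow(*parts)
    if flow.method not in ALLOWED_METHODS:
        return None
    return flow


def parse_lines(lines: Iterable[str]) -> List[Flow]:
    """Parse many log lines, silently skipping the ones parse_line rejects."""
    return [f for f in (parse_line(l) for l in lines) if f is not None]


def read_flows(path: str) -> List[Flow]:
    """Parse a whole log file such as /log/20170927.log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_lines(fh)


def summarize(flows: Iterable[Flow]) -> Counter:
    """Count requests per (host, method, url): a first pass for spotting
    endpoints that are hit unusually often in the captured window."""
    return Counter((f.host, f.method, f.url) for f in flows)


# Constructed sample log (not captured traffic): two valid flows, one HEAD
# request that the GET/POST filter drops, and one malformed line.
SAMPLE_LOG = """\
example.comNMASKGETNMASK/index.htmlNMASK<html>..</html>NMASK
example.comNMASKPOSTNMASK/login.phpNMASK{"ok":false}NMASKuser=alice&pass=....
example.comNMASKHEADNMASK/NMASKNMASK
broken line without separators
"""

if __name__ == "__main__":
    flows = parse_lines(SAMPLE_LOG.splitlines())
    for key, count in summarize(flows).most_common():
        print(count, *key)
```

To use it on a real capture, call `capture("eth0", "/log/20170927.log", 3600)` with sufficient privileges and then `summarize(read_flows("/log/20170927.log"))`; the `SEPARATOR` should be a string that cannot occur in request or response bodies, otherwise the field boundaries become ambiguous.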