
I want to learn to reverse apps. I'm confused about how to dump the network traffic of an app. I tried tcpflow, ngrep, etc.; they work, but the output data is not human readable. Can you give me a Linux command to get the network receive/send data from an app / hosts? I tried this:

sudo ngrep -W byline port 80

output:

interface: wlp1s0 (192.168.230.0/255.255.255.0)
filter: ( port 80 ) and ((ip || ip6) || (vlan && (ip || ip6)))
####
T 192.168.230.135:29464 -> 91.108.56.124:80 [AP] #4
POST /api HTTP/1.1.
Host: 91.108.56.124:80.
Content-Length: 148.
Content-Type: application/x-www-form-urlencoded.
Connection: Keep-Alive.
Accept-Encoding: gzip, deflate.
Accept-Language: en-US,*.
User-Agent: Mozilla/5.0.
.
.............g[c....x.F`$..>o-...O:2..3ib.W.q.._.,.)1.....k.........!..z...M^.g^...I.p...5.yx.Ys...Y*.m.. ....w...uK.%..0`....~.f.&...Q..br..W...3..

Which is easy to read, like a regular text string?

noobdev

1 Answer


Have you tried wireshark? It's not only a packet capture program like tcpdump or ngrep, it's also a network protocol decoder/analyser. i.e. it can make it easier to interpret the network traffic.

BTW, wireshark is almost certainly packaged for whatever distro you're running - e.g. on debian apt-get install wireshark.

Worth noting: wireshark itself is a GUI program (current version uses Qt, previous versions used GTK), but there is also a console version called tshark, which is useful if you need to run it remotely over an ssh session. wireshark is also capable of analysing packet capture files (e.g. as produced by tcpdump -w filename -s 0 or tshark -w filename) as well as live network capture.

Depending on your distro, tshark may be in the same package as wireshark or it may be in a separate package - e.g. on Debian, it's in the tshark package.
Also, if you're mostly interested in web traffic, libwww-perl (aka LWP, a perl library for writing web bots and similar tools) comes with a command-line tool called lwp-request (with aliases HEAD, GET, and POST) for extracting headers and/or data from URLs including the chain of request and response headers, and another called lwp-dump to "See what headers and content is returned for a URL".

LWP is also very likely to be available as a package for your distro, e.g., on debian, apt-get install libwww-perl.

cas
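To illustrate what a protocol decoder such as wireshark/tshark does with the payload that ngrep prints as dots, here is an added example (not code from the answer, from wireshark, or from LWP): it splits an HTTP/1.x message at the header/body boundary, honours Content-Length, undoes a declared Content-Encoding (gzip/deflate), and then reports whether the remaining bytes are text or still opaque. If they stay opaque after that, the app is applying its own encoding and no packet sniffer will make them readable on its own. The sample requests are constructed, with a placeholder host.

```python
import gzip
import string
import zlib

PRINTABLE = set(string.printable.encode("ascii"))


def split_http(raw):
    """Split an HTTP/1.x message into (start line, headers, body), trusting Content-Length."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers found; the capture is probably truncated")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii", "replace").lower()] = value.strip().decode("ascii", "replace")
    length = int(headers.get("content-length", len(rest)))
    return lines[0].decode("ascii", "replace"), headers, rest[:length]


def decode_body(headers, body):
    """Undo a transport-level Content-Encoding; anything else is returned untouched."""
    enc = headers.get("content-encoding", "identity").lower()
    if enc == "gzip" or body[:2] == b"\x1f\x8b":   # gzip magic bytes, even if the header lies
        return "gzip", gzip.decompress(body)
    if enc == "deflate":
        try:
            return "deflate", zlib.decompress(body)       # zlib-wrapped deflate (RFC 1950)
        except zlib.error:
            return "deflate", zlib.decompress(body, -15)  # raw deflate, seen from some clients
    return enc, body


def classify(body):
    """'text' if nearly every byte is printable ASCII, otherwise 'opaque' (compressed, encrypted, custom)."""
    if not body:
        return "empty"
    ratio = sum(b in PRINTABLE for b in body) / len(body)
    return "text" if ratio > 0.95 else "opaque"


def inspect(raw):
    start, headers, body = split_http(raw)
    enc, decoded = decode_body(headers, body)
    return {"start": start, "encoding": enc, "raw_class": classify(body),
            "decoded_class": classify(decoded), "decoded": decoded}


# Constructed samples shaped like the ngrep dump above (host is a placeholder).
FORM_BODY = b"user=alice&action=sync"
GZ = gzip.compress(FORM_BODY)
GZIP_REQUEST = (b"POST /api HTTP/1.1\r\nHost: app.example.invalid\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\nContent-Encoding: gzip\r\n"
                b"Content-Length: " + str(len(GZ)).encode() + b"\r\n\r\n" + GZ)
OPAQUE_BODY = bytes(range(200))   # stands in for an app-specific binary/encrypted payload
OPAQUE_REQUEST = (b"POST /api HTTP/1.1\r\nHost: app.example.invalid\r\n"
                  b"Content-Length: " + str(len(OPAQUE_BODY)).encode() + b"\r\n\r\n" + OPAQUE_BODY)
```

For a live capture the same split is what tshark performs when you select the http dissector; this block only shows the decoding step on bytes you already have.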