Difference between revisions of "Ngrep"

From Christoph's Personal Wiki

Latest revision as of 17:05, 11 June 2015

ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop. It was written by Jordan Ritter.

Usage

Note: See http://ngrep.sourceforge.net/usage.html for detailed examples.

The following examples assume that eth0 is the network interface in use (unless otherwise stated).

  • Example: Basic Packet Sniffing
$ ngrep -d any port 25
$ ngrep -d any 'error' port syslog
$ ngrep -wi -d any 'user|pass' port 21
  • Example: Debugging HTTP interactions
$ ngrep port 80
$ ngrep -W byline port 80
  • Example: Processing PCAP dump files, looking for patterns
$ ngrep -O /tmp/dns.dump -d any -T port domain
$ ngrep -w 'm' -I /tmp/dns.dump
$ ngrep -tD ns3 -I /tmp/dns.dump
$ ngrep -I /tmp/dns.dump port 80
  • Monitor all traffic not going over port 22 (i.e., SSH):
$ ngrep not port 22 | strings -n 8
  • Monitor all traffic coming from a certain host:
$ ngrep host 192.168.0.103
  • Capture network traffic incoming/outgoing to/from eth0 interface and show parameters following HTTP (TCP/80) GET or POST methods
$ ngrep -l -q -d eth0 -i "^GET |^POST " tcp and port 80
  • Capture network traffic incoming/outgoing to/from eth0 interface and show the HTTP (TCP/80) User-Agent string
$ ngrep -l -q -d eth0 -i "User-Agent: " tcp and port 80
  • Capture network traffic incoming/outgoing to/from eth0 interface and show the DNS (UDP/53) queries and responses
$ ngrep -l -q -d eth0 -i "" udp and port 53
  • Show the query and results of SELECT queries going to your MySQL server:
$ ngrep -d eth0 -i 'select' port 3306
  • Show the query and results of all queries going to your MySQL server:

Suppose the following MySQL query returns this result:

$ mysql -B -e 'select * from foo;' sandbox
 id	name	age
 1	Bob	23
 2	Alice	20

Watch the traffic via `ngrep`:

$ ngrep -d lo -wi "" port 3306
interface: lo (127.0.0.0/255.0.0.0)
filter: (ip or ip6) and ( port 3306 )
match: ((^\W)|(\W$)|(\W\W))
####
T 127.0.0.1:3306 -> 127.0.0.1:55741 [AP]
[...
5.5.43-0ubuntu0.14.04.1.....!!!#+N'v...................?wZ=bUblw5=t.mysql_native_password.
##
T 127.0.0.1:55741 -> 127.0.0.1:3306 [AP]
[...........!.......................sandusr...e....=_.P`..W...mQ.sandbox.mysql_native_password.
##
T 127.0.0.1:3306 -> 127.0.0.1:55741 [AP]
...........
#
T 127.0.0.1:55741 -> 127.0.0.1:3306 [AP]
!....select @@version_comment limit 1
#
T 127.0.0.1:3306 -> 127.0.0.1:55741 [AP]
.....'....def....@@version_comment..!.........................(Ubuntu).........
#
T 127.0.0.1:55741 -> 127.0.0.1:3306 [AP]
.....select * from foo
#
T 127.0.0.1:3306 -> 127.0.0.1:55741 [AP]
.....'....def.sandbox.foo.foo.id.id.?.......B...+....def.sandbox.foo.foo.name.name.!...........)....def.sandbox.foo.foo.age.age.?.................."......1.Bob.23.....2.Alice.20.......".
#
T 127.0.0.1:55741 -> 127.0.0.1:3306 [AP]
.....
###
  • Monitor any network-based syslog traffic for the occurrence of the word "error" (note: `ngrep` knows how to convert service port names (e.g., those found in "/etc/services") to port numbers):
$ ngrep -d any "error" port syslog
  • Monitor specific traffic:
# Start `ngrep`:
$ ngrep -t '^(GET|POST|HEAD) ' 'dst host 67.207.152.20 and tcp and dst port 80'
# Then send a header request to a specific URL:
$ curl -I xtof.ch
interface: wlan0 (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( dst host 67.207.152.20 and tcp and dst port 80 )
match: ^(GET|POST|HEAD) 
###
T 2015/06/11 12:05:09.321783 192.168.1.15:34116 -> 67.207.152.20:80 [AP]
  HEAD / HTTP/1.1..User-Agent: curl/7.35.0..Host: xtof.ch..Accept: */*....
###

Or, break the response by newlines:

$ ngrep -t '^(GET|POST|HEAD) ' 'dst host 67.207.152.20 and tcp and dst port 80' -W byline
interface: wlan0 (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( dst host 67.207.152.20 and tcp and dst port 80 )
match: ^(GET|POST|HEAD) 
###
T 2015/06/11 12:11:07.697041 192.168.1.15:34153 -> 67.207.152.20:80 [AP]
HEAD / HTTP/1.1.
User-Agent: curl/7.35.0.
Host: xtof.ch.
Accept: */*.
.

###
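
The `-t -W byline` output above is regular enough to turn into one log line per request. The following is an added example, not part of the original wiki page: `ngrep_http_summary` and `sample_capture` are hypothetical names, the first sample packet is adapted from the output above, and the second packet is constructed. The summary keeps only the request line, Host and User-Agent, so request bodies never reach the log.

```shell
# Summarise ngrep "-t -W byline" output: one line per HTTP request.
ngrep_http_summary() {
  awk '
    function emit() {
      if (req != "")
        printf "%s %s -> %s %s host=%s ua=\"%s\"\n", ts, src, dst, req, host, ua
      req = host = ua = ""
    }
    # Packet header (needs -t): T DATE TIME SRC -> DST [FLAGS]
    $1 == "T" && $5 == "->" { emit(); ts = $2 " " $3; src = $4; dst = $6; next }
    { sub(/\.$/, "") }  # byline mode shows the trailing CR as "."
    /^(GET|POST|HEAD) / && req == "" { req = $1 " " $2; next }
    tolower($1) == "host:" { host = $2; next }
    tolower($1) == "user-agent:" { $1 = ""; ua = substr($0, 2); next }
    END { emit() }
  '
}

# Sample input: first packet adapted from the page, second packet constructed.
sample_capture() {
  cat <<'EOF'
interface: wlan0 (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( tcp and dst port 80 )
match: ^(GET|POST|HEAD) 
###
T 2015/06/11 12:11:07.697041 192.168.1.15:34153 -> 67.207.152.20:80 [AP]
HEAD / HTTP/1.1.
User-Agent: curl/7.35.0.
Host: xtof.ch.
Accept: */*.
.

###
T 2015/06/11 12:11:09.000001 192.0.2.10:40000 -> 198.51.100.7:80 [AP]
POST /login HTTP/1.1.
Host: intranet.example.
User-Agent: Mozilla/5.0 (X11; Linux x86_64).
Content-Length: 27.
.
user=alice&pass=hunter2
EOF
}

sample_capture | ngrep_http_summary
```

On a live interface the same function can read from a pipe, e.g. `ngrep -l -t -W byline '^(GET|POST|HEAD) ' tcp and dst port 80 | ngrep_http_summary`.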

See also

  • nmap — network exploration tool and security scanner[1]
  • tcpdump — dump traffic on a network[2]
  • snoop — capture and inspect network packets
  • netcat (aka nc) — a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol.[3]
  • Netfilter
  • NetCalc
  • Whois
  • Nagios — an Open Source host, service, and network monitoring program.
  • Wireshark — network protocol analyser
  • flowgrep — a basic IDS/IPS tool written in Python as a way to help you investigate and manage your network.
  • tcpreplay — replay network traffic stored in pcap files

External links