Ngrep

From Christoph's Personal Wiki
Jump to: navigation, search

ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop. It was written by Jordan Ritter.

Usage

Note: See here for detailed examples.

In the following examples, it is assumed that eth0 is the used network interface (unless otherwise stated).

  • Example: Basic Packet Sniffing
$ ngrep -d any port 25
$ ngrep -d any 'error' port syslog
$ ngrep -wi -d any 'user|pass' port 21
  • Example: Debugging HTTP interactions
$ ngrep port 80
$ ngrep -W byline port 80
  • Example: Processing PCAP dump files, looking for patterns
$ ngrep -O /tmp/dns.dump -d any -T port domain
$ ngrep -w 'm' -I /tmp/dns.dump
$ ngrep -tD ns3 -I /tmp/dns.dump
$ ngrep -I /tmp/dns.dump port 80
  • Monitor all traffic not going over port 22 (i.e., SSH):
$ ngrep not port 22 | strings 8
  • Monitor all traffic coming from a certain host:
$ ngrep host 192.168.0.103
  • Capture network traffic incoming/outgoing to/from eth0 interface and show parameters following HTTP (TCP/80) GET or POST methods
$ ngrep -l -q -d eth0 -i "^GET |^POST " tcp and port 80
  • Capture network traffic incoming/outgoing to/from eth0 interface and show the HTTP (TCP/80) User-Agent string
$ ngrep -l -q -d eth0 -i "User-Agent: " tcp and port 80
  • Capture network traffic incoming/outgoing to/from eth0 interface and show the DNS (UDP/53) querys and responses
$ ngrep -l -q -d eth0 -i "" udp and port 53
  • Show the query and results of SELECT queries going to your MySQL server:
$ ngrep -d eth0 -i 'select' port 3306
  • Show the query and results of all queries going to your MySQL server:

If the following MySQL query returns the following:

$ mysql -B -e 'select * from foo;' sandbox
 id	name	age
 1	Bob	23
 2	Alice	20

Watch the traffic via `ngrep`:

$ ngrep -d lo -wi "" port 3306
interface: lo (127.0.0.0/255.0.0.0)
filter: (ip or ip6) and ( port 3306 )
match: ((^\W)|(\W$)|(\W\W))
####
T 127.0.0.1:3306 -> 127.0.0.1:55741 [AP]
[...
5.5.43-0ubuntu0.14.04.1.....!!!#+N'v...................?wZ=bUblw5=t.mysql_native_password.
##
T 127.0.0.1:55741 -> 127.0.0.1:3306 [AP]
[...........!.......................sandusr...e....=_.P`..W...mQ.sandbox.mysql_native_password.
##
T 127.0.0.1:3306 -> 127.0.0.1:55741 [AP]
...........
#
T 127.0.0.1:55741 -> 127.0.0.1:3306 [AP]
!....select @@version_comment limit 1
#
T 127.0.0.1:3306 -> 127.0.0.1:55741 [AP]
.....'....def....@@version_comment..!.........................(Ubuntu).........
#
T 127.0.0.1:55741 -> 127.0.0.1:3306 [AP]
.....select * from foo
#
T 127.0.0.1:3306 -> 127.0.0.1:55741 [AP]
.....'....def.sandbox.foo.foo.id.id.?.......B...+....def.sandbox.foo.foo.name.name.!...........)....def.sandbox.foo.foo.age.age.?.................."......1.Bob.23.....2.Alice.20.......".
#
T 127.0.0.1:55741 -> 127.0.0.1:3306 [AP]
.....
###
  • Monitor any network-based syslog traffic for the occurrence of the word "error" (note: `ngrep` knows how to convert service port names (e.g., those found in "/etc/services") to port numbers):
$ ngrep -d any "error" port syslog
  • Monitor specific traffic:
# Start `ngrep`:
$ ngrep -t '^(GET|POST|HEAD) ' 'dst host 67.207.152.20 and tcp and dst port 80'
# Then send a header request to a specific URL:
$ curl -I xtof.ch
interface: wlan0 (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( dst host 67.207.152.20 and tcp and dst port 80 )
match: ^(GET|POST|HEAD) 
###
T 2015/06/11 12:05:09.321783 192.168.1.15:34116 -> 67.207.152.20:80 [AP]
  HEAD / HTTP/1.1..User-Agent: curl/7.35.0..Host: xtof.ch..Accept: */*....                                                                                                                                                          
###

Or, break the response by newlines:

$ ngrep -t '^(GET|POST|HEAD) ' 'dst host 67.207.152.20 and tcp and dst port 80' -W byline
interface: wlan0 (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( dst host 67.207.152.20 and tcp and dst port 80 )
match: ^(GET|POST|HEAD) 
###
T 2015/06/11 12:11:07.697041 192.168.1.15:34153 -> 67.207.152.20:80 [AP]
HEAD / HTTP/1.1.
User-Agent: curl/7.35.0.
Host: xtof.ch.
Accept: */*.
.

###

See also

  • nmap — network exploration tool and security scanner[1]
  • tcpdump — dump traffic on a network[2]
  • snoop — capture and inspect network packets
  • netcat (aka nc) — a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol.[3]
  • Netfilter
  • NetCalc
  • Whois
  • Nagios — an Open Source host, service, and network monitoring program.
  • Wireshark — network protocol analyser
  • flowgrep — a basic IDS/IPS tool written in Python as a way to help you investigate and manage your network.
  • tcpreplay — replay network traffic stored in pcap files

External links