Grepping Packets With ngrep

By stretch | Friday, May 14, 2010 at 3:51 a.m. UTC

If Wireshark and tcpdump can be considered packet sniffing toolboxes, ngrep is a handy little multi-tool. Short for "network grep," ngrep can be used to extract from the wire packets which match a given regular expression. For example, suppose you're in the midst of troubleshooting and need to look for all (non-secured) HTTP connections. You can use ngrep to match for tell-tale HTTP requests:

stretch@Sandbox ~ $ ngrep -q -W byline "GET|POST HTTP"
interface: eth0 (192.168.10.0/255.255.255.0)
match: GET|POST HTTP
T 192.168.10.101:52965 -> 174.143.213.184:80 [AP]
GET / HTTP/1.1.
Host: packetlife.net.
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.9) Gecko/20100402 Ubuntu/9.10 (karmic) Firefox/3.5.9.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8.
Accept-Language: en-us,en;q=0.5.
Accept-Encoding: gzip,deflate.
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7.
Keep-Alive: 300.
Connection: keep-alive.
.

By default, ngrep will output a hash (#) for every packet it receives; this can be suppressed with the -q argument. -W byline formats the output into a more legible format.

The match expression can be combined with a pcap filter. For example, suppose we wanted to look for DNS traffic mentioning packetlife.net:

stretch@Sandbox ~ $ ngrep -q -W byline packetlife.net udp port 53
interface: eth0 (192.168.10.0/255.255.255.0)
filter: (ip or ip6) and ( udp port 53 )
match: packetlife.net

U 192.168.10.101:58325 -> 68.105.28.12:53
.i..........
packetlife.net.....

U 68.105.28.12:53 -> 192.168.10.101:58325
.i..........
packetlife.net..................................dns2.stabletransit.com..............dns1.A.`..........E._..<..........A=..

ngrep also sports the ability to reset the TCP session of a matching packet. For example, if we wanted to detect and terminate cleartext passwords being sent over Telnet we could do something like this:

stretch@Sandbox ~ $ sudo ngrep -q -K 1 -i password tcp
interface: eth0 (192.168.10.0/255.255.255.0)
filter: (ip or ip6) and ( tcp )
match: password

T 192.168.20.2:23 -> 192.168.10.101:44262 [AP]
  Password:
192.168.20.2:23 > 192.168.10.101:44262: R 2167814027:2167814027(0) win 0

-K specifies the number of RST packets to spoof, and -i is used to ignore letter case.

Obviously this isn't a permanent filtering solution, but it can be quite handy should one need to improvise a solution on the spot.

About the Author

Jeremy Stretch is a freelance networking engineer, instructor, and the maintainer of PacketLife.net. He currently lives in Fairfax, Virginia, on the edge of the Washington, DC metro area. Although primarily an R&S guy, he likes to get into everything, and runs a free network training lab out of his basement for fun. You can contact him by email or follow him on Twitter.

Posted in Resources

Comments

stuh84 commented on Friday, May 14, 2010 at 8:17 a.m. UTC

That is rather awesome, just having a play with it now, I can see this being VERY useful

hunter_thom commented on Friday, May 14, 2010 at 2:07 p.m. UTC

That's awesome! I'll definitely nab this today and give it a go.

s1sh1 commented on Friday, May 14, 2010 at 10:40 p.m. UTC

It's very useful post... Thanks ! very nice tool...

sudosteve commented on Saturday, May 15, 2010 at 3:05 p.m. UTC

Thanks for sharing, works great on MAC OS X !

simon (guest) commented on Wednesday, May 19, 2010 at 9:38 p.m. UTC

Pretty nice command and really very useful to filter the large package data.

Leave a Comment


Register to comment as a member. You'll look cooler.

Optional; will not be displayed publicly or given out.

No commercial links. Only personal (e.g. blog, Twitter, or LinkedIn) and/or on-topic links, please.
The four colors of wiring in a Cat 5E cabling are blue, green, orange, and what?