If Wireshark and tcpdump can be considered packet sniffing toolboxes, ngrep is a handy little multi-tool. Short for "network grep," ngrep can be used to extract from the wire packets which match a given regular expression. For example, suppose you're in the midst of troubleshooting and need to look for all (non-secured) HTTP connections. You can use ngrep to match for tell-tale HTTP requests:
stretch@Sandbox ~ $ ngrep -q -W byline "GET|POST HTTP" interface: eth0 (192.168.10.0/255.255.255.0) match: GET|POST HTTP T 192.168.10.101:52965 -> 184.108.40.206:80 [AP] GET / HTTP/1.1. Host: packetlife.net. User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:220.127.116.11) Gecko/20100402 Ubuntu/9.10 (karmic) Firefox/3.5.9. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8. Accept-Language: en-us,en;q=0.5. Accept-Encoding: gzip,deflate. Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7. Keep-Alive: 300. Connection: keep-alive. .
By default, ngrep will output a hash (#) for every packet it receives; this can be suppressed with the
-W byline formats the output into a more legible format.
The match expression can be combined with a pcap filter. For example, suppose we wanted to look for DNS traffic mentioning packetlife.net:
stretch@Sandbox ~ $ ngrep -q -W byline packetlife.net udp port 53 interface: eth0 (192.168.10.0/255.255.255.0) filter: (ip or ip6) and ( udp port 53 ) match: packetlife.net U 192.168.10.101:58325 -> 18.104.22.168:53 .i.......... packetlife.net..... U 22.214.171.124:53 -> 192.168.10.101:58325 .i.......... packetlife.net..................................dns2.stabletransit.com..............dns1.A.`..........E._..<..........A=..
ngrep also sports the ability to reset the TCP session of a matching packet. For example, if we wanted to detect and terminate cleartext passwords being sent over Telnet we could do something like this:
stretch@Sandbox ~ $ sudo ngrep -q -K 1 -i password tcp interface: eth0 (192.168.10.0/255.255.255.0) filter: (ip or ip6) and ( tcp ) match: password T 192.168.20.2:23 -> 192.168.10.101:44262 [AP] Password: 192.168.20.2:23 > 192.168.10.101:44262: R 2167814027:2167814027(0) win 0
-K specifies the number of RST packets to spoof, and
-i is used to ignore letter case.
Obviously this isn't a permanent filtering solution, but it can be quite handy should one need to improvise a solution on the spot.