
What is ngrep and How to Use It?

tshark and tcpdump are the most popular packet sniffing tools, digging down to the bits and bytes of the traffic. ngrep is another command-line *nix utility that captures network packets and searches their payloads for a given regular expression.

The utility uses libpcap for capture and the GNU regex library for pattern matching. ngrep stands for Network grep and works much like the regular grep utility; the difference is that ngrep matches regular or hexadecimal expressions against the text inside network packets rather than against files.

In this article, we learn about a command-line, feature-rich utility known as ngrep that is handy for quick PCAP analysis and packet dumping.

Introduction

ngrep provides grep-like capabilities at the network layer of the OSI model. Currently the tool understands the IPv4/6, TCP, UDP, ICMPv4/6 and IGMP protocols, captures live traffic, and examines saved pcap files. The main advantage of ngrep is that a regular grep user can reuse existing text-parsing knowledge on network traffic.

Getting Started

Update the Ubuntu repository and install ngrep utility via apt-get package management tool:

ubuntu@ubuntu:~$ sudo apt-get update
ubuntu@ubuntu:~$ sudo apt-get install ngrep

The tool requires sudo privileges to capture live traffic. The general syntax is as follows:

ubuntu@ubuntu:~$ ngrep <options> pattern/expression <filter>

The pattern is the regular expression to search for in the packet payload. The filter is a Berkeley Packet Filter (BPF) expression built from keywords that select which packets are examined, such as the protocol, the source or destination host, and the port.

Capture Packets

Without a filter, ngrep captures every packet on the default interface. For instance, the following command captures all network packets:

ubuntu@ubuntu:~$ sudo ngrep

To list the available interfaces, type the following command and press TAB twice to let shell completion show them:

ubuntu@ubuntu:~$ sudo ngrep -d [TAB] [TAB]
enp0s3 lo

Basic Usage

The above command floods the terminal with packet details. ngrep offers a quiet "-q" option that suppresses the "#" progress mark printed for every non-matching packet and prints only the header and payload of packets that match:

ubuntu@ubuntu:~$ sudo ngrep -q
[sudo] password for ubuntu:
interface: enp0s3 (10.0.2.0/255.255.255.0)
filter: ((ip || ip6) || (vlan && (ip || ip6)))

T 10.0.2.15:35524 -> 142.250.180.46:443 [AP] #1
  …."7c.X]e.Nu…m.’.U…..&….u.%z…
T 10.0.2.15:35524 -> 142.250.180.46:443 [AP] #2
  ……h..’[email protected]?aN}.’K…
T 142.250.180.46:443 -> 10.0.2.15:35524 [A] #4
  ……

Adding the string 'HTTP' to the above command displays only the packets whose payload contains that string:

ubuntu@ubuntu:~$ sudo ngrep -q 'HTTP'

Add the -t flag to the above command to print a timestamp with each match in the YYYY/MM/DD HH:MM:SS.UUUUUU format. Similarly, the -T flag prints the elapsed time between consecutive matches in the +S.UUUUUU format.

ubuntu@ubuntu:~$ sudo ngrep -qt 'HTTP'

ubuntu@ubuntu:~$ sudo ngrep -qT 'HTTP'
interface: enp0s3 (10.0.2.0/255.255.255.0)
filter: ((ip || ip6) || (vlan && (ip || ip6)))
match: HTTP
T +24.714768 10.0.2.15:48096 -> 142.250.185.35:80 [AP] #1453
  POST /gts1o1core HTTP/1.1..Host: ocsp.pki.goog..User-Agent: Mozilla/5.0

Use the -W option with the byline mode to print the payload one line per header, which is far easier to read:

ubuntu@ubuntu:~$ sudo ngrep -q -W byline 'HTTP'
T 10.0.2.15:48570 -> 142.250.185.35:80 [AP] #589
POST /gts1o1core HTTP/1.1.
Host: ocsp.pki.goog.
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0.
Accept: */*.
Accept-Language: en-US,en;q=0.5.
Accept-Encoding: gzip, deflate.
Content-Type: application/ocsp-request.
Content-Length: 83.
Connection: keep-alive.

ngrep can save the matched traffic in pcap format, which can then be opened in Wireshark for deeper packet analysis. Use the -O option to write the matched packets to a pcap file:

ubuntu@ubuntu:~$ ngrep -O http_capture.pcap -qt 'HTTP'

Like other network sniffing tools, ngrep can also read saved traffic: the -I option takes a pcap file as input instead of an interface, and the same match expression and -qt options apply to it.

ubuntu@ubuntu:~$ ngrep -I http_capture.pcap -qt 'HTTP'

BPF Filters

BPF has a rich syntax for filtering packets by IP address, port and protocol. The following commands search for the string HTTP in TCP and in UDP packets, respectively:

ubuntu@ubuntu:~$ ngrep -W byline 'HTTP' 'tcp'

ubuntu@ubuntu:~$ ngrep -W byline 'HTTP' 'udp'

To filter all the packets on the enp0s3 interface for port 80, run the following command:

ubuntu@ubuntu:~$ ngrep -d enp0s3 -W byline port 80

Similarly, the commands below match packets containing the HTTP string by destination host and by source host:

ubuntu@ubuntu:~$ ngrep -q 'HTTP' 'dst host 172.217'

ubuntu@ubuntu:~$ ngrep -q 'HTTP' 'src host 10.0'

Lastly, the following command with a host filter matches packets sent to or from the "10.0.2" IP address in either direction:

ubuntu@ubuntu:~$ ngrep -q 'HTTP' 'host 10.0.2'

String-based Network Packet Search

The options above can be combined to search TCP packets on port 80 for the specific string 'User-Agent':

ubuntu@ubuntu:~$ sudo ngrep -d enp0s3 -W byline -i "User-Agent:" tcp and port 80

The -i option makes the regular expression match case-insensitively.

Similarly, the command below displays all packets on port 80 whose payload starts with GET or POST (the ^ anchor ties the match to the beginning of the payload):

ubuntu@ubuntu:~$ sudo ngrep -d enp0s3 -i "^GET|^POST" tcp and port 80
interface: enp0s3 (10.0.2.0/255.255.255.0)
filter: ( tcp and port 80 ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: ^GET|^POST
#######
T 10.0.2.15:59876 -> 34.122.121.32:80 [AP] #7
  GET / HTTP/1.1..Host: connectivity-check.ubuntu.com..Accept:
###########
T 10.0.2.15:48634 -> 34.107.221.82:80 [AP] #18
  GET /success.txt HTTP/1.1..Host: detectportal.firefox.com..User-Agent: Mozilla/5.0
#######
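The matches above are only useful once someone reads them. The following shell script is an added example (not from the article or the ngrep project) that post-processes ngrep's "-W byline" output, as produced by the "^GET|^POST" search, into one line per plaintext HTTP request and then flags requests to hosts outside a lab allowlist. The ngrep output and the allowlist are constructed samples; the host updates.example.net is a made-up name.

```shell
#!/bin/sh
# Constructed sample of what `sudo ngrep -W byline -i "^GET|^POST" tcp and port 80`
# prints; in byline mode the trailing "." on each line is the CR of the CRLF pair.
SAMPLE_NGREP_OUTPUT='interface: enp0s3 (10.0.2.0/255.255.255.0)
filter: ( tcp and port 80 ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: ^GET|^POST
####
T 10.0.2.15:48570 -> 142.250.185.35:80 [AP] #589
POST /gts1o1core HTTP/1.1.
Host: ocsp.pki.goog.
User-Agent: Mozilla/5.0.
##
T 10.0.2.15:59876 -> 34.122.121.32:80 [AP] #7
GET / HTTP/1.1.
Host: connectivity-check.ubuntu.com.
Accept: */*.
###
T 10.0.2.15:51002 -> 203.0.113.7:80 [AP] #42
GET /agent/update.bin HTTP/1.1.
Host: updates.example.net.
'

# Hosts that are expected to speak plaintext HTTP in this lab (constructed allowlist).
ALLOWED_HTTP_HOSTS='ocsp.pki.goog connectivity-check.ubuntu.com detectportal.firefox.com'

# Reads ngrep byline output on stdin; prints "<src> <dst> <method> <host>" per request.
# A "T src -> dst ..." header line starts a packet; the request line gives the method;
# the Host header completes the record. Packets without a Host header are dropped.
summarize_http_requests() {
  awk '
    /^T [0-9.:]+ -> [0-9.:]+/ { src = $2; dst = $4; method = ""; next }
    /^(GET|POST|PUT|HEAD|DELETE|OPTIONS) / { method = $1; next }
    /^Host: / { host = $2; sub(/\.$/, "", host)
                if (src != "" && method != "") print src, dst, method, host
                src = "" }
  '
}

# Prints only the requests whose Host is not on the allowlist, for a second look.
flag_unexpected_hosts() {
  summarize_http_requests | while read -r src dst method host; do
    case " $ALLOWED_HTTP_HOSTS " in
      *" $host "*) ;;
      *) printf '%s %s %s %s\n' "$src" "$dst" "$method" "$host" ;;
    esac
  done
}
```

Run it on a live capture with `sudo ngrep -W byline -i "^GET|^POST" tcp and port 80 | flag_unexpected_hosts`, or on a saved file via `ngrep -I http_capture.pcap ...` in place of the live capture.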

Conclusion

This article introduced ngrep, a packet sniffing tool that searches traffic with regular expressions. We covered the basic to advanced ngrep commands and options that help network administrators in their day-to-day tasks.
