{"id":11837,"date":"2019-03-17T13:36:51","date_gmt":"2019-03-17T13:36:51","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=11837"},"modified":"2019-03-17T13:36:51","modified_gmt":"2019-03-17T13:36:51","slug":"ngrep-a-network-packet-analyzer-for-linux","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/03\/17\/ngrep-a-network-packet-analyzer-for-linux\/","title":{"rendered":"ngrep \u2013 A Network Packet Analyzer for Linux"},"content":{"rendered":"

Ngrep<\/strong>\u00a0(network grep<\/strong>) is a simple yet powerful network packet analyzer. It is a grep-like tool applied to the network layer \u2013 it matches traffic passing over a network interface. It allows you to specify an extended regular or hexadecimal expression to match against data payloads (the actual information or message in transmitted data, but not auto-generated metadata) of packets.<\/p>\n

This tool works with various types of protocols, including IPv4\/6, TCP, UDP, ICMPv4\/6, IGMP as well as Raw on a number of interfaces. It operates in the same fashion as\u00a0tcpdump packet sniffing tool<\/a>.<\/p>\n

The package\u00a0ngrep<\/strong>\u00a0is available to install from the default system repositories in mainstream Linux distributions using package management tool as shown.<\/p>\n

$ sudo apt install ngrep\r\n$ sudo yum install ngrep\r\n$ sudo dnf install ngrep\r\n<\/pre>\n
After installing\u00a0ngrep<\/strong>, you can start analyzing traffic on your Linux network using following examples.<\/p>\n
1.<\/strong>\u00a0The following command will help you match all ping requests on the default working interface. You need to open another terminal and try to ping another remote machine. The\u00a0-q<\/code>\u00a0flag tell\u00a0ngrep<\/strong>\u00a0to work quietly, to not output any information other than packet headers and their payloads.<\/p>\n
$ sudo ngrep -q '.' 'icmp'<\/strong>\r\n\r\ninterface: enp0s3 (192.168.0.0\/255.255.255.0)\r\nfilter: ( icmp ) and ((ip || ip6) || (vlan && (ip || ip6)))\r\nmatch: .\r\n\r\nI 192.168.0.104 -> 192.168.0.103 8:0\r\n  ]...~oG[....j....................... !\"#$%&'()*+,-.\/01234567                                                                                                             \r\n\r\nI 192.168.0.103 -> 192.168.0.104 0:0\r\n  ]...~oG[....j....................... !\"#$%&'()*+,-.\/01234567                                                                                                             \r\n\r\nI 192.168.0.104 -> 192.168.0.103 8:0\r\n  ]....oG[............................ !\"#$%&'()*+,-.\/01234567                                                                                                             \r\n\r\nI 192.168.0.103 -> 192.168.0.104 0:0\r\n  ]....oG[............................ !\"#$%&'()*+,-.\/01234567  \r\n<\/pre>\n
You can press\u00a0Ctrl + C<\/code>\u00a0to terminate it.<\/p>\n
2.<\/strong>\u00a0To match only traffic going to a particular destination site, for instance\u00a0\u2018google.com\u2019<\/strong>, run the following command, then try to access it from a browser.<\/p>\n
$ sudo ngrep -q '.' 'host google.com'<\/strong>\r\n\r\ninterface: enp0s3 (192.168.0.0\/255.255.255.0)\r\nfilter: ( host google.com ) and ((ip || ip6) || (vlan && (ip || ip6)))\r\nmatch: .\r\n\r\nT 172.217.160.174:443 -> 192.168.0.103:54008 [AP]\r\n  ..................;.(...RZr..$....s=..l.Q+R.U..4..g.j..I,.l..:{y.a,....C{5>......p..@..EV..                                                                       \r\n\r\nT 172.217.160.174:443 -> 192.168.0.103:54008 [AP]\r\n  .............l.......!,0hJ....0.%F..!...l|.........PL..X...t..T.2DC..... ..y...~Y;.$@Yv.Q6\r\n<\/pre>\n
3.<\/strong>\u00a0If you are surfing the web, then run the following command to monitor which files your browser is requesting:.<\/p>\n
$ sudo ngrep -q '^GET .* HTTP\/1.[01]'<\/strong>\r\n\r\ninterface: enp0s3 (192.168.0.0\/255.255.255.0)\r\nfilter: ((ip || ip6) || (vlan && (ip || ip6)))\r\nmatch: ^GET .* HTTP\/1.[01]\r\n\r\nT 192.168.0.104:43040 -> 172.217.160.174:80 [AP]\r\n  GET \/ HTTP\/1.1..Host: google.com..User-Agent: Links (2.13; Linux 4.17.6-1.el7.elrepo.x86_64 x86_64; \r\n  GNU C 4.8.5; text)..Accept: *\/*..Accept-Language: en,*;q=0.1..Accept-\r\n  Encoding: gzip, deflate, bzip2..Accept-Charset: us-ascii,ISO-8859-1,ISO-8859-2,ISO-8859-3,ISO-8859-4,\r\n  ISO-8859-5,ISO-8859-6,ISO-8859-7,ISO-8859-8,ISO-8859-9,ISO-8859-10,I\r\n  SO-8859-13,ISO-8859-14,ISO-8859-15,ISO-8859-16,windows-1250,windows-1251,windows-1252,windows-1256,\r\n  windows-1257,cp437,cp737,cp850,cp852,cp866,x-cp866-u,x-mac,x-mac-ce,x-\r\n  kam-cs,koi8-r,koi8-u,koi8-ru,TCVN-5712,VISCII,utf-8..Connection: keep-alive.... \r\n<\/pre>\n
4.<\/strong>\u00a0To see all activity crossing source or destination port\u00a025<\/strong>\u00a0(SMTP<\/strong>), run the following command.<\/p>\n
$ sudo ngrep port 25<\/strong>\r\n<\/pre>\n
5.<\/strong>\u00a0To monitor any network-based syslog traffic for the occurrence of the word\u00a0\u201cerror\u201d<\/strong>, use the following command.<\/p>\n
 \r\n$ sudo ngrep -d any 'error' port 514\r\n<\/pre>\n
Importantly, this tool can convert service port names stored in\u00a0\u201c\/etc\/services\u201d<\/strong>\u00a0(on Unix-like systems such as Linux) to port numbers. This command is equivalent to the above command.<\/p>\n
$ sudo ngrep -d any 'error' port syslog\r\n<\/pre>\n
6.<\/strong>\u00a0You can also run ngrep against an\u00a0HTTP<\/strong>\u00a0server (port\u00a080<\/strong>), it will match all requests to the destination host as shown.<\/p>\n
$ sudo ngrep port 80<\/strong>\r\n\r\ninterface: eth0 (64.90.164.72\/255.255.255.252)\r\nfilter: ip and ( port 80 )\r\n####\r\nT 67.169.59.38:42167 -> 64.90.164.74:80 [AP]\r\n  GET \/ HTTP\/1.1..User-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; X11; Linux i\r\n  686) Opera 7.21  [en]..Host: www.darkridge.com..Accept: text\/html, applicat\r\n  ion\/xml;q=0.9, application\/xhtml+xml;q=0.9, image\/png, image\/jpeg, image\/gi\r\n  f, image\/x-xbitmap, *\/*;q=0.1..Accept-Charset: iso-8859-1, utf-8, utf-16, *\r\n  ;q=0.1..Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0..Cookie: SQ\r\n  MSESSID=5272f9ae21c07eca4dfd75f9a3cda22e..Cookie2: $Version=1..Connection:\r\n  Keep-Alive, TE..TE: deflate, gzip, chunked, identity, trailers....\r\n##\r\n<\/pre>\n
As you can see in the above output all HTTP headers transmission are displayed in their gory detail. It\u2019s hard to parse though, so let\u2019s watch what happens when you apply\u00a0-W<\/code>\u00a0byline mode.<\/p>\n
$ sudo ngrep -W byline port 80<\/strong>\r\n\r\ninterface: eth0 (64.90.164.72\/255.255.255.252)\r\nfilter: ip and ( port 80 )\r\n####\r\nT 67.169.59.38:42177 -> 64.90.164.74:80 [AP]\r\nGET \/ HTTP\/1.1.\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; X11; Linux i686) Opera ...\r\nHost: www.darkridge.com.\r\nAccept: text\/html, application\/xml;q=0.9, application\/xhtml+xml;q=0.9 ...\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1.\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0.\r\nCookie: SQMSESSID=5272f9ae21c07eca4dfd75f9a3cda22e.\r\nCookie2: $Version=1.\r\nCache-Control: no-cache.\r\nConnection: Keep-Alive, TE.\r\nTE: deflate, gzip, chunked, identity, trailers.\r\n<\/pre>\n
7.<\/strong>\u00a0To print a\u00a0timestamp<\/strong>\u00a0in the form of\u00a0YYYY\/MM\/DD HH:MM:SS.UUUUUU<\/strong>\u00a0every time a packet is matched, use the\u00a0-t<\/strong>\u00a0flag.<\/p>\n
$ sudo ngrep -t -W byline port 80<\/strong>\r\n\r\ninterface: enp0s3 (192.168.0.0\/255.255.255.0)\r\nfilter: ( port 80 ) and ((ip || ip6) || (vlan && (ip || ip6)))\r\n####\r\nT 2018\/07\/12 16:33:19.348084 192.168.0.104:43048 -> 172.217.160.174:80 [AP]\r\nGET \/ HTTP\/1.1.\r\nHost: google.com.\r\nUser-Agent: Links (2.13; Linux 4.17.6-1.el7.elrepo.x86_64 x86_64; GNU C 4.8.5; text).\r\nAccept: *\/*.\r\nAccept-Language: en,*;q=0.1.\r\nAccept-Encoding: gzip, deflate, bzip2.\r\nAccept-Charset: us-ascii,ISO-8859-1,ISO-8859-2,ISO-8859-3,ISO-8859-4,ISO-8859-5,utf-8.\r\nConnection: keep-alive.\r\n<\/pre>\n
8.<\/strong>\u00a0To avoid putting the interface being monitored into promiscuous mode (where it intercepts and reads each network packet that arrives in its entirety), add the\u00a0-p<\/code>\u00a0flag.<\/p>\n
$ sudo ngrep -p -W byline port 80\r\n<\/pre>\n
9.<\/strong>\u00a0Another important option is\u00a0-N<\/code>\u00a0which is useful in case you are observing raw or unknown protocols. It tells\u00a0ngrep<\/strong>\u00a0to display the sub-protocol number along with single-character identifier.<\/p>\n
$ sudo ngrep -N -W byline\r\n<\/pre>\n
For more information, see the\u00a0ngrep<\/strong>\u00a0man page.<\/p>\n
$ man ngrep\r\n<\/pre>\n
ngrep Github repository:\u00a0https:\/\/github.com\/jpr5\/ngrep<\/a><\/p>\n
That\u2019s all!\u00a0Ngrep<\/strong>\u00a0(network grep<\/strong>) is a network packet analyzer that understands BPF filter logic in the same fashion tcpdump. We would like to know your thoughts about\u00a0ngrep<\/strong>\u00a0in the comments section.<\/p>\n
Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Ngrep\u00a0(network grep) is a simple yet powerful network packet analyzer. It is a grep-like tool applied to the network layer \u2013 it matches traffic passing over a network interface. It allows you to specify an extended regular or hexadecimal expression to match against data payloads (the actual information or message in transmitted data, but not … <\/p>\n
Continue reading “ngrep \u2013 A Network Packet Analyzer for Linux”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-11837","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11837","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=11837"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11837\/revisions"}],"predecessor-version":[{"id":11838,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11837\/revisions\/11838"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=11837"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=11837"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=11837"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}