What is ngrep
Ngrep stands for “network grep,” and like the regular grep command, it’s a utility that focuses on parsing text contained in network packets. This network packet analyzer parses data payloads within network traffic using regular expressions. It also presents the output of the packet data in a human-friendly way. The immediate benefit is that if you are already familiar with regular expressions used to parse text with grep, all of that knowledge is transferred to ngrep.
Installation:
To install it you simply type:
apt-get install ngrep
Chances are that if there is one packet capturing tool installed on a Linux box, it is tcpdump, not ngrep. However, you won’t have problems finding ngrep in any public repository.
Examples
To run this utility you will need to become a “super user” because, like most deep packet inspection functions, it requires elevated privileges.
The general ngrep syntax is:
ngrep <regular expression>
If you type:
ngrep ""
ngrep will print all packet data inspected on all interfaces, and most likely that’s too noisy. Let’s look at some more targeted traffic examples.
ngrep picks as default network interface the active one, such as eth0 or wlan0. You can list all interfaces with:
ngrep -L
To capture on a specific network interface:
ngrep -d <interface>
ICMP Traffic
You can specify what type of traffic packets to capture, as follows:
netbeez.net$ ngrep "" "icmp"
interface: eth0 (172.31.0.0/255.255.255.0)
filter: (ip or ip6) and ( icmp )
#
I 172.31.0.69 -> 8.8.8.8 8:0
wc..oA/^............................ !"#$%&'()*+,-./01234567
#
I 8.8.8.8 -> 172.31.0.69 0:0
wc..oA/^............................ !"#$%&'()*+,-./01234567
#
To trigger this traffic, I opened another console on the same host and I did “ping 8.8.8.8”.
ICMP doesn’t usually have any useful payload, so we can only see the packets coming in and out of the host.
You can specify UDP and TCP traffic in the same way:
ngrep "" "udp"
ngrep "" "tcp"
or restrict the capture to a specific network interface:
ngrep "" "icmp" -d eth0
Parse text
As an example of parsing actual payload text you can try the following:
netbeez.net$ ngrep -q 'google'
interface: eth0 (172.31.0.0/255.255.255.0)
match: google
U 172.31.0.69:34217 -> 8.8.8.8:53
$............www.google.com.....
U 172.31.0.69:34217 -> 8.8.8.8:53
.............www.google.com.....
U 8.8.8.8:53 -> 172.31.0.69:34217
$............www.google.com..............*...:..
U 8.8.8.8:53 -> 172.31.0.69:34217
.............www.google.com.................&...@......... .
To trigger the HTTP traffic, I opened another console on the same host and I did “curl www.google.com”.
In this case, ngrep detected “google.com” in the DNS request and printed the text. The “-q” option tells ngrep to avoid printing unnecessary characters in the output (try it without “-q” to see the difference).
BPF Filters
ngrep supports BPF filters (Berkeley Packet Filters), the same filter syntax used by tcpdump and other packet sniffing tools. The original BPF paper describes how the filter mechanism works. As an example, the following command shows data payloads on port 53:
netbeez.net$ ngrep port 53
interface: eth0 (172.31.0.0/255.255.255.0)
filter: (ip or ip6) and ( port 53 )
#
U 172.31.0.69:59619 -> 8.8.8.8:53
... .........google.com.......)........
#
U 8.8.8.8:53 -> 172.31.0.69:59619
.............google.com....................n..)........
To trigger this traffic, I opened another console on the same host and I did “dig google.com”.
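To make the mechanics concrete, the following Python model (an added example, not ngrep's own code) does on a handful of constructed frames what ngrep does on live traffic: decode IPv4 plus UDP or TCP, apply a BPF-style "port N" filter in either direction, run the regular expression over the raw payload bytes (optionally case-insensitive, like ngrep's -i flag), and render hits in the same "U src:port -> dst:port" style shown above. The frames, addresses and payloads are built inline and are not captured traffic.

```python
import re
import struct

# Constructed sample frames (not captured traffic): Ethernet II + IPv4 + UDP/TCP, built inline.
def _frame(src, dst, proto, l4):
    s, d = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, s, d)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4  # checksums stay 0: we parse, never send

def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def _tcp(sport, dport, data):  # 20-byte header, flags PSH|ACK (what ngrep prints as [AP])
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data

DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x06google\x03com\x00\x00\x01\x00\x01"
HTTP_GET = b"GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.52.1\r\nAccept: */*\r\n\r\n"
FRAMES = [
    _frame("172.31.0.69", "8.8.8.8", 17, _udp(34217, 53, DNS_QUERY)),
    _frame("172.31.0.69", "142.250.0.1", 6, _tcp(49846, 80, HTTP_GET)),
    _frame("172.31.0.69", "172.31.0.1", 6, _tcp(50000, 22, b"SSH-2.0-OpenSSH_8.4\r\n")),
]

def parse(frame):
    """Return (U|T, src, sport, dst, dport, payload), or None for anything but IPv4 UDP/TCP."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, total, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    l4 = ip[ihl:total]
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 17:
        return "U", src, sport, dst, dport, l4[8:]
    if proto == 6:
        return "T", src, sport, dst, dport, l4[(l4[12] >> 4) * 4:]
    return None

def printable(payload):
    """ngrep's default rendering: printable ASCII as-is, every other byte shown as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)

def ngrep(frames, pattern, port=None, ignore_case=False):
    """Mini ngrep: BPF-style 'port N' filter (either direction), then regex over raw payload bytes."""
    rx = re.compile(pattern.encode(), re.IGNORECASE if ignore_case else 0)
    hits = []
    for kind, src, sport, dst, dport, data in filter(None, map(parse, frames)):
        if port in (None, sport, dport) and rx.search(data):
            hits.append(f"{kind} {src}:{sport} -> {dst}:{dport}\n  {printable(data)}")
    return hits
```

Running ngrep(FRAMES, "user-agent") returns nothing while ngrep(FRAMES, "user-agent", ignore_case=True) returns the HTTP packet, reproducing the case-sensitivity behaviour, and ngrep(FRAMES, "google", port=53) keeps only the DNS packet even though the HTTP Host header also contains "google".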
ngrep grep-like text parsing
As a comparison between grep and ngrep, let’s say I want to do an HTTP request and extract the User-Agent value. I tried the following command and I didn’t get any output:
netbeez.net$ ngrep -q 'user-agent'
interface: any
match: user-agent
The problem was that I couldn’t remember the exact capitalization for the “user agent” variable. In grep the “-i” option ignores capitalization. The same flag can be applied to ngrep:
netbeez.net$ ngrep -q -i 'user-agent'
interface: any
match: user-agent
T 2600:1700:65a0:8fa0:ec22:bebb:f20b:a9dd:49846 -> 2607:f8b0:4005:804::2004:80 [AP]
GET / HTTP/1.1..Host: www.google.com..User-Agent: curl/7.52.1..Accept: */*....
Conclusion
While tcpdump is a more common packet sniffing tool that can perform the same searches as ngrep, I appreciate ngrep’s convenience and its user friendliness when it comes to parsing data payload. It understands BPF filter logic. ngrep has a narrower scope, however, and so lacks some capabilities that tcpdump has.