We have already discussed packet analysis with tcpdump but will dive deeper in this post! Tcpdump is probably the most popular and capable tool that allows you to dig down to all the bits and bytes of network traffic, including TCP flags.
Ngrep stands for “network grep,” and like its cousin, the regular grep, it focuses on parsing text, but in network packets. Ngrep’s sweet spot is parsing network traffic text with regular expressions while presenting the output in a human-friendly way. The immediate benefit is that if you are already familiar with the regular expressions used to parse text with grep, all of that knowledge transfers to ngrep.
To install ngrep you can simply do:
apt-get install ngrep
Chances are that if there is one packet capturing tool installed on a Linux box, that one would be tcpdump, and not ngrep. However, you won’t have problems finding ngrep in any public repository to install it.
You will need to run ngrep as a “super user” because, like most deep packet inspection functions, it requires elevated privileges.
The general ngrep syntax is:
ngrep <regular expression>
If you type:
ngrep will print all packets captured on all interfaces, and most likely that’s too noisy. Let’s look at some more targeted traffic examples.
You can specify what type of traffic packets ngrep should capture, as follows:
netbeez.net$ ngrep "" "icmp"
interface: eth0 (172.31.0.0/255.255.255.0)
filter: (ip or ip6) and ( icmp )
#
I 172.31.0.69 -> 18.104.22.168 8:0
  wc..oA/^............................ !"#$%&'()*+,-./01234567
#
I 22.214.171.124 -> 172.31.0.69 0:0
  wc..oA/^............................ !"#$%&'()*+,-./01234567
#
To trigger this traffic, I opened another console on the same host, and I did “ping 126.96.36.199”
ICMP doesn’t usually have any useful payload, so we can only see the packets coming in and out of the host.
You can select UDP or TCP traffic with ‘ngrep "" "udp"’ and ‘ngrep "" "tcp"’, or capture on a specific interface with ‘ngrep "" "icmp" -d eth0’.
As an example of parsing actual payload text you can try the following:
netbeez.net$ ngrep -q 'google'
interface: eth0 (172.31.0.0/255.255.255.0)
match: google

U 172.31.0.69:34217 -> 188.8.131.52:53
  $............www.google.com.....

U 172.31.0.69:34217 -> 184.108.40.206:53
  .............www.google.com.....

U 220.127.116.11:53 -> 172.31.0.69:34217
  $............www.google.com..............*...:..

U 18.104.22.168:53 -> 172.31.0.69:34217
  .............www.google.com.................&...@......... .
To trigger this traffic, I opened another console on the same host, and I did “curl www.google.com”
In this case, ngrep detected “google.com” in the DNS request and printed the text. The “-q” option tells ngrep to avoid printing unnecessary characters in the output (try it without “-q” to see the difference).
ngrep supports the Berkeley Packet Filter (BPF) syntax that tcpdump also uses. As an example, here is how to show only traffic on port 53.
netbeez.net$ ngrep port 53
interface: eth0 (172.31.0.0/255.255.255.0)
filter: (ip or ip6) and ( port 53 )
#
U 172.31.0.69:59619 -> 22.214.171.124:53
  ... .........google.com.......)........
#
U 126.96.36.199:53 -> 172.31.0.69:59619
  .............google.com....................n..)........
To trigger this traffic, I opened another console on the same host, and I did “dig google.com”
grep-like text parsing
As an example of how closely ngrep follows grep, let’s say I want to make an HTTP request and extract the user agent value. I tried the following command and didn’t get any output:
netbeez.net$ ngrep -q 'user-agent'
interface: any
match: user-agent
The problem was that I couldn’t remember the exact capitalization of the user agent header. Is it “User-Agent” or “user-agent”? As you may know, grep’s “-i” option ignores case, and the same option applies here:
netbeez.net$ ngrep -q -i 'user-agent'
interface: any
match: user-agent

T 2600:1700:65a0:8fa0:ec22:bebb:f20b:a9dd:49846 -> 2607:f8b0:4005:804::2004:80 [AP]
  GET / HTTP/1.1..Host: www.google.com..User-Agent: curl/7.52.1..Accept: */*....
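To make ngrep's two stages explicit (the BPF filter runs first, then the regular expression runs over the layer 4 payload, as in the port 53 and "-i" examples above), here is a small Python imitation of its matching and display. This is an added example, not part of the post or of ngrep itself; it runs on constructed IPv4 packets with documentation addresses and zero checksums instead of live traffic, and the helper names (build_packet, parse_packet, ngrep_like) are my own.

```python
import re
import socket
import struct

def build_packet(proto, src, dst, sport, dport, payload):
    """Minimal IPv4 + UDP/TCP packet; checksums are zero (constructed input, not a capture)."""
    if proto == "udp":
        l4, pnum = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0), 17
    else:  # TCP: seq/ack 0, data offset 5, flags PSH|ACK
        l4, pnum = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0), 6
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, pnum, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4 + payload

def parse_packet(pkt):
    """Return (proto letter, src, sport, dst, dport, payload) for IPv4 UDP/TCP, else None."""
    ihl, pnum = (pkt[0] & 0x0F) * 4, pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    l4 = pkt[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    if pnum == 17:
        return "U", src, sport, dst, dport, l4[8:]
    if pnum == 6:
        return "T", src, sport, dst, dport, l4[(l4[12] >> 4) * 4:]
    return None

def printable(payload):
    """ngrep-style rendering: every non-printable byte becomes '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)

def ngrep_like(packets, pattern, ignore_case=False, port=None):
    """Mimic `ngrep [-i] <regex> [port N]`: port filter first, then regex on the payload."""
    rx = re.compile(pattern.encode(), re.IGNORECASE if ignore_case else 0)
    hits = []
    for p in map(parse_packet, packets):
        if p is None:
            continue
        proto, src, sport, dst, dport, payload = p
        if port is not None and port not in (sport, dport):
            continue  # dropped by the BPF stage, regex never sees it
        if rx.search(payload):
            hits.append(f"{proto} {src}:{sport} -> {dst}:{dport}\n  {printable(payload)}")
    return hits

# Constructed traffic mirroring the post: a DNS query for www.google.com and an HTTP GET.
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x06google\x03com\x00\x00\x01\x00\x01"
HTTP_GET = b"GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.52.1\r\nAccept: */*\r\n\r\n"
PACKETS = [build_packet("udp", "172.31.0.69", "192.0.2.53", 34217, 53, DNS_QUERY),
           build_packet("tcp", "172.31.0.69", "192.0.2.80", 49846, 80, HTTP_GET)]

print("\n".join(ngrep_like(PACKETS, "user-agent", ignore_case=True)))  # the -i case from above
```

Running it with "user-agent" and no ignore_case returns nothing, exactly like the first attempt in the post, while the same pattern with ignore_case=True matches the HTTP packet.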
Tcpdump is a more general packet capturing tool than ngrep, and you could use it to replicate all of these examples. However, I appreciate ngrep’s convenience and user friendliness when it comes to parsing payload text. Its narrower scope comes at the cost of some capabilities that tcpdump has.