Linux for Network Engineers: How to Analyze Network Packets with ngrep

January 29, 2020 | Linux

We have already discussed packet analysis with tcpdump; in this post we dive deeper with a related tool, ngrep. Tcpdump is probably the most popular and capable tool for digging down to all the bits and bytes of network traffic, including TCP flags.

Ngrep stands for “network grep.” Like its cousin, the regular grep, it focuses on matching text, but in network packet payloads rather than files. Ngrep’s sweet spot is searching network traffic with regular expressions while presenting the output in a human-friendly way. The immediate benefit is that if you are already familiar with the regular expressions you use to parse text with grep, all of that knowledge transfers directly to ngrep.

Installation:

To install ngrep you can simply do:

Chances are that if there is one packet capturing tool installed on a Linux box, that one would be tcpdump, and not ngrep. However, you won’t have problems finding ngrep in any public repository to install it.

Examples

You will need to run ngrep as a “super user” because, like most deep packet inspection functions, it requires elevated privileges. 

The general ngrep syntax is:

If you type:

ngrep will print all packets captured on all interfaces, and most likely that’s too noisy. Let’s look at some more targeted traffic examples.

ICMP Traffic

You can specify what type of traffic packets ngrep should capture, as follows:

To trigger this traffic, I opened another console on the same host, and I did “ping 8.8.8.8”

ICMP echo packets don’t usually carry any useful text payload, so all we see here is the packets going in and out of the host.

You can specify UDP and TCP traffic with ‘ngrep "" "udp"’ and ‘ngrep "" "tcp"’, or restrict the capture to a specific interface with ‘ngrep "" "icmp" -d eth0’.

Parse text

As an example of parsing actual payload text you can try the following:

To trigger this traffic, I opened another console on the same host, and I did “curl www.google.com”

In this case, ngrep detected “google.com” in the DNS request and printed the text. The “-q” option tells ngrep to avoid printing unnecessary characters in the output (try it without “-q” to see the difference).

Filters

ngrep supports the same Berkeley Packet Filter (BPF) expressions that tcpdump uses. As an example, here is how to show only traffic on port 53:

To trigger this traffic, I opened another console on the same host, and I did “dig google.com”

grep-like text parsing

As an example of how closely ngrep mirrors grep, let’s say I want to make an HTTP request and extract the User-Agent value. I tried the following command and didn’t get any output:

The problem was that I couldn’t remember the exact capitalization of the User-Agent header. Is it “User-Agent” or “user-agent”? As you may know, grep’s “-i” option ignores case, and the same option works in ngrep:
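To show what ngrep is actually doing in the last three sections, here is a small Python script added to this post as an example (it is not from the original article and not ngrep’s own code). It decodes Ethernet/IPv4 frames down to the TCP, UDP or ICMP payload, applies a simple protocol/port filter in place of a BPF expression, and runs a regular expression over the payload with an optional case-insensitive flag that plays the role of “-i”. All traffic is constructed inline (documentation addresses in 192.0.2.0/24, a hand-built DNS query and an HTTP request), so it runs offline and without root.

```python
"""Mini ngrep (added example): regex search over packet payloads with a proto/port filter."""
import re
import socket
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_IP = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}   # IP protocol numbers we decode


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Decode Ethernet -> IPv4 -> {TCP, UDP, ICMP} just far enough to reach the payload."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:total_len]
    if proto == 6:                               # TCP: data offset in upper nibble of byte 12
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[(l4[12] >> 4) * 4:]
    elif proto == 17:                            # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[8:]
    elif proto == 1:                             # ICMP: no ports, 8-byte header
        sport = dport = 0
        payload = l4[8:]
    else:
        return None
    return Packet(PROTO_NAMES[proto], src, sport, dst, dport, payload)


def ngrep_like(frames, pattern="", proto=None, port=None, ignore_case=False):
    """Return (packet, matched_text) for every frame whose payload matches `pattern`
    after the optional protocol and port filters (our stand-in for BPF "port 53")."""
    regex = re.compile(pattern.encode(), re.IGNORECASE if ignore_case else 0)
    hits = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or (proto and pkt.proto != proto):
            continue
        if port is not None and port not in (pkt.sport, pkt.dport):
            continue
        m = regex.search(pkt.payload)
        if m:
            hits.append((pkt, m.group(0).decode(errors="replace")))
    return hits


def format_hit(pkt: Packet, match: str) -> str:
    """ngrep-style summary line: PROTO src:sport -> dst:dport  matched text."""
    return f"{pkt.proto.upper()} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {match}"


# ---- constructed sample traffic (built by hand, not captured from a network) ----
def build_frame(proto, src, sport, dst, dport, payload):
    """Assemble Ethernet + IPv4 + L4 header + payload; checksums are left at zero."""
    if proto == 6:      # TCP: seq 1, ack 0, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    elif proto == 17:   # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:               # ICMP echo request, id 1, seq 1
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + struct.pack("!H", ETH_P_IP) + ip + l4 + payload


DNS_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
             + b"\x03www\x06google\x03com\x00" + struct.pack("!HH", 1, 1))
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.68.0\r\n\r\n"

SAMPLE_FRAMES = [
    build_frame(1, "192.0.2.10", 0, "192.0.2.1", 0, bytes(56)),          # like "ping"
    build_frame(17, "192.0.2.10", 40000, "192.0.2.53", 53, DNS_QUERY),   # like "dig"
    build_frame(6, "192.0.2.10", 50000, "192.0.2.80", 80, HTTP_REQUEST),  # like "curl"
]

if __name__ == "__main__":
    # Equivalent of: ngrep -q -i "user-agent: [^\r\n]+" "tcp and port 80"
    for pkt, text in ngrep_like(SAMPLE_FRAMES, r"user-agent: [^\r\n]+",
                                proto="tcp", port=80, ignore_case=True):
        print(format_hit(pkt, text))
```

Two details worth noticing when you run it: searching for “user-agent” without `ignore_case=True` returns nothing, exactly like the ngrep command without “-i”; and the pattern “google.com” matches the DNS query even though the wire format stores the name as length-prefixed labels (`\x06google\x03com`), because the unescaped “.” in the regex happily matches the `\x03` label-length byte. That is also why ngrep printed the DNS request above.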

Tcpdump is a more general packet capture tool than ngrep, and you could use it to replicate all of these examples. However, I appreciate ngrep’s convenience and user friendliness when it comes to searching payload text. Its narrower scope means it lacks some capabilities that tcpdump has.