How to Analyze Network Packets with ngrep

Ngrep stands for “network grep,” and like its cousin, the regular grep, it focuses on parsing text, but in network packets. The strength of this utility is that it parses network traffic text using regular expressions and also presents the output in a human-friendly way. The immediate benefit is that if you are already familiar with the regular expressions used to parse text with grep, all of that knowledge transfers to ngrep.

Installation:

To install it you simply type:

apt-get install ngrep

Chances are that if there is one packet capturing tool installed on a Linux box, that one would be tcpdump, and not ngrep. However, you won’t have problems finding ngrep in any public repository to install it.

Examples

To run this utility you will need to become a “super user” because, like most deep packet inspection functions, it requires elevated privileges. 

The general ngrep syntax is:

ngrep <regular expression>

If you type:

ngrep ""

ngrep will print all packets captured on all interfaces, and most likely that’s too noisy. Let’s look at some more targeted traffic examples.

ICMP Traffic

You can specify what type of traffic packets to capture, as follows:

netbeez.net$ ngrep "" "icmp"
interface: eth0 (172.31.0.0/255.255.255.0)
filter: (ip or ip6) and ( icmp )
#
I 172.31.0.69 -> 8.8.8.8 8:0
  wc..oA/^............................ !"#$%&'()*+,-./01234567
#
I 8.8.8.8 -> 172.31.0.69 0:0
  wc..oA/^............................ !"#$%&'()*+,-./01234567
#

To trigger this traffic, I opened another console on the same host, and I did “ping 8.8.8.8”

ICMP doesn’t usually have any useful payload, so we can only see the packets coming in and out of the host. 

You can specify UDP and TCP traffic with ‘ngrep "" "udp"’ and ‘ngrep "" "tcp"’, or specify a particular interface with ‘ngrep "" "icmp" -d eth0’.

Parse text

As an example of parsing actual payload text you can try the following:

netbeez.net$ ngrep -q  'google'
interface: eth0 (172.31.0.0/255.255.255.0)
match: google

U 172.31.0.69:34217 -> 8.8.8.8:53
  $............www.google.com.....

U 172.31.0.69:34217 -> 8.8.8.8:53
  .............www.google.com.....

U 8.8.8.8:53 -> 172.31.0.69:34217
  $............www.google.com..............*...:..

U 8.8.8.8:53 -> 172.31.0.69:34217
  .............www.google.com.................&...@......... .

To trigger this traffic, I opened another console on the same host, and I did “curl www.google.com”

In this case, ngrep matched “google” in the DNS request and printed the payload text. The “-q” (quiet) option tells ngrep not to print the “#” marker for every non-matching packet it sees (try it without “-q” to see the difference).

Filters

ngrep supports the Berkeley Packet Filter (BPF) syntax that tcpdump also uses. As an example, here is how to show traffic on port 53 only.

netbeez.net$ ngrep port 53
interface: eth0 (172.31.0.0/255.255.255.0)
filter: (ip or ip6) and ( port 53 )
#
U 172.31.0.69:59619 -> 8.8.8.8:53
  ... .........google.com.......)........
#
U 8.8.8.8:53 -> 172.31.0.69:59619
  .............google.com....................n..)........

To trigger this traffic, I opened another console on the same host, and I did “dig google.com”

grep-like text parsing

As an example of how grep knowledge carries over to ngrep, let’s say I want to make an HTTP request and extract the user agent value. I tried the following command and I didn’t get any output:

netbeez.net$ ngrep -q 'user-agent'
interface: any
match: user-agent

The problem was that I couldn’t remember the exact capitalization of the user agent header. Is it “User-Agent” or “user-agent”? As you may know, grep’s “-i” option ignores capitalization, and the same option can be applied here:

netbeez.net$ ngrep -q -i 'user-agent'
interface: any
match: user-agent

T 2600:1700:65a0:8fa0:ec22:bebb:f20b:a9dd:49846 -> 2607:f8b0:4005:804::2004:80 [AP]
  GET / HTTP/1.1..Host: www.google.com..User-Agent: curl/7.52.1..Accept: */*....
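Once ngrep has found the matching packets, the next step is usually to pull the interesting field out of the “dotted” payload lines shown above. The script below is an added example, not code from the original post or from the ngrep project: it reads saved `ngrep -q` output (the constructed sample mimics the format above, with 192.0.2.10 as a placeholder web server) and prints one line per matching packet with the protocol, the two endpoints and the matched text.

```shell
#!/bin/sh
# Added example (not from the original post): summarize the output of `ngrep -q`
# into one line per matching packet: PROTO SRC DST MATCHED_TEXT.
# Assumption: the capture was saved first, e.g.
#   sudo ngrep -q -i 'user-agent' port 80 > capture.txt
# and this script is then used as: summarize_ngrep PATTERN < capture.txt

# Constructed sample in the format ngrep -q prints (not a real capture).
SAMPLE='interface: eth0 (172.31.0.0/255.255.255.0)
match: google

U 172.31.0.69:34217 -> 8.8.8.8:53
  $............www.google.com.....

U 8.8.8.8:53 -> 172.31.0.69:34217
  $............www.google.com..............*...:..

T 172.31.0.69:49846 -> 192.0.2.10:80 [AP]
  GET / HTTP/1.1..Host: www.google.com..User-Agent: curl/7.52.1..Accept: */*....
'

# summarize_ngrep PATTERN   (reads ngrep -q output on stdin)
# The pattern is handed to awk through the environment so that backslashes
# such as the one in 'www\.google\.com' survive (awk -v would process escapes).
summarize_ngrep() {
    NGREP_PAT="$1" awk '
        BEGIN { pat = ENVIRON["NGREP_PAT"] }
        # Packet header: protocol letter (U/T/I), source, "->", destination, flags.
        /^[UTI] [^ ]+ -> [^ ]+/ { proto = $1; src = $2; dst = $4; next }
        # Payload lines are indented by two spaces; ngrep prints every
        # non-printable byte as ".", so CRLF shows up as "..".  Report the
        # first match per packet only.
        /^  / && proto != "" && match($0, pat) {
            printf "%s %s %s %s\n", proto, src, dst, substr($0, RSTART, RLENGTH)
            proto = ""
        }
    '
}

# Demo: which flows carried the name, and which User-Agent was sent.
# Because "." is also a real character in a version string, the version
# pattern is anchored on digits instead of using ".*" (which would swallow
# the ".." that stands for the CRLF).
printf '%s' "$SAMPLE" | summarize_ngrep 'www\.google\.com'
printf '%s' "$SAMPLE" | summarize_ngrep 'curl/[0-9]+(\.[0-9]+)*'
```

Capturing with `ngrep -W byline` instead prints the payload one header per line, which makes the dot-for-CRLF ambiguity go away; the parser above assumes the default single-line format.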

Tcpdump is a more generic packet capturing tool than ngrep, and you could use it to replicate all of these examples. However, I appreciate the convenience of ngrep and its user-friendliness when it comes to parsing payload text; its narrower scope is the price of lacking some of the capabilities that tcpdump has.
