Ngrep – How to Search Network Traffic on Linux – Command Examples

By | August 12, 2020

Ngrep

ngrep or network grep is a command line program that can be used to analyze and search network packets for a given regex pattern or string.

ngrep uses the pcap library to capture network packets and gnu regex library to perform regex searches.

ngrep is like tcpdump + grep.

In this article we shall take a quick at some quick examples of how to use the ngrep command to search network packets.

Project Url:
http://ngrep.sourceforge.net/
https://github.com/jpr5/ngrep

Install ngrep on Ubuntu

$ sudo apt-get install ngrep

Ngrep command examples

1. Capture all packets

Ngrep without any options would simply capture all packets. Its quite similar to tcpdump. Note that you need to run ngrep with sudo (root privileges) so that it can capture all packets.

$ sudo ngrep

Trick to list all devices

If you want to list out all the network devices that ngrep can sniff on use the following command and press TAB multiple times

$ ngrep -d [PRESS TAB] [PRESS TAB] [PRESS TAB]

The output would look something like this:

$ ngrep -d 
any     enp1s0  lo

2. Search network traffic for string

The follow example will search network traffic for TCP packets that have a port number 80 (HTTP) and contain the text "User-Agent: ". This particular string is present in http request packets.

$ sudo ngrep -d enp1s0 -i "User-Agent: " tcp and port 80

Here is a sample output:

$ sudo ngrep -d enp1s0 -i "User-Agent: " tcp and port 80
interface: enp1s0 (192.168.0.0/255.255.0.0)
filter: ( tcp and port 80 ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: User-Agent: 
#####
T 192.168.1.207:58642 -> 93.184.216.34:80 [AP] #5
  GET / HTTP/1.1..Host: example.com..Connection: keep-alive..Upgrade-Insecure-Requests: 1..User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (
  KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,appl
  ication/signed-exchange;v=b3;q=0.9..Accept-Encoding: gzip, deflate..Accept-Language: en-GB,en-US;q=0.9,en;q=0.8....                                      
######
T 192.168.1.207:58642 -> 93.184.216.34:80 [AP] #11
  GET /favicon.ico HTTP/1.1..Host: example.com..Connection: keep-alive..User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) 
  Chrome/84.0.4147.105 Safari/537.36..Accept: image/webp,image/apng,image/*,*/*;q=0.8..Referer: http://example.com/..Accept-Encoding: gzip, deflate..Accept
  -Language: en-GB,en-US;q=0.9,en;q=0.8....                                                                                                                
##

In the above command :
a) tcp and port 80 - is the bpf filter (Berkeley Packet Filter) , that sniffs only TCP packet with port number 80
b) The "-d" option specifies the interface to sniff. enp1s0 in this case.
c) "User-Agent: " is the string to search for. All packets that have that string are displayed.
d) "-i" Ignore case for the search term or regex

3. Search network packets for GET or POST requests

$ sudo ngrep -d enp1s0 -i "^GET |^POST " tcp and port 80

Here is a sample output

$ sudo ngrep -d enp1s0 -i "^GET |^POST " tcp and port 80
interface: enp1s0 (192.168.0.0/255.255.0.0)
filter: ( tcp and port 80 ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: ^GET |^POST 
#
T 192.168.1.207:58642 -> 93.184.216.34:80 [AP] #1
  GET / HTTP/1.1..Host: example.com..Connection: keep-alive..Cache-Control: max-age=0..Upgrade-Insecure-Requests: 1..User-Agent: Mozilla/5.0 (X11; Linux x8
  6_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp
  ,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9..Accept-Encoding: gzip, deflate..Accept-Language: en-GB,en-US;q=0.9,en;q=0.8..If-None-Match:
   "3147526947+gzip"..If-Modified-Since: Thu, 17 Oct 2019 07:18:26 GMT....                                                                                 
##############

4. Capture and search dns packets

The following example filters UDP packets on port 53. These are dns packets used by applications to resolve hostname to ip addresses.

$ sudo ngrep -d enp1s0 -i "" udp and port 53

Here is a sample output:

$ sudo ngrep -d enp1s0 -i "" udp and port 53
interface: enp1s0 (192.168.0.0/255.255.0.0)
filter: ( udp and port 53 ) and ((ip || ip6) || (vlan && (ip || ip6)))
#
U 192.168.1.207:35591 -> 8.8.4.4:53 #1
  .............www.freeformatter.com.......)........                                                                                                       
#
U 8.8.4.4:53 -> 192.168.1.207:35591 #2
  .............www.freeformatter.com..............$..6V...........$...I'...)........                                                                       
#
U 192.168.1.207:52018 -> 8.8.4.4:53 #3
  .............userstylesapi.com.......)........                                                                                                           
#
U 8.8.4.4:53 -> 192.168.1.207:52018 #4
  .............userstylesapi.com.................4,r.............".....)........                                                                           
#
U 192.168.1.207:46685 -> 8.8.4.4:53 #5
  .............fonts.gstatic.com.......)........

Ngrep on Windows

Install Ngrep on windows

The windows version can be downloaded from the following url
http://ngrep.sourceforge.net/download.html

Windows version uses Winpcap packet capture library. So make sure to first download and install winpcap before using ngrep.

Ngrep works on windows the same way as linux/ubuntu.

E:\ngrep>ngrep -l -q "User-Agent: " tcp and port 80
interface: \ (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( tcp and port 80 )
match: User-Agent:

T 192.168.1.6:1075 -> 118.214.190.56:80 [AP]
  GET /pub/adobe/reader/win/9.x/9.4.0/en_US/AdbeRdr940_en_US.msi HTTP/1.1..Ac
  cept: */*..Accept-Encoding: identity..Range: bytes=2618095-2630135..User-Ag
  ent: Microsoft BITS/6.7..Host: armdl.adobe.com..Connection: Keep-Alive....
E:\ngrep>ngrep -l -q "^GET |^POST " tcp and port 80
interface: \ (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( tcp and port 80 )
match: ^GET |^POST

T 192.168.1.6:1207 -> 64.131.72.23:80 [AP]
  POST /blog/wp-admin/admin-ajax.php HTTP/1.1..Host: www.binarytides.com..Con
  nection: keep-alive..Content-Length: 7256..Origin: http://www.binarytides.c
  om..X-Requested-With: XMLHttpRequest..User-Agent: Mozilla/5.0 (Windows NT 5
  .1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1.
  .Content-Type: application/x-www-form-urlencoded..Accept: */*..Referer: htt
  p://www.binarytides.com/blog/wp-admin/post.php?post=800&action=edit..Accept
  -Encoding: gzip,deflate,sdch..Accept-Language: en-US,en;q=0.8..Accept-Chars
  et: ISO-8859-1,utf-8;q=0.7,*;q=0.3......

The above examples used simple text strings as the serch term.
However ngrep supports regex patterns as well.

Conclusion

Ngrep is in some ways similar to tcpdump and uses the same packet capture library called libpcap. These packet sniffers are quite useful when you are developing low level network protocol applications and need to see if the application is generating packets in the correct format.

To learn about Tcpdump check this post:
Tcpdump Tutorial - How to Sniff and Analyse Packets from Commandline

Besides socket programming, packet sniffers are also used in network security and audit. They are used to monitor a network for unusual traffic and detect any threat early on.

When used with arp spoofing tools like ettercap, ngrep can be used to sniff the data of other hosts connected to the network.

Links and Resources

https://github.com/jpr5/ngrep
http://ngrep.sourceforge.net/usage.html
https://linux.die.net/man/8/ngrep

About Silver Moon

A Tech Enthusiast, Blogger, Linux Fan and a Software Developer. Writes about Computer hardware, Linux and Open Source software and coding in Python, Php and Javascript. He can be reached at [email protected].

Leave a Reply

Your email address will not be published. Required fields are marked *